Guia independente do Regulamento (UE) 2024/2847 · Estado: em vigor
Esta página é uma tradução automática (IA) e não foi revista por uma pessoa. Os artigos do blogue estão disponíveis apenas em inglês.
← All news
Fast Check6 July 2026

Fast Check: After CISA's 3 July 2026 Fortinet Warning, FortiGate Firewalls Fall Under the CRA's Class II Rules

Fast Check: After CISA's 3 July 2026 Fortinet Warning, FortiGate Firewalls Fall Under the CRA's Class II Rules

On 3 July 2026, CISA warned Fortinet customers that multiple flaws across FortiOS, FortiProxy e FortiGate appliances had been added to its Known Exploited Vulnerabilities (KEV) catalogue, meaning attackers are using them in the wild. What made this wave notable is speed: researchers and attackers alike are now using AI-assisted fuzzing to surface firmware bugs in hours rather than months, compressing the window between disclosure and exploitation. KEV is a United States mechanism, but the device at the centre of it, an enterprise firewall, is squarely in scope of the EU Cyber Resilience Act. So this Fast Check asks a simple question: if a FortiGate is sold into the EU, where does it sit under the CRA, and what would an actively exploited flaw trigger?

Where a firewall sits in the CRA

The CRA sorts products with digital elements into three tiers: default (self-assessed), importante (Annex III), and crítico (Annex IV). Annex III splits into Class I and Class II, and Class II is the higher-risk band. Firewalls are named there explicitly: Annex III, Class II, lists firewalls, intrusion detection and prevention systems. A FortiGate is a firewall with IDS/IPS functions, so it lands in Class II, not in the default self-assessed tier and not in Class I. You can check any product against the tiers with our classification tool or run the full Fast Check yourself.

Class II means no pure self-assessment

The classification matters because it fixes the conformity route. For most products, the lightest internal control procedure (module A) in Annex VIII is enough: the manufacturer assesses its own product and signs the EU declaration of conformity. That door is closed for Class II. Under Article 32, a Class II product must demonstrate conformity with the Annex I essential requirements through one of three heavier routes: EU-type examination (module B) plus conformity to type (module C), full quality assurance (module H), or a sistema europeu de certificação da cibersegurança at assurance level at least substantial. The first two bring in a organismo notificado. In short, a firewall maker cannot simply self-declare; a third party has to be in the loop. Our CE marking and conformity guide maps each route to its module.

The 24-hour clock an exploited flaw would start

Classification decides how a product reaches the market. Article 14 decides what happens when it is attacked. From 11 de setembro de 2026, a manufacturer that becomes aware of an actively exploited vulnerability must send an early warning within 24 hours, a fuller notification within 72 hours, and a final report within 14 days of a corrective measure being available. This is exactly the situation a KEV listing describes: a flaw already exploited in the wild, often before a fix is broadly deployed. The duty covers legacy products already on the market, not just new launches, so a firewall shipped today would still be caught. Our Article 14 reporting guide sets out the 24, 72 and 14-day sequence.

Status at publication, 6 July 2026

Two things are not yet in place. ENISA's Single Reporting Platform, the single entry point manufacturers must use for Article 14 notifications, is not yet operational; ENISA has scheduled it to be live by 11 de setembro de 2026, with a testing period beforehand. And no CRA harmonised standard has yet been cited in the Official Journal, so the Article 27 presumption of conformity is not available for any category. A firewall maker preparing now is doing so before either the reporting tool or the standards it can build against are finalised.

What this means for firewall makers and buyers

The takeaway is not that Fortinet is uniquely exposed; the same logic applies to any firewall or IDS/IPS vendor selling into the EU, and the AI-accelerated discovery trend guarantees more such warnings. For makers, the practical steps are to confirm the Class II classification early, plan for a organismo notificado route rather than self-assessment, and stand up an internal detection and triage process that can meet a 24, 72 and 14-day rhythm once reporting begins. For buyers, a live KEV entry is a useful proxy for the vulnerability-handling maturity the CRA will eventually require of every in-scope product: patch cadence, clear advisories, and a support period that outlasts the threat. The exploited-flaw warning is a US signal today. Under the CRA, from 11 September 2026, a comparable flaw in an EU-market firewall starts a clock the manufacturer cannot pause.

Published 6 July 2026 · Fast Check. Part of the CRA insights blog on cyberresilienceact.eu.