
EU Cyber Resilience Act Imposes First Hard Deadlines on Building IoT Vendors

The EU Cyber Resilience Act sets binding deadlines for building IoT vendors: vulnerability reporting from September 2026, full compliance by December 2027.


The European Union's Cyber Resilience Act (CRA) is shifting from legislative milestone to enforceable compliance schedule, with direct implications for manufacturers and importers of connected building devices. The first obligations take effect in less than five months.

The CRA entered into force on 10 December 2024, published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. Its main obligations apply from 11 December 2027, with reporting obligations taking effect on 11 September 2026. For the building sector - which relies heavily on connected sensors, access control systems, building management system (BMS) controllers, HVAC actuators, and lighting networks - those dates represent concrete procurement, certification, and security engineering inflection points.

Background

The CRA aims to close regulatory gaps and strengthen coherence across the EU's cybersecurity legislative framework, ensuring that products with digital components - including IoT products - are secured throughout the supply chain and lifecycle. Previously, measures at Union and national levels only partially addressed identified cybersecurity risks, creating a legislative patchwork within the internal market.

The Act regulates "products with digital elements" (PDEs), a category encompassing a broad range of hardware and software, though it excludes medical devices, vehicles, and other product types already governed by sector-specific safety rules. For building professionals, this captures the vast majority of networked field devices sold on the European market. A parallel, earlier obligation is already in effect: cybersecurity requirements under the Radio Equipment Directive (RED) applied as of 1 August 2025 to internet-connected radio devices, meaning Wi-Fi and Bluetooth-enabled building IoT products face binding obligations ahead of the CRA's own timeline.

Prior coverage on this portal has documented the broader convergence of building cybersecurity frameworks, including NIS2 obligations for building automation operators. The CRA extends the compliance burden upstream to the manufacturers and vendors supplying those systems. Related reading: Integrated Building Security Standards Gain Momentum.

Details

The CRA establishes a tiered risk classification for products with digital elements, with compliance pathways varying by category. The regulation divides products into four risk classes. The default category - covering roughly 90% of products, including standard software applications, consumer electronics, and lower-risk IoT devices - permits manufacturer self-assessment without mandatory third-party verification, though technical documentation proving adherence must be retained. Higher-risk devices require third-party conformity assessment. Provisions on notification of conformity assessment bodies take effect on 11 June 2026, by which date organizations must have identified and engaged qualified third parties for product assessments.

The most immediate deadline for building IoT vendors is the vulnerability reporting obligation, arriving in September 2026. From that date, all manufacturers must report any actively exploited vulnerability to ENISA within 24 hours of discovery. This applies to all manufacturers of products with digital elements shipped to the EU - including software, IoT devices, OT systems, networking gear, and embedded systems - and covers legacy products already on the market.

Underpinning that reporting requirement is a practical dependency on Software Bills of Materials (SBOMs). The CRA explicitly requires vendors to create SBOMs, as outlined in Annex I, Part II: manufacturers must identify and document vulnerabilities and components in products, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at least top-level dependencies. While SBOM obligations are not formally enforceable until December 2027, SBOM infrastructure and automated vulnerability tracking are a practical necessity from September 2026 - making SBOM readiness effectively mandatory at least 15 months before the official deadline.
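Added example, not code from the article or from any vendor: a small Python triage routine that checks a constructed CycloneDX-style SBOM for the top-level dependency coverage Annex I, Part II asks for, matches its components against a constructed advisory list, and computes the 24-hour ENISA reporting deadline from the previous paragraph for any actively exploited hit. Product name, component names, advisory identifiers and version thresholds are all made up.

```python
import json
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOM for a hypothetical BMS controller firmware;
# product and component names are sample data, not a real vendor's product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/bms-controller@3.2.0", "name": "bms-controller"}},
  "components": [
    {"bom-ref": "pkg:generic/mbedtls@2.28.4", "name": "mbedtls", "version": "2.28.4"},
    {"bom-ref": "pkg:generic/lwip@2.1.3", "name": "lwip", "version": "2.1.3"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/bms-controller@3.2.0",
     "dependsOn": ["pkg:generic/mbedtls@2.28.4", "pkg:generic/lwip@2.1.3"]}
  ]
}"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "lwip", "fixed_in": "2.2.0", "actively_exploited": True},
    {"id": "ADV-EXAMPLE-002", "name": "mbedtls", "fixed_in": "2.28.0", "actively_exploited": False},
]

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def has_top_level_dependencies(sbom):
    # Annex I, Part II: at least top-level dependencies. The product's own
    # component must have a dependency entry listing what it depends on.
    root = sbom["metadata"]["component"]["bom-ref"]
    return any(d["ref"] == root and d.get("dependsOn") for d in sbom.get("dependencies", []))

def match_advisories(sbom, advisories):
    # Components whose shipped version is older than the advisory's fixed version.
    return [(c["name"], c["version"], a["id"], a["actively_exploited"])
            for c in sbom["components"] for a in advisories
            if a["name"] == c["name"]
            and version_tuple(c["version"]) < version_tuple(a["fixed_in"])]

def triage(sbom_json, advisories, discovered_at_iso):
    # Check SBOM completeness, list affected components and, for actively
    # exploited ones, compute the 24-hour ENISA reporting deadline.
    sbom = json.loads(sbom_json)
    discovered = datetime.fromisoformat(discovered_at_iso)
    hits = match_advisories(sbom, advisories)
    return {"sbom_top_level_ok": has_top_level_dependencies(sbom),
            "affected": hits,
            "report_due": [(adv_id, (discovered + timedelta(hours=24)).isoformat())
                           for _, _, adv_id, exploited in hits if exploited]}
```

Running `triage(SBOM_JSON, ADVISORIES, "2026-09-11T08:00:00+00:00")` flags only the outdated lwip component and sets its report-by time 24 hours after the discovery timestamp.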

The full requirements taking effect in December 2027 mandate secure-by-design principles across the device lifecycle. Devices must include strong authentication, encrypted communications, secure boot, and safe default configurations. Manufacturers must monitor vulnerabilities across all product components and issue timely security updates, as well as implement a coordinated vulnerability disclosure (CVD) policy enabling the public to report vulnerabilities before exploitation occurs. Compliance documentation must be retained for 10 years and made available to regulators on demand.

Penalties for non-compliance are substantial. Products may be withdrawn from the EU market, and manufacturers face fines of up to €15 million or 2.5% of global annual turnover.

Supply chain implications extend to importers and distributors. IoT device importers, distributors, and resellers carry significant obligations under the CRA and in some circumstances can be treated as manufacturers themselves. For building procurement officers and system integrators, this creates a due diligence requirement: specifying and sourcing devices with demonstrable compliance documentation, published support timelines, and SBOM data will become standard procurement practice.

Outlook

For critical products, conformity assessment capacity poses an emerging bottleneck - only a limited number of certified bodies can perform assessments, and demand is expected to far exceed capacity as the December 2027 deadline approaches. In March 2026, the European Commission published draft guidance for consultation to help manufacturers, developers, and other stakeholders understand their obligations and ensure a consistent approach across the EU. Building IoT vendors that delay classification, SBOM implementation, and third-party assessment planning risk both market access disruption and regulatory penalties in an increasingly compliance-driven European procurement environment.