The European Union's Cyber Resilience Act (CRA) is shifting from policy to active enforcement, imposing concrete compliance dates on manufacturers of connected building devices and forcing facility operators, system integrators, and procurement teams to reassess supply chains before the first regulatory deadline arrives this September.
Background
The CRA entered into force on 10 December 2024 (source: Cyber Resilience Act | Shaping Europe’s digital future). The regulation establishes the EU's first horizontal cybersecurity framework for all products with digital elements, a category that directly encompasses building IoT hardware. A product with digital elements is defined as hardware or software whose intended or foreseeable use includes direct or indirect data connection to a device or network, covering smart meters, sensors, industrial control systems, smart thermostats, and connected alarm systems. Building automation systems (BAS), HVAC controllers, access control gateways, and energy management sensors all fall within this scope.
The regulation aims to ensure that products with digital components, including IoT devices, remain secure throughout the supply chain and their full lifecycle. Before the CRA, cybersecurity requirements across EU member states formed a fragmented legislative patchwork, increasing legal uncertainty for manufacturers and users alike while burdening companies with differing requirements for similar product types.
Details
The CRA operates on a two-stage enforcement schedule that many vendors are underestimating. The main obligations apply from 11 December 2027, while reporting obligations take effect on 11 September 2026. That earlier date is the more immediate pressure point for building IoT vendors.
From 11 September 2026, all manufacturers of products with digital elements shipped to the EU, including IoT devices, OT systems, and embedded systems, must report actively exploited vulnerabilities within 24 hours to ENISA and designated national CSIRTs (Computer Security Incident Response Teams). Critically, this applies even to legacy products already shipped. A BAS gateway or smart meter deployed years ago remains in scope if it is still commercially available and an exploitable vulnerability emerges.
Meeting the 24-hour reporting window requires infrastructure that most building device vendors do not yet have in place. Under the CRA's documentation requirements, manufacturers must maintain a Software Bill of Materials (SBOM) and review the entire supply chain for security risks. The SBOM is a digital inventory listing all software components in a product, including non-obvious elements. Manufacturers, importers, and distributors must keep this list current, with every software update or security patch requiring continuous SBOM maintenance, ideally through an automated process.
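The two practical questions behind the SBOM and 24-hour reporting obligations are "what changed in this release?" and "which shipped products contain the affected component?". The following is an added example, not code from the article or from any vendor it mentions: it compares two CycloneDX-style SBOM documents for a hypothetical building gateway, flags components that ship without a version or package URL, and answers the fleet question. All product names, firmware versions, and component versions are constructed for illustration.

```python
"""SBOM drift and fleet-impact check over CycloneDX-style JSON (example code)."""
import json

# Constructed sample: SBOM for firmware 1.0 of a hypothetical building gateway.
# Field layout follows the CycloneDX JSON shape; versions are illustrative.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "mbedtls", "version": "2.28.4",
         "purl": "pkg:generic/mbedtls@2.28.4"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
        {"type": "library", "name": "vendor-bacnet-stack", "version": "4.2.0",
         "purl": "pkg:generic/vendor-bacnet-stack@4.2.0"},
    ],
})

# Constructed sample: SBOM for firmware 1.1 after a security patch. mbedtls was
# bumped, lwip is unchanged, an MQTT client was added without version or purl
# (incomplete documentation), and the BACnet stack was dropped.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 2,
    "components": [
        {"type": "library", "name": "mbedtls", "version": "2.28.8",
         "purl": "pkg:generic/mbedtls@2.28.8"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
        {"type": "library", "name": "paho-mqtt-embedded"},
    ],
})

# Hypothetical fleet: product identifier -> SBOM for the firmware it ships.
FLEET = {"gateway-fw-1.0": SBOM_V1, "gateway-fw-1.1": SBOM_V2}


def load_components(sbom_json: str) -> dict:
    """Return {component name: component dict} for a CycloneDX-style document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c["name"]: c for c in doc.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> dict:
    """Report components added, removed, or re-versioned between two SBOMs."""
    old, new = load_components(old_json), load_components(new_json)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {
            n: (old[n].get("version"), new[n].get("version"))
            for n in sorted(common)
            if old[n].get("version") != new[n].get("version")
        },
    }


def incomplete_components(sbom_json: str) -> list:
    """Names of components lacking a version or purl; these cannot be matched
    reliably against a vulnerability advisory and block a 24-hour triage."""
    return sorted(
        n for n, c in load_components(sbom_json).items()
        if not c.get("version") or not c.get("purl")
    )


def products_containing(component: str, fleet: dict) -> list:
    """Given {product_id: sbom_json}, list products whose SBOM names `component`."""
    return sorted(p for p, s in fleet.items() if component in load_components(s))


if __name__ == "__main__":
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=2))
    print("incomplete in v2:", incomplete_components(SBOM_V2))
    print("ships lwip:", products_containing("lwip", FLEET))
```

Running the script shows the mbedtls bump, the dropped BACnet stack, the undocumented MQTT client, and that both firmware lines still ship lwip, which is exactly the lookup a vendor must perform when an advisory for a shared component lands and the reporting clock starts.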
On the certification side, conformity assessment bodies (CABs) will begin checking product conformity from 11 June 2026, enabling manufacturers to obtain external CRA conformity certification. External conformity assessment is mandatory for products with a high safety risk (CRA classes "critical" and "highly critical"), such as critical infrastructure components, IoT devices with high damage potential, and industrial control systems, though a self-declaration is sufficient for roughly 90 percent of all networked products.
Non-compliance carries severe financial consequences. Products may be withdrawn from the EU market, and manufacturers face fines of up to €15 million or 2.5% of global annual turnover.
The regulation's supply chain requirements extend beyond manufacturers. Companies must work closely with suppliers to ensure seamless security monitoring throughout the entire product lifecycle. For building sector integrators, this introduces due diligence obligations on any third-party component vendor. Particular risk areas include vulnerabilities in external programs from partners outside the EU with limited understanding of CRA compliance, purchased components with incomplete documentation, and open-source software.
In March 2026, the European Commission published draft guidance for feedback to help companies apply the CRA, aiming to clarify obligations for manufacturers, developers, and other stakeholders while ensuring a consistent approach across the EU.
Outlook
First standardisation deliverables, including horizontal and product-specific standards, are expected in Q3 2026, with sufficient CABs to be notified across member states by 11 December 2026. Building operators and procurement teams sourcing new IoT devices for commercial projects are increasingly requiring CRA compliance evidence from vendors as a contractual condition, as non-compliant products face potential market withdrawal after the December 2027 full enforcement date. Early adopters stand to gain a competitive advantage: manufacturers delivering more secure and reliable connected products can build customer trust and strengthen their market position.
