The European Union's Cyber Resilience Act (CRA) is moving from policy to enforcement reality, with the first hard deadline - mandatory vulnerability reporting to EU authorities - less than four months away for manufacturers of connected building devices including HVAC controllers, access systems, lighting nodes, and smart meters.
The CRA entered into force on 10 December 2024 as Regulation (EU) 2024/2847. Main product obligations apply from 11 December 2027, and reporting obligations take effect on 11 September 2026. The legislation establishes the first horizontal, legally binding cybersecurity framework for all products with digital elements sold in the EU market, directly encompassing the sensor networks, gateways, and software platforms that underpin modern Building Management Systems (BMS) and Energy Management Systems (EMS).
Background
A cybersecurity incident in one connected product can affect an entire organization or supply chain, often propagating across the internal market within minutes. Prior to the CRA, various EU and national initiatives only partially addressed these risks, creating a legislative patchwork. The building sector has been particularly exposed: BMS environments are fully connected digital ecosystems in which heating, ventilation, access control, and safety systems are networked, remotely accessible, and increasingly vulnerable.
The CRA directly complements the NIS2 Directive, which targets organizational cybersecurity practices for essential service operators, while the CRA targets the security of the products themselves. As covered in our earlier analysis of integrated building security standards, NIS2 and sector frameworks such as ISA/IEC 62443 are already reshaping how building operators approach governance. The CRA adds a product-level mandate that reaches upstream to device manufacturers and component suppliers.
Details
The compliance timeline contains three distinct milestones that building technology vendors cannot ignore. On 11 June 2026, provisions governing the notification of Conformity Assessment Bodies (CABs) come into effect; by that date, manufacturers of higher-risk products must have identified, and begun working with, qualified third parties for their product assessments.
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and serious incidents to ENISA and designated national CSIRTs via a single reporting platform. Initial notification must be made within 24 hours, followed by a full report within 72 hours and a final update within 14 days of mitigation. Critically, the notification requirements apply from 11 September 2026 onward regardless of when a product in scope was placed on the market. Legacy building IoT hardware already deployed across European facilities falls within scope for reporting purposes.
Full product conformity, including secure-by-design requirements, CE marking, and post-market monitoring, becomes mandatory on 11 December 2027. Devices must include strong authentication, encrypted communications, secure boot, and safe default configurations. Manufacturers must also define a support period - lasting at least five years unless the expected product lifetime is shorter - during which they will manage vulnerabilities.
The CRA classifies products with digital elements into four risk tiers. The default category covers approximately 90% of products, comprising standard software applications, consumer electronics, and lower-risk IoT devices, for which manufacturers can self-assess conformity. Important and Critical products, however, require assessments involving a third-party notified body. For building technology, network-connected access control systems and identity management platforms are more likely to fall into the higher-risk tiers.
A practical prerequisite for the September 2026 reporting deadline is a Software Bill of Materials (SBOM) - a structured inventory of all software components in a product. Without an SBOM, vendors cannot determine whether legacy firmware running on deployed HVAC controllers or smart lighting gateways contains a newly disclosed vulnerability, making timely reporting operationally impossible.
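To make the SBOM-to-reporting dependency concrete, here is an added example (not from the article or any vendor) that checks a constructed CycloneDX-style SBOM against a constructed advisory with a placeholder identifier, then derives the 24-hour, 72-hour and 14-day reporting points the article describes. Component names, versions and the advisory are all assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed SBOM fragment in a CycloneDX-like shape; not a real product's inventory.
SBOM_JSON = """
{"metadata": {"component": {"name": "hvac-controller-fw", "version": "3.2.1"}},
 "components": [
   {"name": "mbedtls", "version": "2.28.3"},
   {"name": "lwip", "version": "2.1.2"},
   {"name": "bacnet-stack", "version": "1.0.0"}
 ]}
"""

# Constructed advisory with a placeholder id (not a real CVE); assumed fields.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "component": "lwip",
            "fixed_in": "2.1.3", "actively_exploited": True}

def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '2.1.2' -> (2, 1, 2)."""
    return tuple(int(p) for p in v.split("."))

def affected_components(sbom_text, advisory):
    """Return (name, version) of SBOM components older than the advisory's fix."""
    sbom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in sbom["components"]
            if c["name"] == advisory["component"]
            and parse_version(c["version"]) < parse_version(advisory["fixed_in"])]

def reporting_schedule(awareness_iso, mitigated_iso=None):
    """Deadlines from the moment the manufacturer becomes aware: initial notice at
    24h, full report at 72h, final update 14 days after the mitigation is available.
    Inputs and outputs are ISO 8601 strings so the result is easy to log or assert."""
    awareness = datetime.fromisoformat(awareness_iso)
    schedule = {"early_warning": (awareness + timedelta(hours=24)).isoformat(),
                "full_report": (awareness + timedelta(hours=72)).isoformat()}
    if mitigated_iso is not None:
        mitigated = datetime.fromisoformat(mitigated_iso)
        schedule["final_update"] = (mitigated + timedelta(days=14)).isoformat()
    return schedule

def assess(sbom_text, advisory, awareness_iso):
    """Decide whether the advisory triggers a report for this SBOM and, if so,
    attach the schedule. Only actively exploited, affecting vulnerabilities count."""
    hits = affected_components(sbom_text, advisory)
    reportable = bool(hits) and advisory["actively_exploited"]
    result = {"advisory": advisory["id"], "affected": hits, "reportable": reportable}
    if reportable:
        result["schedule"] = reporting_schedule(awareness_iso)
    return result

if __name__ == "__main__":
    print(json.dumps(assess(SBOM_JSON, ADVISORY, "2026-09-11T08:00:00+00:00"), indent=2))
```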
Non-compliance carries material financial consequences. Products may be withdrawn from the EU market, and manufacturers face fines of up to €15 million or 2.5% of global annual turnover. As a regulation - not a directive - the CRA is directly applicable in all EU member states without the need for local implementing laws.
In March 2026, the European Commission published draft guidance to help manufacturers, developers, and other stakeholders understand their obligations under the regulation and ensure a consistent approach across the EU. The consultation closed that same month, with finalized guidance expected to inform how building IoT vendors structure conformity documentation.
Outlook
The first standardization deliverables - horizontal and product-specific harmonized standards - are expected in Q3 2026, giving building technology manufacturers clearer technical benchmarks against which to assess conformity. Procurement teams across commercial real estate portfolios are expected to accelerate requests for CRA compliance declarations and SBOM disclosures from technology vendors ahead of the December 2027 product deadline. Tenants and investors are increasingly evaluating a building's digital resilience before signing leases or financing projects, adding commercial pressure that may push vendor timelines beyond the regulatory minimum.
