EU Cyber Resilience Act Reporting Deadline Forces Building IoT Vendors to Act

The EU Cyber Resilience Act's September 2026 reporting deadline requires building IoT vendors to report exploited vulnerabilities within 24 hours or face penalties up to €15M.

With less than four months until the EU Cyber Resilience Act's (CRA) first binding enforcement milestone, manufacturers of connected building products face a hard legal deadline: from 11 September 2026, all actively exploited vulnerabilities must be reported to ENISA, the EU Agency for Cybersecurity, within 24 hours of discovery. The obligation applies regardless of when the product was first shipped, placing legacy building automation hardware - including field controllers, gateways, and access management systems already installed across European commercial premises - squarely in scope alongside new product launches.

Background

The CRA, formally designated Regulation (EU) 2024/2847, entered into force on 10 December 2024. It establishes mandatory cybersecurity requirements for any "product with digital elements" placed on the EU market, shifting product security from voluntary practice to a condition of market access. According to the European Commission, the regulation builds on the 2020 EU Cybersecurity Strategy and complements the NIS2 Directive, which targets organizational cybersecurity obligations for operators of essential services. Where NIS2 governs how building owners and facility operators manage cyber risk within their organizations, the CRA targets the security of the products those organizations procure and deploy.

The regulation enforces a phased timeline. Vulnerability and incident reporting obligations take effect on 11 September 2026, while full compliance - including CE marking and conformity assessment - is required from 11 December 2027. The European Commission published draft guidance for public feedback in March 2026 to help manufacturers interpret their obligations, with a particular focus on easing compliance for small and medium-sized enterprises.

Details

The CRA's scope is deliberately broad. According to the regulation's text and accompanying implementing measures, in-scope products include connected hardware such as industrial controllers, sensors, and smart building devices; embedded firmware in any connected device; and remote data processing solutions - such as cloud back-ends - essential for a product to function. The Commission's November 2025 implementing regulation (EU) 2025/2392 provides product-category detail for important and critical classifications, which carry stricter conformity assessment routes requiring third-party notified body involvement.

For the building IoT segment, products such as network-connected access control systems and smart security cameras fall within the "Important Class I" category, according to analysis of the implementing regulation. Default-category products - covering the majority of lower-risk connected devices - may self-certify compliance through an internal control procedure without engaging a notified body. Higher-risk classifications require either EU-type examination or full quality assurance procedures.

The September 2026 reporting deadline carries a critical - and widely underestimated - implication for legacy products. Under the CRA's Article 69(3), reporting obligations apply to all products with digital elements still on the market before the December 2027 full-compliance date, not only newly launched hardware. Manufacturers lacking a software bill of materials (SBOM) and automated vulnerability-tracking capabilities will be unable to meet the 24-hour notification window. The CRA mandates machine-readable SBOMs, secure-by-design engineering, coordinated vulnerability disclosure, and security updates for the product's expected lifetime.
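The paragraph above ties the 24-hour window to two capabilities: a machine-readable SBOM and automated vulnerability tracking. The script below is an added illustration of how those fit together; it is not code from the article, ENISA or any vendor. It loads a minimal CycloneDX-style SBOM for a hypothetical gateway, cross-references it against a constructed stand-in for an exploited-vulnerability feed, and computes the report-by time for each match. The SBOM contents, the feed entries, their placeholder IDs and the timestamps are all constructed; matching is on the full package URL, which means exact component version (a real pipeline would also need version-range handling and a source of the vendor's own "became aware" time).

```python
"""Correlate a machine-readable SBOM with an exploited-vulnerability list.

Added illustration for the 24-hour reporting window: the SBOM is a minimal
CycloneDX-style JSON document and the "exploited" list is a constructed
stand-in for whatever feed a vendor actually consumes. Neither comes from
the article. Matching is on package URL (purl), i.e. exact version.
"""
import json
from datetime import datetime, timedelta

# Length of the reporting window discussed in the article.
REPORTING_WINDOW = timedelta(hours=24)

# Constructed CycloneDX-style SBOM for a hypothetical building gateway.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-bms-gateway", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.8.2", "purl": "pkg:generic/libfoo@1.8.2"},
    {"type": "library", "name": "libbar", "version": "2.0.1", "purl": "pkg:generic/libbar@2.0.1"},
    {"type": "library", "name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"}
  ]
}
"""

# Constructed stand-in for an exploited-vulnerability feed. The IDs are
# placeholders, not real CVEs; "aware_at" stands for the moment the vendor
# became aware of active exploitation.
EXPLOITED = [
    {"id": "VULN-PLACEHOLDER-001", "purl": "pkg:generic/libfoo@1.8.2",
     "aware_at": "2026-09-12T08:30:00+00:00"},
    {"id": "VULN-PLACEHOLDER-002", "purl": "pkg:generic/libqux@3.1.0",
     "aware_at": "2026-09-12T09:00:00+00:00"},
]


def find_exploited_components(sbom_json, exploited):
    """Return one record per SBOM component that appears in the exploited list.

    Each record carries the product, the affected component and version, the
    vulnerability ID and the report-by timestamp (aware_at + 24h, ISO 8601).
    """
    sbom = json.loads(sbom_json)
    by_purl = {c["purl"]: c for c in sbom.get("components", []) if c.get("purl")}
    product = sbom["metadata"]["component"]
    hits = []
    for vuln in exploited:
        comp = by_purl.get(vuln["purl"])
        if comp is None:
            continue  # component not shipped in this product
        aware = datetime.fromisoformat(vuln["aware_at"])
        hits.append({
            "product": f"{product['name']} {product['version']}",
            "component": comp["name"],
            "version": comp["version"],
            "vuln_id": vuln["id"],
            "report_by": (aware + REPORTING_WINDOW).isoformat(),
        })
    return hits


def hours_remaining(report_by_iso, now_iso):
    """Hours left until the report-by time; negative once the window has passed."""
    delta = datetime.fromisoformat(report_by_iso) - datetime.fromisoformat(now_iso)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    for hit in find_exploited_components(SBOM_JSON, EXPLOITED):
        left = hours_remaining(hit["report_by"], "2026-09-12T20:30:00+00:00")
        print(f"{hit['product']}: {hit['component']} {hit['version']} "
              f"({hit['vuln_id']}) report by {hit['report_by']}, {left:.1f} h left")
```

Run over many SBOMs at once, the same join tells a vendor which shipped products, including legacy ones still on the market, carry an exploited component, which is the inventory question the 24-hour clock forces.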

Enforcement authority rests with national market surveillance authorities, which each EU member state must designate under the CRA's Chapter V provisions. Those bodies may initiate product evaluations for items presenting significant cybersecurity risk and require manufacturers to take corrective or restrictive action. Non-compliance carries penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher, though microenterprises and small enterprises may not be fined for failures to meet the 24-hour reporting deadline.

Outlook

Building owners and facility managers procuring connected systems ahead of the December 2027 full-compliance date should request documented evidence of CRA readiness from vendors - including product classification, SBOM availability, and a defined security update commitment period. Procurement teams at NIS2-covered organizations face an additional consideration: the two regulations intersect such that a CRA-noncompliant product causing a security incident at an essential-services operator could trigger liability under both frameworks simultaneously. The European Commission's finalized guidance, expected following the March 2026 consultation, will provide further interpretive clarity on scope boundaries, particularly around remote data processing components integrated into building management platforms.