The EU's Cyber Resilience Act (CRA) has introduced binding compliance deadlines that are forcing building automation and smart building IoT manufacturers to restructure product development cycles, certification processes, and supply chain practices ahead of full enforcement in December 2027.
Background
The CRA entered into force on December 10, 2024, published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. The regulation establishes compulsory cybersecurity requirements for all products containing digital elements sold in the European Union, with obligations phasing in gradually through 2027. The scope is broad, and the smart building sector sits squarely within it: like industrial machinery and medical devices, building automation systems now depend on complex software stacks, cloud services, and third-party integrations - connectivity that expands the attack surface for cyber threats.
The regulation aims to ensure that products with digital components, including IoT devices, remain secure throughout the supply chain and their full lifecycle. It is complemented by earlier obligations under the Radio Equipment Directive (RED): cybersecurity requirements for radio equipment - particularly IoT devices - already applied from August 1, 2025, under Article 3(3)(d)-(f) of the RED. The RED cybersecurity requirements overlap significantly with the CRA, and products meeting CRA essential requirements will largely satisfy RED Article 3(3)(d)-(f).
Key Deadlines and Compliance Requirements
The CRA imposes a three-stage obligation structure. Reporting obligations take effect on September 11, 2026, and the main obligations apply from December 11, 2027. At the first of those deadlines, vulnerability reporting obligations begin for all manufacturers: from that date, any actively exploited vulnerability must be reported to ENISA within 24 hours of discovery.
Products will bear the CE marking to indicate CRA compliance, and national market surveillance authorities will handle enforcement. Under the new framework, CE marking is directly tied to CRA compliance - if a product does not meet the requirements, it cannot legally carry the CE mark or be sold in the EU. Manufacturers can typically self-assess standard products, but "Important" or "Critical" products require third-party notified body assessments, and higher-risk building systems such as industrial control platforms and access management hardware are the ones most likely to fall into those classes.
On product support, manufacturers must define a support period for vulnerability management lasting at least five years, unless the expected product lifetime is shorter. Industrial products often fall into Important Class II or Critical categories; a key challenge is that long product lifecycles of 10-20 years must still meet the five-year minimum support requirement.
Non-compliance carries significant financial and market-access consequences. Products may be withdrawn from the EU market, and manufacturers face fines of up to €15 million or 2.5% of global annual turnover.
Supply Chain and Procurement Impacts
The CRA extends obligations beyond product manufacturers. IoT device importers, distributors, and resellers face substantial requirements and, in some circumstances, can be classified as manufacturers themselves. The regulation makes clear that parties along the entire supply chain share responsibility for security.
For building operators and system integrators, capacity constraints in the certification pipeline pose a near-term risk. Only a handful of certified bodies can perform conformity assessments for critical products, and demand is expected to far exceed capacity as the deadline approaches. Third-party assessments can take 4-10 months, meaning vendors that defer certification planning risk project delays that flow directly into smart building deployment timelines.
Retrofitting cybersecurity into existing designs costs five to ten times more than incorporating it from the outset, with a typical board redesign running €50,000-€200,000. Vendors that depend on white-label designs, ODM suppliers, or legacy platforms that have not been updated in years face the most acute exposure. Under the CRA, such platforms become a major liability, leaving companies to choose between retiring legacy products or building new platforms from scratch using secure-by-design principles.
Outlook
In March 2026, the European Commission published draft guidance for public feedback to help companies apply the CRA, aiming to clarify how key provisions should be interpreted and implemented. Building operators procuring IoT-enabled systems should begin verifying vendor CRA readiness now, requesting documentation on product classification, software bill of materials (SBOM) availability, and planned conformity assessment timelines. Early adopters stand to gain a competitive advantage - by delivering more secure and reliable connected products, manufacturers can strengthen customer trust and their position in an increasingly security-conscious market.
