EU Cyber Resilience Act Sets Hard Deadlines for Building IoT Vendors

The EU Cyber Resilience Act sets a binding September 2026 reporting deadline for building IoT vendors, with full compliance required by December 2027.

The EU's Cyber Resilience Act (CRA), formally Regulation EU 2024/2847, entered into force on 10 December 2024, triggering a binding compliance countdown that will reshape procurement, software architecture, and risk governance for every vendor supplying connected devices and analytics platforms to commercial buildings across Europe.

The CRA's first hard deadline arrives on 11 September 2026, when mandatory vulnerability and incident reporting obligations take effect under Article 14 of the regulation. From that date, manufacturers of products with digital elements - including IoT sensors, building management system (BMS) gateways, energy meters, and connected HVAC controllers - must report actively exploited vulnerabilities to the EU Agency for Cybersecurity (ENISA) within 24 hours of discovery. Full compliance with the regulation's security-by-design, Software Bill of Materials (SBOM), and lifecycle patching requirements is mandatory by 11 December 2027, at which point non-compliant products cannot legally be placed on the EU market.

Background

The CRA addresses what the European Commission describes as inadequate cybersecurity standards across connected hardware and software products and the persistent lack of timely security updates from vendors. It complements the NIS2 Directive, which already extends cybersecurity obligations to operators of building automation systems supporting critical services, and the EU Data Act, which has applied data-access and interoperability rules to IoT-generated data since September 2025.

The building sector carries particular exposure. Smart buildings deploy dense networks of connected endpoints - occupancy sensors, access control readers, air quality monitors, lighting controllers, and AI-driven analytics engines - across multi-vendor architectures that have historically prioritized interoperability over security hardening. According to security researchers cited by Claroty, 75% of organizations operate BMS devices with known, exploited vulnerabilities. This makes commercial building infrastructure a direct target of the CRA's scope, which explicitly covers IoT sensors, smart meters, industrial control components, and the remote data processing software that feeds AI analytics platforms.

The regulation divides products into four risk tiers - Default, Important Class I, Important Class II, and Critical - each carrying different conformity assessment requirements. According to the European Commission's implementing regulation published in November 2025, important product categories include network management systems, smart home security devices, and identity management systems; critical categories cover hardware security modules and tamper-resistant microcontrollers. Building IoT vendors whose products fall into these categories will require third-party conformity assessment by notified bodies. Member States must strive to ensure a sufficient number of notified bodies are in place by 11 December 2026.

Details

The September 2026 reporting deadline carries a technical precondition many building technology vendors have not yet met: a functional SBOM infrastructure. According to the CRA's text, manufacturers must draw up an SBOM in a commonly used, machine-readable format covering at least top-level dependencies for each product. Without this inventory, vendors cannot reliably determine within 24 hours whether a newly disclosed vulnerability affects a deployed product - a critical gap given that building IoT devices often remain in service for 10 to 15 years and run layered software stacks drawing on dozens of third-party libraries.
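As an added example (not from the article, the regulation, or any vendor's tooling), here is the triage step the SBOM is meant to enable: two constructed CycloneDX-style SBOMs for hypothetical products are matched against a constructed advisory with a placeholder identifier to find which shipped products carry an affected component version. The CycloneDX layout, product names, component names and versions are all assumptions.

```python
import json

# Constructed CycloneDX-style SBOMs, one per product, listing only top-level
# dependencies (the CRA minimum). Product and component names are hypothetical.
SBOMS = {
    "bms-gateway-g200": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "mbedtls", "version": "2.28.3"},
            {"type": "library", "name": "lwip", "version": "2.1.3"},
        ],
    }),
    "hvac-controller-h10": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "mbedtls", "version": "3.4.0"},
            {"type": "library", "name": "lwip", "version": "2.1.2"},
        ],
    }),
}

# Constructed advisory with a placeholder id (not a real CVE): one component,
# affected from 'introduced' (inclusive) up to 'fixed' (exclusive).
ADVISORY = {"id": "ADV-EXAMPLE-0001", "component": "lwip",
            "introduced": "2.0.0", "fixed": "2.1.3"}


def parse_version(v):
    """'2.1.3' -> (2, 1, 3) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_products(sboms, advisory):
    """Map each product whose SBOM lists the advisory's component in the
    affected range to the version it ships. Products with no matching entry
    or an already-fixed version are left out, which is what makes a same-day
    impact decision possible without inspecting firmware images."""
    hits = {}
    for product, sbom_json in sboms.items():
        for comp in json.loads(sbom_json).get("components", []):
            if comp["name"] == advisory["component"] and is_affected(
                    comp["version"], advisory["introduced"], advisory["fixed"]):
                hits[product] = comp["version"]
    return hits


if __name__ == "__main__":
    print(affected_products(SBOMS, ADVISORY))  # {'hvac-controller-h10': '2.1.2'}
```

Without an SBOM per shipped product, this lookup has to be replaced by manual firmware inspection for every model, which is the gap the 24-hour window exposes.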

The requirement has direct implications for AI-driven building analytics platforms. These systems ingest data streams from dozens of device types across a building portfolio, process them using machine learning models, and output operational recommendations on energy use, predictive maintenance, and occupant comfort. Under the CRA, software enabling remote data processing from IoT devices, where it is supplied in a commercial context, falls within the regulation's scope. Vendors of such platforms must maintain technical documentation, manage vulnerabilities across both their own code and integrated third-party components, and ensure continuous security update availability over the product's supported lifecycle.

For procurement teams, the CRA is already reshaping supplier qualification. According to legal analysis from YPOG, major clients and public sector bodies increasingly require compliance documentation - covering AI governance, GDPR, and cybersecurity - as part of tender processes, and companies unable to provide such evidence face a significant disadvantage. Facility managers and system integrators specifying building IoT systems for EU-market deployments should begin requiring CRA product classification evidence, SBOM availability commitments, and documented vulnerability disclosure channels as standard contract terms.

Penalties for non-compliance are substantial. Manufacturers that fail to meet CRA requirements face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. The Commission published draft implementation guidance for stakeholder feedback in March 2026, and CEN/CENELEC is developing harmonized European standards - including a specific SBOM schema - with a draft horizontal standard expected by mid-2026, according to workshop documentation published by the standardization bodies.

Outlook

With the September 2026 reporting deadline now less than four months away, vendors that have not yet established SBOM generation pipelines and incident reporting processes risk non-compliance from day one of enforcement. Conformity Assessment Body notification provisions take effect on 11 June 2026, meaning the queue for third-party assessments of Important and Critical products is expected to tighten significantly in the coming weeks. Building operators and procurement officers should use the remaining transition window to audit installed device portfolios, request SBOM documentation from existing suppliers, and align specifications with the CRA's security-by-design requirements ahead of the December 2027 full enforcement date.

For related coverage, see our previous reporting on Integrated Building Security Standards Gain Momentum and Security-by-Design Surge in Building Automation Amid Rising Cyber-Physical Risks.