Europe's Cyber Resilience Act (CRA) is forcing manufacturers and importers of connected building devices - from HVAC controllers and lighting management nodes to smart locks and occupancy sensors - into a defined compliance sequence with enforceable legal consequences. The regulation entered into force on 10 December 2024, with reporting obligations taking effect on 11 September 2026 and full product requirements applying from 11 December 2027. With less than four months until the first operational deadline, building automation vendors that have not yet activated vulnerability monitoring and disclosure processes face immediate non-compliance risk.
Background
Before the CRA, EU and national initiatives only partially addressed cybersecurity risks in connected products, creating a legislative patchwork that increased legal uncertainty for manufacturers and users alike and added compliance burdens for similar product types. The regulation - formally adopted as Regulation (EU) 2024/2847 - establishes a unified legal framework for product cybersecurity across the EU. Unlike NIS2, which focuses on the network and information systems of organisations, the CRA targets the cybersecurity of hardware and software products themselves. Industrial machinery and building automation systems now rely on complex software stacks, cloud services, and third-party integrations - connectivity that expands the attack surface for cyber threats.
The regulation applies across all 27 member states and binds manufacturers regardless of where they are headquartered. Manufacturers based outside the EU fall within scope if their products reach the EU market: a US-based SaaS company selling into Germany, a Japanese IoT vendor shipping to France, and an open-source foundation distributing commercial support contracts in the Netherlands are all subject to the CRA.
Key Deadlines and What They Require
The compliance timeline is phased across three critical dates. On 11 June 2026, provisions on notification of conformity assessment bodies take effect. Organisations must have identified and begun working with qualified third parties for product assessments.
The more immediate operational pressure arrives on 11 September 2026. From that date, mandatory reporting of actively exploited vulnerabilities and security issues becomes legally binding for any product with digital elements on the EU market, regardless of when it was first released - legacy products are not exempt. The reporting cadence is fixed: a 24-hour early warning, followed by a 72-hour notification, and a 14-day or one-month final report depending on event type. For building IoT vendors whose portfolios include controllers and sensors shipped years earlier, the absence of a complete software bill of materials (SBOM) and real-time vulnerability monitoring means they may not know whether a product is affected within the required time window - and by the time a manual investigation concludes, the 24-hour clock will have expired.
Full CRA enforcement begins on 11 December 2027, at which point all new products placed on the EU market must carry CE marking, pass conformity assessments, and meet secure-by-design requirements. Non-compliance can trigger fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. Products may also be withdrawn from the EU market entirely.
The CRA classifies products into four risk tiers - default, Important Class I, Important Class II, and Critical - with increasingly rigorous conformity assessment requirements. Default products may self-attest. Important Class I products may use harmonised standards or a notified body. Important Class II products, such as firewalls and endpoint detection tools, require mandatory third-party assessment. Most standard building IoT devices - lighting controls, environmental sensors, and access readers without privileged network roles - are expected to fall into the default category, allowing manufacturer self-attestation. However, devices that function as network gateways or provide identity management could be classified at higher tiers.
The CRA mandates a machine-readable SBOM, secure-by-design engineering, coordinated vulnerability disclosure, and security updates for the product's expected lifetime. On 3 March 2026, the European Commission published draft guidance to help companies apply the CRA, clarifying how key provisions should be interpreted and implemented.
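The dependence on a complete SBOM described under the September 2026 deadline and the machine-readable SBOM requirement above reduce to one operational check a manufacturer has to be able to run quickly: given an advisory for a component, which shipped products contain an affected version, and when do the 24-hour, 72-hour and 14-day reporting clocks run out from the moment of awareness. The Python below is an added illustration, not code from the article or from any vendor or standards body; the product names, CycloneDX-style SBOMs, component versions and the advisory identifier are constructed placeholders, and the version comparison is a simplified strictly-below check rather than a full semver or purl matcher.

```python
"""
Added example: match a vulnerability advisory against per-product SBOMs and
derive CRA reporting deadlines from the awareness time.

Everything below is constructed sample data. The product identifiers,
component versions and the advisory id "ADV-PLACEHOLDER-0001" are
placeholders, not real products, real releases or a real CVE.
"""
from datetime import datetime, timedelta

# Constructed CycloneDX-style SBOMs, one per shipped firmware line. A real
# SBOM would also carry purl/CPE identifiers and nested components; name and
# version are enough to show the matching step.
SBOMS = {
    "hvac-controller-fw-3.1": {
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "mbedtls", "version": "2.28.3"},
            {"name": "lwip", "version": "2.1.3"},
            {"name": "bacnet-stack", "version": "1.0.0"},
        ],
    },
    "lighting-node-fw-1.7": {
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "wolfssl", "version": "5.6.0"},
            {"name": "lwip", "version": "2.1.3"},
        ],
    },
    "smart-lock-fw-2.0": {
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "mbedtls", "version": "2.16.12"},
            {"name": "zephyr", "version": "3.4.0"},
        ],
    },
    "occupancy-sensor-fw-4.2": {
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "mbedtls", "version": "2.28.8"},
        ],
    },
}

# Constructed advisory: every version of the component strictly below
# "affected_below" is vulnerable. "actively_exploited" is what triggers the
# CRA reporting obligation in the first place.
ADVISORY = {
    "id": "ADV-PLACEHOLDER-0001",  # placeholder, not a real identifier
    "component": "mbedtls",
    "affected_below": "2.28.5",
    "actively_exploited": True,
}


def parse_version(version):
    """Turn '2.28.3' or '2.28.3-rc1' into a comparable tuple of ints.

    Pre-release suffixes after '-' are dropped; this is deliberately a
    simplified comparison, not a semver implementation.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(component_version, affected_below):
    """True when component_version sorts strictly below the fixed version."""
    return parse_version(component_version) < parse_version(affected_below)


def affected_products(sboms, advisory):
    """Return {product_id: [(component, version), ...]} for every product
    whose SBOM lists an affected version of the advisory's component."""
    hits = {}
    for product_id, sbom in sboms.items():
        matches = [
            (c["name"], c["version"])
            for c in sbom.get("components", [])
            if c["name"] == advisory["component"]
            and is_affected(c["version"], advisory["affected_below"])
        ]
        if matches:
            hits[product_id] = matches
    return hits


def reporting_deadlines(awareness_iso):
    """CRA reporting clocks measured from the awareness timestamp (ISO 8601).

    The article gives a 24-hour early warning, a 72-hour notification and a
    14-day or one-month final report depending on event type; the one-month
    variant is calendar-dependent and is not computed here.
    """
    awareness = datetime.fromisoformat(awareness_iso)
    return {
        "early_warning": (awareness + timedelta(hours=24)).isoformat(),
        "notification": (awareness + timedelta(hours=72)).isoformat(),
        "final_report_14_days": (awareness + timedelta(days=14)).isoformat(),
    }


def triage(sboms, advisory, awareness_iso):
    """Combine the SBOM match and the deadlines into one report dict."""
    report = {"advisory": advisory["id"], "affected": affected_products(sboms, advisory)}
    if advisory.get("actively_exploited") and report["affected"]:
        report["deadlines"] = reporting_deadlines(awareness_iso)
    return report


if __name__ == "__main__":
    print(triage(SBOMS, ADVISORY, "2026-09-11T09:00:00+00:00"))
```

The point of keeping the SBOMs per shipped firmware line rather than per current release is that legacy products on the market are in scope; a lookup that only covers the latest build would miss the two older firmware lines that this sample flags.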
Outlook
First standardisation deliverables - including horizontal and product-specific standards - are expected in Q3 2026. A delegated act specifying the presumption of conformity for the European Cybersecurity Certification scheme under the EUCC is anticipated in Q4 2026.
For building technology integrators and facility managers, the approach of the September 2026 deadline makes supplier documentation audits an immediate procurement requirement. Manufacturers that embed security by design, monitor for vulnerabilities throughout the product lifecycle, and ensure products can be updated securely will be better positioned in procurement evaluations as purchasers increasingly stipulate CRA-readiness. Vendors that delay remediation of known weaknesses in legacy building products may face the combined exposure of mandatory regulatory disclosure and market withdrawal under a single enforcement action.
For background on industry-wide security baseline initiatives affecting smart buildings, see our earlier coverage on Integrated Building Security Standards Gain Momentum and Security-by-Design Surge in Building Automation.
