The EU Cyber Resilience Act (CRA) imposes a staggered series of legally binding compliance deadlines on manufacturers and distributors of building IoT devices, with the first enforcement obligations already active and the next critical date just months away. Published as Regulation (EU) 2024/2847 and entered into force on 10 December 2024, the CRA establishes mandatory cybersecurity requirements for all connected hardware and software sold on the European market - a scope that directly encompasses smart thermostats, access controllers, occupancy sensors, BMS gateways, and industrial control systems used in commercial buildings.
Background
Prior to the CRA, cybersecurity requirements for IoT products were fragmented across national frameworks and sector-specific directives, creating inconsistent obligations for manufacturers and purchasers; according to the European Commission, earlier EU and national initiatives only partially addressed the cybersecurity risks of digital products, leaving a legislative patchwork within the internal market. The CRA replaces that patchwork with a single horizontal framework applicable to virtually all products with digital elements - defined as any hardware or software whose intended use includes a direct or indirect data connection to a device or network.
An earlier layer of obligations, less widely understood among building technology vendors, is already active. Cybersecurity requirements under the Radio Equipment Directive (RED) Delegated Regulation 2022/30 have applied since 1 August 2025 to all internet-capable wireless devices - including those using Wi-Fi, Bluetooth, Zigbee, LoRaWAN, and cellular connectivity. Under these RED provisions, devices must not adversely affect network integrity, must protect personal data and user privacy, and must support anti-fraud mechanisms. According to legal analysis published by Reed Smith, many economic operators remain unaware that these RED obligations predate the CRA's own enforcement schedule, applying immediately rather than in 2026 or 2027.
Details
The CRA's compliance schedule operates in three formal phases. Chapter IV of the CRA, governing the notification of conformity assessment bodies, applies from 11 June 2026, with vulnerability and incident reporting obligations under Article 14 taking effect from 11 September 2026, according to the European Commission's official legislative summary. Full CRA compliance, covering all essential cybersecurity requirements for products placed on the EU market, is mandatory from 11 December 2027.
The September 2026 deadline is particularly consequential for building IoT vendors. From 11 September 2026, all manufacturers of products with digital elements must report any actively exploited vulnerability to ENISA and designated national Computer Security Incident Response Teams (CSIRTs) within 24 hours of discovery - an obligation that extends to legacy products already on the market. Meeting this requirement demands that manufacturers have a Software Bill of Materials (SBOM) infrastructure in place: the CRA explicitly requires manufacturers to identify and document components in their products, including drawing up an SBOM in a commonly used, machine-readable format covering at least top-level dependencies, per Annex I of the regulation.
The CRA applies a three-tier risk classification that determines the conformity assessment path. The default category, covering the majority of building IoT devices, permits manufacturer self-assessment; Important Class I products can self-assess against harmonized standards where available, but require third-party assessment if no applicable harmonized standard exists; Important Class II and Critical products require mandatory third-party conformity assessment in all cases. The European Commission published Commission Implementing Regulation (EU) 2025/2392 on 1 December 2025, entering into force on 21 December 2025, providing detailed definitions of which products qualify as "important" or "critical", according to legal firm HSF Kramer. Classification depends on a product's core functionality, not incidental features.
For facility managers and procurement officers, the implications are direct: devices sourced after December 2027 that lack CRA conformity documentation and CE marking cannot lawfully be placed on the EU market. Non-compliant products face loss of CE marking and market access, while penalties for manufacturers are set at the national level within the framework established by the CRA. The European Commission published draft guidance on CRA implementation on 3 March 2026 for stakeholder feedback, aiming to help manufacturers and economic operators apply the regulation consistently across the EU.
Supply chain exposure is a further consideration. IoT device importers, distributors, and resellers carry significant responsibilities under the CRA and in some circumstances may themselves be treated as manufacturers, according to regulatory guidance. Building operators sourcing devices through third-party system integrators should seek contractual assurances covering vulnerability disclosure practices, patch lifecycle commitments, and conformity assessment documentation.
Outlook
Harmonized technical standards supporting CRA implementation are being developed, with adoption of most expected in Q3 or Q4 2026 - meaning many manufacturers will face conformity assessment decisions before finalized reference standards are available. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements remain valid until 11 June 2028 unless they expire before that date, per the Commission's legislative text. Facility operators specifying building IoT equipment for projects with commissioning dates after mid-2026 should require evidence of CRA readiness from vendors as part of their procurement and specification process.
For related context, see our earlier coverage on integrated building security standards and security-by-design in building automation.
