More than 40 billion IoT devices are projected to be operational worldwide by 2030, and a significant share will be embedded in commercial buildings across Europe, managing HVAC systems, access control, smart metering, and building automation infrastructure. Until now, the cybersecurity of those devices has been governed largely by voluntary guidelines and fragmented national rules. That changes with the EU Cyber Resilience Act (CRA).
The CRA entered into force on 10 December 2024, establishing mandatory, market-wide cybersecurity requirements for all products with digital elements sold in the European Union. For building IoT vendors, and for the facility managers, system integrators, and procurement officers who specify their products, the compliance clock is already running, and the first hard deadline (June 2026) is less than six months away.
What the CRA Actually Requires
The CRA is not a sector-specific directive. It applies to all hardware and software products with digital elements placed on the EU market, including IoT sensors, smart meters, IP cameras, industrial control systems, firmware, and the remote data processing solutions tied to them. Building automation systems (BAS), HVAC controllers, access control gateways, and lighting management platforms all fall squarely within scope.
The regulation is the first EU-wide legislation to impose mandatory cybersecurity requirements on connected products, shifting accountability firmly onto manufacturers rather than end-users or operators.
Core obligations for manufacturers include:
- Security-by-design: Products must be designed with minimal attack surfaces, secure default configurations, and protection against unauthorized access and data interception.
- Vulnerability handling: Manufacturers must identify, document, and remediate vulnerabilities, maintain an accessible channel for external security researchers to report them, and provide free security updates for the product's support period. The support period must reflect the product's expected time in use and be at least five years unless the product is expected to be in use for less.
- Software Bill of Materials (SBOM): Manufacturers must generate an SBOM in a commonly used, machine-readable format (the CRA does not mandate a specific format) covering at least the product's top-level dependencies, kept current and made available to market surveillance authorities on request. The SBOM is an internal vulnerability-handling artefact; the CRA does not require it to be shipped to end users.
- Conformity assessment: Depending on a product's risk classification, manufacturers must either self-certify or submit to third-party evaluation by a notified body before affixing CE marking.
- Documentation retention: Technical documentation, SBOMs, and the EU Declaration of Conformity must be retained for 10 years or the support period, whichever is longer.
Three Deadlines That Define the Compliance Window
Understanding when each obligation takes effect is critical for planning. The CRA operates on a phased timeline:
| Date | Milestone | What It Means |
|---|---|---|
| 10 Dec 2024 | CRA enters into force | Transition period begins; vendors should audit product portfolios |
| 11 Jun 2026 | Conformity assessment bodies notified | Third-party notified bodies become operational; high-risk BAS/IoT devices can begin certification |
| 11 Sep 2026 | Mandatory vulnerability & incident reporting begins | Manufacturers must send an early warning on actively exploited vulnerabilities and severe incidents to ENISA and the coordinating national CSIRT within 24 hours of becoming aware |
| 11 Dec 2027 | Full CRA enforcement | All essential requirements mandatory; non-compliant products barred from EU market |
The September 2026 deadline is the one many vendors are underestimating. From 11 September 2026, manufacturers must notify actively exploited vulnerabilities and severe security incidents to ENISA and the designated national CSIRT through the single reporting platform: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities (one month for incidents). This applies to products already on the market, not just new releases. The practical consequence: a vendor cannot learn within 24 hours that an exploited upstream flaw affects its firmware unless it already knows which components that firmware contains. SBOM infrastructure and vulnerability monitoring therefore need to be in place before this date, even though the full set of essential requirements, SBOM obligations included, only becomes enforceable in December 2027. Building operators relying on legacy BAS devices should note that this reporting obligation extends to products already deployed.
Risk Classification and What It Means for BAS Devices
Not all building IoT products face identical compliance pathways. The CRA uses a four-tier risk classification, Default, Important Class I, Important Class II, and Critical, that determines the conformity assessment route.
- Default products (many basic IoT sensors and non-networked devices) can follow a self-assessment route (internal control by the manufacturer).
- Important Class I products may still self-assess, but only if the manufacturer fully applies a harmonised standard, common specification, or European cybersecurity certification scheme covering the essential requirements; otherwise third-party assessment is required.
- Important Class II and Critical products must undergo third-party assessment by a notified body. Critical products may additionally be required to obtain a European cybersecurity certificate once a relevant scheme exists.
The European Commission published an implementing regulation in November 2025 formally defining the technical descriptions for important and critical product categories. Building operators and integrators specifying products in high-risk categories, such as network-connected access control systems or BAS gateways with privileged network access, should confirm their vendors' certification pathway and expected timeline before committing to long-term contracts.
Our earlier analysis on integrated building security standards covered how the CRA sits alongside the NIS2 Directive, which separately governs how operators of essential services manage their own cybersecurity posture. Both regimes apply simultaneously to many commercial building portfolios.
Procurement and Interoperability: The Hidden Upside
Beyond the compliance burden, the CRA introduces structural changes that could benefit building operators in the medium term.
Standardized security baselines will simplify procurement. Today, evaluating the cybersecurity posture of competing BAS vendors requires significant internal expertise and relies on inconsistent vendor disclosures. Under the CRA, mandatory SBOM availability, documented vulnerability handling policies, and CE marking for compliant products will give procurement teams a common evidential baseline. Shorter due-diligence cycles become feasible once vendors demonstrate conformity.
Interoperability friction should decrease. A significant share of BAS integration complexity stems from inconsistent security implementations across multi-vendor deployments: varying authentication mechanisms, incompatible update architectures, and undocumented software dependencies. As vendors align to common CRA requirements and emerging harmonised standards, the shared security baseline will reduce integration surface area. The trend toward open, multi-vendor smart building architectures stands to benefit directly from this harmonisation.
Supply chain accountability becomes explicit. The CRA makes manufacturers responsible for cybersecurity throughout their supply chains; if a component supplier fails to provide required security documentation, the finished product cannot achieve compliance. For building operators, this shifts contractual leverage: vendors who cannot demonstrate supply chain traceability can be excluded from tender processes on objective grounds.
What This Demands of Building IoT Vendors, Especially Smaller OEMs
For larger BAS and IoT vendors with established software development practices, the CRA represents an accelerated formalization of processes many already operate informally. The heavier burden falls on smaller OEMs: the specialist manufacturers of niche sensors, proprietary gateways, and embedded controllers that populate many commercial building deployments.
Specific operational investments required include:
- Secure software development lifecycle (SSDLC): Embedding security requirements at the design phase, not retrofitting them. This means threat modeling, secure coding standards, and mandatory security testing prior to release.
- Patch management infrastructure: Establishing over-the-air (OTA) update capability and committing to defined support periods with free security updates.
- SBOM generation and maintenance: Implementing tooling to produce machine-readable SBOMs and keep them current as firmware and component versions change across a product fleet.
- Vulnerability disclosure processes: Creating and publicizing a formal channel for external researchers to report vulnerabilities, with defined internal triage and remediation timelines.
- Conformity documentation: Assembling technical documentation across engineering, quality, procurement, and IT systems sufficient to demonstrate compliance, a process that can take months when done manually.
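The SBOM items above (machine-readable, kept current as firmware versions change, usable for vulnerability matching) are where most smaller OEMs start from nothing. The following script is an added example, not code from the original article or from any vendor it describes. It renders a firmware component manifest as a CycloneDX 1.5 JSON document (one of the two commonly used SBOM formats, the other being SPDX; the CRA names neither), flags the entries that would make the SBOM useless for advisory matching, and computes the component delta between two firmware releases so that only changed components need re-evaluation. The manifests, component names, version numbers and package URLs are constructed for illustration; in a real pipeline they come from the build system.

```python
"""Build a CycloneDX JSON SBOM from a firmware manifest, check its quality,
and diff two firmware releases. Added example with constructed data."""
import json
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "1.5"  # CycloneDX JSON spec version emitted below

# Constructed manifests for a hypothetical BAS gateway firmware. The
# "vendor-ota-agent" entry in 2.3.0 is deliberately incomplete to show
# the quality check firing.
FW_2_3_0 = {
    "name": "bas-gateway-fw",
    "version": "2.3.0",
    "components": [
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"},
        {"name": "bacnet-stack", "version": "1.3.2", "purl": "pkg:generic/bacnet-stack@1.3.2"},
        {"name": "vendor-ota-agent", "version": "", "purl": ""},
    ],
}
FW_2_4_0 = {
    "name": "bas-gateway-fw",
    "version": "2.4.0",
    "components": [
        {"name": "openssl", "version": "3.0.15", "purl": "pkg:generic/openssl@3.0.15"},
        {"name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"},
        {"name": "mosquitto", "version": "2.0.18", "purl": "pkg:generic/mosquitto@2.0.18"},
        {"name": "vendor-ota-agent", "version": "1.0.4", "purl": "pkg:generic/vendor-ota-agent@1.0.4"},
    ],
}


def build_sbom(manifest: dict) -> dict:
    """Render a manifest as a CycloneDX JSON document listing top-level deps."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": SPEC_VERSION,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",  # unique per SBOM document
        "version": 1,  # revision of this SBOM document, not of the firmware
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "name": manifest["name"], "version": manifest["version"]},
        },
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"]}
            for c in manifest["components"]
        ],
    }


def check_sbom_quality(sbom: dict) -> list:
    """Return findings that would block matching this SBOM against advisories."""
    findings = []
    seen = set()
    for c in sbom.get("components", []):
        ref = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append("component without a name")
        if not c.get("version"):
            findings.append(f"{ref}: missing version (cannot be matched against advisories)")
        if not c.get("purl"):
            findings.append(f"{ref}: missing purl (no stable identifier)")
        key = (c.get("name"), c.get("version"))
        if key in seen:
            findings.append(f"{ref}@{c.get('version')}: duplicate entry")
        seen.add(key)
    return findings


def diff_sboms(old: dict, new: dict) -> dict:
    """Component-level delta between two SBOMs: added, removed, version changes."""
    old_v = {c["name"]: c["version"] for c in old["components"]}
    new_v = {c["name"]: c["version"] for c in new["components"]}
    return {
        "added": sorted(set(new_v) - set(old_v)),
        "removed": sorted(set(old_v) - set(new_v)),
        "changed": sorted(
            (n, old_v[n], new_v[n]) for n in set(old_v) & set(new_v) if old_v[n] != new_v[n]
        ),
    }


if __name__ == "__main__":
    old, new = build_sbom(FW_2_3_0), build_sbom(FW_2_4_0)
    print(json.dumps(new, indent=2))
    for finding in check_sbom_quality(old):
        print("2.3.0 quality:", finding)
    print("delta 2.3.0 -> 2.4.0:", json.dumps(diff_sboms(old, new)))
```

The quality check matters more than the rendering: an entry without a version or a package URL cannot be matched against a CVE or vendor advisory, so a reporting clock that starts on "awareness" is effectively impossible to meet for that component. The delta function is what keeps the SBOM current across a fleet, since only added or changed components need fresh vulnerability screening before a release ships.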
Non-compliant products face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, and can be barred from the EU market entirely. For OEMs whose revenue depends on European commercial real estate and public-sector building portfolios, the commercial exposure is substantial.
Our feature on the security-by-design surge in building automation provides additional context on how leading vendors are already restructuring product development to accommodate these requirements.
Actionable Steps for Building Owners and Facility Managers
The CRA primarily targets manufacturers, but building owners, facility managers, and procurement officers carry indirect obligations, and significant leverage. Practical steps to take now:
- Audit your current BAS and IoT vendor base for CRA readiness. Request information on SBOM availability, vulnerability disclosure policies, and planned conformity assessment timelines.
- Update tender specifications to require CRA compliance evidence as a mandatory criterion, including CE marking status, SBOM availability, and patch management commitments, for all connected building system procurements.
- Engage system integrators early to assess the compliance status of multi-vendor deployments and identify gaps in component-level supply chain documentation.
- Review long-term support clauses in existing vendor contracts. CRA requirements extend through a product's supported lifespan; vendors who cannot guarantee security updates for the contracted period create long-term compliance exposure.
- Align with NIS2 obligations if your organization operates essential services. The intersection of NIS2 operational requirements and CRA product requirements demands coordinated governance, not siloed compliance workstreams.
FAQ
Which building IoT products fall under the CRA? The CRA applies broadly to products with digital elements that connect to a network or another device. BAS controllers, HVAC sensors, smart meters, IP cameras, access control systems, lighting management gateways, and their firmware all fall within scope. Components sold separately, such as embedded modules, are also covered.
Do smaller building IoT OEMs face the same requirements as large vendors? In principle, yes. Smaller manufacturers benefit from limited carve-outs-microenterprises and small enterprises may not be fined for failures to meet the 24-hour reporting deadline in specific circumstances-but they must still meet essential cybersecurity requirements and produce conformity documentation. The investment required is significant for organizations without established security development practices.
How does the CRA interact with NIS2? The CRA regulates the cybersecurity of products, while NIS2 governs how operators of essential and important services manage their own cybersecurity. For building operators in sectors such as energy or public administration, both regimes apply simultaneously and require coordinated compliance strategies.
When should procurement teams start adjusting vendor selection criteria? Immediately. Complex BAS integration projects can have procurement and implementation cycles of 12-24 months. Including CRA readiness criteria in tender specifications now (SBOM availability, patch management policies, conformity assessment status) allows organizations to avoid inheriting non-compliant infrastructure ahead of the December 2027 enforcement date.
