
EU Cyber Resilience Act Tightens Deadlines for Building IoT Vendors

EU Cyber Resilience Act deadlines explained for building IoT vendors: Sept 2026 reporting mandate, Dec 2027 full enforcement, and impacts on BAS procurement.


Vendors supplying connected sensors, lighting controllers, building automation system (BAS) components, and smart metering devices to the European market face a binding two-stage compliance schedule under Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA), with the first hard deadline now less than four months away. The CRA entered into force on 10 December 2024, with mandatory vulnerability reporting obligations taking effect from 11 September 2026 and full enforcement of all product security requirements from 11 December 2027. The regulation shifts product cybersecurity from voluntary practice to a condition of EU market access, affecting manufacturers and importers regardless of geographic headquarters.

Background

Regulation (EU) 2024/2847 applies to hardware and software products with digital elements placed on the EU market, making product cybersecurity a market-access requirement. For the building sector, this captures a broad range of connected infrastructure: in-scope categories include IoT sensors, smart meters, cameras, and industrial control systems. The building IoT segment faces particular exposure because, as the European Union Agency for Cybersecurity (ENISA) has noted, digital products are increasingly embedded in critical systems such as energy infrastructure and industrial automation, expanding the attack surface, particularly across software supply chains and connected devices.

The CRA complements but does not replace the NIS2 Directive. NIS2 focuses on organizational cybersecurity, while the CRA targets the products themselves. Vendors whose devices contain wireless connectivity also face overlap with the EU Radio Equipment Directive (RED), whose cybersecurity provisions partially pre-empt elements of the CRA.

Compliance Details

Chapter IV, covering notification of conformity assessment bodies, applies from 11 June 2026, while the reporting obligations in Article 14 apply from 11 September 2026. From that date, all manufacturers of products with digital elements shipped to the EU (including IoT devices and embedded systems) must report actively exploited vulnerabilities within 24 hours to ENISA and designated national Computer Security Incident Response Teams (CSIRTs). Notably, reporting obligations apply to all products with digital elements available on the EU market, including those placed on the market before 11 December 2027.

By 11 December 2027, full CRA requirements will apply, mandating secure-by-design development, CE marking, conformity assessments, and lifecycle vulnerability management for all products with digital elements on the EU market.

The CRA divides products into four risk classes, each with distinct compliance requirements. Lower-risk building IoT devices (such as standard room sensors) may qualify for manufacturer self-assessment, while higher-risk components including smart meter gateways require third-party conformity assessment. Commission Implementing Regulation (EU) 2025/2392, establishing technical descriptions of important and critical product categories under the CRA, was signed on 28 November 2025 and published in the Official Journal on 1 December 2025. Smart meter gateways for electricity, gas, heat, and other metering systems are specifically listed, with requirements for cryptographic protection and secure communication layers.

For procurement officers and facility managers specifying BAS equipment, the CRA introduces requirements for documented Software Bills of Materials (SBOMs). SBOMs are encouraged to improve transparency and enable better supply chain risk management; according to the National Institute of Standards and Technology (NIST), SBOMs provide a structured inventory of software components, improving visibility and risk assessment across supply chains. Without accurate SBOMs, dependency tracking, or automated vulnerability correlation, meeting a 24-hour reporting requirement becomes extremely difficult. A growing industry consensus suggests the effective SBOM deadline is 2026, not 2027.
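To show what the SBOM-driven correlation described above looks like in practice, here is an added example (not code from the article or from any vendor it mentions): it parses a constructed CycloneDX-style SBOM for a hypothetical BAS controller firmware, matches it against a constructed advisory feed with placeholder ids, and computes the 24-hour early-warning deadline for each actively exploited hit. Package URLs, advisory fields and timestamps are all assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(hours=24)  # 24-hour reporting window under Article 14

# Constructed CycloneDX-style SBOM for a hypothetical BAS controller firmware (sample data).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "bas-controller-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.1", "purl": "pkg:generic/mbedtls@2.28.1"},
    {"type": "library", "name": "lwip", "version": "2.1.3", "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library", "name": "mosquitto", "version": "2.0.15", "purl": "pkg:generic/mosquitto@2.0.15"}
  ]
}"""

# Constructed advisory feed; ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:generic/mbedtls@2.28.1",
     "actively_exploited": True, "aware_at": "2026-09-12T08:00:00+00:00"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:generic/lwip@2.1.3",
     "actively_exploited": False, "aware_at": "2026-09-12T08:00:00+00:00"},
    {"id": "ADV-PLACEHOLDER-3", "purl": "pkg:generic/openssl@3.0.0",
     "actively_exploited": True, "aware_at": "2026-09-12T08:00:00+00:00"},
]

def sbom_purls(sbom_json):
    """Return the set of package URLs listed in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}

def reporting_queue(sbom_json, advisories, now_iso):
    """Match advisories to SBOM components and compute the 24h early-warning
    deadline for each actively exploited hit; returns rows sorted by deadline."""
    purls = sbom_purls(sbom_json)
    now = datetime.fromisoformat(now_iso)
    queue = []
    for adv in advisories:
        if adv["purl"] not in purls or not adv["actively_exploited"]:
            continue  # not in this product, or no active exploitation: no 24h clock
        deadline = datetime.fromisoformat(adv["aware_at"]) + REPORT_WINDOW
        queue.append({"id": adv["id"], "purl": adv["purl"],
                      "deadline": deadline.isoformat(), "overdue": now > deadline})
    return sorted(queue, key=lambda r: r["deadline"])

if __name__ == "__main__":
    for row in reporting_queue(SBOM_JSON, ADVISORIES, "2026-09-12T20:00:00+00:00"):
        print(row)
```

Only the mbedtls advisory lands in the queue: the lwip issue is not actively exploited, and the openssl one does not match any component in this SBOM, which is exactly the filtering an accurate SBOM makes possible.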

Penalties for non-compliance are structured in tiers. Manufacturers that fail to meet essential cybersecurity requirements or reporting obligations face fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, under Article 64 of the CRA. Beyond fines, authorities may issue immediate withdrawal orders and, in extreme cases, mandate product recalls requiring manufacturers to retrieve products already sold to end users.

Interoperability obligations also carry procurement weight. Products compliant with harmonized CRA standards benefit from a presumption of conformity; the European Commission has adopted a request for 41 standards to support CRA implementation, with adoption deadlines for most set to Q3/Q4 2026. Building operators with multinational portfolios will need to ensure that specifications for future installations reference conformity documentation, not just CE marking, to verify vendor compliance in cross-border projects.

On the global regulatory front, the CRA is emerging alongside the U.S. IoT Cybersecurity Improvement Act and NIST guidance, which already mandate baseline controls such as secure development, vulnerability management, encryption, and identity. Together, CRA and NIST-aligned requirements create a de facto global baseline, with North American buyers increasingly demanding CRA-aligned assurances even when not legally required.

Outlook

On 3 March 2026, the European Commission published draft guidance to help manufacturers, developers, and other stakeholders understand their obligations under the CRA and ensure a consistent approach across the EU. The guidance aims to clarify how key provisions should be interpreted and implemented. First standardization deliverables from the European Standards Organizations are expected in Q3 2026, according to the Commission's implementation roadmap, providing vendors with harmonized reference frameworks ahead of full enforcement. Building sector procurement teams that do not revise supplier qualification criteria to include CRA conformity documentation before the December 2027 deadline risk supply-chain delays and potential product withdrawal orders on installed equipment.