European regulators are advancing a framework that would mandate cybersecurity certification for Internet of Things (IoT) devices installed in commercial buildings, linking digital security standards directly to the bloc's energy efficiency agenda for the built environment. The proposal, moving through the European Parliament and European Commission, targets building automation systems (BAS) across offices, retail facilities, and industrial sites - covering HVAC controls, access management, lighting networks, and energy management platforms.
Background
The initiative sits within a rapidly expanding EU regulatory stack reshaping how connected devices enter and operate in European markets. The Radio Equipment Directive (RED) cybersecurity requirements became mandatory from August 1, 2025, applying to virtually all internet-connected radio devices sold in the EU, including building IoT sensors and controllers. Supporting that mandate, the European Commission incorporated EN 18031 - "Common security requirements for radio equipment" - as a harmonized standard under RED in January 2025.
Simultaneously, the broader EU Cyber Resilience Act (CRA) is moving into enforcement. The CRA entered into force on December 10, 2024, with main obligations applying from December 11, 2027, and vulnerability reporting obligations beginning September 11, 2026. The CRA imposes security-by-design requirements on all products with digital elements sold within the EU single market, categorizing them into default, important, and critical risk tiers, with higher-risk products subject to mandatory third-party conformity assessment.
Research published in Buildings (MDPI, June 2025) found that adoption of AI and IoT in Building Energy Management Systems (BEMS) is significantly shaped by this regulatory landscape, including the EU AI Act, GDPR, the EU Cybersecurity Act, and the Energy Performance of Buildings Directive (EPBD). Intelligent control strategies have been shown to reduce building energy consumption by 15-30% on average, according to the review, which assessed 64 sources comprising peer-reviewed articles and regulatory documents.
Details
The proposed certification framework centers on a common security baseline aligned with existing EU product-safety and data governance rules. Under the CRA, manufacturers are required to integrate secure boot, access controls, and encryption from the design phase, ensuring devices ship without known exploitable vulnerabilities and with secure default configurations. The EN 18031 standard further specifies requirements for access control mechanisms, authentication, secure software updates, and secure storage for building-connected radio equipment.
The tiered certification approach reflects building criticality: high-risk systems such as fire safety controls, life-safety infrastructure, and critical facility management face more stringent oversight than general commercial automation. Under the EU Cybersecurity Act's certification scheme, three assurance levels - basic, substantial, and high - reflect the risk associated with cybersecurity threats and the intended use of ICT products. On January 20, 2026, the European Commission proposed a revised Cybersecurity Act renewing the European Cybersecurity Certification Framework (ECCF), with ENISA to expand its vulnerability management services.
For building automation vendors, the compliance pathway involves conformity assessment aligned with CRA product categories. For the highest-risk product class, self-assessment is not sufficient and mandatory third-party assessment by a notified body is required. Certification workflows can last six to twelve months and involve multiple stakeholders including accredited laboratories, regulatory agencies, and industry groups, with any design change potentially triggering recertification.
Industry analysts note that procurement practices in the EU are already shifting. Tenders for building systems increasingly incorporate cybersecurity requirements and alignment with upcoming regulations, according to a 2025 review published on Preprints.org, which pressures system integrators and BAS vendors to upskill in cybersecurity and privacy engineering.
Outlook
The first standardization deliverables under the CRA - covering horizontal and product-specific standards - are expected in Q3 2026, with conformity assessment body notification provisions entering application from June 11, 2026. For facilities teams and procurement officers, the framework signals longer vendor assessment cycles and new risk-scoring criteria that weigh cybersecurity maturity alongside energy performance and lifecycle costs. Vendors that establish compliance early stand to gain cleaner market access and reduced competition from low-security or counterfeit devices, though certification costs remain a recognized hurdle for smaller suppliers in the building automation segment.