
EU Moves to Mandate IoT Security Certification for Commercial Buildings: Impacts on Manufacturers, Operators, and Compliance Timelines

The EU Cyber Resilience Act mandates IoT security certification for commercial building systems by December 2027. Here's what manufacturers and operators must do now.


Regulatory fines under the EU Cyber Resilience Act (CRA) can reach up to €15 million or 2.5% of global annual turnover, whichever is higher - yet most building automation products currently deployed in European commercial real estate were designed with no formal cybersecurity certification requirement in mind. That gap is closing fast.

The EU's Cyber Resilience Act (CRA), adopted on 23 October 2024 and entering into force on 10 December 2024, establishes horizontal cybersecurity requirements for all products with digital elements sold on the EU market. For the smart building sector - whose operational backbone consists of IP-connected HVAC controllers, BACnet gateways, access control systems, lighting managers, and energy meters - the regulation represents the most consequential compliance shift since CE marking was introduced for electrical equipment.

This article examines which building systems fall in scope, how the certification regime is structured, what manufacturers must change, and how operators can begin aligning procurement and maintenance strategies now.


What the CRA Covers - and Why Buildings Are Central

The CRA applies to "products with digital elements" - defined as any software or hardware product, including its remote data processing solutions, that is capable of directly or indirectly connecting to a device or network. In practical terms, this sweeps in virtually every networked component of a modern building management system (BMS).

Building automation systems (BAS/BMS) - controlling HVAC, lighting, access, fire safety, and energy management across commercial and industrial buildings - are mostly classified as Default class under the CRA. However, those deployed in hospitals, data centres, and other critical facilities may be treated as Important Class I or higher.

The implication is significant: classification determines the conformity assessment route. Default-class products can proceed via manufacturer self-assessment; Important-class products require third-party evaluation by an EU Notified Body before they can bear the CE marking mandatory for market access.

The BACnet and Modbus protocols widely used in BAS were not designed with security in mind, meaning CRA compliance demands significant attention to protocol security and access control. BAS controllers with IP connectivity are unambiguously in scope, while field devices operating solely on BACnet MS/TP or RS-485 with no IP stack may fall outside the regulation's reach - though operators should verify each device's connectivity architecture.

A parallel regulatory track applies sooner. Manufacturers of connected devices must also address new cybersecurity requirements under the Radio Equipment Directive (RED) delegated acts, which apply from 1 August 2025 to many internet-connected wireless devices. In January 2025, the European Commission incorporated EN 18031 - "Common security requirements for radio equipment" - as a harmonised standard under RED. This mandates that radio equipment comply with EN 18031-1 (network protection), EN 18031-2 (personal data and privacy), and EN 18031-3 (protection for financial transactions). Wireless building sensors, gateways, and mesh-network controllers are directly affected.


The Phased Enforcement Timeline

Compliance is not a single deadline - it unfolds across three stages that stakeholders must plan for in parallel:

Date        | Milestone                                                                  | Who Is Primarily Affected
------------|----------------------------------------------------------------------------|------------------------------------------------
1 Aug 2025  | RED cybersecurity delegated act applies (EN 18031-x)                       | Wireless IoT device manufacturers
11 Jun 2026 | Rules for Notified Bodies and conformity assessment procedures take effect | Manufacturers of Important/Critical-class products
11 Sep 2026 | Vulnerability reporting obligations begin                                  | All manufacturers within CRA scope
11 Dec 2027 | Full CRA enforcement - all new digital products on the EU market must comply | Manufacturers, importers, building operators

The CRA entered into force on 10 December 2024. Main obligations apply from 11 December 2027, with reporting obligations applying from 11 September 2026.

The September 2026 reporting obligation requires manufacturers to notify authorities upon discovering exploited vulnerabilities in their products - a requirement with direct implications for building system vendors who often ship products with multi-decade operational lifespans and minimal patch cadence.


What Manufacturers Must Change

The CRA introduces obligations spanning the entire product lifecycle, not just the point of sale. Mandatory cybersecurity requirements cover planning, design, development, and maintenance; manufacturers must meet these obligations at every stage of the value chain and handle vulnerabilities throughout a product's lifecycle.

For building technology vendors, the principal changes are:

  • Secure-by-design engineering: The CRA aims to prevent devices with known exploitable vulnerabilities from reaching the market. It defines rules for security updates, protection from unauthorised access, data confidentiality and integrity, resilience against denial-of-service attacks, and vulnerability handling.
  • Software Bill of Materials (SBOM): BAS products often run embedded Linux with commercial BACnet stacks and custom web interfaces; every component must be tracked for CVEs (Common Vulnerabilities and Exposures).
  • Protocol hardening: Manufacturers should implement BACnet/SC (Secure Connect) for all IP-based BACnet communication. BACnet/SC provides TLS 1.3 encryption and certificate-based authentication per ASHRAE Addendum bj.
  • Defined support periods: BAS controllers are often installed during building construction and remain in service for the building's lifetime; security support periods must reflect operational timescales of 10-15 years.
  • CE marking and documentation: Products of particular cybersecurity relevance will need third-party assessment by a Notified Body before market placement, and products will bear the CE marking to indicate compliance.
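The SBOM obligation above only pays off if the component list is actually checked against advisories. The following is an added example, not code from the article or from any vendor: it reads a CycloneDX-style component list for a hypothetical HVAC controller image and reports which components fall inside an advisory's affected version range. Both the SBOM and the advisories are constructed for illustration, and the advisory identifiers are placeholders rather than real CVE numbers.

```python
"""Added example: match a CycloneDX-style SBOM against a list of advisories
so a building-automation vendor can see which shipped components need a fix.
All data is constructed; advisory ids are placeholders, not real CVEs."""
from dataclasses import dataclass
import re


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' (optionally with a tail such as '-rc1') into a comparable
    tuple of integers; anything after the first '-' is ignored."""
    nums = re.findall(r"\d+", v.split("-")[0])
    return tuple(int(n) for n in nums)


@dataclass(frozen=True)
class Advisory:
    ident: str          # placeholder id, e.g. "ADV-EXAMPLE-0001"
    component: str      # SBOM component name it concerns
    introduced: str     # first affected version (inclusive)
    fixed: str          # first fixed version (exclusive); "" means no fix yet


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def match_sbom(sbom: dict, advisories: list) -> dict:
    """Return {"name@version": [advisory ids]} for every affected component.
    Expects the CycloneDX layout: {"components": [{"name": ..., "version": ...}]}."""
    hits = {}
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        ids = [a.ident for a in advisories
               if a.component == name and is_affected(version, a)]
        if ids:
            hits[f"{name}@{version}"] = ids
    return hits


# Constructed SBOM for a hypothetical HVAC controller firmware image.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "linux-kernel", "version": "5.10.120"},
        {"name": "bacnet-stack", "version": "1.0.2"},
        {"name": "embedded-httpd", "version": "2.3.0"},
        {"name": "openssl", "version": "3.0.12"},
    ],
}

# Constructed advisories with placeholder identifiers (not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "bacnet-stack", "1.0.0", "1.0.3"),
    Advisory("ADV-EXAMPLE-0002", "embedded-httpd", "2.0.0", "2.3.0"),  # fixed in 2.3.0
    Advisory("ADV-EXAMPLE-0003", "linux-kernel", "5.10.0", ""),         # no fix published
    Advisory("ADV-EXAMPLE-0004", "openssl", "3.0.0", "3.0.5"),
]


def sample_report() -> dict:
    """Affected components in the constructed image."""
    return match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for comp, ids in sample_report().items():
        print(f"{comp}: {', '.join(ids)}")
```

The unfixed kernel entry is the case that matters most for controllers with multi-year support periods: an advisory with no fixed version stays open against every shipped build until the vendor publishes one, which is exactly the tracking the reporting obligations from September 2026 will expose.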

Conformity assessment standards are still developing. CRA conformity specifications are being developed by CENELEC; first drafts of test catalogues are expected by the end of 2025 for some CRA aspects. Manufacturers waiting for finalised harmonised standards before initiating internal gap assessments risk running out of runway before the 2027 deadline.


Implications for Building Operators and Procurement

Building operators face a different but equally pressing set of obligations. While the CRA directly targets manufacturers, it shapes procurement decisions decisively: without documented conformity, products cannot be marketed in the EU. Any device lacking the appropriate CE declaration post-2027 cannot legally be procured for new installations.

For retrofit and lifecycle planning, this translates into several practical considerations:

  • Procurement specifications must reference CRA compliance for all IP-connected components, with suppliers required to demonstrate conformity evidence or provide SBOM documentation.
  • Maintenance contracts should include patch management obligations, particularly for controllers and gateways managing environmental or access control functions in critical settings.
  • Data privacy exposure must be assessed: EN 18031-2 mandates personal data and privacy security in internet-connected radio equipment, intersecting with GDPR obligations for operators collecting occupancy or biometric access data.
  • Legacy systems require a parallel risk assessment: Devices predating the CRA will not need retrofit certification, but cybersecurity threats can propagate through various products with digital elements before reaching a target - including through chaining multiple vulnerability exploits - meaning legacy gaps can undermine otherwise compliant new installations.

Operators managing buildings under the NIS2 Directive's scope - including facilities providing essential services - should note that NIS2 and the CRA overlap, as covered in our earlier analysis of integrated building security standards.


EU Requirements vs. Global Schemes: A Comparative View

The CRA does not exist in isolation. Building technology vendors operating across jurisdictions must navigate a patchwork of certification regimes:

Scheme              | Legal Status         | Scope                                      | Key Standard                                     | Penalties
--------------------|----------------------|--------------------------------------------|--------------------------------------------------|----------------------------
EU CRA              | Mandatory (Dec 2027) | All connected digital products on EU market | EN 303 645, IEC 62443, CRA harmonised standards  | Up to €15M or 2.5% turnover
EU RED (EN 18031)   | Mandatory (Aug 2025) | Internet-connected radio/wireless devices  | EN 18031-1/-2/-3                                 | Market ban
US Cyber Trust Mark | Voluntary            | Consumer IoT devices, US market            | NIST IR 8425                                     | None
ETSI EN 303 645     | Voluntary baseline   | Consumer IoT (basis for national schemes)  | EN 303 645 / TS 103 701                          | None

Relevant international standards such as ETSI EN 303 645 and IEC 62443 can already demonstrate compliance of IoT products against minimum EU security requirements. Manufacturers seeking to align development resources efficiently should prioritise these existing standards as the starting point for CRA conformance work, given that harmonised CRA standards remain in development.

Many countries have already based national product certification schemes around ETSI EN 303 645, demonstrating how one standard can underpin multiple assurance schemes and provide certification flexibility while maintaining strong security baselines.


Steps for Operators Planning Upgrades or Retrofits

For facility managers and procurement teams aligning smart building infrastructure with incoming certification requirements, a structured approach is advisable:

  1. Audit connected device inventory - Identify all IP-connected components, categorise by function (HVAC, access, metering, fire), and flag any devices transmitting over radio/wireless protocols.
  2. Classify by CRA risk category - Determine whether devices qualify as Default, Important Class I, or Important Class II based on deployment environment and function.
  3. Request SBOM and conformity documentation from suppliers - Engage existing vendors now to understand their CRA readiness roadmaps ahead of the 2027 deadline.
  4. Update procurement templates - Embed CRA compliance clauses, patch management requirements, and minimum support period terms into all new tender and framework agreements.
  5. Plan legacy remediation in parallel - Identify end-of-life devices that will not receive CRA-compliant firmware and budget for phased replacement in capital expenditure cycles.
  6. Monitor the RED deadline (August 2025) - Wireless device procurement after this date must meet EN 18031-x requirements; verify supplier declarations before specifying.
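Steps 1, 2, 5 and 6 above are mechanical enough to run as a first pass over an inventory export. The script below is an added example, not code from the article or any vendor tool: it takes device records with the attributes those steps ask about (IP stack, radio, internet reachability, deployment environment, stated support end) and produces a worklist grouped by step. The inventory is constructed, and the Default/Important split is a heuristic built from the article's own remark that hospital and data-centre deployments may be treated as Important Class I, so its output is a list of items to verify with the vendor or a Notified Body, not a legal determination.

```python
"""Added example: first-pass scoping of a building device inventory against
the article's steps 1, 2, 5 and 6.  Inventory and classification heuristic
are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RED_APPLIES_FROM = date(2025, 8, 1)     # EN 18031-x delegated act (step 6)
CRA_APPLIES_FROM = date(2027, 12, 11)   # main CRA obligations
# Assumption for the heuristic only: environments the article names as
# candidates for Important Class I treatment.
CRITICAL_ENVIRONMENTS = {"hospital", "data centre"}


@dataclass(frozen=True)
class Device:
    name: str
    function: str                 # HVAC, access, metering, fire, lighting
    environment: str              # "office", "hospital", "data centre", ...
    has_ip_stack: bool            # BACnet/IP, Modbus TCP, web UI, etc.
    wireless: bool                # has a radio interface
    internet_connected: bool      # radio interface can reach the internet
    support_ends: Optional[date]  # vendor's stated security-support end, if known


def cra_scope(d: Device) -> str:
    """Step 1: IP-connected devices are in scope; serial-only ones may not be."""
    if d.has_ip_stack:
        return "in scope"
    return "likely out of scope (serial-only) - verify connectivity architecture"


def cra_class(d: Device) -> str:
    """Step 2: heuristic first pass at Default vs Important classification."""
    if not d.has_ip_stack:
        return "n/a"
    if d.environment in CRITICAL_ENVIRONMENTS:
        return "Important Class I? (heuristic - confirm with vendor/Notified Body)"
    return "Default (heuristic - confirm)"


def red_applies(d: Device) -> bool:
    """Step 6: wireless, internet-connected devices must meet EN 18031-x."""
    return d.wireless and d.internet_connected


def needs_legacy_plan(d: Device) -> bool:
    """Step 5: an in-scope device whose security support is unknown or ends
    before CRA enforcement goes on the phased-replacement list."""
    if not d.has_ip_stack:
        return False
    return d.support_ends is None or d.support_ends < CRA_APPLIES_FROM


def assess(d: Device) -> dict:
    return {
        "device": d.name,
        "function": d.function,
        "cra_scope": cra_scope(d),
        "cra_class": cra_class(d),
        "red_en18031": red_applies(d),
        "legacy_plan": needs_legacy_plan(d),
    }


# Constructed inventory for a hypothetical mixed office/hospital estate.
SAMPLE_INVENTORY = [
    Device("AHU-1 controller", "HVAC", "office", True, False, False, date(2030, 1, 1)),
    Device("Ward door controller", "access", "hospital", True, False, False, date(2026, 6, 30)),
    Device("VAV box (MS/TP)", "HVAC", "office", False, False, False, None),
    Device("Wi-Fi occupancy sensor", "lighting", "office", True, True, True, date(2028, 1, 1)),
]


def worklist(inventory=SAMPLE_INVENTORY) -> dict:
    """Device names needing follow-up, grouped by the step that raised them."""
    reports = [assess(d) for d in inventory]
    return {
        "verify_scope": [r["device"] for r in reports if r["cra_scope"] != "in scope"],
        "classify": [r["device"] for r in reports if r["cra_class"].startswith("Important")],
        "red_en18031": [r["device"] for r in reports if r["red_en18031"]],
        "legacy_plan": [r["device"] for r in reports if r["legacy_plan"]],
    }


if __name__ == "__main__":
    for step, names in worklist().items():
        print(f"{step}: {', '.join(names) or '-'}")
```

Run against a real export, the "verify_scope" bucket is where the serial-only field devices land; the FAQ's point about indirect connections means a gateway-attached MS/TP segment should be re-examined rather than dismissed on this flag alone.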

Conclusion

The EU's push to mandate IoT security certification for commercial buildings is not a future risk - it is an active regulatory transition with the first hard deadline already in 2025. For manufacturers, the CRA demands a fundamental shift toward secure-by-design engineering, lifecycle vulnerability management, and documented conformity. For building operators, it redefines the due diligence required in procurement, maintenance planning, and data privacy governance.

The preparation window is narrowing. With conformity assessment bodies becoming active in June 2026, manufacturers who delay internal gap analyses face mounting pressure against shrinking timelines. Operators who do not begin updating procurement specifications risk inheriting non-compliant infrastructure carrying both cybersecurity and regulatory exposure well beyond the 2027 enforcement date.


Frequently Asked Questions

Does the CRA apply to existing installed building systems? The CRA applies to products placed on the market from 11 December 2027 onward. Devices already installed before that date are not retroactively required to achieve CRA certification, though operators should assess legacy risk independently given potential vulnerability chaining across mixed-generation infrastructure.

What is the difference between the CRA and the RED delegated act for building IoT? The RED delegated act (enforced from 1 August 2025) applies specifically to internet-connected wireless and radio devices. The CRA is broader, covering all products with digital elements regardless of whether they use radio technology. Both can apply simultaneously to the same device - a wireless BMS sensor, for example, must comply with RED from August 2025 and with the CRA from December 2027.

Are BACnet and Modbus field devices in scope? Only if they include an IP stack. Devices operating solely on BACnet MS/TP or RS-485 serial links with no internet or network connectivity may fall outside CRA scope. Manufacturers and operators should verify each device's connectivity architecture against the CRA's definition of "direct or indirect logical or physical data connection."

What standards can manufacturers use today to begin CRA preparation? ETSI EN 303 645, IEC 62443, and the EN 18031-x series are currently the most applicable reference standards. CENELEC-developed harmonised CRA standards are in development, with first test catalogue drafts expected in late 2025 for certain product categories.

What are the penalties for non-compliance? Fines can reach €15 million or 2.5% of global annual turnover, whichever is higher. Non-compliant products can also face market withdrawal or distribution restrictions across all 27 EU member states.