A convergence of enforceable IoT cybersecurity regulations across the EU, US, and Asia is forcing manufacturers, system integrators, and facility operators to redesign connected building systems and revise procurement criteria. Compliance deadlines have already arrived, with more milestones due through 2027.
Background
What was once a patchwork of guidance and best practices has evolved into a growing body of enforceable regulation. For commercial building automation, this matters acutely: Building Management Systems (BMS), AI-driven energy optimization platforms, HVAC controllers, and access control hardware all rely on networks of connected IoT devices that regulators now treat as critical infrastructure endpoints.
Three universal themes have emerged in IoT and smart device cybersecurity: the elimination of default passwords, lifecycle responsibility, and the Software Bill of Materials (SBOM) as a standard requirement. All three carry direct operational implications for building system specification and supplier selection.
Regulation is becoming a strategic priority. Where digitalization was once a competitive advantage, the security of those digital systems is now a binding obligation under regulations such as the Cyber Resilience Act (CRA), NIS2 and the Radio Equipment Directive (RED), with standards such as IEC 62443 supplying the technical baseline for industrial and building control systems. For building automation professionals, this signals a fundamental shift in how connected systems must be specified and validated before deployment.
Details
The most immediate mandate is the EU's updated RED. As of August 1, 2025, the RED cybersecurity requirements (Article 3(3)(d), (e) and (f): network protection, protection of personal data and privacy, and protection from fraud) became mandatory for radio equipment placed on the EU market, establishing a legal floor for wireless devices. In January 2025, the European Commission cited the EN 18031 series, "Common security requirements for radio equipment," as harmonized standards under RED, so conformity with EN 18031-1, -2 and -3 gives a presumption of conformity with the three requirements respectively. EN 18031 covers access control mechanisms permitting only authorized entities to reach security and network assets; authentication mechanisms managing access to configuration and security parameters; secure update mechanisms ensuring software is installed only after its integrity and authenticity have been verified; and secure storage protecting the confidentiality and integrity of keys and other security assets.
Longer-term, the CRA sets a more comprehensive framework. Unlike voluntary frameworks, the CRA introduces mandatory cybersecurity requirements for products with digital elements placed on the European market, spanning the entire product lifecycle from design and development through deployment and ongoing support. The first CRA obligations, the manufacturer's duty to report actively exploited vulnerabilities and severe incidents, apply from September 11, 2026; all remaining requirements apply from December 11, 2027, after which every product with digital elements placed on the market must fully comply. Companies that fail to comply face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
The SBOM - a machine-readable inventory of all software components in a product, typically in the CycloneDX or SPDX format - is emerging as a central instrument in both regulatory compliance and procurement. Under the CRA, manufacturers of "products with digital elements" will be required to produce and maintain an SBOM covering at least the product's top-level dependencies and to exercise due diligence over the third-party components they integrate. CISA, in collaboration with the NSA and 19 international partners, published joint guidance emphasizing software supply chain transparency and encouraging the integration of SBOM generation, analysis, and sharing into routine security practices. South Korea's formal roadmap mandates SBOMs for all public sector procurement starting in 2027, aligning Seoul with the US and EU in treating software components as a critical supply chain risk.
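An SBOM only helps procurement if it is complete enough to be matched against advisories, so the practical question for an integrator is what to check before accepting one from a supplier. The following Python script is an added example written for this article; it is not code from the article, from CISA, or from any regulator or programme named here. It constructs a small CycloneDX 1.5 JSON SBOM inline for a hypothetical BMS gateway firmware (all component names, versions, bom-refs and the placeholder hash are invented) and runs the structural checks a buyer would want: every component has a name, version and purl, ships a hash, appears only once, and every dependency reference points at a declared component. The field names used (bomFormat, specVersion, components, purl, hashes, bom-ref, dependencies) are the CycloneDX ones; the check names and messages are my own.

```python
import json
from collections import Counter

# Constructed sample: a CycloneDX 1.5 JSON SBOM for a hypothetical BMS gateway
# firmware. Every name, version, bom-ref and the placeholder hash is illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware", "name": "bms-gateway-fw",
                      "version": "4.2.0", "bom-ref": "fw"}
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "bom-ref": "openssl",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},   # placeholder digest
        {"type": "library", "name": "zlib",                         # version omitted on purpose
         "purl": "pkg:generic/zlib", "bom-ref": "zlib"},
        {"type": "library", "name": "lwip", "version": "2.1.3",     # purl omitted on purpose
         "bom-ref": "lwip"},
    ],
    "dependencies": [
        # "mqtt-client" is referenced but never declared as a component.
        {"ref": "fw", "dependsOn": ["openssl", "zlib", "lwip", "mqtt-client"]},
    ],
})

# Fields a buyer should insist on for every component: without a version the
# entry cannot be matched against advisories, without a purl it cannot be
# matched unambiguously to a package ecosystem.
REQUIRED_FIELDS = ("name", "version", "purl")


def load_sbom(text):
    """Parse SBOM JSON and reject anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def check_sbom(sbom):
    """Return human-readable findings. An empty list means the SBOM passes the
    structural checks; it says nothing about the security of the components."""
    findings = []
    comps = sbom.get("components", [])
    if not comps:
        findings.append("no components listed")

    # Per-component completeness.
    for c in comps:
        label = c.get("name") or "<unnamed>"
        for field in REQUIRED_FIELDS:
            if not c.get(field):
                findings.append(f"{label}: missing {field}")
        if c.get("purl") and not c["purl"].startswith("pkg:"):
            findings.append(f"{label}: malformed purl {c['purl']!r}")
        if not c.get("hashes"):
            findings.append(f"{label}: no hash, shipped artefact cannot be tied to this entry")

    # Duplicate (name, version) pairs usually mean a generator merged two trees badly.
    counts = Counter((c.get("name"), c.get("version")) for c in comps)
    for (name, version), n in counts.items():
        if n > 1:
            findings.append(f"{name} {version}: listed {n} times")

    # The dependency graph may only point at declared components (or the root).
    declared = {c.get("bom-ref") for c in comps}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        declared.add(root)
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref")] + dep.get("dependsOn", []):
            if ref not in declared:
                findings.append(f"dependency graph references undeclared component {ref!r}")
    return findings


def versions_of(sbom, name):
    """All versions under which a component name appears (None if unversioned)."""
    return [c.get("version") for c in sbom.get("components", []) if c.get("name") == name]


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for finding in check_sbom(bom):
        print("FINDING:", finding)
    print("openssl versions:", versions_of(bom, "openssl"))
```

Run against the sample, the script reports five findings: zlib has no version and no hash, lwip has no purl and no hash, and the dependency graph names an undeclared "mqtt-client". Any one of these is a reason to send the SBOM back to the supplier, because a component that cannot be identified cannot be monitored for vulnerabilities over the support period the regulations now require.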
In the United States, the FCC's Cyber Trust Mark program - with technical criteria drawn from NIST's consumer IoT baseline - establishes a voluntary cybersecurity labeling scheme for consumer IoT devices. The Cyber Trust Mark will become a requirement for consumer IoT products purchased under US federal government contracts starting January 2027. In the first quarter of 2026, the FCC reopened applications for Lead Administrator and Label Administrators under the program.
AI-driven building systems face compounding scrutiny. China's amended Cybersecurity Law, effective January 2026, explicitly integrates AI governance, requiring "synchronised planning" of security during the development of AI-driven smart city and industrial infrastructure. Across major markets, organizations deploying IoT and operational technology (OT) systems are expected not only to secure devices but to demonstrate that security controls are consistent, measurable, and continuously enforced. According to a Fortinet survey, 52% of organizations assigned CISO or CSO responsibility for OT in 2025, up from 16% in 2022.
Across the UK, EU, and Japan, universal default passwords are now effectively illegal for new connected devices, and regulators require manufacturers to commit to a defined security-update support period, ranging from two to five years depending on the regime (the CRA's default is five years, or the product's expected lifetime if shorter). For building system manufacturers, optimizing for cost, time-to-market, and functionality over security is no longer viable. Default passwords, unencrypted telemetry, hard-coded keys, and limited remote firmware update capability all represent risks that regulators and enterprise buyers are no longer willing to accept.
Outlook
The EU's Cyber Resilience Act, fully applicable from December 2027, extends the obligations beyond RED's radio equipment to any product with digital elements, hardware or software, placing virtually no connected building automation component outside regulatory scope. In South Korea, all public sector procurement will require an SBOM starting in 2027, with 2025 and 2026 serving as a pilot period for manufacturers to build the necessary component-tracing infrastructure. Integrators and specifiers sourcing BMS hardware, AI analytics platforms, and wireless sensors for commercial projects will face mounting documentation and certification requirements at procurement - making regulatory compliance a core element of supplier qualification, not an afterthought.
