Cyber resilience in buildings: from compliance to trustworthy digitalisation
The Cyber Resilience Act matters to buildings not only because products must be secure, but because trustworthy digital buildings depend on trustworthy products, clear lifecycle responsibility and usable information across the value chain.
(Note: Opinions in the articles are of the authors only and do not necessarily reflect the opinion of the European Union)
Buildings are becoming more digital, and building performance increasingly depends on connected products that generate, exchange, and rely on data. That creates a simple but important reality: if the digital layer cannot be trusted over time, building digitalisation cannot be trusted either. Energy performance, indoor air quality, remote services, fault detection, and smarter operation all depend on products that remain reliable, maintainable, and understandable long after installation.
This is why the Cyber Resilience Act (CRA) matters to Technical Building Systems (TBS) and Building Automation and Control Systems (BACS). It pushes cybersecurity into the core of product quality, lifecycle responsibility, and cooperation across the building value chain.
A joint industry paper now being prepared and co-signed by several European associations, including ARGE, EHPA, eu.bac, EVIA, Eurovent, EPEE, and other partners, aims to make that reality more visible. Its value is not only to explain obligations, but to translate a horizontal regulation into the operational reality of long-life, multi-vendor building systems.
Why buildings need a specific reading of the Cyber Resilience Act
Building technologies are not short-lived consumer devices. Many remain installed for 10, 15 or 20 years, often in mixed environments with legacy protocols, phased retrofits, constrained maintenance windows and different levels of cyber maturity.
This is where the first major friction appears: installed life is often longer than realistic secure supportability. A controller may still be physically in service while its hardware can no longer support modern security expectations. That does not remove the need for cyber resilience, but it does mean the sector needs realistic support periods, transparent assumptions and credible migration paths.

A second friction concerns commissioning and service. Secure-by-default is essential, but buildings also require practical installation, integration, and maintenance. The challenge lies in the design of products and processes that reduce unnecessary exposure without ignoring field reality.
This matters well beyond cybersecurity specialists. In a more digital building stock, trusted data is becoming part of credible building performance. If products are insecure, poorly maintained, or unclear in their lifecycle status, the value of the data they generate also becomes weaker.
Cybersecurity is becoming part of product quality
The stronger effect of the CRA is that cybersecurity can no longer be treated as an add-on or a purely IT concern. It becomes part of how a product is conceived, designed, tested, documented, supported, and eventually renewed.
That means manufacturers need to make key assumptions explicit: intended use, exposed interfaces, data role, support period, update model, vulnerability handling, and conditions for secure operation. These are not secondary details. They shape product architecture, hardware sizing, commissioning tools, customer information, and service models.
A small field device does not need the same approach as a gateway or supervisory controller, but every product with a digital role needs a clear and proportionate cybersecurity concept. The alternative is ambiguity, and ambiguity is exactly what the sector can no longer afford.
What changes across the value chain
The CRA exposes a long-standing weakness in the market: fragmented accountability. In real projects, responsibilities are often blurred between the component supplier, OEM, integrator, contractor, service provider, and the building operator.
A compliant product does not automatically create a secure building outcome. Secure products still need secure specification, secure integration, secure commissioning, controlled remote access, workable update planning, and informed operation. This is the third major friction point: product compliance and system resilience are related, but they are not the same thing.
That is why, even though the CRA is a regulation for products, its relevance extends beyond products and their manufacturers. Consultants and specifiers need clearer cybersecurity and lifecycle requirements in project documentation. Building owners and operators need earlier visibility on support periods, update expectations, and migration limits. Integrators need usable guidance, not only legal language. Public authorities and policy actors need implementation that reflects the reality of long-life technical systems.
A simple example illustrates the point. A manufacturer may provide secure update packages and guidance; the integrator may plan deployment; the operator may choose the maintenance window. If certificates expire, if remote access remains unmanaged, or if a legacy protocol stays in use without mitigation, the risk does not disappear just because one actor did its part. The CRA makes these dependencies harder to ignore.
Opportunity, but not without tension
The CRA can improve product quality, lifecycle transparency, and trust in digital building technologies. It can also support more professional service models around updates, monitoring, configuration review, and lifecycle planning.
But the opportunity should not be romanticised. There are real costs, capability gaps, and adaptation challenges, especially for smaller companies. If the sector wants better outcomes, it will need practical guidance, common templates, proportionate interpretation and support for companies that have strong product expertise but limited regulatory capacity.
This is also why standards matter, but they should not be treated as a magic shortcut. The prEN 40000 series, currently being developed by CEN-CENELEC/JTC 13/WG 9, will provide a horizontal approach to the Cyber Resilience Act and should be the natural starting point for manufacturers. Where this horizontal approach does not sufficiently address the specific product, use case, operational environment, or risk treatment needs, manufacturers may then consider other relevant standards. For Technical Building Systems and building automation, EN IEC 62443 can be especially useful where its concepts are more closely aligned with the product or system context.
A joint industry paper to fit technical building systems in the Cyber Resilience Act
The joint industry paper is useful precisely because it does not present buildings as a generic IoT use case. It explains where building technologies fit the CRA logic, where they create specific implementation challenges, and where the market needs a common language instead of fragmented interpretation.
It also helps widen the conversation. Cyber resilience in buildings is about more than avoiding vulnerabilities: it is about protecting the credibility of digital building services, the trustworthiness of technical data, and the long-term value of connected systems in the built environment.
From the perspective of EVIA’s Working Group Digital & Data, this is also a natural evolution. Ventilation and indoor air quality technologies are increasingly connected to data, control, and building performance. Cyber resilience is therefore part of how these technologies create trust.
What the sector should do now
Manufacturers should make their assumptions explicit and review whether their products, documentation, and support models are aligned with a lifecycle view of cybersecurity. Specifiers and consultants should start asking for security and lifecycle information before products are selected. Building owners and operators should treat support periods, updateability, and migration planning as procurement issues. Associations and authorities should help turn the CRA into usable guidance for the sector.
The core message is simple. In digital buildings, cyber resilience is not an IT add-on; it is part of building performance credibility. The CRA, therefore, matters not only because it creates obligations, but because it sets a new expectation for the sector to be clearer about what can be trusted, for how long, and under which conditions. That is the real opportunity now emerging for the building value chain: not just more compliant products, but more trustworthy digital buildings.