Smart building systems have moved from proprietary isolated networks to IP-connected, cloud-managed platforms. That connectivity brings them within CRA scope. Art. 2(1) covers any product with a direct or indirect logical or physical data connection. A BMS controller with an Ethernet port qualifies. A smart thermostat with Wi-Fi qualifies. An access control reader with biometric capability is Important Class I under Annex III item 1. The building industry has not traditionally faced horizontal cybersecurity product regulation — the CRA changes that. Art. 13 imposes manufacturer obligations including risk assessment, technical documentation, vulnerability handling and ENISA reporting. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Building system architecture stays in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Building management systems historically operated on proprietary protocols (BACnet MS/TP, LonWorks) outside IT regulation. Modern BMS use IP connectivity, cloud platforms and IoT gateways. Art. 2(1) of Regulation (EU) 2024/2847 covers any data connection. The moment your controller has an IP address, the CRA applies.
Annex III Class I item 1 of Regulation (EU) 2024/2847 explicitly lists "identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers." Building access control panels and card readers with network connectivity are Important Class I — not Default.
Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect expected use time. Building automation equipment is typically deployed for 10-20 years. A support period shorter than the expected deployment lifecycle leaves buildings running unpatched systems — and the manufacturer non-compliant for the duration of the gap.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Identifies Default (HVAC controllers, lighting), Important Class I (access control per Annex III item 1, network management per item 6, smart security devices per item 17).
Art. 31 and Annex VII documentation for BMS: system architecture, protocol stack, cloud integration, component inventory.
Cybersecurity risk assessment covering building-specific vectors: physical access compromise, HVAC manipulation, lateral movement, cloud platform attacks, multi-tenant building risks.
Annex II information for facility managers and system integrators: secure deployment, network segmentation, firmware update procedures, vulnerability reporting.
EU Declaration per Art. 28 and Annex V.
Coordinated vulnerability disclosure policy for building automation research community.
ENISA notification template per Art. 14.
Key dates with building industry procurement cycles: Art. 14 from September 2026, full enforcement December 2027, long-lifecycle support period milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates Art. 31 and Annex VII documentation for each connected BMS product. Coverage includes cybersecurity risk assessment, vulnerability handling procedures, SBOM, coordinated disclosure, ENISA template and support period definition — all structured for building industry deployment contexts.
CRACheck does not perform penetration testing on BMS networks. It does not assess BACnet/IP protocol security. It does not conduct physical security testing of access control hardware. It does not provide notified body assessment for Important Class I products. It does not produce NIS2 documentation for building operators.
The building has an IP address now. The CRA follows. CRACheck documents the cybersecurity layer.
A vulnerability in building access control or HVAC management triggers 24h ENISA notification.
BMS products on the EU market must carry CE marking and Art. 31 documentation.
For BMS manufacturers non-compliant with Art. 13 or Annex I.
| Criterio | Building IT consultancy | Internal compliance | No CRA preparation | CRACheck |
|---|---|---|---|---|
| Price | €10K-25K | Staff time | €0 | €149 per product |
| Art. 31 coverage | Report only | Variable | None | 8-document file |
| Long-lifecycle documentation | One-time snapshot | Ongoing effort | N/A | Regenerable within 30 days |
| Data stays with you | Shared | Internal | N/A | 100% browser-side |
| CRACheck | €149 | 8-doc | Regenerable | Browser-side |
Pack 10: €99 per product. Pack 30: €79 per product. For smart building manufacturers with broad connected product ranges, contact us.
Request volume pricingCRACheck generates a structured document set according to Art. 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you provide about your BMS product. The accuracy of system architecture, protocol data and component inventories is your responsibility as manufacturer.
We guarantee that the document structure follows Art. 31 and Annex VII and that the legal references cited are correct. We do not guarantee acceptance by a market surveillance authority or facility management procurement process.
CRACheck is not legal advice. For classification of access control systems under Annex III and conformity assessment route selection, consult a qualified product compliance specialist.
Access control, HVAC, lighting, gateways — every connected BMS component needs Art. 31 documentation. Eight documents. €149 per product. Browser-side.