
You manufacture a building management system — HVAC controllers, smart lighting platforms, access control infrastructure, integrated BMS — with IP connectivity or cloud integration. Article 3(1) of Regulation (EU) 2024/2847 covers any product with a data connection. If your BMS communicates over IP, BACnet/IP, MQTT or any networked protocol, it is a product with digital elements. Access control readers are explicitly listed as Important Class I in Annex III item 1.

Smart building systems have moved from proprietary isolated networks to IP-connected, cloud-managed platforms. That connectivity brings them within CRA scope. Art. 2(1) covers any product with a direct or indirect logical or physical data connection. A BMS controller with an Ethernet port qualifies. A smart thermostat with Wi-Fi qualifies. An access control reader with biometric capability is Important Class I under Annex III item 1. The building industry has not traditionally faced horizontal cybersecurity product regulation — the CRA changes that. Art. 13 imposes manufacturer obligations including risk assessment, technical documentation, vulnerability handling and ENISA reporting. CRACheck generates the 8-document technical file under Art. 31 and Annex VII. €149 per product. 15-25 minutes. Building system architecture stays in your browser.

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Built on Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 PDF documents · 100% browser-side

Key figures

Art. 2(1): Any product with a data connection is in scope, including BMS with IP/BACnet/MQTT
Annex III item 1: Access control readers and biometric readers are Important Class I
€15M: Maximum fine under Art. 64(2) for BMS manufacturer non-compliance

How to proceed

1. Identify connected BMS components
Map every product in your portfolio with a data connection: controllers, gateways, sensors with IP/Zigbee/Z-Wave, cloud-connected thermostats, access panels. Each connected product is separately in scope.

2. Classify against Annex III
Access control readers including biometric readers: Important Class I (Annex III item 1). Network management systems for building networks: Important Class I (item 6). Smart home devices with security functionalities (smart locks, security cameras, alarm systems): Important Class I (item 17). Standard HVAC controllers and lighting systems: Default.

3. Conduct cybersecurity risk assessment
Art. 13(2)-(3): building-specific risks include unauthorised access to physical security systems, HVAC manipulation in critical facilities, network lateral movement from BMS to corporate IT, and cloud platform compromise affecting multiple buildings.

4. Address long deployment lifecycles
Art. 13(8): building systems are deployed for 10-20 years. The support period must reflect this. Security updates must be free of charge (Art. 13(9)) throughout the support period.

5. Compile Art. 31 documentation
Annex VII: system architecture, protocol specifications, cloud integration details, component inventory, vulnerability handling procedures.

6. Prepare for facility management procurement requirements
Building owners and facility managers subject to NIS2 (if classified as essential infrastructure) will require CRA documentation from their BMS suppliers as part of supply chain risk management.

Common mistakes

SCOPE BLIND SPOT

Treating building automation as outside cybersecurity regulation

Building management systems historically operated on proprietary protocols (BACnet MS/TP, LonWorks) outside IT regulation. Modern BMS use IP connectivity, cloud platforms and IoT gateways. Art. 2(1) of Regulation (EU) 2024/2847 covers any data connection. The moment your controller has an IP address, the CRA applies.

CLASSIFICATION ERROR

Not recognising access control systems as Important Class I

Annex III Class I item 1 of Regulation (EU) 2024/2847 explicitly lists "identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers." Building access control panels and card readers with network connectivity are Important Class I — not Default.

LIFECYCLE MISMATCH

Setting a 3-year support period for equipment deployed for 15 years

Art. 13(8) of Regulation (EU) 2024/2847 requires the support period to reflect expected use time. Building automation equipment is typically deployed for 10-20 years. A support period shorter than the expected deployment lifecycle leaves buildings running unpatched systems — and the manufacturer non-compliant for the duration of the gap.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Identifies Default (HVAC controllers, lighting) or Important Class I (access control per Annex III item 1, network management per item 6, smart security devices per item 17).

2. Technical Documentation
Art. 31 and Annex VII documentation for BMS: system architecture, protocol stack, cloud integration, component inventory.

3. Risk Assessment
Cybersecurity risk assessment covering building-specific vectors: physical access compromise, HVAC manipulation, lateral movement, cloud platform attacks, multi-tenant building risks.

4. User Information
Annex II information for facility managers and system integrators: secure deployment, network segmentation, firmware update procedures, vulnerability reporting.

5. Declaration of Conformity
EU Declaration per Art. 28 and Annex V.

6. CVD Policy
Coordinated vulnerability disclosure policy for the building automation research community.

7. Notification Template
ENISA notification template per Art. 14.

8. Obligations Calendar
Key dates with building industry procurement cycles: Art. 14 from September 2026, full enforcement December 2027, long-lifecycle support period milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

BUILDING AUTOMATION COMPLIANCE CONSULTANCY
Cybersecurity assessment for BMS portfolio
€10,000-25,000 per product family
8-16 weeks
Requires sharing system architecture with consultant
One-time report per product generation
No reusable Art. 31 documentation
Last regulatory check: 1 May 2026 · No substantive changes detected