Do smart meters fall under the stricter CRA requirements?

Yes, smart meters and comparable metering devices in energy grids are expected to be classified as critical products. They will then be subject to stricter requirements and need conformity assessment by a notified body.

How do CRA and NIS2 overlap for building technology manufacturers?

The CRA regulates product security, while NIS2 governs operator security. For manufacturers, this means your products must be CRA-compliant, and your customers (critical infrastructure operators) expect NIS2-compliant suppliers. Kunnus helps you efficiently address both sets of requirements.

How can I provide security updates for devices in isolated networks?

The CRA requires the provision of security updates but does not prescribe a specific delivery method. Offline update mechanisms via USB or local service tools are permissible. Kunnus documents the update process and delivery strategy in a CRA-compliant manner.

What does a 20-year deployment period mean for CRA compliance?

Manufacturers must provide security updates throughout the expected lifecycle. For 20-year deployment periods, a clear end-of-support strategy with transition solutions is recommended. Kunnus assists in planning and documenting these long-term strategies.

All Industries

Energy & Building Technology

Energy and building technology forms the backbone of critical infrastructure. Smart meters, building automation, and energy management systems are increasingly connected, placing them firmly in the focus of the Cyber Resilience Act. The overlap with critical infrastructure requirements and NIS2 makes the compliance landscape particularly complex.

Start CRA Assessment Now

CRA Relevance for Energy & Building Technology

Energy and building technology products frequently fall into higher CRA risk classes because they are deployed in critical infrastructure. Regulatory complexity increases through the overlap with NIS2 and national critical infrastructure regulations.

Smart meters and grid components are classified as critical products, subject to stricter CRA requirements including third-party conformity assessment
Building automation systems with network access fall under the CRA and must provide secure default configurations
Long deployment cycles of 20 to 30 years in building technology require sustainable vulnerability management strategies
Dual regulation through CRA and NIS2 affects manufacturers whose products are used in critical infrastructure
Energy management systems increasingly process sensitive consumption data and must combine data protection with cybersecurity

Compliance Challenges in Energy & Building Technology

Regulatory Overlaps

CRA, NIS2, critical infrastructure regulations, and industry-specific standards overlap. Manufacturers must understand which requirements apply to their products and how to meet them efficiently.

Extremely Long Deployment Cycles

Building technology is installed for decades. Providing security updates over 20 or 30 years requires entirely new support models and long-term planning.

Critical Infrastructure and Higher Risk Classes

Products for energy grids and critical building infrastructure fall into higher CRA risk classes. This means stricter requirements and potential third-party conformity assessment.

Field Devices with Limited Connectivity

Many devices in energy grids and buildings have limited network connectivity. Securely delivering updates to devices behind firewalls and in isolated networks is a particular challenge.

How Kunnus Supports Energy & Building Technology

Regulatory Mapping

Kunnus maps CRA requirements to existing standards and certifications. Leverage requirements already met through IEC 62443, critical infrastructure, or NIS2 compliance and avoid duplicate effort.

Long-term Lifecycle Management

Kunnus supports product lifecycles of over 20 years. The platform monitors vulnerabilities even for legacy components and assists in planning end-of-support scenarios.

Risk Class Assessment

Automatically determine the CRA risk class of your products. Kunnus identifies which products allow self-assessment and which require third-party conformity assessment.

Integrated Vulnerability Reporting

Meet reporting obligations for both CRA and NIS2 from a single platform. Kunnus consolidates vulnerability reporting to authorities and affected critical infrastructure operators.

Explore All Features

Frequently Asked Questions

Common questions about CRA compliance in this industry.

Check Your Energy Technology's CRA Readiness

Determine how well your energy and building technology products are prepared for the CRA and which risk class applies to you.

Start CRA Assessment Now

Energy & Building Technology