CRA Compliance Checklist: Energy Management Systems
Annex III Class II — energy management systems for grid-connected or industrial energy infrastructure are critical systems requiring third-party conformity assessment
Energy management systems (EMS) — including building energy management, industrial energy optimisation, and grid-connected demand response systems — are classified as critical products under the CRA. Those connected to energy infrastructure or capable of controlling significant energy loads fall under Annex III Class II, mandating third-party conformity assessment. Manufacturers must also address the intersection with the NIS2 Directive for operators in the energy sector.
1. Scope & Classification
Determine whether your EMS controls or monitors energy infrastructure — if so, apply Annex III Class II requirements
EMS products that control industrial energy consumption, interface with smart meters, or participate in grid demand response are critical infrastructure components and require third-party assessment.
Engage a Notified Body for Type Examination for all Class II EMS products before market placement
Class II products cannot self-certify. Select a Notified Body with industrial cybersecurity expertise. Early engagement is essential given 6–12 month assessment lead times.
Assess intersection with NIS2 Directive obligations for customers in the energy sector
Energy sector operators are NIS2 essential entities. Your EMS must support their NIS2 security requirements. Align your product security architecture with IEC 62443 industrial cybersecurity standards.
Compile a full SBOM including EMS software, communication protocols (Modbus, DNP3, IEC 61850), and cloud platform components
EMS software stacks include industrial communication protocols with known vulnerabilities. Every component must be tracked and monitored for CVEs.
2. Product Security (Annex I Part I)
Implement strong authentication for all EMS interfaces — operator consoles, web portals, and API access
Weak authentication on EMS interfaces has led to major industrial incidents. MFA is required for all remote access. Local console access must also require authentication.
Encrypt all industrial communications including historian data, SCADA telemetry, and remote management traffic
Legacy industrial protocols (Modbus, DNP3) often lack native encryption. Use encrypted transport layers (TLS tunnels, VPN) for all EMS communications over untrusted networks.
Implement input validation and rate limiting on all EMS APIs to prevent injection and denial-of-service attacks
EMS APIs that accept energy consumption data or control commands must validate all inputs. A DoS attack on an EMS can disrupt industrial production.
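As an added illustration of the validation this item calls for (example code written for this checklist, not from any EMS vendor or the CVD Portal project), the Go function below screens inbound Modbus/TCP frames at an EMS gateway: it rejects malformed MBAP headers, permits only an allowlisted set of function codes, and confines single-register writes to a bounded setpoint block with a maximum value. The function codes, register range and limit are assumed policy values.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Modbus/TCP: 7-byte MBAP header (txn id, protocol id, length, unit id) then a PDU.
const mbapLen = 7

// Assumed EMS policy for inbound control traffic (example values, not from
// any real site): only read holding registers (0x03) and write single
// register (0x06), with writes confined to a bounded setpoint block.
var allowedFuncs = map[byte]bool{0x03: true, 0x06: true}

const setpointLo, setpointHi, maxSetpoint = 0x0100, 0x010F, 5000

var (
	ErrFrame    = errors.New("malformed MBAP header or inconsistent length")
	ErrFunction = errors.New("function code not permitted on this interface")
	ErrRegister = errors.New("register outside writable setpoint block")
	ErrValue    = errors.New("setpoint exceeds configured limit")
)

// ValidateFrame checks one Modbus/TCP frame for structural defects and for
// commands outside the policy; a gateway forwards only frames that pass.
func ValidateFrame(f []byte) error {
	// The MBAP length field counts unit id + PDU, so it must equal len(f)-6.
	if len(f) < mbapLen+1 || binary.BigEndian.Uint16(f[2:4]) != 0 ||
		int(binary.BigEndian.Uint16(f[4:6])) != len(f)-6 {
		return ErrFrame
	}
	fc := f[mbapLen]
	if !allowedFuncs[fc] {
		return ErrFunction
	}
	if fc == 0x06 { // write single register: addr(2) + value(2)
		if len(f) != mbapLen+5 {
			return ErrFrame
		}
		addr := binary.BigEndian.Uint16(f[8:10])
		if addr < setpointLo || addr > setpointHi {
			return ErrRegister
		}
		if binary.BigEndian.Uint16(f[10:12]) > maxSetpoint {
			return ErrValue
		}
	}
	return nil
}
```

Rate limiting is a separate control applied per source before this check; the validator itself never executes a command.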
Provide network segmentation capabilities to isolate EMS from corporate IT networks
EMS should operate in a dedicated OT network segment, not bridged to corporate IT. Provide clear deployment guidance and network architecture recommendations.
3. CVD Policy & Vulnerability Handling
Publish a CVD policy with a dedicated OT security contact and defined response timelines
Industrial EMS vulnerabilities can have broad impact across multiple customer sites. A responsive CVD process with OT security expertise is essential.
Provide a secure patch delivery mechanism supporting industrial maintenance windows and offline update capability
Industrial sites may not have reliable internet connectivity or the ability to apply patches immediately. Support cryptographically verified offline patch delivery.
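One way to implement the cryptographically verified offline delivery this item describes, as an added example (written for this checklist, not the page's or any vendor's code): an Ed25519-signed manifest binds the bundle version and the payload digest, and the device verifies it against a pinned public key, applies an anti-rollback check, then checks the payload digest. The manifest layout and the vendor-side MakeBundle helper are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Manifest describes one offline patch bundle (layout is an assumption for
// this example, not any vendor's real format). The device pins only the
// vendor's public key; the private key never leaves the vendor.
type Manifest struct {
	Version uint32   `json:"version"` // monotonically increasing build number
	SHA256  [32]byte `json:"sha256"`  // digest of the payload file
}

var (
	ErrSignature = errors.New("manifest signature invalid for pinned key")
	ErrRollback  = errors.New("bundle version not newer than installed")
	ErrDigest    = errors.New("payload digest does not match manifest")
)

// VerifyBundle checks a bundle carried in on removable media: signature
// first (nothing unsigned is parsed), then anti-rollback, then payload digest.
func VerifyBundle(pub ed25519.PublicKey, manifest, sig, payload []byte,
	installed uint32) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, ErrSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return nil, ErrDigest
	}
	return &m, nil
}

// MakeBundle is the vendor-side counterpart, included so the example is
// self-contained and testable offline.
func MakeBundle(priv ed25519.PrivateKey, version uint32, payload []byte) (manifest, sig []byte) {
	manifest, _ = json.Marshal(Manifest{Version: version, SHA256: sha256.Sum256(payload)})
	return manifest, ed25519.Sign(priv, manifest)
}
```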
Define a minimum 10-year security support period for industrial EMS products reflecting typical asset lifecycles
Industrial energy systems have 15–25 year asset lifecycles. A 10-year minimum security support commitment is appropriate; clearly publish per-product support end dates.
4. Article 14 Incident Reporting
Define Article 14 triggers for EMS incidents — focus on energy supply disruption, safety system impact, and data exfiltration from grid infrastructure
An actively exploited vulnerability in an EMS controlling grid-connected loads is a high-severity Article 14 trigger. Pre-define criteria to enable fast decisions.
Coordinate Article 14 ENISA reporting with customer NIS2 incident reporting obligations — incidents may require parallel notifications
An incident affecting an energy sector EMS customer may simultaneously trigger your Article 14 obligations and the customer's NIS2 reporting duties. Pre-agree coordination procedures with major customers.
5. CE Marking & Conformity Assessment
Complete Notified Body Type Examination and obtain certificate before CE marking and market placement
For Class II EMS products, CE marking is only lawful after Notified Body assessment. Do not place products on the EU market without the certificate.
Prepare technical file aligned with IEC 62443 security levels to demonstrate comprehensive industrial cybersecurity
IEC 62443 is the de facto standard for industrial cybersecurity. Aligning your CRA technical file with IEC 62443 Security Level 2 demonstrates systematic compliance.
Issue EU Declaration of Conformity and affix CE marking — ensure DoC references the CRA
DoC must reference the CRA alongside any other applicable legislation (e.g. Low Voltage Directive, EMC Directive).
Frequently asked questions
Is a building energy management system (BEMS) for a single office building the same classification as a grid-connected EMS?
Not necessarily. A BEMS managing a single commercial building's HVAC and lighting without grid connectivity is more likely Default or Class I. An EMS that connects to smart grid infrastructure, participates in demand response programmes, or controls significant grid-connected loads is more likely Annex III Class II. The key factor is the potential for widespread impact through the energy infrastructure.
Does the CRA require us to support legacy industrial protocols like Modbus?
The CRA does not mandate or prohibit specific protocols. It requires that your product meet the Annex I security requirements, including encrypted communications. If your EMS must support legacy protocols like Modbus that lack native encryption, you must implement compensating controls — such as encrypted transport tunnels, network isolation, and access controls — and document these in your risk assessment.
Our EMS vendor supplies the software and we integrate it into our hardware platform — who holds the CRA obligations?
The entity that places the integrated product on the market is the manufacturer for CRA purposes and holds primary obligations. If you integrate third-party EMS software into your hardware platform and sell it as a product, you must ensure the combined system complies. You should obtain CRA compliance commitments and SBOM data from your software vendor and incorporate them into your technical documentation.