EU Cyber Resilience Act Guide for Facilities Management & CAFM System Vendors

CAFM and IWMS software products sold to EU customers — including computerised maintenance management systems (CMMS), workplace booking platforms, IoT-connected occupancy monitoring systems, energy management software, and integrated building operations platforms — are products with digital elements under Article 3(1). Standalone CAFM software without direct connections to building control systems is likely a Default-category product subject to standard CRA requirements. However, CAFM platforms integrated with BMS (building management systems), HVAC control, access control, or energy management systems — where the CAFM platform can issue control commands or configuration changes to building systems — may qualify as Important Products Class I or Class II. The increasing convergence of CAFM and BMS functionality in integrated workplace platforms requires vendors to classify based on the highest-risk integration capability offered.

CAFM and IWMS platforms typically collect and process sensitive operational data — maintenance schedules, occupancy patterns, energy consumption, and access event records — while connecting to building systems across multiple integration interfaces. Annex I requirements include: implementing authenticated and encrypted APIs for all integrations with building systems and IoT sensors; enforcing role-based access control with separation between facilities managers, contractors, and read-only occupants; providing multi-factor authentication for administrator access to the CAFM platform; securing mobile applications used by maintenance personnel with certificate-pinning and encrypted local storage; ensuring all data at rest is encrypted particularly for sensitive occupancy and access event records; and implementing comprehensive audit logs of all maintenance actions, configuration changes, and system access. The SBOM must cover the CAFM application platform, any mobile apps, and middleware components used for building system integration.

Article 13 requires a published CVD policy with a dedicated security reporting channel. For CAFM vendors, the CVD programme must handle: security researcher reports on the platform and its APIs; reports from facilities management professionals who identify unusual system behaviour; and internal security testing findings from periodic platform security reviews. The CVD policy should specify how security advisories are communicated to enterprise customers, many of whom will have their own change management processes governing when software updates can be applied. For vulnerabilities in CAFM components integrated with building control systems, the CVD policy should address coordination with building system vendors and the potential need for coordinated disclosure where the vulnerability spans multiple integrated systems. A machine-readable security.txt file at the vendor's primary domain establishes the standard researcher discovery mechanism.

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For CAFM platform vendors, exploitation scenarios include: unauthorised access to building occupancy data enabling criminal targeting of unoccupied properties; compromise of access event records exposing sensitive information about personnel movements; and, for platforms integrated with building control, potentially unauthorised modification of HVAC or access control settings. The incident response plan must include cloud platform monitoring capable of detecting exploitation, a rapid customer notification process for active incidents, and pre-established CSIRT contact details for member states where the platform is deployed. Enterprise customers using the CAFM platform to manage NIS2-regulated facilities will have their own incident reporting obligations — vendor notifications must provide sufficient detail to support customers' regulatory responses.

Default-category CAFM software may self-declare CRA conformity. The technical file should demonstrate the platform's security architecture, API security controls, data encryption approach, and vulnerability management programme. ISO/IEC 27001 certification of the vendor's information security management system, while not a substitute for CRA conformity, provides valuable supporting evidence and is increasingly expected by enterprise facility management customers. For CAFM vendors seeking to win contracts with public sector organisations (government buildings, hospitals, universities), CRA CE marking will become a standard procurement requirement alongside NIS2 supply chain security questionnaire responses. Vendors should prepare a compliance summary document — covering CRA CE marking status, security update policy, CVD policy URL, and incident notification commitment — for inclusion in enterprise tender responses.