EU Cyber Resilience Act Guide for HVAC & Climate Control Manufacturers

HVAC products within CRA scope include: connected room thermostats with WiFi or Zigbee connectivity, commercial HVAC unit controllers with BMS interfaces (BACnet, Modbus, LonWorks), refrigeration controllers with remote monitoring, air handling unit controllers with IP management, and building management system (BMS) gateways integrating HVAC systems into facility management platforms.

Residential smart thermostats with consumer WiFi connectivity and companion app control are typically Default Class — limited data processing and manageable attack surface. Commercial and industrial HVAC controllers integrated into building management networks, managing HVAC for large facilities, or connected via BACnet/IP to facility management systems are more likely to be Important Class I. Data centre cooling systems and pharmaceutical cleanroom HVAC — where temperature and humidity control has direct product quality and safety implications — may warrant Class I assessment even if the controller itself is otherwise modest.

HVAC controllers in commercial buildings are frequently connected to building management systems that share network infrastructure with IT systems — creating pathways for cyberattacks (multiple documented ransomware incidents entered building systems via HVAC VPN connections). CRA Annex I requirements address this systemic risk:

• Default credential elimination: Commercial HVAC controllers accessed via BACnet, Modbus, or web interfaces must not use factory default credentials. The Target breach (via HVAC contractor VPN access) demonstrated the consequences of poor HVAC access security.
• Encrypted management: Web-based and IP management interfaces must use HTTPS. BACnet/Secure Connect (BACnet over TLS) should replace legacy unencrypted BACnet where technically feasible.
• Authenticated firmware updates: Remote firmware updates to HVAC controllers must be cryptographically authenticated.
• Network segmentation: HVAC controllers must support isolated network configuration — not requiring connection to corporate IT networks for management.
• SBOM maintenance: Embedded RTOS and BMS communication protocol stack components must be documented in a comprehensive SBOM.

HVAC manufacturers — from large multinational climate companies to specialist controller manufacturers — largely lack formal CVD programmes. Security researchers who discover vulnerabilities in HVAC controllers (a documented research area given the Target breach publicity) find no structured disclosure channel. Article 13 mandates this change.

• Cover all IP-networked HVAC products and BMS integration hardware
• Be accessible via the corporate security.txt and product security pages
• Provide a submission channel for security researchers and building facility managers who identify anomalous HVAC behaviour suggesting compromise
• Define response timelines that account for the building operations context — HVAC vulnerabilities in critical facilities may require emergency response procedures
• Coordinate with building management system integrators who need to apply patches across facility deployments

CVD Portal enables HVAC manufacturers without dedicated security teams to establish a structured CVD programme, with intake, triage, and advisory publication workflows appropriate for organisations managing building technology products.

• Exploitation of HVAC controller vulnerabilities as a network entry point into building infrastructure
• Manipulation of temperature or environmental controls in critical facilities (data centres, pharmaceutical storage, hospitals)
• Use of HVAC management credentials to access broader BMS systems controlling fire, access control, and other building safety systems

The 24-hour ENISA notification must be triggered when exploitation is confirmed. For HVAC incidents affecting critical facility operators — hospitals, data centres, pharmaceutical manufacturers — parallel notification to the facility operator and potentially to sectoral CSIRTs is essential given the potential operational safety implications. Manufacturers should pre-establish direct notification protocols with major enterprise and critical facility customers for use in Article 14 scenarios.

Default Class residential HVAC products may self-assess under Module A. Class I commercial HVAC controllers require third-party conformity assessment. For manufacturers spanning both residential and commercial product lines, separate conformity assessment pathways apply to different product families.

1. BMS communication security (BACnet/SC, Modbus TCP authentication)
2. Web management interface security (HTTPS enforcement, authentication)
3. Firmware update authentication mechanism
4. SBOM for embedded software components
5. CVD policy operational status

Vendors with products certified under BACnet Testing Laboratories (BTL) or with BACnet/Secure Connect implementation can use BTL test reports as supporting evidence for the communication protocol security aspects of CRA assessment. The building automation sector's adoption of ASHRAE Guideline 35 (Cybersecurity for Building Automation Systems) provides an aligned framework that manufacturers should reference in their technical files.