Page 25 - BACnet_Europe-Journal_43

BACnet Insight



For smart buildings, this means that fire protection, access security, redundancies, and monitoring are now required by law – no longer just best practice.

The CER Directive will also be specified in a separate legislative procedure. It is becoming apparent that operators with physically vulnerable infrastructure – such as data centers, utility facilities, or security-critical buildings – will have to implement new organizational and technical measures.

• By January 17, 2026, national strategies for the resilience of critical facilities must be in place and comprehensive risk analyses must be carried out.
• Critical facilities must be identified by July 17, 2026, after which strict requirements will apply to affected organizations for implementation within a maximum of 10 months.

Some EU member states have already completed national implementation or are at an advanced stage.

CRA: Security Obligations for Manufacturers of Digital Products

The Cyber Resilience Act (CRA) was adopted in December 2024 and will become binding in December 2027. The regulation defines basic security requirements for products with digital components. Manufacturers must demonstrate that IT security has been taken into account not only during development but throughout the entire life cycle of their products.

Key requirements are:
• Secure development and production (“security by design”)
• Standardized vulnerability handling
• Transparent and binding reporting processes for security vulnerabilities
• Regular updates and clear communication about security risks

For components in building automation such as BACnet gateways, control devices, or KNX routers, this means security “by design” and “by default” becomes mandatory – including transparent vulnerability communication and mandatory reporting channels in the event of security breaches. [2]

The BSI has published Technical Guideline TR-03183 for the implementation of the CRA. This is divided into three parts:
1. General Requirements – Overview of security-related product requirements
2. Software Bill of Materials (SBOM) – Transparency regarding the software components used
3. Vulnerability Reports and Notifications – Rules for handling incoming vulnerability reports [3]

RED: Cybersecurity of Wireless Components

The revised Radio Equipment Directive (RED) came into force. Together with the CRA, it creates a dual obligation:
• Devices must be radio and electromagnetically safe
• IT protection mechanisms (e.g., encryption, access control) are also mandatory

This affects WLAN-enabled controllers, LoRa gateways, and GSM modules, among other things. [4]

National Additions: TRBS 1115-1 & IT-Grundschutz++

In addition to the EU requirements, national regulations such as TRBS 1115-1 and the new IT-Grundschutz++ specify the security requirements in Germany.

TRBS 1115-1

The Technical Rule for Industrial Safety TRBS 1115-1 specifies the requirements of the Industrial Safety Regulation (BetrSichV) with regard to work equipment consisting of a combination of hardware and software – so-called “digital work equipment.” Building automation systems also fall into this category if they perform safety-related functions or can be maintained via the internet. TRBS 1115-1 emphasizes the operator’s responsibility for assessing the risks of such systems, taking cyber risks into account. This includes, for example, evaluating update mechanisms, remote access paths, and security functions. The rule makes it clear that cybersecurity is no longer an isolated IT issue, but an integral part of occupational safety – with direct implications for maintenance, servicing, and protective measures on site. [5]

Modernization of “IT-Grundschutz”

The “IT-Grundschutz” of the BSI is currently undergoing a fundamental revision. The new “Grundschutz++” is to be introduced in stages from January 1, 2026. A key innovation is the provision of a machine-readable set of rules that covers all requirements in a structured JSON file. This facilitates automated integration into ISMS tools and supports companies in their ongoing security assessments.

The new structure follows an object-based approach, reduces redundancies, and increases transparency. To further facilitate applicability, the security levels “basic”, “standard”, and “increased protection requirement” are being replaced by flexible performance figures in conjunction with dynamic thresholds. For small and medium-sized organizations, the BSI will provide practical entry-level assistance via the “Path to Basic Security” (WiBA) concept.

IT-Grundschutz modules INF.13 and INF.14

Two new modules have been introduced in the IT-Grundschutz Compendium 2022 that are aimed directly at operators of building automation systems.
• INF.13 Technical Building Management (TBM) covers the planning and operation of building services such as heating, ventilation, air conditioning, and energy supply, including security requirements and risk analyses. It addresses risks arising from unsecured remote maintenance access, missing rights concepts, or outdated protocols. [6]
• INF.14 Building Automation (BACS) focuses on automation and control systems in buildings, in particular interfaces to IT networks as well as data security, availability, and integrity, and concentrates on the technical infrastructure of buildings, especially power supply, air conditioning, access security, and fire protection. [7]

Both modules provide practical requirements for network segmentation, protocol hardening, and physical asset protection. For operators, this means that both the digital and physical architecture of buildings must be actively protected and regularly checked. Manufacturers benefit if they develop and document their products directly with these modules in mind.




CRA timeline

Event / Deadline | Date | Description
Publication in the EU Official Journal | November 20, 2024 | Publication of the legal text in the European Official Journal.
Entry into force of the regulation | December 11, 2024 | CRA is formally in force and directly applicable in all Member States.
Start of the transition period | December 11, 2024 | Manufacturers, importers, and distributors have time to implement the regulation.
Obligation to report actively exploited vulnerabilities and security incidents | September 11, 2026 | Manufacturers must report security vulnerabilities and incidents to ENISA within 24 hours.
Mandatory application of requirements | December 11, 2027 | All requirements apply in full: security requirements, CE marking, market surveillance, conformity assessment.



                                                                                     BACnet Europe Journal 43 09/25 25