BACnet Insight
For smart buildings, this means that fire protection, access security, redundancies, and monitoring are now required by law – no longer just best practice.

The CER Directive will also be specified in a separate legislative procedure. It is becoming apparent that operators with physically vulnerable infrastructure – such as data centers, utility facilities, or security-critical buildings – will have to implement new organizational and technical measures.

By January 17, 2026, national strategies for the resilience of critical facilities must be in place and comprehensive risk analyses must be carried out. Critical facilities must be identified by July 17, 2026, after which strict requirements will apply to affected organizations for implementation within a maximum of 10 months.

Some EU member states have already completed national implementation or are at an advanced stage.

CRA: Security Obligations for Manufacturers of Digital Products

The Cyber Resilience Act (CRA) was adopted in December 2024 and will become binding in December 2027. The regulation defines basic security requirements for products with digital components. Manufacturers must demonstrate that IT security has been taken into account not only during development but throughout the entire life cycle of their products.

Key requirements are:
- Secure development and production (“security by design”)
- Standardized vulnerability handling
- Transparent and binding reporting processes for security vulnerabilities
- Regular updates and clear communication about security risks

For components in building automation such as BACnet gateways, control devices, or KNX routers, this means security “by design” and “by default” becomes mandatory – including transparent vulnerability communication and mandatory reporting channels in the event of security breaches.²

The BSI has published Technical Guideline TR-03183 for the implementation of the CRA. This is divided into three parts:
1. General Requirements – Overview of security-related product requirements
2. Software Bill of Materials (SBOM) – Transparency regarding the software components used
3. Vulnerability Reports and Notifications – Rules for handling incoming vulnerability reports³

RED: Cybersecurity of Wireless Components

The revised Radio Equipment Directive (RED) came into force. Together with the CRA, it creates a dual obligation: devices must be radio and electromagnetically safe, and IT protection mechanisms (e.g., encryption, access control) are also mandatory.

This affects WLAN-enabled controllers, LoRa gateways, and GSM modules, among other things.⁴

National Additions: TRBS 1115-1 & IT-Grundschutz++

In addition to the EU requirements, national regulations such as TRBS 1115-1 and the new IT-Grundschutz++ specify the security requirements in Germany.

TRBS 1115-1

The Technical Rule for Industrial Safety TRBS 1115-1 specifies the requirements of the Industrial Safety Regulation (BetrSichV) with regard to work equipment consisting of a combination of hardware and software – so-called “digital work equipment.” Building automation systems also fall into this category if they perform safety-related functions or can be maintained via the internet. TRBS 1115-1 emphasizes the operator’s responsibility for assessing the risks of such systems, taking cyber risks into account. This includes, for example, evaluating update mechanisms, remote access paths, and security functions. The rule makes it clear that cybersecurity is no longer an isolated IT issue, but an integral part of occupational safety – with direct implications for maintenance, servicing, and protective measures on site.⁵

Modernization of “IT-Grundschutz”

The “IT-Grundschutz” of the BSI is currently undergoing a fundamental revision. The new “Grundschutz++” is to be introduced in stages from January 1, 2026. A key innovation is the provision of a machine-readable set of rules that covers all requirements in a structured JSON file. This facilitates automated integration into ISMS tools and supports companies in their ongoing security assessments.

The new structure follows an object-based approach, reduces redundancies, and increases transparency. To further facilitate applicability, the security levels “basic”, “standard”, and “increased protection requirement” are being replaced by flexible performance figures in conjunction with dynamic thresholds. For small and medium-sized organizations, the BSI will provide practical entry-level assistance via the “Path to Basic Security” (WiBA) concept.

IT-Grundschutz modules INF.13 and INF.14

Two new modules have been introduced in the IT-Grundschutz Compendium 2022 that are aimed directly at operators of building automation systems. INF.13 Technical Building Management (TBM) covers the planning and operation of building services such as heating, ventilation, air conditioning, and energy supply, including security requirements and risk analyses. It addresses risks arising from unsecured remote maintenance access, missing rights concepts, or outdated protocols.⁶

INF.14 Building Automation (BACS) focuses on automation and control systems in buildings, in particular interfaces to IT networks as well as data security, availability, and integrity, and concentrates on the technical infrastructure of buildings, especially power supply, air conditioning, access security, and fire protection.⁷

Both modules provide practical requirements for network segmentation, protocol hardening, and physical asset protection. For operators, this means that both the digital and physical architecture of buildings must be actively protected and regularly checked. Manufacturers benefit if they develop and document their products directly with these modules in mind.
CRA timeline

Event / Deadline | Date | Description
Publication in the EU Official Journal | November 20, 2024 | Publication of the legal text in the European Official Journal.
Entry into force of the regulation | December 11, 2024 | CRA is formally in force and directly applicable in all Member States.
Start of the transition period | December 11, 2024 | Manufacturers, importers, and distributors have time to implement the regulation.
Obligation to report active vulnerabilities and security incidents | September 11, 2026 | Manufacturers must report security vulnerabilities and incidents to ENISA within 24 hours.
Mandatory application requirements | December 11, 2027 | All requirements apply in full: security requirements, CE marking, market surveillance, conformity assessment.
BACnet Europe Journal 43 09/25 25