Trust Center
EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (CRA) is a landmark regulation designed to strengthen cybersecurity across the European Union by setting mandatory requirements for products with digital elements (PDEs), including hardware, software, and connected devices.
What is the EU Cyber Resilience Act?
- Purpose: To ensure that all digital products sold in the EU are secure by design and remain secure throughout their lifecycle.
- Scope: Applies to nearly all connected products, including IoT devices, embedded systems, cloud-based software, and industrial equipment.
- Key Requirements:
  - Products must be free of known vulnerabilities at launch.
  - Manufacturers must provide security updates throughout the product’s lifecycle.
  - A Software Bill of Materials (SBOM) must be maintained and disclosed.
  - A vulnerability reporting mechanism must be in place.
  - Products must be configured securely by default.
Johnson Controls Product Lifecycle Information
We believe in transparency and helping our customers plan with confidence. Here you will find lifecycle details for our product range, from launch through to end of patching. Each product includes:
- Release Date – Initial product release date.
- End of Patching – The date after which security updates and patches are no longer provided, along with guidance on an upgrade or replacement product.
- CRA conformity – Certificate of conformity for the EU Cyber Resilience Act Market

By sharing this information, we aim to help you maximize product value, plan ahead of transitions, and make more sustainable decisions.
Johnson Controls Cybersecurity
Cyber Solutions
Johnson Controls
Digital Services and Solutions
OpenBlue
Controls / HVAC
Industrial Refrigeration and Heating
Frick
Metasys
Sabroe
York
Verasys
Security
Tyco | AI
Tyco | American Dynamics
Tyco | CEM Systems
Tyco | Cloudvue
Tyco | Exacq
Tyco | Illustra
Tyco | Software House
Fire
SafeLINC
Product Lifecycle Announcement
Product Reaching End of Patching
Replacement Product Information
The CRA introduces mandatory cybersecurity requirements for products with digital elements sold within the EU. These include secure-by-design principles, vulnerability management, software transparency, and long-term support obligations. Johnson Controls is committed to meeting these standards across our portfolio of connected products and services.

Our Compliance Efforts Include:
- Conducting a comprehensive audit of all applicable products
- Integrating secure-by-default architecture into product development
- Establishing robust vulnerability reporting and patching protocols
- Maintaining Software Bills of Materials (SBOMs) for transparency
- Collaborating with EU regulatory bodies and industry partners

We view the CRA not only as a regulatory requirement but as an opportunity to reinforce our commitment to cybersecurity, customer trust, and operational excellence. Our teams are working diligently to meet all CRA milestones ahead of the enforcement deadlines, with vulnerability reporting obligations beginning September 2026 and full compliance required by December 2027.
For questions or additional information, please contact our EU CRA Compliance Team at TrustCenter@jci.com.