EU Cyber Resilience Act (CRA)​

The EU Cyber Resilience Act (CRA) is a landmark regulation designed to strengthen cybersecurity across the European Union by setting mandatory requirements for products with digital elements (PDEs)— including hardware, software, and connected devices.

  • What is the EU Cyber Resilience Act?
  • Purpose: To ensure that all digital products sold in the EU are secure by design and remain secure throughout their lifecycle.
  • Scope: Applies to nearly all connected products, including IoT devices, embedded systems, cloud-based software, and industrial equipment.
  • Key Requirements:
    • Products must be free of known vulnerabilities at launch.
    • Manufacturers must provide security updates throughout the product’s lifecycle.
    • A Software Bill of Materials (SBOM) must be maintained and disclosed.
    • Vulnerability reporting mechanism must be in place.
    • Products must be configured securely by default.
  • Johnson Controls Product Lifecycle Information

    We believe in transparency and helping our customers plan with confidence. Here you will find lifecycle details for our product range, from launch through to end of patching. Each product includes:

    Release Date – Initial Product release date

    End of Patching – The date after which security updates and patches are no longer provided, along with guidance on upgrade or replacement product.

    CRA conformity – Certificate of conformity for the EU Cyber Resilience Act Market

    By sharing this information, we aim to help you maximize product value, ahead of transitions, and make more sustainable decisions.

  • Johnson Controls Cybersecurity

    Cyber Solutions
    Johnson Controls

  • Digital Services and Solutions
    OpenBlue
  • Controls / HVAC

    Industrial Refrigeration and Heating

    Flex Pro Gen Fisheye PTZ Bullet  Multisensor 
     Flex Pro Gen 1mb  Pro Gen 4mb Gen 2 8mb Gen 1 32mb  Short 2mb 16mb 4x camera
     Flex Gen 1mb  Pro Gen 2mb Gen 1 3mb Pro Gen 4  Long 5mb 8mb 2x camera 

    Frick
    Metasys
    Sabroe
    York
    Verasys

  • Security

    Tyco | AI
    Tyco | American Dynamics
    Tyco | CEM Systems
    Tyco | Cloudvue
    Tyco | Exacq
    Tyco | Illustra

    Flex Pro Gen Fisheye PTZ Bullet  Multisensor 
     Flex Pro Gen 1mb  Pro Gen 4mb Gen 2 8mb Gen 1 32mb  Short 2mb 16mb 4x camera
     Flex Gen 1mb  Pro Gen 2mb Gen 1 3mb Pro Gen 4  Long 5mb 8mb 2x camera 

    Tyco | Software House
  • Fire

    SafeLINC​

  • Product Lifecycle Announcement

    Product Reaching End of Patching

    Flex Pro Gen Fisheye PTZ Bullet  Multisensor 
     Flex Pro Gen 1mb  Pro Gen 4mb Gen 2 8mb Gen 1 32mb  Short 2mb 16mb 4x camera
     Flex Gen 1mb  Pro Gen 2mb Gen 1 3mb Pro Gen 4  Long 5mb 8mb 2x camera 

     

    Replacement Product Information

    Flex Pro Gen Fisheye PTZ Bullet  Multisensor 
     Flex Pro Gen 1mb  Pro Gen 4mb Gen 2 8mb Gen 1 32mb  Short 2mb 16mb 4x camera
     Flex Gen 1mb  Pro Gen 2mb Gen 1 3mb Pro Gen 4  Long 5mb 8mb 2x camera 

The CRA introduces mandatory cybersecurity requirements for products with digital elements sold within the EU. These include secure-by-design principles, vulnerability management, software transparency, and long- term support obligations. Johnson Controls is committed to meeting these standards across our portfolio of connected products and services.

  • Our Compliance Efforts Include:
  • Conducting a comprehensive audit of all applicable products
  • Integrating secure-by-default architecture into product development
  • Establishing robust vulnerability reporting and patching protocols
  • Maintaining Software Bills of Materials (SBOMs) for transparency
  • Collaborating with EU regulatory bodies and industry partners

We view the CRA not only as a regulatory requirement but as an opportunity to reinforce our commitment to cybersecurity, customer trust, and operational excellence. Our teams are working diligently to meet all CRA milestones ahead of the enforcement deadlines, with vulnerability reporting obligations beginning September 2026 and full compliance required by December 2027.

For questions or additional information, please contact our EU CRA Compliance Team at TrustCenter@jci.com.