
EU actions on cybersecurity in the context of the HVAC/R sector


Have you ever stopped to think about what could happen if a cyberattack targeted an HVAC/R system? These technologies are often the “silent workers” behind our comfort and safety, responsible for preserving products and maintaining healthy environments. As a result, vulnerabilities can lead to consequences that go far beyond compromised data. A successful cyberattack can disrupt essential services and compromise the security and reliability of HVAC/R systems, potentially affecting building operations, occupant comfort, and even critical infrastructure. This is why cybersecurity across all sectors, including ours, is becoming a strategic priority for the European Commission (EC).

The focus on cybersecurity in the European Union (EU) began in the early 21st century, as the internet became an important part of the economy and society. In 2000, the EC published a key communication that underlined the need to protect digital infrastructure and combat cybercrime.¹ However, it was only in 2007 that cybersecurity was widely recognized as a critical issue across the EU. This followed a wave of coordinated cyberattacks on Estonia, which disrupted government and financial services,² marking a turning point and prompting more comprehensive action at the European level.

Since then, the EC has developed a series of initiatives and regulations that make one thing clear: cybersecurity is a shared responsibility. This includes all of us who work with HVAC/R technologies, which are becoming increasingly connected, intelligent, and essential to critical infrastructure. Let's take a closer look at the key EU actions that are shaping this evolving reality.


Laying the groundwork: ENISA and defining the strategy

In 2004, the EC created ENISA³, its first agency dedicated to cybersecurity. ENISA's role is to achieve a common high level of cybersecurity across Europe, contributing to EU cybersecurity policy, strengthening the reliability of ICT products, services and processes through cybersecurity certification schemes, cooperating with Member States and EU bodies, and helping to prepare Europe for future challenges. ENISA regularly publishes guidelines for the protection of Internet of Things (IoT) systems⁴, which apply directly to HVAC/R equipment using smart sensors, remote controls or cloud connectivity.

The first EU Cybersecurity Strategy⁵ was adopted in 2013. It emphasized protecting networks and information systems across the EU, supporting the fight against cybercrime, and developing industrial capabilities. The strategy was updated in 2020 to reflect the increasing complexity of cyber threats. This updated version, called the “EU Cybersecurity Strategy for the Digital Decade”, focused on protecting digital infrastructure, building resilience across the EU, and promoting international cooperation. This strategy clearly applies to the HVAC/R sector through its focus on connected devices, critical infrastructure, and supply chain security.


How has the EU regulated cybersecurity in recent years?

In recent years, the EC has been particularly active in introducing cybersecurity regulations, many of which directly affect operators and connected HVAC/R products.

First, as part of the EU Cybersecurity Strategy, the Cybersecurity Act was adopted in 2019⁶. This marked one of the first important steps towards a coordinated European response to cyber threats. In particular, this law significantly strengthened the role of ENISA, granting it a permanent mandate and expanding its responsibilities regarding operational cooperation and crisis management among Member States. It also increased ENISA's financial and human resources, enabling the agency to better support cybersecurity efforts across the EU. Interestingly, the acronym ENISA originally stood for “European Network and Information Security Agency”, a name replaced in 2019 by “European Union Agency for Cybersecurity” to reflect the agency's broader role.

In 2016, the Network and Information Systems Security Directive (NIS Directive) was published, requiring operators of essential services to take appropriate security measures. Essential services included energy, transport, health, and digital infrastructure. This directive was updated in 2022 with the publication of NIS2⁷, which expanded the scope and requirements of the original directive. Specifically, the new rule also applies to public electronic communications providers, more digital services, waste and wastewater management, critical product manufacturing, postal and express courier services, public administration at central and regional levels, as well as the space sector. The requirements include policies for supply chain security, vulnerability management, and cybersecurity education and awareness programs. In terms of deadlines, NIS2 stipulated that each Member State should adopt a national cybersecurity strategy by October 2024.

Under NIS1, HVAC/R was not explicitly covered, except when it was part of a critical service (e.g., a cooling system in a hospital or data center). In these cases, the responsibility lay with the operator (and not necessarily the HVAC/R supplier). However, HVAC/R manufacturers or service providers may be covered by NIS2 if their products are used in critical infrastructure, provide remote monitoring, IoT connectivity, or HVAC/R-related software, and are medium-sized or large companies (generally 50+ employees or more than €10M in turnover) in a relevant supply chain.

The Cyber Resilience Act (CRA)⁸ came into force on 10 December 2024 and is the first European regulation to impose cybersecurity requirements on all products with digital elements placed on the EU market. It establishes common standards for products with digital elements, including hardware and software. These products must meet specific cybersecurity requirements throughout their entire lifecycle, including automatic security updates and incident reporting. The law also introduces a duty of care for manufacturers, ensuring that products are secure by design and by default. The CRA applies from 11 December 2027 (except for conformity assessment bodies, which must comply by 11 June 2026, and manufacturers' reporting obligations, which become mandatory on 11 September 2026).

According to the CRA, HVAC/R companies that produce smart equipment will need to integrate cybersecurity into product design, development, and lifecycle management. For example, they will need to ensure that firmware is secure, regularly updated, and protected against known threats. They will also need to report vulnerabilities, provide adequate user guidance, and demonstrate compliance in order to place the product on the EU market.

The Radio Equipment Directive Delegated Act (RED DA)⁹, adopted in 2021, is another important part of the European cybersecurity framework. It builds on the Radio Equipment Directive (RED), adding safety, health and electromagnetic compatibility requirements for devices that use radio frequencies and can connect to the internet. This act is relevant to wireless and connected products, and may include some HVAC/R devices that use wireless communication (such as Wi-Fi, Bluetooth or mobile networks). The RED DA will be applicable from August 2025.

RED DA also directly impacts the HVAC/R sector, particularly in products with wireless communication capabilities, such as Wi-Fi enabled smart thermostats, Bluetooth-connected HVAC control panels, cooling units that send data via mobile network to a cloud platform, or wireless temperature/humidity sensors.


Summary and conclusion

In summary, the EU Cybersecurity Strategy (2013) sets out the overall vision for building a resilient digital Europe, while the Cybersecurity Act (2019) puts this vision into practice by strengthening ENISA and creating a certification framework to ensure product security. Simultaneously, there are regulations such as the Radio Equipment Directive Delegated Act (2021), which addresses cybersecurity in wireless and radio equipment, the NIS/NIS2 Directive (2016/2022), which imposes cybersecurity measures for critical infrastructure operators, and the Cyber Resilience Act (2024), which establishes security requirements for digital products. All these elements work together to protect connected systems, including those in the HVAC/R sector.

Complying with cybersecurity policies is not just another challenge for our industry, but a critical priority. In an increasingly connected world, protecting our systems is no longer optional. It is a shared responsibility to ensure their security and reliability.