    EU Cyber Resilience Act (CRA)

    The European Union's Cyber Resilience Act (Regulation (EU) 2024/2847) introduces mandatory cybersecurity requirements for virtually all products with digital elements sold in the EU market, with full enforcement beginning December 11, 2027.

    Honeywell is committed to ensuring that our products and those of our suppliers meet the requirements of the CRA.

    This page outlines what the CRA requires and what Honeywell needs from you as a supplier.

    What Is the Cyber Resilience Act?

    The Cyber Resilience Act is the EU's first horizontal regulation establishing uniform cybersecurity requirements for hardware and software products placed on the European market. It aims to improve cybersecurity across the EU by imposing mandatory requirements on “products with digital elements”.

    The CRA's reach is global. The regulation focuses not on where a product is manufactured but on whether it is made available on the EU market. Any manufacturer wishing to sell a product in the EU must comply, regardless of where it is headquartered or where production occurs.

    Timeline

    The CRA entered into force on December 10, 2024, and obligations come into effect in phases.

    • September 11, 2026: Vulnerability and incident reporting obligations begin. Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and their designated national CSIRT via ENISA's Single Reporting Platform.
    • December 11, 2027: Full application of all remaining requirements, including essential cybersecurity requirements, conformity assessment, CE marking, and technical documentation obligations.

    Products placed on the market before December 11, 2027, become subject to the CRA's full requirements only if they undergo a substantial modification after that date, though reporting obligations apply regardless.

    Supplier Obligations Under the CRA

    If your products fall within the CRA's scope and are destined for placement on the EU market by Honeywell, you are responsible for the following:

    1. Secure by Design

    Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on a documented risk assessment.

    • No known exploitable vulnerabilities at the time of market placement
    • Secure-by-default configuration, with the ability for users to reset the product to its original state
    • Protection against unauthorized access through appropriate authentication and access control mechanisms
    • Confidentiality of stored and transmitted data, including encryption where appropriate
    • Integrity of data, commands, programs, and configuration against unauthorized manipulation
    • Data minimization, collecting and processing only data necessary for the product's intended purpose
    • Protection of availability, including resilience against denial-of-service attacks
    • Minimization of attack surfaces, including limitation of external interfaces to those necessary for the product's function
    • Security logging and monitoring capabilities
    • Ability to securely and permanently delete user data
    • Provision of security updates, including automatic updates enabled by default where applicable

    Manufacturers must conduct a cybersecurity risk assessment that informs the implementation of these requirements across the product's planning, design, development, production, delivery, and maintenance phases.

    2. Vulnerability Handling and Disclosure

    Manufacturers must define a support period at the time of purchase. During the support period, the manufacturer must maintain SBOMs, identify vulnerabilities, and release patches free of charge.

    • Identify and document vulnerabilities and product components, including by generating a Software Bill of Materials (SBOM) in a commonly used, machine-readable format
    • Address and remediate vulnerabilities without delay, including by providing security updates free of charge
    • Apply effective and regular security testing and reviews
    • Publicly disclose information about fixed vulnerabilities
    • Establish and enforce a coordinated vulnerability disclosure policy
    • Provide a publicly accessible contact address for vulnerability reporting
    • Distribute security updates securely, accompanied by advisory messages

    3. Documentation and Technical Files

    Manufacturers must prepare technical documentation before placing a product on the market and retain it for 10 years after placement on the market or for the duration of the support period, whichever is longer.

    4. Conformity Assessment and CE Marking

    Manufacturers must supply an EU Declaration of Conformity (per Annex V of the CRA) and affix the CE marking to the product. From December 11, 2027, products without a CE marking demonstrating CRA conformity cannot be legally placed on the EU market.

    Honeywell's Requirements for Suppliers

    To maintain the integrity and compliance of products Honeywell places on the EU market, we are taking steps to ensure that our suppliers are on track to meet the requirements of the CRA.

    • CRA Compliance Attestation: A written declaration confirming that your products meet the essential cybersecurity requirements of Annex I, accompanied by a copy of your EU Declaration of Conformity and evidence of CE marking, or (before December 2027) a documented plan and timeline for achieving compliance.
    • Technical Documentation Access: Provision of relevant technical documentation, including cybersecurity risk assessments, security architecture descriptions, and test reports, sufficient for Honeywell to conduct due diligence on components integrated into its products.
    • Software Bill of Materials (SBOM): A machine-readable SBOM for each product or component supplied to Honeywell, covering at minimum all top-level dependencies and known vulnerabilities at the time of delivery.
    • Vulnerability Management Process Documentation: Evidence of an established vulnerability handling process, including your coordinated vulnerability disclosure policy, a designated contact point for vulnerability reports, and your defined support period (end-of-support date) for each product.
    • Incident Notification Commitment: Agreement to notify Honeywell promptly (and in no case later than 24 hours after becoming aware) of any actively exploited vulnerability or severe security incident affecting products or components supplied to Honeywell, in addition to any mandatory reporting to ENISA and national CSIRTs.
    • Ongoing Compliance Updates: Commitment to provide Honeywell with updates as the CRA's harmonised standards and implementing measures are finalized, including any changes to your product classifications or conformity assessment status.

    Expect to receive communications from your Honeywell sourcing specialist to provide this information.

    Timeline

    Honeywell expects suppliers to progress toward full CRA readiness on the following schedule:

    • By September 11, 2026: Have vulnerability and incident reporting processes operational, including registration on the ENISA Single Reporting Platform, to meet the Article 14 reporting obligations that take effect on that date.
    • By Q4 2026: Provide Honeywell with CRA compliance attestations (or detailed compliance roadmaps) for all products and components supplied for integration into Honeywell products destined for the EU market.
    • By December 11, 2027: Achieve full CRA compliance, including completed conformity assessments, CE marking, EU Declarations of Conformity, and all required technical documentation.

    Resources

    Official CRA Legislation and EU Guidance

    Standards and Frameworks

    Key Standards for Existing Compliance Alignment

    If your organization already follows any of the frameworks below, you have a meaningful head start on CRA compliance. The ENISA standards mapping study identifies the following as having the strongest alignment with CRA requirements:

    • ETSI EN 303 645 (Cyber Security for Consumer IoT): Broadest coverage of Annex I, Part I product security requirements
    • IEC 62443 series (Industrial Automation and Control Systems Security): Strong coverage for industrial control systems and operational technology
    • ISO/IEC 27002 (Information Security Controls): Covers information security controls across multiple CRA requirements
    • ISO/IEC 30111 and ISO/IEC 29147 (Vulnerability Handling and Disclosure): Directly relevant to Annex I, Part II vulnerability handling obligations

    Note that conformance with these existing standards supports but does not replace CRA-specific conformity assessment. The first CRA harmonised standards are expected from CEN/CENELEC and ETSI by Q3 2026. Products conforming to cited harmonised standards will benefit from a presumption of conformity with the CRA's essential requirements.

    Contact

    For general inquiries about Honeywell's cybersecurity requirements for suppliers, contact your Honeywell procurement representative. We encourage suppliers to begin their CRA readiness assessments now and to reach out with questions early in the process.