Following recent discussions and inquiries regarding the EU’s Cyber Resilience Act (CRA) and the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, we have conducted an initial assessment of the implications for the OpenTherm Protocol. Below is a summary of our findings and our current position.
Background and Inquiry
Both the CRA and the PSTI Act introduce mandatory cybersecurity requirements for connected products, particularly those with interfaces that can expose them to external threats, including the internet. A key concern raised by manufacturers is whether the OpenTherm communication protocol – a wired, point-to-point protocol used between devices such as heat pumps, boilers, HEMS and thermostats – would require adjustments to meet these new requirements, including the introduction of encryption.
Key Points of Consideration
- The OpenTherm protocol is a low-level, two-wire communication standard used within the dwelling and is generally not exposed to external networks.
- Cybersecurity standards such as ETSI EN 303 645, often cited as a reference for IoT security, focus primarily on interfaces exposed to external networks (e.g., internet, Wi-Fi, Bluetooth).
- The CRA aims to ensure security across the lifecycle of digital products, while the PSTI Act emphasizes data protection and secure interfaces. The wording of PSTI does not exclude wired interfaces, but it appears oriented toward interfaces vulnerable to external access.
- OpenTherm messages, while unencrypted, occur within a contained environment (dwelling) and require physical access to the bus, reducing practical risk.
Current Assessment and Position
At this time, based on our technical understanding and legal interpretations:
- Encryption of the OpenTherm physical interface (wired bus) is not required under the CRA or PSTI, provided the interface is contained within the dwelling and not exposed to external networks.
- However, if OpenTherm data is routed or bridged to external interfaces (e.g., via internet-connected thermostats, smart home hubs, or gateways), then security provisions such as encryption and authentication should be applied at that external interface.
- No immediate changes to the OpenTherm protocol specification are necessary solely for compliance with CRA or PSTI.
- Further discussion could be initiated within the Technical Committee regarding potential security enhancements or optional extensions for scenarios where OpenTherm data is bridged externally (e.g., via wireless protocols or gateways).
Proposed Actions
- Maintain current OpenTherm protocol specifications with the existing approach for wired communication within the dwelling.
- Add a discussion item to the next TC meeting agenda to review the potential impact of future interpretations of CRA/PSTI and explore optional security guidelines for externally bridged systems.
- Your input is crucial for this discussion. Without feedback or contributions from members, we will be unable to include this topic on the agenda.
- Monitor developments in EU and UK interpretations of cybersecurity acts and adjust recommendations as necessary.
Huite Jan Hak
Chairman of the Technical Committee