How EU data and digital regulations are reshaping the building services industry

The message is clear: all stakeholders must be proactive in addressing regulations that introduce new responsibilities while also providing unforeseen opportunities for innovative business models.
Spearheading building services research
As buildings become more intelligent and connected, the way data is used and governed becomes critical. At the same time, the industry enters a new era of regulation that requires careful interpretation. Three researchers, Matias Vapola, Jani Mannonen, and Osku Torro, are trying to do precisely that.
The trio presented the preliminary results of their respective research at a workshop in April 2025. Their work is linked to one of Talotekniikka 2030’s four research topics, “The Impact of Digital Regulations and Cybersecurity Requirements on Data Governance and the Development of Digital Solutions in the Building Services Sector.”
Talotekniikka 2030 is an industry consortium comprising Aalto and Tampere universities, as well as 14 business partners that fund and spearhead research projects in the building services sector.
Cybersecurity & compliance: The big three
Matias Vapola discussed three EU regulations that have direct relevance to MEP: CRA, RED, and NIS 2.
The Cyber Resilience Act (CRA) is the most relevant to the building services sector. Its purpose is to set horizontal cybersecurity requirements for all products with digital elements. It applies to smart building technologies, BMS software, and MEP control systems, as well as any connected hardware and software, which must be CE-marked and cyber-secure by design.
The Radio Equipment Directive’s (RED) supplementary Delegated Act introduces new cybersecurity requirements by activating sections 3.3(d), (e), and (f) of the directive for specific radio equipment, notably internet-connected devices. These requirements build upon the directive's traditional focus on radio spectrum use, mandating that new radio devices incorporate robust security measures, protect user data, and demonstrate compliance through CE marking. Manufacturers, importers, and distributors of IoT devices, including MEP firms, must ensure adherence to these expanded cybersecurity requirements.
The Network and Information Security Directive 2 (NIS 2), among other requirements, enhances cybersecurity resilience by setting supply chain cybersecurity obligations on entities classified as essential and important, including hospitals, data centers, critical manufacturers, and digital infrastructure providers. These entities, significant consumers of MEP products and services, will impose stringent cybersecurity requirements and auditing processes on their suppliers. Additionally, MEP firms providing SaaS solutions must determine whether their services, defined as on-demand, scalable, and network-accessible, fall directly under NIS 2.
Fortunately, adherence to existing cybersecurity standards, such as ISO 27001 and the IEC 62443 series, provides many companies with a foundational advantage, easing their transition toward compliance.

Data access, sharing, and control
Jani Mannonen presented five key regulations regarding digitalization and data but emphasized that not all of them are equally critical in the MEP sector.
The Data Act (DA) applies to IoT device manufacturers, cloud service providers, and platform operators. These include building management system (BMS) vendors, HVAC control system providers, and facility management platforms. It grants users, authorized third parties, and the public sector (under specific circumstances) the right to access and share data generated by connected devices, such as building automation systems.
The DA also prevents companies from setting unreasonable conditions for accessing the data. Mannonen sees the DA as the most impactful of the five regulations for the industry.
The Artificial Intelligence Act (AIA) will undoubtedly become an essential regulation as AI adoption increases in building automation, predictive maintenance, and optimization. The act classifies AI systems into four risk levels: prohibited, high, limited, and minimal. No current MEP-related systems can be identified as “high-risk.”
The Data Governance Act (DGA) aims to enhance the reusability of protected public sector data and promote data sharing for the public good. It applies to public sector bodies and data intermediation service providers. The other two, the Digital Markets Act (DMA) and the Digital Services Act (DSA), also have a minimal impact on building services.
Data governance
Osku Torro provided an overview of an ambitious body of research that he and Mika Lehtimäki have undertaken. The key concept is that data and AI serve as enablers for systemic change in the construction industry. Data can become a critical resource, and Artificial Intelligence is a tool for utilizing it systematically.
Torro emphasized the need for a shared data governance framework, as defined by the DAMA-DMBOK, which involves exercising authority, control, and shared decision-making over data assets.
Finland has already implemented a significant amount of centralized data governance, including standardization within the RAVA3Pro project for digital building permits. The EU’s product passports serve as another example of a unifying force. Companies must also master their internal data governance to turn data into a business asset.
Business model invention with data and AI
Over the years, BIM has been at the forefront of building data management. However, BIM models are not the ideal place for storing product data. Torro suggested that the supply chain could make better use of BIM as knowledge graphs instead of 3D models. This shift in thinking enables the more effective use of databases and other connected data throughout the supply chain, as well as the digital twin of a building.
When standardized data becomes readily available, new business opportunities arise. Torro discussed a future where MEP companies leverage and enrich data, aided by AI agents, in new business models. He envisioned three fundamental models: process automation, data-centric services and products, and intelligent interfaces with data. The core idea is to transform data into a strategic business asset, enabling new service models, automation, and competitive differentiation.
The rapid development and deployment of AI tools and technologies, including AI agents and protocols, foster the creation of globally competitive products. Still, regulation can hinder or slow down this development in the EU. Torro acknowledged that a more relaxed interpretation of the GDPR, for example, would be advisable.
The data-driven future of the building services sector
In the discussion that followed the three presentations, it became clear that many questions remain unanswered regarding the upcoming regulation, its implementation, and interpretation.
However, when the results of the three research projects become available, we’ll have a clearer understanding of how EU regulation will influence digital practices, risk management, and innovation strategies in the MEP sector.
Building services play a vital role in delivering smarter, more sustainable built environments. MEP firms that lead on compliance and innovation won’t just keep pace; they’ll help define the future of intelligent buildings.