BMS vendor lock-in happens when an owner can't get anyone but the original installer to service their building automation system — usually because passwords, licences, strategy files or a proprietary protocol were never handed over. BACnet (ANSI/ASHRAE 135) is the open baseline that should prevent this, but an open protocol on the datasheet doesn't stop a contractor keeping the keys.
It happens at the worst possible time: the service contract's up for renewal, the FM team sends the spec out to three firms for competitive quotes, and two of them come back within a week saying they can't touch it. Not won't. Can't. The controllers are fine, the wiring's fine, but nobody outside the original installer holds the engineering password, nobody has the strategy files, and nobody knows which flavour of "open" protocol was actually configured on site. The incumbent's renewal quote lands well above last year's and there's no real alternative, because there's no real competition. The building owner, who assumed they owned their own control system, finds out they own the cabinet and not much else.
This isn't rare and it isn't usually malicious. It's what happens when nobody wrote "hand over the passwords" into the spec, and nobody chased it at practical completion. By the time anyone notices, the engineer who did the original programming has moved to a different firm, the documentation folder has one commissioning certificate and nothing else, and the building's been running on inherited faith for three years.
Ask most FMs what vendor lock-in means and they'll say "proprietary protocol": a system that only talks its own dialect and can't be integrated with anything else. That does still happen, but it's the smallest part of the problem now. BACnet is ANSI/ASHRAE Standard 135, an open data-communication protocol for building automation maintained by ASHRAE, with BACnet Testing Laboratories (BTL) certifying that devices actually conform to the spec rather than just claiming to. Most controllers sold into UK commercial buildings today speak BACnet at some level. So if lock-in isn't usually the protocol, where does it actually live?
It lives in four other places, and any one of them is enough to trap an owner: the engineering software licence that's registered to the contractor, not the client; the supervisor and controller-level passwords that were set during commissioning and never disclosed; the graphics, points schedules and strategy application files that exist only on the integrator's laptop; and, increasingly, the certificate authority behind encrypted communications, which nobody agreed ownership of before the integrator left site. A system can be built entirely on open BACnet and still be completely locked to one contractor if those four things aren't in the owner's hands.
Two things have converged to make this a live issue rather than a theoretical one. First, Approved Document L Volume 2 (2021) requires new non-domestic buildings in England with heating or air conditioning systems over 180 kW to have a building automation and control system fitted, a requirement that's applied since 15 June 2022. That's pulled a lot more buildings, and a lot more owners who've never had to think about controls procurement before, into having a BMS at all, often specified by an M&E consultant and installed by whichever contractor won the tender on price.
Second, BS EN ISO 52120-1:2022 sets out BACS energy-performance classes running from D up to A, and under the standard's calculation factors, a Class A control system is attributed roughly 30% lower thermal energy use in offices than the reference Class C level. The BCIA (Building Controls Industry Association) actively campaigns for uptake of Class A controls in UK non-domestic stock. That matters for lock-in because planning a multi-year upgrade from a lower class to Class A means adding control functions, sequences and possibly hardware: work that's far cheaper and faster when the incoming contractor can actually read the existing strategy, rather than having to reverse-engineer or rip out a system they can't get into.
We'll assess your controls and provide a detailed quotation with energy savings estimates.
It helps to think about a BMS as four layers, because "is it open?" has a different answer at each one. At the field level (sensors, actuators, VAV boxes talking to a controller) openness barely matters commercially; these are usually proprietary to the controller manufacturer regardless of brand. At the controller-to-network level, BACnet (or increasingly Modbus alongside it) is where genuine interoperability starts, assuming the integrator actually used open objects and services rather than manufacturer-specific extensions bolted on top. At the network-to-supervisor level is where BACnet/SC comes in: Secure Connect was published as Addendum bj to ASHRAE 135-2016 and now sits as Annex AB of ASHRAE 135-2020, replacing the old broadcast-management (BBMD) headache with TLS-encrypted, certificate-authenticated WebSocket connections in a hub-and-spoke topology. It's a genuine security upgrade. But the standards community's own guidance on it is blunt: agree who owns the certificate authority before the integrator leaves site, and don't let anyone issue long-dated certificates that quietly become another form of lock-in. And at the top layer — the supervisor, the graphics, the dashboards the FM team actually looks at — is where owners increasingly specify a vendor-agnostic front end precisely so trending, alarms, scheduling and graphics stay with the building no matter which contractor holds the maintenance contract next.
It's worth saying plainly: this isn't a story about the industry refusing to change. Johnson Controls launched Metasys 16.0 on 29 June 2026, and it includes Node-RED visual integration tooling: a mainstream tier-1 BMS vendor shipping an open-source-ecosystem integration layer as standard, rather than treating third-party integration as something to be resisted. (Speed and cost claims around it are the vendor's own and should be attributed as such if quoted.) That's a real shift, and combined with BACnet/SC maturing and more owners actively specifying vendor-agnostic supervisors, the direction of travel is towards more openness, not less. The catch is that a vendor shipping open tooling doesn't automatically mean the contractor who installs it hands over the keys. The system can be technically open and still be practically locked, if nobody writes the handover terms into the contract.
"BACnet means no lock-in" is the big one, and it's wrong: protocol openness and system openness are different things, and a fully BACnet-compliant installation can still be a closed box if the licences, passwords and files stay with the contractor. The opposite myth is just as unhelpful: "lock-in is always the vendor's fault." Plenty of it is procurement's fault: specs that never asked for handover deliverables, project managers who signed off practical completion without checking the documentation folder, facilities teams who never chased the password disclosure that was technically owed to them. And a smaller but persistent myth is that open systems are inherently less secure than closed proprietary ones. BACnet/SC exists specifically to counter that argument: TLS encryption and certificate authentication were built into the open standard precisely so security stopped being the excuse for keeping systems closed.
It's also worth saying single-vendor estates aren't automatically wrong. Some owners genuinely want one contractor, one tool, one throat to choke, and consistent engineering across a portfolio, and that's a legitimate strategy. The problem isn't choosing lock-in. It's discovering it.
The checklist below is the single most useful thing to write into a controls spec or a service contract renewal: every item on it should exist, in the owner's name, before the contractor's van leaves site for the last time.
CIBSE Guide H remains the standard UK reference for specifying controls systems and is worth citing directly in any spec that's trying to close these gaps.
There are three moments where this is cheap to fix and expensive to ignore. At new-build spec stage, with Part L now pulling most sizeable projects into BACS territory anyway, it costs nothing extra to write the handover checklist into the M&E spec alongside the protocol requirement. At any BMS upgrade or Class A works, because that's exactly when an owner discovers whether they can bring in competitive tenders or are stuck with one name. And at contract renewal, which is the single best leverage point an owner has: a contractor who won't commit to a documented handover procedure in the renewed contract is telling you something about how the current one was run.
On a 16-floor London office FCU upgrade Alpha Controls carried out on Trend controllers with LightFi sensors, weekend-only access made full documentation non-negotiable from the outset: strategy files, points schedules and supervisor access were part of the handover pack precisely because the incoming FM team needed to be able to operate and re-tender the system without depending on the installer coming back. That's what a clean handover looks like in practice, not just on paper.
Vendor lock-in isn't a protocol problem anymore: BACnet and BACnet/SC have mostly solved the technical side of interoperability. It's a paperwork and procurement problem: passwords never disclosed, licences never transferred, files never handed over, certificates never assigned. Fix that at the spec stage or the next renewal and the building's controls stay the building's, whoever's servicing them next. If you're heading into a controls upgrade, a re-tender, or you're simply not sure what you'd get if you tried to switch contractors tomorrow, get in touch for a quote and we'll tell you straight what you actually own.
Specialist BMS installation, commissioning, and maintenance across London and the South East. SafeContractor Approved, BCIA Member.
Our team of building automation specialists is ready to help you optimise your building's performance and efficiency.
Get in Touch