

The European Commission’s CE-Cyber Delegated Act, adopted under the Radio Equipment Directive (RED), represents the most significant regulatory shift for connected devices sold in the EU since the original CE framework. By activating RED Articles 3.3 (d), (e) and (f), the Act introduces mandatory cybersecurity requirements for a broad range of wireless and IoT products. These requirements become legally enforceable for products placed on the EU market from 1 August 2025.
For manufacturers, importers and integrators, the implications go well beyond software patches or documentation updates. The Act forces structural changes in device design, firmware development, supply-chain transparency and post-market monitoring. This article clarifies what the regulation covers, why it matters, and what IoT companies must do to remain compliant before the enforcement deadline.
A turning point for IoT compliance in Europe
For years, the EU has signalled that “security-by-design” would become a legal requirement for connected devices. The CE-Cyber Delegated Act is the first concrete and binding step under RED, applying to radio equipment that can communicate over the internet or process sensitive data, including a wide range of IoT devices.
Typical product categories in scope include:
- IoT sensors and hubs
- Consumer electronics with wireless connectivity
- Smart home devices
- Industrial wireless systems
- Asset trackers, wearables, and M2M modules
- Gateways, routers, and networking equipment
The regulation targets systemic IoT weaknesses: insecure firmware, weak default credentials, unprotected data flows, opaque update policies, and insufficient vulnerability handling.
What the CE-Cyber Act requires manufacturers to implement
The obligations fall into three pillars: secure networking, secure handling of data, and robust software lifecycle controls. These translate into concrete engineering and organisational requirements aligned with RED Articles 3.3 (d), (e) and (f).
1. Secure network and data protection
Manufacturers must ensure devices:
- authenticate connections and prevent unauthorized access
- encrypt personal data, credentials, and sensitive traffic
- protect against common attack vectors (replay, downgrade, man-in-the-middle)
- avoid hard-coded passwords and insecure pairing methods
In practice, this means modern cryptography, secure key provisioning and storage, and validated protocol configurations in real environments.
2. Enhanced software security and updateability
Devices must be able to:
- receive secure OTA updates
- verify firmware integrity before execution (e.g., secure boot)
- maintain a documented update strategy over the intended product lifetime
This affects embedded architecture and supply-chain planning: vendors must guarantee that chipsets, modules, and RTOS stacks support long-term patchability.
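As an added illustration (not code from the article or from any regulator), the following Go snippet shows the device-side gate that the secure-OTA and firmware-integrity requirements above imply, together with the downgrade protection named under pillar 1: the update is accepted only if its manifest is signed by the vendor key provisioned on the device, its version is strictly newer than the installed one, and the image hash matches the signed manifest. The Ed25519 key, the minimal manifest format and the sample image are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed, minimal OTA manifest: a monotonic version counter
// plus the SHA-256 of the image. Signed wire form: 4-byte BE version || 32-byte digest.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

func (m Manifest) Bytes() []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.Digest[:]...)
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("version not newer than installed (downgrade rejected)")
	ErrDigest       = errors.New("image digest does not match signed manifest")
)

// VerifyUpdate is the device-side gate run before an OTA image is committed: vendor
// signature (authenticity), strictly newer version (anti-rollback), then image hash
// against the signed manifest (integrity). Nothing is trusted until the signature passes.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor release key; private half stays off-device
	image := []byte("constructed firmware image v7")
	m := Manifest{Version: 7, Digest: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println(VerifyUpdate(pub, 6, m, sig, image), VerifyUpdate(pub, 7, m, sig, image))
}
```

In a real device the installed version counter should live in tamper-resistant storage (e.g. a secure element or monotonic counter), otherwise the anti-rollback check can be bypassed by resetting it.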
3. Mandatory vulnerability reporting and incident handling
Manufacturers must establish processes to:
- receive vulnerability reports (from researchers, customers, partners)
- investigate and respond within defined timelines
- deliver corrective updates or mitigations
- communicate risks clearly when necessary
Companies without a Product Security Incident Response Team (PSIRT) will need to formalise one.
Impact on IoT product design and lifecycle
Compliance is more than ticking boxes. It requires changes across the entire device lifecycle.
Security-by-Design engineering
Developers must integrate security practices from architecture stages, including threat modelling, secure coding guidelines, and component provenance verification. “Late-stage security” will not withstand conformity assessment.
Component and module selection
Many IoT devices still rely on chipsets or stacks that lack secure boot, hardware crypto, or robust update mechanisms. Under the Act, this becomes a market-access risk. Manufacturers may need to select chipsets with hardware cryptographic acceleration and secure elements, and demand long-term software support from silicon vendors.
Documentation and technical files
To obtain CE marking, manufacturers must be able to provide technical documentation such as security architecture descriptions, cryptographic mechanisms used, update policies, and vulnerability management procedures. Missing or weak documentation can delay or block CE conformity.
Who is responsible? Manufacturers, importers and distributors
Responsibility extends beyond OEMs. Under RED, obligations apply to:
- Manufacturers: secure design, documentation, updateability, vulnerability handling
- Importers: verification that non-EU products meet requirements before placement
- Distributors: ensuring CE compliance for products they make available
Resellers of white-label IoT devices cannot assume compliance from upstream suppliers; they must audit it.
Timeline: Why action is urgent
The cybersecurity essential requirements activated via Delegated Regulation (EU) 2022/30 apply from 1 August 2025. Any new radio-enabled products placed on the EU market from that date must comply.
Given typical embedded development cycles, achieving compliance often requires 6–18 months of technical and process work. Key steps include:
- Gap analysis against Articles 3.3 (d)/(e)/(f)
- Architecture review for secure boot, OTA, and crypto
- Vendor audits for modules, SDKs, RTOS and libraries
- Creation or upgrade of PSIRT processes
- Security technical file completion
- Conformity assessment (Notified Body where applicable)
Major challenges for IoT manufacturers
1. Legacy devices
Older designs may lack hardware crypto support, secure OTA, or enough flash/RAM for modern security stacks. This may require hardware redesign, module swaps, or even withdrawal from the EU market.
2. Incomplete supply-chain transparency
Vulnerabilities often originate in third-party drivers, middleware or libraries. Manufacturers are increasingly expected to maintain SBOMs (Software Bills of Materials) and track patch histories to demonstrate control of their software supply chain.
3. Lack of internal security expertise
Many IoT organisations still lack dedicated security engineering. RED cybersecurity compliance makes this gap a direct commercial risk, especially for SMEs shipping wireless products.
Opportunities: A more trustworthy IoT market
Despite the workload, the Act creates strategic upside:
- higher customer trust in connected products
- fewer post-deployment incidents and recalls
- clearer security differentiation in competitive tenders
- simplified access to all EU markets through a unified bar
Early adopters are likely to benefit first in smart home, industrial automation, energy management and critical infrastructure.
Practical steps IoT manufacturers should take now
To meet the enforcement deadline, companies should start immediately:
- Launch a formal CE-Cyber compliance assessment
- Map impacted products and prioritise by risk and revenue
- Review chipsets/modules/firmware stacks for crypto and updateability
- Implement secure boot, encrypted storage, authenticated OTA
- Establish or strengthen PSIRT and vulnerability workflows
- Produce or update technical documentation and security files
- Engage a Notified Body early if conformity assessment is required
Proactive planning avoids rushed engineering and market disruption as August 2025 approaches.
Conclusion: A mandatory step toward secure and competitive IoT products
The CE-Cyber Delegated Act marks a profound change in how connected products are designed, built and maintained in Europe. While compliance introduces new constraints, it also sets a clearer and more predictable bar for security across the IoT ecosystem.
Manufacturers that act early—redesigning architectures, updating processes, and ensuring supply-chain transparency—will be prepared not only for compliance, but for a more secure, resilient and competitive European IoT market.
The post CE-Cyber Delegated Act: What IoT Manufacturers Need to Do Before Enforcement appeared first on IoT Business News.