The European Commission’s CE-Cyber Delegated Act introduces significant security requirements for IoT and wireless products, with compliance deadlines extended to August 2025 amid industry adjustments.
The European Commission’s CE-Cyber Delegated Act, introduced under the Radio Equipment Directive (RED), marks a transformative shift in the regulatory framework governing connected devices across the European Union. Scheduled for enforcement from 1 August 2025, the Act imposes binding cybersecurity requirements on a wide array of wireless and IoT products, spanning consumer electronics, smart home devices, industrial wireless systems, and networking equipment. This move represents the most significant tightening of compliance expectations for such products since the original CE marking regime was established.
The new regulation activates specific provisions of RED, namely Articles 3.3 (d), (e), and (f), mandating that manufacturers, importers, and distributors embed “security-by-design” principles at every stage of device development and lifecycle management. The Act targets systemic IoT vulnerabilities, including insecure firmware, weak default credentials, unprotected data flows, non-transparent update policies, and inadequate vulnerability response processes.
Under the regulation, manufacturers must adhere to three core pillars: secure networking and data protection, robust software lifecycle controls including secure over-the-air (OTA) update capabilities, and mandatory vulnerability reporting with clear incident management procedures. Practically, this means devices need modern cryptographic protections, secure key management, firmware verification before execution, and documented lifecycle strategies addressing patching and updates. Furthermore, companies must establish Product Security Incident Response Teams (PSIRT) to handle vulnerability reports and deliver timely mitigations.
This regulatory shift extends responsibility beyond original equipment manufacturers. Importers are required to verify that non-EU sourced products meet the new standards before placing them on the market, and distributors must ensure the CE compliance of products they make available. Even resellers of white-label IoT devices cannot simply rely on upstream suppliers for compliance, necessitating rigorous auditing.
The deadline extension to 1 August 2025, announced by the European Commission, provides some additional time for companies to align with these intensified requirements. This postponement followed delays in finalising key cybersecurity standards by CENELEC, the European Committee for Electrotechnical Standardization, which are expected to be completed by mid-2024. These standards will offer critical technical guidance to manufacturers in implementing the mandated security controls, enhancing clarity and uniformity in meeting the new obligations. The amendment formalising this timeline is anticipated to be published in the EU Official Journal by the end of 2023.
For many IoT manufacturers, compliance demands more than incremental adjustments. Legacy devices lacking hardware-based cryptographic support or secure OTA mechanisms may require redesign, substitution of chipsets or modules, or in extreme cases, withdrawal from the EU market. The Act thus challenges manufacturers to overhaul embedded architecture choices and enforce stringent supply-chain transparency, including maintaining Software Bills of Materials (SBOMs) and patch histories to demonstrate control over third-party components.
Industry observers note that many IoT organisations, particularly small and medium-sized enterprises, face a significant skills gap in security engineering. The Act’s stringent requirements make this gap not just a technical but a commercial risk, as compliance will be essential for continued market access. On the upside, adherence to the regulation promises to cultivate a more trustworthy IoT environment, reducing post-market security incidents and recall risks while offering companies clearer competitive differentiation through robust cybersecurity postures.
To prepare effectively, companies should immediately initiate comprehensive CE-Cyber compliance assessments, mapping impacted products and prioritising based on risk and revenue. Key preparatory steps include reviewing hardware and software stacks for adequate cryptographic capabilities and updateability, establishing or enhancing PSIRT workflows, and producing detailed technical and security documentation required for CE marking. Early engagement with Notified Bodies for conformity assessments where applicable is also advised to avoid last-minute hurdles.
As the August 2025 deadline approaches, the CE-Cyber Delegated Act will redefine IoT product design, manufacturing, and market strategy across Europe. Manufacturers that proactively embrace these changes stand to benefit from streamlined market entry across the EU’s unified regulatory landscape and heightened consumer trust in their connected devices.
Source: Fuse Wire


