Portfolio Performance Today

CE-Cyber Delegated Act: What IoT Manufacturers Need to Do Before Enforcement

by November 24, 2025

By Manuel Nau, Editorial Director at IoT Business News.

The European Commission’s CE-Cyber Delegated Act, adopted under the Radio Equipment Directive (RED), represents the most significant regulatory shift for connected devices sold in the EU since the original CE framework. By activating RED Articles 3.3 (d), (e) and (f), the Act introduces mandatory cybersecurity requirements for a broad range of wireless and IoT products. These requirements become legally enforceable for products placed on the EU market from 1 August 2025.

For manufacturers, importers and integrators, the implications go well beyond software patches or documentation updates. The Act forces structural changes in device design, firmware development, supply-chain transparency and post-market monitoring. This article clarifies what the regulation covers, why it matters, and what IoT companies must do to remain compliant before the enforcement deadline.

A turning point for IoT compliance in Europe

For years, the EU has signalled that “security-by-design” would become a legal requirement for connected devices. The CE-Cyber Delegated Act is the first concrete and binding step under RED, applying to radio equipment that can communicate over the internet or process sensitive data, including a wide range of IoT devices.

Typical product categories in scope include:

  • IoT sensors and hubs
  • Consumer electronics with wireless connectivity
  • Smart home devices
  • Industrial wireless systems
  • Asset trackers, wearables, and M2M modules
  • Gateways, routers, and networking equipment

The regulation targets systemic IoT weaknesses: insecure firmware, weak default credentials, unprotected data flows, opaque update policies, and insufficient vulnerability handling.

What the CE-Cyber Act requires manufacturers to implement

The obligations fall into three pillars: secure networking, secure handling of data, and robust software lifecycle controls. These translate into concrete engineering and organisational requirements aligned with RED Articles 3.3 (d), (e) and (f).

1. Secure network and data protection

Manufacturers must ensure devices:

  • authenticate connections and prevent unauthorized access
  • encrypt personal data, credentials, and sensitive traffic
  • protect against common attack vectors (replay, downgrade, MitM)
  • avoid hard-coded passwords and insecure pairing methods

In practice, this means modern cryptography, secure key provisioning and storage, and validated protocol configurations in real environments.

2. Enhanced software security and updateability

Devices must be able to:

  • receive secure OTA updates
  • verify firmware integrity before execution (e.g., secure boot)
  • maintain a documented update strategy over the intended product lifetime

This affects embedded architecture and supply-chain planning: vendors must guarantee that chipsets, modules, and RTOS stacks support long-term patchability.

3. Mandatory vulnerability reporting and incident handling

Manufacturers must establish processes to:

  • receive vulnerability reports (from researchers, customers, partners)
  • investigate and respond within defined timelines
  • deliver corrective updates or mitigations
  • communicate risks clearly when necessary

Companies without a Product Security Incident Response Team (PSIRT) will need to formalise one.

Impact on IoT product design and lifecycle

Compliance is more than ticking boxes. It requires changes across the entire device lifecycle.

Security-by-Design engineering

Developers must integrate security practices from architecture stages, including threat modelling, secure coding guidelines, and component provenance verification. “Late-stage security” will not withstand conformity assessment.

Component and module selection

Many IoT devices still rely on chipsets or stacks that lack secure boot, hardware crypto, or robust update mechanisms. Under the Act, this becomes a market-access risk. Manufacturers may need to select chipsets with hardware cryptographic acceleration and secure elements, and demand long-term software support from silicon vendors.

Documentation and technical files

To obtain CE marking, manufacturers must be able to provide technical documentation such as security architecture descriptions, cryptographic mechanisms used, update policies, and vulnerability management procedures. Missing or weak documentation can delay or block CE conformity.

Who is responsible? Manufacturers, importers and distributors

Responsibility extends beyond OEMs. Under RED, obligations apply to:

  • Manufacturers: secure design, documentation, updateability, vulnerability handling
  • Importers: verification that non-EU products meet requirements before placement
  • Distributors: ensuring CE compliance for products they make available

Resellers of white-label IoT devices cannot assume compliance from upstream suppliers; they must audit it.

Timeline: Why action is urgent

The cybersecurity essential requirements activated via Delegated Regulation (EU) 2022/30 apply from 1 August 2025. Any new radio-enabled products placed on the EU market from that date must comply.

Given typical embedded development cycles, achieving compliance often requires 6–18 months of technical and process work. Key steps include:

  1. Gap analysis against Articles 3.3 (d)/(e)/(f)
  2. Architecture review for secure boot, OTA, and crypto
  3. Vendor audits for modules, SDKs, RTOS and libraries
  4. Creation or upgrade of PSIRT processes
  5. Security technical file completion
  6. Conformity assessment (Notified Body where applicable)

Major challenges for IoT manufacturers

1. Legacy devices

Older designs may lack hardware crypto support, secure OTA, or enough flash/RAM for modern security stacks. This may require hardware redesign, module swaps, or even withdrawal from the EU market.

2. Incomplete supply-chain transparency

Vulnerabilities often originate in third-party drivers, middleware or libraries. Manufacturers are increasingly expected to maintain Software Bills of Materials (SBOMs) and track patch histories to demonstrate control of their software supply chain.

3. Lack of internal security expertise

Many IoT organisations still lack dedicated security engineering. RED cybersecurity compliance makes this gap a direct commercial risk, especially for SMEs shipping wireless products.

Opportunities: A more trustworthy IoT market

Despite the workload, the Act creates strategic upside:

  • higher customer trust in connected products
  • fewer post-deployment incidents and recalls
  • clearer security differentiation in competitive tenders
  • simplified access to all EU markets through a unified bar

Early adopters are likely to benefit first in smart home, industrial automation, energy management and critical infrastructure.

Practical steps IoT manufacturers should take now

To meet the enforcement deadline, companies should start immediately:

  1. Launch a formal CE-Cyber compliance assessment
  2. Map impacted products and prioritise by risk and revenue
  3. Review chipsets/modules/firmware stacks for crypto and updateability
  4. Implement secure boot, encrypted storage, authenticated OTA
  5. Establish or strengthen PSIRT and vulnerability workflows
  6. Produce or update technical documentation and security files
  7. Engage a Notified Body early if conformity assessment is required

Proactive planning avoids rushed engineering and market disruption as August 2025 approaches.

Conclusion: A mandatory step toward secure and competitive IoT products

The CE-Cyber Delegated Act marks a profound change in how connected products are designed, built and maintained in Europe. While compliance introduces new constraints, it also sets a clearer and more predictable bar for security across the IoT ecosystem.

Manufacturers that act early—redesigning architectures, updating processes, and ensuring supply-chain transparency—will be prepared not only for compliance, but for a more secure, resilient and competitive European IoT market.

The post CE-Cyber Delegated Act: What IoT Manufacturers Need to Do Before Enforcement appeared first on IoT Business News.

Copyright © 2025 Portfolioperformancetoday.com All Rights Reserved.
