
Navigating IoT Cyber Regulations in 2025 & Beyond

Key Insights from Expert Natael Couturier

April 23, 2025

The rapidly evolving regulatory landscape for IoT products presents significant compliance challenges—and opportunities—for manufacturers and compliance officers alike. In our latest session, we welcomed cybersecurity and digital compliance expert Natael Couturier, from Red Alert Labs, to demystify how businesses can navigate these regulatory shifts effectively.

Executive Summary:

The webinar "Navigating IoT Cyber Regulations in 2025 & Beyond" tackled essential developments impacting both consumer and industrial IoT products. With new regulations such as the Cyber Resilience Act (CRA), updated Radio Equipment Directive (RED), and emerging cybersecurity obligations within machinery regulations, manufacturers must urgently adapt. Natael emphasized proactive measures—particularly the early adoption of cyber risk analyses—to remain compliant and competitive in an increasingly regulated market.

Highlights and Key Takeaways

Understanding Regulatory Basics

The first step to IoT compliance is understanding regulatory terminology clearly:

  • Directive: Broad requirements set at EU level that each member state must transpose into its own national law before they bind manufacturers.
  • Regulation: Binding rules that apply directly and uniformly in every EU member state, with no national transposition.
  • Standard: Detailed technical specifications (voluntary in themselves) that manufacturers apply to demonstrate that a product meets the legal requirements; a standard only carries a presumption of conformity once it is harmonized and cited in the Official Journal of the EU.

Manufacturers need clarity on these layers to avoid compliance pitfalls when launching products in the European market.

RED Directive and Cybersecurity

The longstanding Radio Equipment Directive (RED) now covers cybersecurity through Commission Delegated Regulation (EU) 2022/30, which activates the directive's cybersecurity essential requirements (network protection, personal data and privacy, and fraud protection) for radio equipment placed on the market from 1 August 2025. Unfortunately, many manufacturers are unprepared for these requirements. However, the harmonized EN 18031 series gives manufacturers a presumption of conformity: where the standard is applied in full, conformity can be self-declared without involving a notified body, easing the regulatory burden for those who adopt it proactively.

Preparing for the Cyber Resilience Act (CRA)

The CRA, whose main obligations apply from December 2027 (with vulnerability and incident reporting duties starting earlier, in September 2026), is already demanding attention. According to Natael, a crucial preparatory step is conducting a thorough cybersecurity risk analysis, which the CRA requires manufacturers to document and maintain over the product's support period. With no harmonized standards yet available for the CRA, manufacturers, especially SMEs lacking dedicated compliance resources, should begin internal assessments immediately and consider strategic investments in compliance expertise or external partnerships.

Certification vs. Labeling

A clear understanding of "certification" versus "labeling" helps manufacturers avoid costly compliance misunderstandings:

  • Labels: Visual marks on the product or packaging indicating that it meets a scheme's requirements; useful primarily for consumer reassurance and market differentiation, and typically voluntary.
  • Certifications: Formal attestations of compliance issued after independent evaluation against a defined scheme; often legally required for market access and recognized across regulatory frameworks.

Choosing appropriate certifications or recognized labels can significantly affect market access and consumer trust.

Harmonized vs. Recognized Standards

Manufacturers frequently confront choices between harmonized and recognized standards:

  • Harmonized Standards: Cited in the Official Journal of the EU, they provide a presumption of conformity with the legal requirements and allow the manufacturer to self-declare conformity.
  • Recognized Standards: Widely accepted in industry but not cited under the relevant EU legislation, so they carry no presumption of conformity; the manufacturer must still demonstrate compliance by other means, usually a third-party (notified body) assessment.

Utilizing harmonized standards like EN 18031 is typically advantageous for streamlined compliance.

Global Regulatory Trends and Alignment

Globally, regulatory alignment remains fragmented. Although baseline cybersecurity principles such as banning universal default passwords, providing a vulnerability disclosure channel and committing to security update periods appear in nearly every scheme, significant differences persist between regional frameworks (e.g., the U.S. Cyber Trust Mark, the UK PSTI Act, Singapore's Cybersecurity Labelling Scheme). Europe, notably, is setting the most demanding regulatory pace, particularly with mandatory cyber risk analyses and cybersecurity controls embedded into the product development cycle rather than checked only at launch.

Industrial IoT and Machinery Regulation

The new EU Machinery Regulation (EU) 2023/1230, which applies from January 2027, introduces protection-against-corruption requirements to industries that have traditionally focused solely on physical safety. Manufacturers now face an essential mindset shift: a machine whose safety functions can be tampered with over a network is no longer safe, so cybersecurity becomes integral to operational safety. Lessons from sectors like automotive, where cybersecurity mandates already exist (UN Regulation No. 155 and ISO/SAE 21434), can provide valuable guidance for industrial machinery manufacturers adapting to this new reality.

Final Strategic Advice from Natael

Proactive cybersecurity risk analysis emerged as the session's most critical advice. Manufacturers and compliance officers should start comprehensive cybersecurity evaluations now, since the same risk analysis feeds RED, CRA and Machinery Regulation compliance alike. Waiting until regulatory deadlines approach, such as December 2027 for full CRA compliance, will likely result in costly and avoidable market-entry delays.

To dive deeper into these insights and ensure your products meet future compliance requirements, follow our YouTube channel @redalertlabs. Stay informed, stay secure, and stay ahead in the IoT regulatory landscape.