CE certification for IoT: What RED DA changes

Why RED DA changes the development brief
Hundreds of companies have had their own IoT devices developed in recent years. Development went well, the product works. Then comes the CE certification phase and it turns out that something essential is missing.
Where most companies make a mistake
A company has an idea. It approaches an individual developer or a development firm and agrees on functionality, deadline, and price. Development is completed, the prototype works. And then the question comes: who will handle CE certification? Very often the answer is: we'll take care of it ourselves. And this is the stage where complications start to appear.
CE certification is not just a formal stamp. For wireless devices, it is a technical process that requires specific documentation, and that documentation can only be supplied by the developer. If you have not agreed on this with your hardware supplier in advance, the documentation may simply not exist.
And the result? Delayed market launch, unexpected costs, and in the worst case the need to redesign the product.
What is RED DA and why it concerns you
Since August 2025, the RED Delegated Act (RED DA), an extension of the existing Radio Equipment Directive, has been in force. Every product with a wireless interface sold in the EU must undergo a cybersecurity assessment as part of CE certification.
A wireless interface means anything that transmits or receives a signal: WiFi, Bluetooth, LoRaWAN, NB-IoT, ZigBee, wM-Bus, and others. In practice, every modern IoT device.
Who exactly is affected by RED DA
If you develop or place any of the following types of products on the market, RED DA requirements directly apply to you:
- smart meters and converters for remote reading (wM-Bus, NB-IoT, LoRaWAN)
- sensors and concentrators in industrial automation
- gateways and routers for IoT networks
- smart home and building management devices
- wearables and medical devices using Bluetooth or WiFi
- industrial controllers communicating wirelessly with a higher-level system
If your product contains a wireless interface and does not meet RED DA requirements, it cannot be legally sold in EU countries. The certification laboratory will not issue CE, or will issue it with conditions you will need to fulfil retroactively.
What you specifically need from your developer
CE certification for IoT devices today requires technical documentation describing the product's security design. And only the party that actually designed the product can supply it. Specifically, the documentation must cover the following areas:
- Threat analysis and security design (threat model): how the product was designed with cybersecurity risks in mind
- Firmware update mechanism (FUOTA): how the device can be safely updated in the field
- Authentication and access rights: who can communicate with the device and how
- Communication encryption: how data is transmitted and stored
- Credential management: how default passwords and certificates are handled
- Privacy by Design: particularly relevant if the device collects any data
If you do not request this documentation from your supplier, or if your supplier does not deliver it as a standard part of development, you face a choice: pay for it to be prepared retroactively, or redesign the product with a different partner.
Always ask your current supplier whether they will deliver cybersecurity documentation for RED DA as part of the project. The answer will tell you how prepared the supplier is for the current regulatory environment.
And that's not all that's changing: CRA is coming
RED DA is not the only regulation IoT device manufacturers will encounter soon. From October 2027, the Cyber Resilience Act (CRA) enters into full force. It goes considerably further.
While RED DA addresses the security design of the product as a condition of CE certification, CRA introduces cybersecurity as a separate and ongoing manufacturer obligation. Specifically, this means mandatory security support for the product throughout its entire lifecycle, reporting of actively exploited vulnerabilities within 24 hours, and maintaining an SBOM (Software Bill of Materials), that is, documentation of all software components.
If you are developing an IoT product today, it is wise to design it with both regulations in mind from the start. Addressing them separately, retroactively, and under time pressure is usually significantly more expensive. A well-designed product compliant with RED DA also has a solid foundation for CRA; these are not two separate sets of requirements.
What to do if you find that documentation is missing
If you have concluded that your supplier probably does not have documentation prepared, here are the practical next steps:
- Contact a certification laboratory as soon as possible. The earlier you know exactly what you need, the easier it is to still complete it in time.
- Verify with your supplier what they can deliver retroactively. Sometimes it is possible; the question is the cost and time.
- If the product is at the prototype stage, consider a redesign with a partner who includes RED DA in the standard development process.
- If you are just starting: when selecting a developer, ask directly how they handle cybersecurity documentation as part of CE certification. The answer will tell you a lot about the supplier.
Our practice
At ACRIOS, technical documentation for cybersecurity, including the materials needed for RED DA, is a standard part of every development project. You don't find this out at the end. We address it from day one of architecture design.
This is why our projects pass CE certification without unexpected stops. And our customers know what they will receive, including what will be needed for the regulatory environment that is coming.
Every product has a different architecture, different communication interfaces, and a different scope of personal data processing. The exact scope of RED DA requirements for your product is best confirmed by an accredited certification laboratory together with the development team. We are happy to help you assess what your project needs for smooth CE certification, and what will be required for CRA, which enters into force from October 2027.
FAQs
RED DA applies to products placed on the EU market from 1 August 2025 onwards. If your product was demonstrably placed on the market before that date, RED DA requirements do not directly apply to it. However, as soon as you place the product on the market in a new version, redesigned, or in a new production batch with a new CE declaration, it is assessed as new, and must meet RED DA requirements. In practice, it is therefore worth preparing documentation even for existing products if you anticipate further lifetime for them.
RED DA and CRA both address cybersecurity for IoT devices, but from different angles. RED DA is a CE certification requirement at the moment of placing the product on the market. CRA, from October 2027, introduces ongoing manufacturer obligations throughout the product's lifetime: security support, vulnerability reporting, SBOM maintenance. If a product is designed only to meet RED DA without considering CRA, there is a risk that its architecture will need to be adjusted within two years. Conversely, a product designed for CRA will meet RED DA almost automatically. For projects with a lifetime extending beyond 2027, it is therefore worth working with both regulations from the start.
It depends on how the product is designed. If the basic security mechanisms (authentication, encryption, secure updates) actually exist in the product and are simply undocumented, this is primarily documentation work taking a matter of weeks. If some mechanisms are missing or inadequately designed, this becomes a firmware change, sometimes a hardware change as well, and that can mean months of work and repeating part of the certification process. This is why it pays to ask about documentation before development starts, not before certification.
Not sure whether your project meets RED DA requirements? Contact us and we'll be happy to look at your specific case and tell you straight away what will be needed for certification.