Before you read a NOTE: For more detailed information on the new cybersecurity regulations and how they might impact your devices, check out our comprehensive guides:
- Understanding the 2025 Cybersecurity Regulations for EU Compliance
- Get Ready for the 2025 EU Cybersecurity Regulations: What You Need to Know
Is Your IoT Equipment Affected by the New EU Cybersecurity Regulations?
With the new EU cybersecurity regulations coming into effect on August 1, 2025, many manufacturers are uncertain whether their IoT devices fall under these new requirements. This guide will help you determine if your equipment needs to comply with Directive 2014/53/EU, specifically the essential requirements 3.3 (d), (e), and/or (f), and outline the steps you should take to achieve compliance.
Key Compliance Requirements
Directive 2014/53/EU outlines essential cybersecurity requirements in Article 3.3. Here’s how to assess if your equipment must comply:
Article 3.3(d): Internet Connectivity
- Direct Connection: Does your device connect directly to the internet (e.g., through Wi-Fi or Ethernet)?
- Indirect Connection: Does it connect to the internet through another device (e.g., via a smartphone or gateway)?
If your device connects to the internet in any form, whether directly or indirectly, it must comply with Article 3.3(d). This requirement ensures that all internet-connected devices meet essential cybersecurity standards.
For more details, refer to Delegated Regulation (EU) 2022/30, Article 1.1.
Article 3.3(e): Data Processing
Your device must comply with Article 3.3(e) if it processes the following:
- Personal Data: Information that identifies an individual, as defined in Regulation (EU) 2016/679, Article 4(1).
- Traffic and Location Data: Data used for communication or geographic tracking, as specified by Directive 2002/58/EC, Articles 2(b) and 2(c).
This requirement ensures that devices handling sensitive data adhere to privacy and security measures.
For more information, see Delegated Regulation (EU) 2022/30, Article 1.2.
Article 3.3(f): Financial Transactions
If your device facilitates payments or handles virtual currency, it must comply with Article 3.3(f). Devices involved in financial transactions must meet the rigorous security standards outlined in Article 3.3(f).
For more details, consult Delegated Regulation (EU) 2022/30, Article 1.3.
Exceptions and Derogations
Certain devices may be exempt from these requirements based on other Union legislation:
- Articles 3.3(d), (e), and (f) do not apply to devices under Regulation (EU) 2017/745 (medical devices), as outlined in Delegated Regulation (EU) 2022/30, Article 2(a).
- Articles 3.3(e) and (f) do not apply to equipment regulated by:
- Regulation (EU) 2018/1139 (aviation safety),
- Regulation (EU) 2019/2144 (vehicle safety),
- Directive (EU) 2019/520 (electronic toll systems),
- Regulation (EU) 2017/746 (in vitro diagnostic medical devices), as specified in Delegated Regulation (EU) 2022/30, Article 2(b).
What Should You Do Next?
To determine if your equipment needs to comply with Article 3.3(d), (e), or (f), ask yourself these questions:
- Does it connect to the internet, either directly or indirectly?
- Does it process personal OR traffic AND location data?
- Does it facilitate financial transactions or handle virtual currency?
If you answered “yes” to any of these questions:
- Article 3.3(d) and/or Article 3.3(e) of the directive 2014/53/EU will apply to your device.
- Additionally, if your device facilitates financial transactions or handles virtual currency, Article 3.3(f) will also apply.
Ensure Full Compliance Before August 1, 2025
Start preparing now to ensure your device meets all necessary regulations and avoid compliance issues. For expert guidance and support in navigating these new requirements, contact IoT Consulting Partners.
Do You Have Questions? Schedule a Free Consultation Now! |