EU CE Marking & Compliance — Full Lifecycle Management
CE marking is not a single stamp. It is a legal declaration covering multiple directives — and getting any one wrong makes the entire mark invalid.
Inovasense manages the complete CE compliance path for B2B hardware products — from Conformity Assessment Planning and architecture reviews, to laboratory testing coordination, Technical File compilation, and post-market SBOM surveillance. We work with both new product development (compliance built in from day one) and existing product redesigns (gap analysis and remediation). Book a Conformity Assessment Session →
What CE Marking Actually Means
CE marking is not a quality label or a single certification. It is a self-declaration (or Notified Body-attested declaration) that your product complies with all EU directives and regulations that apply to it. The manufacturer draws up a Declaration of Conformity and affixes the CE mark — taking full legal responsibility for the claim.
The complexity lies in the word all. Depending on what your product does, it may need to comply with two, five, or more different European directives simultaneously. Each directive has its own harmonised standards, test requirements, and conformity assessment routes.
Getting one directive wrong does not just fail that directive — it invalidates your entire CE mark and makes your product illegal to sell in the EU.
Which EU Directives Apply to Your Product?
The first mandatory step in any compliance project is Conformity Assessment Planning — identifying exactly which directives govern your product. The table below covers the directives most commonly applicable to B2B hardware, IoT, and embedded products:
| Directive / Regulation | EU Number | Applies When | Key Standards | Assessment Route |
|---|---|---|---|---|
| EMC Directive | 2014/30/EU | Any electronic device — virtually always | EN 55032, EN 55035, EN 61000-3-2/-3-3 | Self-declaration with harmonised standards |
| Low Voltage Directive (LVD) | 2014/35/EU | Equipment operating at 50–1000V AC or 75–1500V DC | EN 62368-1, EN 60335-1 | Self-declaration with harmonised standards |
| Radio Equipment Directive (RED) | 2014/53/EU | Any product with a radio transmitter or receiver (Wi-Fi, Bluetooth, LoRa, cellular, GNSS…) | EN 300 328, EN 301 893, EN 300 220, EN 303 413 | Self-declaration or Notified Body |
| RED Delegated Act | EU 2022/30 | Internet-connected radio equipment — cybersecurity baseline | EN 303 645, EN 18031 series | Deadline: August 2025 |
| Cyber Resilience Act (CRA) | EU 2024/2847 | Products with digital elements (connected/networked) | EN 303 645, IEC 62443 | Self-declaration (Default); Notified Body for Important/Critical class |
| RoHS Directive | 2011/65/EU | Most electrical and electronic equipment | Material declarations, supply chain documentation | Self-declaration |
| Machinery Regulation | EU 2023/1230 | Machinery, safety components, interchangeable equipment | EN ISO 13849-1, IEC 62061, EN ISO 12100 | Self-declaration (low risk) or Notified Body (safety-critical) |
| AI Act | EU 2024/1689 | Products with embedded AI inference classified as Limited or High Risk | EN ISO/IEC 42001, sector-specific standards | Self-assessment (Limited Risk); Notified Body (High Risk) |
| ATEX Directive | 2014/34/EU | Equipment for explosive atmospheres (mining, chemical, oil & gas) | EN 60079 series | Notified Body mandatory |
| Medical Device Regulation (MDR) | EU 2017/745 | Medical devices and in vitro diagnostic devices | EN ISO 13485, IEC 62304 | Notified Body mandatory for Class IIa+ |
Key principle: If your product has a radio module (Wi-Fi, BT, LoRa, cellular), the RED replaces (not supplements) the EMC Directive and LVD for the radio aspects — but EMC and LVD still apply to non-radio parts of the same product. In practice, both sets of tests are often conducted in a single laboratory visit.
Two Paths to CE Compliance
Path A: New Product — Compliance By Design
If your product is in the concept or early design phase, compliance is an architecture input, not an afterthought. This is the most cost-efficient path:
- We conduct a Conformity Assessment Planning session during requirements definition — identifying all applicable directives, selecting harmonised standards, and deciding the self-declaration vs. Notified Body route.
- Compliance requirements are entered as formal system requirements in the V-model, traced through design to test cases.
- Component selection considers compliance from the start: the right MCU with hardware security (for CRA/RED Delegated Act), components with RoHS material declarations, EMC-conscious PCB layout rules baked into design reviews.
- Pre-compliance EMC screening is conducted at prototype stage — catching issues before the formal laboratory visit costs €3,000–8,000+.
- The Technical File is built iteratively throughout the project, not scrambled together at launch.
Result: Pre-compliance screening at prototype stage significantly reduces the risk of failure at formal certification — catching issues before a formal laboratory test campaign, not after. Technical File compiled in parallel with development, ready at product launch rather than scrambled together after it.
Path B: Existing Product — Gap Analysis & Remediation
If your product is already on the market or in final design, we assess the gap between your current state and full compliance:
- CRA & RED Delegated Act Gap Analysis — the most urgent review for connected products, given the August 2025 and December 2027 deadlines.
- Full-Directive Gap Analysis — we review your existing Technical File (if any), test reports, BOM, and architecture against all applicable directives.
- For each gap, we provide a RAG (Red/Amber/Green) assessment: what passes, what needs remediation, and the exact engineering effort required.
- We then execute the remediation — whether that means a partial board revision, a new hardware revision, or only process/documentation changes.
The 2026 Regulatory Upgrade: CRA & RED Delegated Act
Two directives are creating an extraordinary compliance challenge for products already on the EU market — because they require hardware capabilities that cannot be added through software:
Why Firmware Patches Won’t Save You
The CRA and RED Delegated Act require security capabilities that are physically impossible without the right silicon:
| Requirement | What It Actually Means | Can Firmware Fix It? |
|---|---|---|
| Hardware Root of Trust | Immutable boot code in ROM/OTP verifying every subsequent boot stage | ❌ Requires dedicated silicon (Secure Element or hardware security module) |
| Tamper-resistant key storage | Cryptographic keys stored in hardware that resists physical extraction | ❌ Software keys in flash can be dumped with a €50 logic analyser |
| Authenticated OTA updates | Firmware signed with keys that cannot be extracted or cloned | ❌ Without hardware key storage, signing keys are exposed |
| Secure device identity | Each device has a unique, unforgeable cryptographic identity | ❌ Software identities can be cloned; hardware attestation cannot |
| Vulnerability reporting | 24-hour notification to ENISA + continuous SBOM monitoring | ⚠️ Achievable in software, but requires dedicated tooling and process |
| 5-year security updates | Guaranteed security patches for the product’s supported lifetime | ⚠️ Achievable, but only if OTA infrastructure is truly secure |
Timeline reality: If your current board design lacks a Secure Element, starting a redesign today means the earliest you’ll have certified production units is Q3 2027 — just as the CRA deadline hits. Every month of delay narrows this margin further.
Our 4-Step CE Compliance Process
Step 1 — Conformity Assessment Planning
What it is: A structured session (2–4 hours, remote or on-site) where our engineers determine the complete compliance scope for your product.
What we establish:
- Definitive list of applicable EU directives and regulations
- Applicable harmonised standards for each directive
- Self-declaration vs. Notified Body route for each directive
- Pre-compliance testing strategy and laboratory partner selection
- Technical File structure and division of responsibilities
- Compliance milestone plan integrated with your product development schedule
Output: A Compliance Scope Document — the binding technical and regulatory specification that governs every subsequent compliance decision on the project.
Pricing: Fixed price from €1,400 for a single product. Credited toward the full project if you proceed.
Step 2 — Architecture Design or Gap Analysis
For new products: Compliance requirements from Step 1 are integrated into the hardware architecture. Component selection, PCB layout rules, security silicon selection (Secure Elements, TPMs), EMC shielding strategy, and software security architecture are all defined with compliance as a first-class input.
For existing products: We conduct a full architecture review against all identified directives. Our engineers analyse your BOM, schematics, block diagram, and firmware update mechanism. You receive a RAG Compliance Report — Red/Amber/Green assessment of every requirement — with exact remediation specifications: which components to replace, which architectural changes to make, and what the cost and timeline will be.
Specific capabilities:
- EAL6+ Secure Element integration (STSAFE-A110, OPTIGA Trust M, SE050) for CRA Hardware Root of Trust
- FPGA-based security functions for products requiring hardware-level crypto acceleration
- EMC-compliant PCB layout and grounding strategy
- Dual-source BOM with full RoHS material declarations
- Machinery functional safety (EN ISO 13849-1, IEC 62061) where applicable
- Edge AI compliance against EU AI Act risk classification
Pricing (Gap Analysis): Fixed price from €2,900 depending on architecture complexity. Turnaround: 5–10 business days for standard architectures; complex multi-directive or large-BOM products may require additional time. Fee credited toward full redesign project.
Step 3 — Testing Coordination & Technical File
We manage the laboratory testing process end-to-end:
- Pre-compliance EMC/EMI screening — conducted at prototype stage at our EU partner laboratories to identify failures before the formal test campaign; catching issues at this stage is substantially less expensive than re-tests at an accredited laboratory
- Formal laboratory coordination — we select the accredited laboratory, prepare test samples, write test plans, attend tests where feasible, and review test reports
- Technical File compilation — we build and maintain the full Technical File: product description, list of directives and standards, design documentation, risk assessment (EN ISO 12100 or IEC 62368-1 as applicable), test reports, and Declaration of Conformity
- Notified Body liaison — for directives requiring third-party attestation (Machinery safety-critical functions, High-Risk AI), we manage the complete Notified Body engagement
Standards we routinely handle:
| Standard | Directive | Covers |
|---|---|---|
| EN 55032 / EN 55035 | EMC | Multimedia emissions and immunity |
| EN 61000-3-2 / -3-3 | EMC | Power line harmonics and flicker |
| EN 62368-1 | LVD / RED | Audio/video and IT equipment safety |
| EN 300 328 | RED | 2.4 GHz (Wi-Fi, Bluetooth) |
| EN 301 893 | RED | 5 GHz (Wi-Fi 5/6) |
| EN 300 220 | RED | Sub-GHz (LoRa, Sigfox, 868 MHz) |
| EN 303 645 | RED Del. Act / CRA | Cybersecurity for consumer IoT |
| EN 18031 series | RED Del. Act | Network/privacy/anti-fraud baseline |
| IEC 62443-4-2 | CRA | Hardware security component requirements |
| EN ISO 13849-1 | Machinery | Safety-related control systems (PLr) |
| IEC 62304 | MDR¹ | Medical device software lifecycle |
¹ MDR projects are assessed individually — engagement subject to project scope and applicable quality system requirements.
Step 4 — Post-Market Surveillance & SBOM Monitoring
Compliance does not end at product launch. EU regulations impose ongoing obligations throughout your product’s market lifetime:
- Automated SBOM monitoring — your Software Bill of Materials continuously checked against CVE databases (NVD, OSV, GitHub Advisory Database)
- 24-hour ENISA notification — we prepare and submit vulnerability notifications to ENISA on your behalf; legal responsibility for the notification remains with you as the manufacturer (CRA requirement from September 2026)
- Security advisory triage — our team assesses severity and impact for your specific bill of materials and deployment context
- OTA patch preparation — for products developed or co-developed with Inovasense, we prepare and test security patches ready for deployment
- Post-market surveillance file maintenance — tracking field incidents, complaints, and corrective actions as required by CE directives
- Quarterly compliance reports — formal documentation of ongoing compliance for auditors, customers, and regulatory enquiries
- Directive change monitoring — we track amendments to applicable harmonised standards and notify you when your Technical File needs updating
Pricing: Monthly subscription from €800/month per product line.
Who This Is For
This service is designed for:
- Hardware startups building their first connected product for the EU market — compliance planning before any silicon is committed is 10× cheaper than fixing it at prototype stage
- B2B electronics manufacturers with existing products facing CRA and RED Delegated Act deadlines (August 2025 — RED; December 2027 — CRA full compliance)
- OEMs and system integrators whose end-customers (NIS2 entities) are now requiring documented proof of hardware compliance
- CTOs and engineering directors who need a data-driven compliance report to justify board redesign budget to leadership
- Companies with radio equipment (Wi-Fi, Bluetooth, LoRa, cellular) — already under RED Delegated Act deadline as of August 2025
- Industrial equipment manufacturers needing Machinery Regulation compliance for safety-critical control systems
- Edge AI product companies navigating EU AI Act conformity assessment alongside CRA
Why Inovasense
We are not compliance consultants who hand you a checklist. We are the engineers who design, build, and test the compliant hardware:
- Full hardware security stack — EAL6+ Secure Element integration, secure boot implementation, post-quantum cryptography readiness
- FPGA design capability — custom security and signal-processing implementations in programmable logic when standard MCUs cannot meet requirements
- 100% EU supply chain — your product is developed, tested, and manufactured entirely within the EU, under EU IP and trade secret law
- Edge AI compliance — EU AI Act risk classification and conformity assessment for products with on-device inference
- Product lifecycle management — compliance is woven into V-model gate reviews from CR through DV/PV; not bolted on at the end
- Defense-grade methodology — V-model, DO-254, IEC 62443 experience applied to commercial product compliance programmes
The Conformity Assessment Planning session is an engineering deliverable — not a sales call. And when you need the design and certification executed, the same team that planned the compliance path builds and certifies the product.
Start with a Conformity Assessment Planning Session
Fixed price from €1,400. NDA-first. Remote or on-site. We determine exactly which directives apply, which standards to use, and your full compliance roadmap — before you commit to any design decision or laboratory booking.
Existing product with urgent CRA/RED gaps? Our Gap Analysis starts from €2,900 with results in 5–10 business days. Gap Analysis fee credited toward the full project.
Book a Compliance SessionFrequently Asked Questions
What does CE marking actually require?
CE marking is not a single standard — it is a declaration that your product complies with all applicable EU directives and regulations. Depending on your product, this may include the EMC Directive, Low Voltage Directive, Radio Equipment Directive (RED), Cyber Resilience Act (CRA), RoHS, Machinery Regulation, and others. The first step is always identifying which directives apply before any testing or documentation begins.
Do I need a Notified Body for CE marking?
It depends on the directive. For EMC, LVD, and RoHS, you can self-declare conformity using harmonised standards (no Notified Body required). For RED, self-declaration is allowed if you use harmonised standards from the OJEU list. For Machinery (safety-critical functions) and Medical Devices, a Notified Body is mandatory. For CRA, the conformity assessment route (self vs. Notified Body) depends on the product risk category.
What is the difference between a Gap Analysis and a Requirements Workshop?
A Gap Analysis is for existing products — we analyse your current hardware architecture against applicable EU directives and identify what must change. A Requirements Workshop is for new products — we define compliance requirements from the start, so they are designed into the architecture rather than retrofitted. Both result in a binding Technical Specification that guides design and certification.
When does the CRA become mandatory?
The EU Cyber Resilience Act requires vulnerability reporting from September 2026. Full compliance (secure boot, Hardware Root of Trust, SBOM, 5-year security updates) is mandatory from December 2027. Products without compliance lose their CE mark and cannot be sold in the EU.
What is included in a Technical File?
A Technical File (required for CE marking) includes: product description and intended use, list of applicable directives and harmonised standards, design documentation (schematics, BOM, software description), risk assessment, test reports, Declaration of Conformity, and for CRA: the SBOM and vulnerability management plan. We compile and maintain this documentation as a living deliverable throughout the project.
How much does CE compliance management cost?
It depends on which directives apply and your product complexity. A Conformity Assessment Planning session starts from €1,400. A full Gap Analysis for existing products starts from €2,900. New product compliance design is included in the V-model project scope. Post-launch SBOM and post-market surveillance starts from €800/month. Contact us for a tailored quote.
Regulatory References (Authority Source)
- EU Cyber Resilience Act (2024/2847) (opens in new tab)
- Radio Equipment Directive (2014/53/EU) (opens in new tab)
- RED Delegated Act (EU 2022/30) (opens in new tab)
- EMC Directive (2014/30/EU) (opens in new tab)
- Low Voltage Directive (2014/35/EU) (opens in new tab)
- RoHS Directive (2011/65/EU) (opens in new tab)
- Machinery Regulation (EU 2023/1230) (opens in new tab)