EU compliance for electronics means meeting the regulatory requirements to legally sell electronic products within the European Economic Area (EEA). The foundation is CE marking — the manufacturer’s declaration that the product meets all applicable EU directives. But the regulatory landscape is expanding rapidly: between 2024 and 2027, three major new regulations (Cyber Resilience Act, RED delegated acts, AI Act) will fundamentally change what’s required for connected electronic products.
This article maps every relevant regulation, its technical requirements, and its timeline.
The EU Regulatory Landscape for Electronics (2025–2027)
| Regulation | EU Reference | Effective Date | Applies To | Key Requirements |
|---|---|---|---|---|
| EMC Directive | 2014/30/EU | Existing | All electrical/electronic equipment | EN 55032 (emissions), EN 55035 (immunity) |
| Low Voltage Directive | 2014/35/EU | Existing | Equipment 50–1000V AC / 75–1500V DC | EN 62368-1 (safety) |
| RoHS Directive | 2011/65/EU | Existing | All EEE | Restricted substances (Pb, Hg, Cd, Cr6+, PBBs, PBDEs, DEHP, BBP, DBP, DIBP) |
| REACH Regulation | 1907/2006 | Existing | All products | SVHC declaration, SCIP database registration |
| Radio Equipment Directive | 2014/53/EU | Existing | All wireless devices | EN 300 328 (2.4 GHz), EN 300 220 (sub-GHz), EN 303 345 (chargers) |
| RED Delegated Acts | 2022/30, 2024/xxx | August 2025 | Wireless devices with internet connectivity | Cybersecurity (Art. 3.3d), privacy (Art. 3.3e), fraud protection (Art. 3.3f) |
| Cyber Resilience Act | 2024/2847 | Sep 2026 (reporting), Dec 2027 (full) | All products with digital elements | Secure development lifecycle, vulnerability handling, SBOM |
| AI Act | 2024/1689 | Aug 2025 (prohibitions), Aug 2026 (general), Aug 2027 (high-risk) | AI systems by risk category | Conformity assessment for high-risk AI, transparency for limited-risk |
| WEEE Directive | 2012/19/EU | Existing | All EEE | Producer registration, collection & recycling obligations |
| Ecodesign Regulation | 2024/1781 | Phased | Energy-related products | Repairability, durability, recycled content requirements |
CE Marking: What It Actually Means
CE marking is not a quality certification — it’s the manufacturer’s self-declaration that the product meets all applicable EU directives. The process involves:
- Identify applicable directives — Determine which EU directives apply to your product (EMC, LVD, RED, RoHS, Machinery, Medical Devices, etc.)
- Apply harmonized standards — Use the latest versions of EN standards listed in the Official Journal
- Perform conformity assessment — Testing, documentation, and (for some product categories) notified body involvement
- Create Technical File — Complete documentation including test reports, risk assessments, schematics, BOM, and user instructions
- Draft Declaration of Conformity (DoC) — Formal document declaring compliance with listed directives
- Affix CE marking — Only after all the above steps are complete
EMC Testing: The Most Common Hurdle
EMC (Electromagnetic Compatibility) testing is where most electronic products encounter problems:
| Test | Standard | What It Measures | Typical Issues |
|---|---|---|---|
| Radiated emissions | EN 55032 Class B | RF energy emitted by the device | Clock harmonics, switching noise, unshielded cables |
| Conducted emissions | EN 55032 Class B | Noise on power/signal cables | SMPS switching ripple, missing input filtering |
| ESD immunity | EN 61000-4-2 | Electrostatic discharge resistance | Missing TVS diodes, inadequate grounding |
| Surge immunity | EN 61000-4-5 | Power line surge protection | Missing MOVs, insufficient creepage/clearance |
| Radiated immunity | EN 61000-4-3 | Susceptibility to external RF fields | Poor PCB layout, inadequate filtering |
Pro tip: Always perform pre-compliance EMC testing on the first prototype. A full EMC test suite at an accredited lab costs €3,000–8,000. Failing means redesign + retest. Pre-compliance screening (€500–1,000 with basic equipment) catches 80%+ of issues before the expensive lab visit.
The Cyber Resilience Act: What Changes in 2027
The CRA (EU 2024/2847) is the most significant regulatory change for connected electronics since CE marking. It applies to all products with digital elements sold in the EU — which includes virtually every IoT device, embedded system, and smart product.
Technical Requirements
- Secure by default — Products must ship in a secure configuration with no default passwords
- Secure boot — Cryptographic verification of firmware integrity at every startup
- Authenticated updates — Signed firmware packages with rollback protection; security updates must be free for the product’s expected lifetime (minimum 5 years)
- Vulnerability handling — Manufacturer must have a coordinated vulnerability disclosure process and report actively exploited vulnerabilities to ENISA within 24 hours
- SBOM — Software Bill of Materials documenting all software components, versions, and known vulnerabilities
- Data minimization — Collect only data necessary for the product’s function (aligned with GDPR Art. 5)
Compliance Timeline
| Date | Obligation |
|---|---|
| September 2026 | Vulnerability reporting obligations begin |
| December 2027 | Full compliance required for all new products |
| Ongoing | Security updates for expected product lifetime (min. 5 years) |
Products classified as “important” (Class I/II) or “critical” require third-party conformity assessment by a notified body, not just manufacturer self-declaration.
Impact on Hardware Design Architecture
These regulations aren’t just paperwork — they impose architectural requirements that must be designed in from the start:
- Secure Element or TPM — Hardware key storage (e.g., Infineon OPTIGA Trust M, NXP SE050) for secure boot, firmware signing, and TLS authentication
- Cryptographic accelerator — Hardware AES, SHA, ECC for performant security without CPU overhead
- Protected bootloader — Immutable first-stage bootloader in OTP or protected flash
- Partitioned memory — Separation between secure and non-secure worlds (ARM TrustZone, RISC-V PMP)
- OTA update infrastructure — Dual-bank flash for A/B updates with automatic rollback on failure
Retrofitting these capabilities into an existing design is extremely difficult and expensive. Security must be an architecture decision, not a firmware patch.
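How the "signed firmware packages with rollback protection" requirement and the dual-bank A/B layout with automatic rollback meet in a bootloader's slot selection, as an added example (not code from Inovasense or any vendor named above). The `slot_t` record, its fields and the three functions are hypothetical; signature verification is assumed to be done by the protected bootloader and appears here only as `sig_ok`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define SLOT_NONE (-1)

/* Hypothetical per-slot record the bootloader keeps in protected flash. */
typedef struct {
    uint32_t version;    /* monotonic firmware version from the signed header */
    bool     sig_ok;     /* outcome of signature verification (assumed done elsewhere) */
    bool     confirmed;  /* set by the application once a boot passed self-test */
    uint8_t  tries_left; /* boot attempts remaining for an unconfirmed image */
} slot_t;

/* Authentic, not below the anti-rollback floor, and either proven or on trial. */
bool slot_bootable(const slot_t *s, uint32_t min_version)
{
    return s->sig_ok && s->version >= min_version &&
           (s->confirmed || s->tries_left > 0);
}

/* Newest bootable slot wins; a trial image pays one attempt before the jump. */
int select_boot_slot(slot_t slots[2], uint32_t min_version)
{
    int best = SLOT_NONE;
    for (int i = 0; i < 2; i++) {
        if (!slot_bootable(&slots[i], min_version))
            continue;
        if (best == SLOT_NONE || slots[i].version > slots[best].version)
            best = i;
    }
    if (best != SLOT_NONE && !slots[best].confirmed)
        slots[best].tries_left--; /* a crash or watchdog reset still counts */
    return best;
}

/* Confirm a healthy image; the returned floor goes to a monotonic counter. */
uint32_t confirm_slot(slot_t *s, uint32_t min_version)
{
    s->confirmed = true;
    return s->version > min_version ? s->version : min_version;
}

int main(void)
{
    slot_t slots[2] = { {3, true, true, 0}, {4, true, false, 2} }; /* constructed */
    for (int boot = 1; boot <= 3; boot++) /* the update never confirms itself */
        printf("boot %d -> slot %d\n", boot, select_boot_slot(slots, 3));
    return 0;
}
```

In this sketch the floor is raised only on confirmation, so the previous image stays available as a fallback during the trial boots and is refused afterwards.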
Environmental Compliance: RoHS, REACH, and WEEE
Environmental compliance is often overlooked during development but creates significant problems during market entry:
- RoHS — All components must be lead-free (RoHS compliant). Verify RoHS status in component datasheets; some legacy parts are still only available in leaded variants
- REACH — Any product containing Substances of Very High Concern (SVHCs) above 0.1% w/w must be registered in the EU’s SCIP database
- WEEE — Producers of electronic equipment must register with national WEEE schemes and provide collection/recycling for end-of-life products. Registration requirements vary by EU member state
At Inovasense, regulatory compliance is an architecture-level design input — not an afterthought. We map applicable directives during the requirements phase, design hardware with security and compliance features built in, and manage the CE marking process including test lab coordination, technical file preparation, and DoC drafting. Contact us to ensure your product is market-ready from day one.