Product type
Consumer IoT devices: which EU regulations apply
e.g. smart thermostats, smart speakers, connected doorbells, fitness bands
Mains- or battery-powered connected products sold to the public — typically with a wireless radio, a companion app and an account.
Regulations that typically apply
- CRA (mandatory)
  It is a product with digital elements that runs software and connects to a network.
- RED (usually)
  Most consumer IoT uses Wi-Fi or Bluetooth, which makes it radio equipment.
- EMC (mandatory)
  Electromagnetic-compatibility requirements apply to all electronics — under the EMC Directive for wired equipment, or folded into the RED for radio equipment.
- RoHS (mandatory)
  It is electrical and electronic equipment, so restricted substances apply.
- LVD (conditional)
  Applies when the device (or its supply) operates in the LVD voltage range — e.g. a mains-powered unit or its PSU; pure low-voltage battery devices may fall outside it.
- GDPR (usually)
  A user account, app or device identifier means personal data is processed.
A starting map, not a binding assessment — applicability depends on your product’s exact features and target markets.
What’s different about compliance here
For consumer IoT the live issue is the move from the RED cybersecurity delegated act to the Cyber Resilience Act: the RED requirements (demonstrated through EN 18031) have been mandatory since August 2025, and the CRA supersedes them from December 2027 — so which obligation bites depends on your product’s timeline. Because these are mass-market goods, market-surveillance attention and the expectations on default settings, update mechanisms and vulnerability handling are high.