Your regulatory landscape
If you ship connected hardware to the EU market, three overlapping pieces of EU legislation apply at once:
- CRA (Cyber Resilience Act, Regulation (EU) 2024/2847) — vulnerability-reporting obligations apply from 11 Sep 2026, full application from 11 Dec 2027. Mandatory cybersecurity requirements for products with digital elements. Fines up to €15M or 2.5% of worldwide annual turnover, whichever is higher.
- RED (Radio Equipment Directive) — the Article 3(3)(d), (e) and (f) cybersecurity requirements have been mandatory since 1 Aug 2025 (Delegated Regulation (EU) 2022/30). Network resilience, protection of personal data and privacy, and fraud prevention. Non-compliance means market withdrawal plus national penalties.
- NIS2 (if your buyers are essential or important entities) — your IoT product becomes part of their supply chain, and Article 21 obliges them to manage supply-chain risk, which they pass on to you through procurement clauses.
Between them they demand an SBOM, a vulnerability-handling process, a conformity dossier, CE marking (CRA and RED) and evidence of secure-by-design engineering.
How NexCyber consolidates
One SBOM, three sets of obligations. Your SPDX or CycloneDX file is mapped automatically to the CRA (Art. 13 and the SBOM requirement in Annex I, Part II), the RED Article 3(3) cybersecurity requirements and NIS2 Article 21 supply-chain security.
One conformity dossier. Module A self-assessment or the Module B+C Notified Body workflow, ready to hand over.
One MRCC. A single signed certificate covering all three, which your customers' procurement teams can verify cryptographically.
IoT-specific value
- EN 18031-1/-2/-3 (the RED harmonised standards) and ETSI EN 303 645 (consumer IoT baseline) — requirements pre-filled
- CRA classification — Annex III important products (Class I / Class II) and Annex IV critical products, determined automatically from your product specs
- Supply chain visibility — track component vendors several tiers down
- Vulnerability monitoring — known CVEs mapped across your dependency tree, with alerts when a new CVE matches a component in your SBOM
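The dependency-tree matching described above, as an added example: this is not NexCyber's code or a description of its internals. It parses a constructed CycloneDX 1.5 document with nested components (a firmware image bundling a TLS library that vendors a compression library), matches each package URL against an inline advisory feed with hypothetical IDs (EXAMPLE-0001 and so on, not real CVEs), and reports only the hits that were not seen in an earlier run. A real deployment would pull advisories from a feed such as OSV or the NVD and use each ecosystem's own version-ordering rules; the tuple comparison here is an assumption that suits the sample data.

```python
"""Match a CycloneDX SBOM against an advisory feed and report new hits.

Added example with constructed data; not NexCyber's code.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 SBOM. Nested "components" model the dependency
# tree: gateway-fw bundles tlslib, which vendors zlib.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "firmware", "name": "gateway-fw", "version": "3.2.0",
     "purl": "pkg:generic/example/gateway-fw@3.2.0",
     "components": [
       {"type": "library", "name": "tlslib", "version": "1.4.2",
        "purl": "pkg:generic/example/tlslib@1.4.2",
        "components": [
          {"type": "library", "name": "zlib", "version": "1.2.11",
           "purl": "pkg:generic/zlib@1.2.11"}
        ]}
     ]},
    {"type": "library", "name": "jsonparse", "version": "2.0.1",
     "purl": "pkg:generic/example/jsonparse@2.0.1"}
  ]
}
'''

# Constructed advisories with hypothetical IDs (not real CVEs). Affected
# range is [introduced, fixed), the convention OSV uses for its events.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_base": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0002", "purl_base": "pkg:generic/example/tlslib",
     "introduced": "1.4.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-0003", "purl_base": "pkg:generic/example/jsonparse",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(version):
    """Turn '1.2.11' or '2.0.1-rc1' into a comparable tuple of ints.
    Pre-release tags are dropped; fine for the sample data, real feeds
    need the ecosystem's own ordering (semver, PEP 440, Debian, ...)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def split_purl(purl):
    """Return (base, version) for a package URL, dropping ?qualifiers and #subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, None
    base, version = core.rsplit("@", 1)
    return base, unquote(version)


def walk_components(components, path=()):
    """Depth-first walk over CycloneDX components, descending into nested ones."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def match_sbom(sbom_json, advisories):
    """Return one finding per (advisory, component) whose purl base matches
    and whose version lies in [introduced, fixed)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp, path in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        if version is None:
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv["purl_base"] != base:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "purl": purl,
                                 "path": " > ".join(path)})
    return findings


def new_findings(findings, already_reported):
    """Alert only on (advisory, purl) pairs not reported in an earlier run."""
    return [f for f in findings if (f["id"], f["purl"]) not in already_reported]


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['purl']} via {f['path']}")
```

The path string is what makes the finding actionable: zlib is affected, but it arrived via tlslib inside the firmware image, so the fix is a tlslib or firmware update, not a top-level dependency bump. Persist the set of already-reported pairs between runs so that a re-scan after a new advisory lands only raises the new hit.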
Get started
Free assessment in 5 minutes — detects which regulations apply to your specific IoT product.