Contact sales

New EU cybersecurity requirements for connected devices take effect August 2025

The Particle Team article author avatarThe Particle TeamMay 28, 2025
New EU cybersecurity requirements for connected devices take effect August 2025

On August 1, 2025, new European Union regulations will come into effect that significantly raise the bar for the cybersecurity and privacy of wireless-connected consumer devices. If you’re planning to launch a new product in the EU that includes Wi-Fi, LTE, BLE, or similar wireless tech, it’s time to prepare.

These changes are not just regulatory red tape, they’re a fundamental shift in how connected devices are evaluated and certified. The core message of the standard is overwhelmingly positive for device security and improving the privacy of your customers: your product must be provably secure.

What’s changing?

The new rules are being introduced via Market Surveillance Regulation (EU 2019/1020), which strengthens market oversight, and a Delegated Act under the Radio Equipment Directive (RED), which mandates cybersecurity features in connected devices.

Together, they require demonstrable cybersecurity and privacy protections in all new products containing wireless communication components that are sold to EU consumers.

What’s required?

To meet the new requirements, devices must include critical cybersecurity features, such as:

  • Secure boot
  • Encrypted communications
  • Privacy-by-design (including just privacy-by-policy)
  • Tamper resistance
  • Secure update mechanisms
  • Compliance documentation, including threat modeling and risk analysis

The key takeaway: Devices must be certified as secure, not just functionally safe.

Who’s affected?

The requirements apply to any newly introduced products after August 1, 2025, that use wireless communication (e.g. Wi-Fi, LTE, BLE), and are marketed to EU consumers.

Products already in the market before this date are not retroactively impacted, but any significant modifications might trigger re-certification.

Are there exemptions?

There is a narrow exemption for devices that do not process or transmit personal data (PII). However, this is not a blanket exemption:

  • Location data, user credentials, or even anonymized sensor inputs could qualify as PII depending on context.
  • Your legal and compliance teams must assess this — Particle cannot make that determination.

What should you do now?

If you plan to launch a connected product in the EU:

  1. Consult your legal team to understand how these rules apply.
  2. Evaluate your certification strategy early — the bar is higher and the review may take longer.
  3. Talk to us! If you’re using Particle modules, we can help assess compliance options and share what’s changing in our software and hardware.

What is Particle doing?

Particle is actively preparing to support customers with this transition:

  • Many of the required features such as encrypted communication and tamper resistance are already built into Particle’s Device OS and Device Protection features.
  • We’re updating modem firmware and expanding our Device Protection capabilities to meet the new RED cybersecurity requirements.
  • We will also provide supporting materials to help with certification, including:
    • Threat models
    • Risk analysis summaries
    • EU Declarations of Conformity (DoC)
    • A structured approach to documenting compliance using Particle’s platform

We are working to ensure that customers using Particle modules and cloud services can navigate the EU’s new cybersecurity landscape with confidence and clarity.

We’re here to help

If you’re not sure whether these regulations impact you or what you’ll need to do, please do not hesitate to reach out. Our goal is to make this transition as seamless as possible for your team.

Resources: We’ll be publishing additional guidance, templates, and FAQs as the enforcement date approaches.

Comments are not currently available for this post.