
Cybersecurity in IoT: Mandatory from August 2025
From 1 August 2025, all new radio-connected devices entering the EU market must comply with strict cybersecurity standards. What does this mean, and how can manufacturers prepare? We explored the topic at Evertiq Expo Krakow 2025.
Why is cybersecurity so critical?
“Today, we all have a phone, a computer, a watch — everything connected to the internet. Even a microwave, a coffee machine, a dishwasher, or a TV can now be online,” said Pascal Baranger of Würth Elektronik. Together with Jan Norder, Baranger spoke at this year’s Evertiq Expo in Krakow about upcoming changes in EU cybersecurity regulations for the Internet of Things (IoT).
As representatives of Würth Elektronik pointed out, the number of connected devices is rising every year — and so is the cost of cybercrime. By 2025, global losses from cyber attacks are expected to exceed €10 trillion.
The speakers recounted a notorious 2017 incident in Las Vegas, where hackers gained access to a casino network via an aquarium sensor that had not been properly secured.
“As we like to say, a system is only as secure as its weakest link,” said Norder.
New EU Regulations: RED and the Cyber Resilience Act
The presentation focused on two pivotal EU regulations: the Radio Equipment Directive (RED) and the Cyber Resilience Act. Both will raise the cybersecurity bar for internet-connected devices.
From 1 August 2025, the RED will require all radio equipment sold in the EU to adhere to three new cybersecurity requirements (Articles 3.3 D–F):
- 3.3 D: Network protection
- 3.3 E: Protection of personal data
- 3.3 F: Protection against fraud
“As of this date, any radio-connected device introduced to the EU market must satisfy these requirements. This isn’t a suggestion — it’s a legal obligation,” emphasized Baranger.
The Cyber Resilience Act, set to come into force in December 2027, goes even further, extending cybersecurity obligations across a wider range of products and services. It will require risk assessments at every phase of a product’s lifecycle, prompt vulnerability mitigation, and regular security updates.
The speakers also noted that the EU is leading the way globally when it comes to cybersecurity regulations. “In the US, only two states — California and Oregon — have similar laws. In Africa, none at all,” Norder explained.
This regulatory gap could be a serious threat, potentially locking exporters from certain countries out of the EU market if their products lack the required cybersecurity safeguards.
From theory to practice
How can you assess if a device falls under the new rules? The Würth Elektronik representatives introduced a decision tree available in the EU standards EN 18031-2 and EN 18031-3. These standards, published in January 2025 (and available for roughly €420 each), can be used repeatedly as implementation guides.
“It’s like a checklist,” explained Baranger. “If your device connects to the internet and processes or stores personal or financial data, you must implement an adequate level of protection, demonstrate it, and document it.”
To illustrate, the speakers gave an example: a walkie-talkie that doesn’t connect to the internet or process any personal data wouldn’t fall under the new rules. But a Raspberry Pi used in a smart home? Absolutely. “Even if it’s just a light switch app, if it contains a user’s email address, it’s subject to Article 3.3 E,” Baranger explained.
What if you’re running out of time?
The standards were published in January 2025, leaving companies only a few months to adapt. “In many countries, even in Germany, manufacturers are surprised. In Bulgaria, many had never even heard of these changes,” Norder said.
Compliance testing in laboratories is already challenging due to overwhelming demand and limited availability. “You can still launch a product before 1 August, when the new rules won’t apply. But what then?” the speakers wondered.
To help, Würth Elektronik presented its cybersecurity-focused solutions. Its Wi‑Fi and Bluetooth Low Energy modules enable:
- Secure boot
- Secure data storage
- Secure connections
- Over‑the‑air (OTA) updates with verified security
The company also introduced its flagship solution, the Cordelia 1 module, developed with Crypto Quantique. Its QuarkLink system allows for zero‑touch provisioning — a fully automated method for inserting passwords and configuration data securely, without human involvement. “No intermediaries, no risk of passwords being exposed,” emphasized Baranger.
For IoT manufacturers in Europe, the final deadline has arrived. The price of falling behind? Potential exclusion from the EU market.
“Cybersecurity is no longer a luxury — it’s like seatbelts in a car. From 1 August, it will be mandatory,” the speakers concluded.
Jan Norder and Pascal Baranger of Würth Elektronik spoke at the conference held during Evertiq Expo Kraków 2025. The next edition of this leading electronics industry event in Poland will take place on 7 May 2026 at CKF13, Fabryczna Street, Kraków.