Blog

September 2026 and December 2027:  Two Milestones That Will Redefine IoT Security in Europe

The European Union’s Cyber Resilience Act (CRA) is reshaping cybersecurity requirements for connected devices, especially cellular IoT products such as smart meters, industrial gateways, trackers, telematics systems, and connected medical devices.

Two dates are critical for manufacturers:

• 11 September 2026 — vulnerability and incident reporting obligations begin
• 11 December 2027 — full CRA compliance becomes mandatory

These milestones will significantly impact product design, software maintenance, and lifecycle security management.

Why Cellular IoT Is Impacted

Cellular IoT devices are considered high-risk because they:

• Connect directly to public telecom networks
• Remain deployed for many years
• Rely on embedded software and remote updates
• Often operate unattended in critical environments

As a result, the CRA forces a fundamental shift from a traditional “ship-and-forget” model to one of continuous cybersecurity accountability.

September 2026: Start of Mandatory Reporting

From September 2026 onward, manufacturers must implement processes to:

• Detect and assess vulnerabilities
• Monitor cybersecurity incidents
• Report actively exploited weaknesses
• Notify serious incidents to authorities
• Provide mitigation guidance to users

This marks the transition toward formalized cybersecurity operations, requiring dedicated vulnerability management and incident response capabilities. 

The Role of the SBOM

A Software Bill of Materials (SBOM) becomes essential, providing full visibility into:

• Operating systems
• Open-source components
• Firmware
• Third-party dependencies

Non-compliant products risk exclusion from the EU market.

December 2027: Full CRA Compliance

By December 2027, cybersecurity will be a prerequisite for CE marking digital products in the EU. Manufacturers must demonstrate secure‑by‑design principles, including:

• Secure boot and authentication controls
• Encrypted communications
• Secure firmware update mechanisms
• Long-term vulnerability management

Failure to comply may result in loss of access to the EU market.

Alignment with RED EN 18031

Cellular IoT devices are also subject to the Radio Equipment Directive (RED) cybersecurity standard EN 18031, which addresses:

• Network protection
• Data privacy
• Fraud prevention

While RED focuses on device-level security requirements, the CRA extends these obligations across the entire product lifecycle, emphasizing continuous updates, monitoring, and incident response.

Conclusion

The CRA introduces a two-phase transformation:

• September 2026: Beginning of mandatory cybersecurity operations
• December 2027: Full regulatory enforcement across all connected products

Together, these milestones redefine cybersecurity as a continuous responsibility rather than a one-time feature.

Sequans is proactively preparing for this evolution with a fully controlled Western value chain—from chipset to module, firmware, and software—enabling customers to meet emerging CRA requirements while strengthening supply chain security and trust.