As we move into 2026, the Internet of Things continues to grow at a breathtaking pace — with estimates now exceeding 80 billion connected devices worldwide. From industrial sensors and smart appliances to wearables, connected medical devices, children’s toys, and home automation systems, IoT touches almost every part of modern life.
That scale has triggered unprecedented regulatory scrutiny. Major recalls, eight-figure fines, blocked shipments, and new mandatory cybersecurity laws have made safety and compliance non-negotiable. A single failure can destroy years of work overnight.
Since 1988, Product Safety Consulting Inc has helped hundreds of IoT companies — startups and global enterprises alike — ship safe, legally compliant products to every major market on time and on budget.
Here are the thirteen questions we hear most in 2026, now with detailed answers.
Top 13 IoT Safety & Compliance Questions We Hear in 2026
1. What are the main safety standards that apply to IoT devices in 2026?
The vast majority of consumer, commercial, and professional IoT devices are governed by IEC 62368-1 — the hazard-based safety engineering standard that fully replaced the older IEC 60950-1 and IEC 60065 in every major market. It covers electrical, thermal, mechanical, chemical, and fire hazards in one flexible framework. Medical IoT devices must meet the more stringent IEC 60601-1 family (including collateral and particular standards for connectivity). Connected toys for children fall under EN 71 (Europe) or ASTM F963 (U.S.) plus strict chemical limits. Industrial sensors and control equipment usually follow IEC 61010-1. Knowing which standard applies early prevents expensive re-testing later.
2. Do all IoT devices still need FCC certification in the United States?
Any device with an intentional radiator — Wi-Fi, Bluetooth, Bluetooth LE, Zigbee, Thread, LoRa, LTE-M/NB-IoT, 5G, or even proprietary sub-GHz radios — requires formal FCC certification (Part 15 Subpart C or E). Devices without transmitters only need a Supplier’s Declaration of Conformity for EMC, but since mid-2025 the FCC also mandates the U.S. Cyber Trust Mark (cybersecurity labeling) for all radio-equipped consumer IoT. Missing either the traditional FCC ID or the new cybersecurity attestation means Amazon, Walmart, and most big-box retailers will simply reject your listing.
3. What is the biggest regulatory change affecting IoT devices in Europe right now?
Two massive changes are in full force: the Radio Equipment Directive (RED) Article 3.3(d),(e),(f) cybersecurity requirements and the EU Cyber Resilience Act (CRA). Together they require every connected device sold in the EU/EEA to demonstrate secure boot, signed firmware updates, protection against unauthorized access, and an active vulnerability-handling process for at least five years. Harmonized standards are the EN 18031 series and (still accepted) ETSI EN 303 645. Market surveillance authorities are now actively pulling non-compliant products off shelves and issuing major fines.
4. I’m a European manufacturer — does the EU Cyber Resilience Act (CRA) apply to my IoT product in 2026?
Almost certainly yes. The CRA classifies virtually all IoT hardware as “products with digital elements.” Consumer and most professional devices fall into Class I or II (“important “important”” or “”critical””), triggering formal CE conformity assessment, a technical file that includes an SBOM (software bill of materials), a signed EU Declaration of Conformity specific to the CRA, and a commitment to provide security updates and vulnerability fixes for a minimum of five years (or the expected product lifetime if shorter). Fines can reach €15 million or 2.5 % of global annual turnover — whichever is higher. Even firmware-only updates released in 2026 for older products can bring legacy devices into scope.
5. My IoT device is 5V, why is the Low Voltage Directive (LVD) required?
The Radio Equipment Directive (RED) requires that devices comply with the LVD regardless of input voltage ratings. So, although the risk of shock may be eliminated, anything over 15Watts is considered a fire hazard. The LVD also requires a risk assessment be conducted and held in the Technical File.
6. As an EU-based company selling globally, who carries legal responsibility for compliance?
Under EU law, the manufacturer (the company whose name or trademark appears on the product, packaging, or user manual) always carries primary legal liability — regardless of where the product is actually made or sold. If the manufacturer is based outside the EU but places products on the EU market, an EU Authorized Representative is mandatory under the RED and most other directives, and from 2026 an official “Responsible Person”” under the CRA is also required. For sales into the UK a separate UK Responsible Person is still needed post-Brexit. Missing these roles is currently the 1 reason shipments are stopped and destroyed at EU and UK borders.
7. My IoT device has a lithium battery. What battery certifications do I need in 2026?
Every lithium cell or pack requires UN 38.3 transportation testing for every single shipment (air, sea, or ground). The cells themselves must carry IEC 62133-2 (or equivalent UL 1642/UL 2054) certification, or the entire battery system must be fully evaluated inside the end product under IEC 62368-1 Clause 6 (overcharge, short-circuit, crush, thermal abuse, etc.). Protection circuitry, cell balancing, and proper charge termination are closely scrutinized. Battery-related incidents remain the top cause of IoT recalls and retailer de-listings worldwide.
8. How do I meet IoT cybersecurity requirements without becoming a security expert?
Most companies in 2026 satisfy both regulators and major retailers by following either ETSI EN 303 645 (still widely accepted) or the newer harmonized EN 18031 series. Key requirements include secure boot, cryptographic signing of all firmware updates, no hard-coded or default passwords, encrypted communication where applicable, and a public vulnerability disclosure policy with a defined reporting channel. We create a complete evidence package — policies, test reports, SBOM template, and conformity declaration — that you can hand to Amazon, the EU notified body, or U.S. retailers in one clean folder.
9. Do consumer/smart-home IoT devices need a UL or ETL mark in North America?
Strictly speaking, no federal law requires it, but in reality, yes — virtually every major retailer (Amazon, Walmart, Target, Best Buy, Home Depot), online marketplace, and liability insurer now demands an NRTL (Nationally Recognized Testing Laboratory) mark such as UL, ETL, SGS, TÜV, or CSA on consumer-connected products. Many will not even review a new vendor application without it. The mark proves independent third-party review of safety, EMC, and (increasingly) cybersecurity, giving buyers and insurers confidence the product won’t burn down a house or create liability.
10. How early in development should we start thinking about compliance?
The correct answer is: as soon as you have a block diagram and industrial-design render. Approximately 80 % of total certification cost and schedule delay comes from changes required after PCBs are laid out or enclosures are tooled. A 2–4 hour pre-compliance review at the concept stage routinely saves 3–9 months and six-figure sums later. We look at antenna placement, battery chemistry, enclosure flammability rating, thermal hotspots, and connector safety in one quick session and give you a clear go/no-go list before you spend real money.
11. What extra rules apply to connected children’s toys or devices in 2026?
Any product intended for — or realistically likely to be used by — children 12 and under triggers an entirely separate layer of rules on top of normal IoT requirements. In the U.S.: CPSIA (lead, phthalates, tracking labels), ASTM F963 (mechanical, flammability, battery safety), and extremely low RF exposure limits. In Europe: Toy Safety Directive 2009/48/EC, EN 71 series, REACH chemical restrictions, plus full RED and CRA compliance. Third-party testing and formal certification reports are almost never optional for children’s connected products.
12. How long does full global IoT certification take in 2026?
When we are involved from the block-diagram stage, a typical consumer device with Wi-Fi, Bluetooth, rechargeable lithium battery, and plastic enclosure achieves FCC, CE, UKCA, Canada ISED, Australia RCM, and Japan MIC approval in 8–10 weeks with one coordinated test plan and single final report package. Projects that reach us only after hardware is frozen routinely stretch to 5–10 months because of multiple redesign and re-test cycles. Early planning is the single biggest time-and-money saver.
13. My IoT sensor is coin-cell or energy-harvesting — do I really need all these certifications?
Absolutely yes. Even the tiniest BLE beacon, LoRa soil-moisture sensor, or NFC tag must meet radio (RED/FCC), EMC, electrical safety, and — in most markets — cybersecurity rules if it connects to the internet or another device. Coin-cell devices still contain lithium (triggering UN 38.3 and battery safety rules), and their antennas still emit RF energy. The persistent myth that “if it’s small and low-power it’s exempt” continues to cost startups huge money when shipments are seized by customs or rejected by Amazon, Walmart, and European distributors.
Ready to launch your 2026 IoT product safely and on schedule?
Compliance doesn’t have to be painful or expensive — when it’s built in from day one, it actually speeds up your time-to-market. Product Safety Consulting Inc turns complicated global requirements into simple, predictable roadmaps so you can focus on building great products.
Book your free 30-minute compliance strategy call or download our updated 2026 IoT Compliance Checklist today at https://productsafetyinc.com/.
Product Safety Consulting Inc has been helping hardware and IoT companies ship safe, compliant products worldwide since 1998. Learn more at https://productsafetyinc.com/
Disclaimer: This content was developed with contributions from multiple sources and reflects general industry knowledge about safety certification requirements. Product Safety Consulting Inc provides this information for educational purposes only. Specific certification requirements vary by product, application, and jurisdiction. Always consult with qualified certification professionals and testing laboratories for guidance on your particular situation.