
Regulatory scoping for IoT and connected hardware

A connected product carries security obligations that a pure software service does not. The EU CRA and the UK PSTI regime both put baseline duties on the manufacturer — no default passwords, a vulnerability disclosure path, a defined support period — with the CRA adding a full conformity-assessment apparatus on top.

Product security · Vulnerability disclosure · Security updates · Product safety

Regulations Magist tracks for this vertical

  • EU CRA
  • UK PSTI
  • NIS2
  • EU GPSR

Coverage of these newer regimes is published as draft and reviewed on a rolling basis.

Questions that determine your footprint

  • Is the product made available to UK consumers?

    The UK PSTI regime requires no universal default passwords, a published vulnerability disclosure policy, and a published minimum support period for relevant connectable products — all three, not just the password requirement.

  • Will it be placed on the EU market?

    The EU Cyber Resilience Act adds secure-by-design essential requirements, an SBOM, conformity assessment, and CE marking, with reporting obligations from September 2026 and main obligations from December 2027.

  • Who in your supply chain is the manufacturer?

    Both regimes place primary duties on the manufacturer and cascade duties to importers and distributors, so the in-scope role determination shapes which obligations attach to you.


Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone.

Magist provides legal information, not legal advice. Consult a licensed attorney.


Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.



© 2026 Magist