How to use this guide
The European regulatory ecosystem has grown significantly between 2023 and 2026. Manufacturers, importers, and distributors operating on the EU market face a landscape where up to ten different regulations can affect a single product, depending on its nature, connectivity, function, and target sector. This guide analyzes each product type separately and explains, always citing the scope article of each regulation, why it could be applicable or why it falls outside its scope.
It is important to note that this page says "could apply," not "applies." The final determination of scope depends on the specific characteristics of each product and, in many cases, on delegated acts, European Commission guidance, and the interpretation of national market surveillance authorities. This page is an informed starting point for professionals to identify which regulations they need to examine in detail.
Connected electronic hardware (WiFi / BLE / cellular)
An electronic device with wireless connectivity — whether via WiFi, Bluetooth Low Energy, or cellular network — is arguably the product type that accumulates the greatest regulatory burden under the current European framework. The reason is simple: it combines digital elements with radio connectivity and, if intended for consumers, also falls within the orbit of general product safety.
The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, applies to "products with digital elements marketed on the market whose intended or reasonably foreseeable use includes a logical or physical, direct or indirect, connection to a device or network" (Art. 2(1)). A WiFi/BLE/cellular device fits directly within this definition. The CRA will be generally applicable from December 11, 2027, although vulnerability notification obligations are brought forward to September 11, 2026.
The Radio Equipment Directive (RED), Directive 2014/53/EU, is the reference regulation for all equipment using the radio spectrum for communication or radiodetermination (Art. 1(1)). A WiFi, BLE, or cellular device is radio equipment by definition. Furthermore, Delegated Regulation (EU) 2022/30 activates from August 1, 2025 the essential requirements of Art. 3(3)(d), (e), and (f) of the RED for internet-connected equipment, equipment processing personal data, and equipment enabling monetary transfers, introducing cybersecurity, data protection, and fraud protection obligations. Delegated Reg. 2022/30 is expected to be repealed from December 11, 2027, when the CRA enters full application.
The RoHS Directive (Dir. 2011/65/EU) restricts the use of hazardous substances in electrical and electronic equipment (Art. 2(1)). A connected electronic device is electrical and electronic equipment for the purposes of this Directive, unless it falls within one of the exclusions in Art. 2(4), such as medical devices, military equipment, or non-road mobile machinery intended exclusively for professional use.
The Data Act (Reg. 2023/2854) applies to "connected products" that obtain, generate, or collect data relating to their performance, use, or environment and that can communicate such data (Art. 1(2) and definition in Art. 2(5)). A WiFi/BLE/cellular device that generates usage data falls within its scope. The Data Act has been applicable since September 12, 2025.
If the device incorporates an artificial intelligence system, the AI Act (Reg. 2024/1689) could apply. The AI Act applies to providers that market or put into service AI systems in the EU, as well as to importers and distributors (Art. 2(1)). Application depends on whether the product contains an "AI system" as defined in Art. 3(1) and its risk level.
If the product is intended for consumers, the GPSR (Reg. 2023/988) acts as a safety net for aspects and risks not covered by specific sectoral legislation (Art. 2(1)). The GPSR excludes products entirely covered by EU harmonization legislation, but applies complementarily for aspects not covered.
If the device is a general-purpose computer, a smartphone, or a terminal accessing electronic communications services or audiovisual services, the European Accessibility Act (EAA), Directive 2019/882, could apply (Art. 2(1)). Accessibility obligations have been applicable since June 28, 2025. Micro-enterprises (fewer than 10 employees and turnover or balance sheet not exceeding €2M) are exempt regarding services.
Software / SaaS / App
Software, whether distributed as a standalone product, a cloud service (SaaS), or a mobile application, has a regulatory treatment that has changed substantially with the arrival of the CRA and the AI Act.
The CRA expressly includes software as a "product with digital elements." The definition in Art. 3(1) of the CRA covers "a software or hardware product and its remote data processing solutions, including software or hardware components marketed separately." Software marketed independently, including mobile applications, is within the scope of the CRA (Art. 2(1)), provided its intended use includes a connection to a device or network. Free and open-source software is only subject to the CRA insofar as it is intended for commercial activities (Recital 19).
If the software incorporates or constitutes an AI system, the AI Act is potentially applicable (Art. 2(1)). This includes both AI system providers and general-purpose AI model providers. The level of obligation depends on the system's risk classification.
If the software is a digital service related to a connected product (e.g., the companion app for an IoT device), the Data Act could apply through the concept of "related service" (Art. 2(6)), which includes digital services connected to the product such that, without them, the product could not perform some of its functions.
Regarding the EAA, Directive 2019/882 includes in its scope services such as e-commerce, banking services, e-books, and passenger transport services (Art. 2(2)). If the software provides any of these services, accessibility obligations apply from June 28, 2025.
RED, RoHS, and Toy Safety do not apply to pure software, as they refer respectively to radio equipment, physical electrical and electronic equipment, and toys. The EUDR and Pay Transparency also have no relevance to software as a product. The GPSR, for its part, applies to "products" in the sense of movable goods, so pure digital services generally fall outside its scope, although software embedded in a physical consumer product would be covered indirectly.
Connected toys
A connected toy — for example, a doll with Bluetooth, a children's tablet with WiFi, or a toy drone with app control — is perhaps the product type with the highest regulatory density. It combines the status of toy, electronic equipment, radio equipment, product with digital elements, and potentially, connected product for data purposes.
The Toy Safety Regulation (Reg. 2025/2509) applies to all products designed or intended, whether exclusively or not, for use in play by children under 14 years of age (Art. 2(1)). A product shall be deemed intended for play by children when a parent or supervisor could reasonably assume, by virtue of its functions, dimensions, and characteristics, that it is intended for such use. The new Regulation, published on December 12, 2025, will be generally applicable from August 1, 2030, replacing Directive 2009/48/EC. It includes specific essential safety requirements for toys with digital elements and internet-connected toys, requiring cybersecurity safeguards and privacy protection.
The CRA applies to the connected toy as a product with digital elements (Art. 2(1)). The RED applies if the toy uses the radio spectrum (Art. 1(1)), and Delegated Reg. 2022/30 extends privacy and personal data protection obligations specifically to toys covered by the Toy Directive and to childcare equipment, even without an internet connection (Art. 1(2)(a)). RoHS applies to the toy's electronic component as electrical and electronic equipment (Art. 2(1)).
The Data Act could apply if the toy is a "connected product" that generates data about its use (Art. 2(5)). The GPSR applies as a complementary safety net for aspects not covered by sectoral legislation (Art. 2(1)). If the toy incorporates AI, the AI Act could apply, and since AI toys interact with minors, they could be classified as high-risk under the criteria of Annex III of the AI Act.
Non-electronic consumer product
A non-electronic consumer product — a chair, a textile garment, a kitchen utensil, a backpack — sits on a different regulatory tier. Having no digital components or radio connectivity, it falls outside the scope of the CRA, RED, RoHS, the Data Act, and the AI Act.
The main regulation is the GPSR (Reg. 2023/988). This Regulation applies to all products intended for consumers or that can be used by consumers under reasonably foreseeable conditions, provided they are not entirely covered by sectoral harmonization legislation (Art. 2(1)). It explicitly excludes food, feed, medicines, plant protection products, and others regulated by specific sectoral legislation. The GPSR has been applicable since December 13, 2024.
If the product is made from or contains any of the seven commodities regulated by the EUDR — cattle, cocoa, coffee, palm oil, rubber, soy, or wood — and is marketed in the EU, the EUDR due diligence obligations could apply (Art. 1(1) and Annex I). A wooden furniture piece, a bovine leather bag, or a product with natural rubber are examples of non-electronic products that could fall within the scope of the EUDR. The EUDR application dates, following the amendment by Reg. 2025/2650, are December 30, 2026 for large and medium enterprises and June 30, 2027 for micro and small enterprises.
If the product is a non-electronic toy intended for children under 14, the Toy Safety Regulation (Reg. 2025/2509) is applicable (Art. 2(1)), regardless of whether the toy has digital components.
Industrial machinery
Industrial machinery intended exclusively for professional use has a different regulatory profile from consumer products. The GPSR generally does not apply, as it targets products intended for consumers or that can foreseeably be used by consumers (Art. 2(1)). B2B industrial machinery falls outside this definition unless, by its characteristics, a consumer could reasonably come to use it.
If the machinery incorporates digital elements with network connectivity — a PLC controller with Ethernet, an HMI interface with WiFi, industrial IoT sensors — the CRA could apply (Art. 2(1)). The CRA does not distinguish between consumer and industrial products: its scope covers all products with digital elements marketed on the EU market whose intended use includes a connection to a device or network. Recital 12 of the CRA confirms that it covers from consumer products to industrial systems.
RoHS applies to electrical and electronic equipment across all Annex I categories, including category 11 "Other EEE not covered by the above categories" (Art. 2(1)). However, Art. 2(4) specifically excludes large-scale stationary industrial tools, large-scale fixed installations, and non-road mobile machinery intended exclusively for professional use.
If the machinery uses radio modules (WiFi, Bluetooth, cellular), the RED applies to the radio module (Art. 1(1)). If it generates usage data and can communicate it, the Data Act could apply (Art. 2(5)). If it incorporates an AI system — for example, an artificial vision system for quality control or a predictive maintenance system — the AI Act could apply (Art. 2(1)), and certain industrial AI uses are classified as high-risk in Annex III of the Regulation.
Agricultural commodities (7 commodities)
The agricultural commodities regulated by the EUDR (Reg. 2023/1115, amended by Reg. 2025/2650) constitute a special case: it is the only regulation among the ten analyzed whose scope is defined not by the type of final product but by the source commodity.
The EUDR applies to seven commodities — cattle, cocoa, coffee, palm oil, rubber, soy, and wood — and to derived products that contain them, have been fed with them, or have been manufactured using them, according to the product list and CN codes in Annex I (Art. 1(1)). Examples of derived products include leather, chocolate, wooden furniture, natural rubber tires, cosmetics with palm oil, and feed with soy.
The EUDR obligations center on due diligence: operators must demonstrate that products are deforestation-free, produced in compliance with the legislation of the country of production, and covered by a due diligence statement (Art. 3). Following the amendments by Reg. 2025/2650, the application dates are: December 30, 2026 for large and medium enterprises and June 30, 2027 for micro and small enterprises.
The other regulations analyzed — CRA, AI Act, RED, RoHS, EAA, Pay Transparency, Data Act, and Toy Safety — have no direct relevance to agricultural commodities as such. The GPSR could apply if the derived product is intended for consumers and is not entirely covered by other harmonized legislation.
Digital service / platform / e-commerce
A pure digital service — an e-commerce platform, a SaaS web application, a streaming service — has a different regulatory profile from physical products. The CRA, RED, RoHS, and the Toy Safety Regulation apply to products, not services, so they fall outside their scope.
The most relevant regulation is the European Accessibility Act (EAA), Directive 2019/882, which includes in its scope services provided to consumers such as e-commerce, consumer banking services, access services to audiovisual media, and certain passenger transport services (Art. 2(2)). If the platform or digital service provides any of these services, accessibility obligations have been applicable since June 28, 2025. Micro-enterprises providing services are exempt.
If the digital service uses or constitutes an AI system, the AI Act could apply (Art. 2(1)). The AI Act applies to AI system providers that market or put them into service in the EU, regardless of where they are established, as well as to those who deploy them in the EU.
If the service is a "related service" to a connected product — for example, the cloud platform that collects data from an IoT device — the Data Act could apply, imposing data access obligations for connected product users (Art. 2(6) and Chapter II).
If the platform is an online marketplace, the GPSR imposes specific obligations on online marketplace providers (Art. 22), including Safety Gate registration, designation of contact points, and cooperation with authorities to remove dangerous products. The EUDR and Pay Transparency are not applicable to digital services as such.
Company with employees in the EU
The Pay Transparency Directive, Directive (EU) 2023/970, has a fundamentally different scope than the other regulations in this guide: it does not apply to a product, but to an employment relationship. It applies to all workers who have an employment contract or employment relationship in accordance with the legislation, collective agreements, or practices of each Member State (Art. 2(2)). It also applies to job applicants regarding pre-employment pay transparency (Art. 2(3)).
Any company with employees in the EU — regardless of its size, sector, or the products it manufactures or markets — will be subject to the national transposition of this Directive. Member States must transpose the Directive by June 7, 2026 at the latest. The main obligations include pay transparency in job postings, the right of workers to request information on average pay levels by gender, and for companies with 100 or more employees, the obligation to prepare gender pay gap reports. If the gap exceeds 5%, the obligation to carry out a joint pay assessment is triggered.
If the company uses AI systems in human resources processes — for example, in resume screening, performance evaluation, or employee decision-making — the AI Act could apply. AI systems used in employment are classified as high-risk in Annex III, point 4, of the AI Act, which implies enhanced obligations for transparency, human oversight, and risk assessment (Art. 6(2) and Annex III).
The other regulations in this guide (CRA, RED, RoHS, GPSR, EAA, Data Act, EUDR, Toy Safety) do not apply to a company "for having employees," but could apply depending on the products or services that company manufactures, imports, distributes, or provides.
Summary table: regulations by product type
This table summarizes which regulations could apply to each product type. ✓ indicates direct applicability per the scope article. ● indicates conditional applicability (depends on specific product characteristics). — indicates not applicable.
| Product type | CRA | AI Act | EUDR | GPSR | EAA | Pay Transp. | Data Act | RED | RoHS | Toy Safety |
|---|---|---|---|---|---|---|---|---|---|---|
| Hardware conectado | ✓ | ● | — | ● | ● | — | ✓ | ✓ | ✓ | — |
| Software / SaaS / App | ✓ | ● | — | — | ● | — | ● | — | — | — |
| Juguete conectado | ✓ | ● | — | ● | — | — | ✓ | ✓ | ✓ | ✓ |
| Non-electronic consumer | — | — | ● | ✓ | — | — | — | — | — | ● |
| Industrial machinery | ● | ● | — | — | — | — | ● | ● | ● | — |
| Agricultural commodity | — | — | ✓ | ● | — | — | — | — | — | — |
| Servicio digital / e-commerce | — | ● | — | ● | ✓ | — | ● | — | — | — |
| Company with employees (EU) | — | ● | — | — | — | ✓ | — | — | — | — |
Official sources
All data on this page comes exclusively from the following official sources. Each scope article has been consulted in the consolidated or published version in EUR-Lex.
eur-lex.europa.eu/eli/reg/2024/2847/oj
eur-lex.europa.eu/eli/reg/2024/1689/oj
eur-lex.europa.eu/eli/reg/2023/1115/oj
eur-lex.europa.eu/eli/reg/2025/2650/oj
eur-lex.europa.eu/eli/reg/2023/988/oj
eur-lex.europa.eu/eli/reg/2023/2854/oj
eur-lex.europa.eu/eli/dir/2019/882/oj
eur-lex.europa.eu/eli/dir/2023/970/oj
eur-lex.europa.eu/eli/dir/2014/53/oj
eur-lex.europa.eu/eli/reg_del/2022/30/oj
eur-lex.europa.eu/eli/dir/2011/65/oj
eur-lex.europa.eu/eli/reg/2025/2509/oj