Does a pre-certified module mean my device is automatically certified?

No. The module's certification covers the module. Your host device still needs: radiated emissions testing (the antenna, enclosure, and PCB change RF behavior), EMC testing of the complete product, EN 18031 cybersecurity testing (firmware and data path, not just the radio), and SAR testing if body-worn. Pre-certification reduces cost and time by 30-50% — it does not eliminate certification.

Is EN 18031 cybersecurity testing required for industrial IoT devices?

Yes. The mandate applies to ALL internet-connected radio equipment — not just consumer products. Industrial gateways, NB-IoT sensors, and LTE-M trackers with IP connectivity are in scope. The only exemption: devices that do not connect to the internet. A private LoRaWAN sensor with no IP stack is exempt. A cellular IoT sensor that transmits to a cloud platform is not.

PTCRB and GCF — do I need both?

PTCRB is required for North American carrier acceptance. GCF is required globally by many operators. They overlap approximately 70% in test cases — run them in parallel at the same ISO 17025 lab to save 2-4 weeks and $5k-10k versus running sequentially. For devices targeting North America only, PTCRB alone may be sufficient. For global deployment, both.

FCC, CE/RED, PTCRB, GCF: The Four Certifications Your Cellular IoT Device Needs Before It Ships — and the One That Changed in August 2025

June 4, 2026 · 7 min read · Technical Whitepapers

Since August 2025, every internet-connected radio device sold in the EU must pass EN 18031 cybersecurity testing — no exceptions. A cellular IoT device that passed CE/RED in June 2025 is no longer compliant. Meanwhile, PTCRB added NTN and 5G RedCap testing categories, and the EU Cyber Resilience Act imposes fines up to EUR 15 million from December 2027. If your device certification plan was written before 2025, it is out of date.

A cellular IoT device needs four certifications to ship globally: FCC (US market access), CE/RED (EU market access), PTCRB (North American carrier acceptance), and GCF (global interoperability). A fifth — the EU Cyber Resilience Act — is not a certification but a legal obligation with fines up to EUR 15 million from December 2027. The certification landscape changed on August 1, 2025 when RED Article 3.3(d/e/f) became mandatory: every internet-connected radio device must now pass EN 18031 cybersecurity testing. No default passwords. AES-256 encryption. Secure firmware updates. A device certified in June 2025 is not compliant today. If your certification timeline was planned before 2025, re-plan it.

The Four Mandatory Certifications

| Certification | Jurisdiction | What It Verifies | Without It | Timeline | Cost Range |

|--------------|-------------|-----------------|-----------|----------|-----------|

| FCC | United States | RF emissions do not cause harmful interference | Cannot be sold in US | 4-8 weeks | $5k-15k |

| CE/RED | European Union | Safety, EMC, spectrum efficiency, cybersecurity (since Aug 2025) | Cannot be sold in EU/EEA | 6-12 weeks | EUR 15k-60k |

| PTCRB | North America | Device does not harm operator networks; 3GPP compliant | AT&T/Verizon/T-Mobile may refuse network access | 4-8 weeks | $10k-25k |

| GCF | Global | Interoperability across different networks worldwide | Some operators block non-GCF devices | 4-8 weeks | $10k-20k |

Most device makers pursue FCC + CE/RED first (legal requirement), then PTCRB + GCF (carrier requirement). PTCRB and GCF test cases overlap significantly — run them in parallel at the same lab to save 2-4 weeks and $5k-10k.

EN 18031: The Cybersecurity Mandate That Changed Everything in August 2025

RED Article 3.3(d/e/f) requires three cybersecurity standards under EN 18031. They apply to every internet-connected radio device — not just consumer products. Industrial IoT gateways, NB-IoT sensors with IP connectivity, and LTE-M asset trackers all fall within scope:

1. EN 18031-1 (Network protection): No default passwords, secure firmware update mechanism, authentication on all network interfaces.

2. EN 18031-2 (Data privacy): AES-256 or equivalent encryption for personal data in transit and at rest, user control over data collection.

3. EN 18031-3 (Fraud prevention): Device identity verification, anti-tampering, secure boot.

A device that passed CE/RED in June 2025 without EN 18031 is no longer legally compliant. Customs authorities in the EU are enforcing this. Online marketplaces are delisting non-compliant products. The practical impact: a cellular module that was CE-certified in 2024 may need re-testing if the host device's firmware, authentication mechanism, or data path has changed. The module itself is not the problem — the integration is.

Source: GTG Group, "CRA Certification for Wireless Products: Framework, Scope, and Core Obligations", 2025. Available at https://en.gtggroup.cn/457.html

PTCRB v6.22 — What Changed in 2025

PTCRB NAPRD03 Version 6.22 (September 2025) added: 5G RedCap testing (3GPP Release 17 devices), NTN (Non-Terrestrial Network) testing for satellite IoT modules, a new Utility IoT Device Evaluation category (Section 4.4), and IoT Cybersecurity Assessment moved to Section 4.2. Sony Altair ALT1350 became the first pre-certified LTE-M/NB-IoT/NTN chipset in April 2025 — chipset test data re-use now reduces derivative product certification costs.

The practical procurement takeaway: specify "pre-certified module with PTCRB certification" in the RFP. A module that already holds PTCRB reduces host device testing to radiated performance and antenna verification — approximately 40% less time and cost than certifying from scratch. Accept no module without a valid PTCRB certificate number you can verify on ptcrb.com.

Source: PTCRB, "NAPRD03 Version 6.22", September 2025. Available at https://www.ptcrb.com/wp-content/uploads/2025/09/NAPRD03-V6.22.pdf

The EU Cyber Resilience Act — What Hits in 2027, What You Do Now

The CRA applies fully from December 11, 2027. But vulnerability reporting obligations start September 11, 2026 — 15 months from now. Five core obligations: secure-by-design and secure-by-default development, documented risk assessment for every product, vulnerability management process with disclosed reporting channel, third-party component due diligence (every software library, every open-source dependency), and security updates for the expected product lifetime (minimum 5 years).

CRA fines: up to EUR 15 million or 2.5% of global annual turnover — whichever is higher. The CRA is independent of RED EN 18031. Passing cybersecurity testing under RED does not satisfy CRA. They address different legal obligations with different enforcement mechanisms.

What to do now: if your device contains open-source software (it does), start cataloging every library, every version, every CVE. If you do not have a documented vulnerability disclosure process, create one before September 2026. If your device cannot receive OTA firmware updates, the CRA effectively prohibits its sale after December 2027 — because you cannot satisfy the security update obligation without remote update capability.

Pre-Certified Modules: The Shortcut That Works

A cellular module that already holds FCC, CE/RED, PTCRB, and GCF certifications reduces host device testing by 30-50%. But pre-certification does not cover: the antenna (radiated performance must be tested on the final product), the enclosure (SAR testing for body-worn devices), EMC of the complete host (the module's EMC report does not cover your power supply, your display, your motor controller), and EN 18031 cybersecurity (the host device's firmware, authentication, and data path must be tested — the module's certification covers only the module).

Source: dev.to / AppleKo, "A Developer's Guide to FCC, CE, PTCRB, and GCF Certifications for IoT Devices", 2025. Available at https://dev.to/applekoiot/a-developers-guide-to-fcc-ce-ptcrb-and-gcf-certifications-for-iot-devices-4999