Skip to content

EU Regulations

EU Taxonomy: Eligibility vs Alignment

If you work in corporate sustainability, you have heard two words repeated endlessly: "EU Taxonomy." You have probably also heard two more: "eligible" and "aligned." And if you are like most people, the distinction has been explained to you once — possibly by a consultant using a slide deck — and you nodded and never quite felt certain.

Here is the distinction, clearly, with no slide deck.

GDPR Compliance for Manufacturers: A Practical Guide

In June 2026, the UK's Information Commissioner's Office announced a formal probe into how smart TV manufacturers use consumer data and published final guidance on IoT products, warning that most IoT data processing "is likely to result in a high risk." The same month, Italy's antitrust authority opened proceedings against Vorwerk over the shutdown of cloud services for Neato robot vacuums — a landmark case examining whether manufacturers can devalue connected products through service termination.

Product manufacturers consistently tell us GDPR is a "tech company problem." Then we show them the connected product they're shipping — the one collecting sensor data and communicating with a smartphone app — and it clicks.

If your company places products on the EU market, you are almost certainly processing personal data in ways that trigger the General Data Protection Regulation (GDPR). Connected devices, supplier records, employee data — all of it counts. On the Sustalium platform, we handle GDPR declarations for IoT manufacturers, industrial equipment makers, and consumer goods companies. Here is what actually applies to product businesses.

Toy Safety: EU vs. US Requirements

Toys are one of the most heavily regulated consumer product categories in the world — and for good reason. A defective toy can cause choking, lacerations, chemical poisoning, or strangulation in a matter of seconds. Because the end-user is a child, regulators apply a zero-tolerance approach to non-compliance.

If you manufacture, import, or sell toys in the European Union or the United States, you must navigate two distinct but equally demanding regulatory regimes: the EU Toy Safety Directive (2009/48/EC) and the US Consumer Product Safety Act (CPSIA), which mandates a Children's Product Certificate (CPC). Understanding the differences — and producing compliant documentation for both markets — is essential for uninterrupted market access.

What Is a Declaration of Conformity?

Every product that enters the European market under a CE marking directive must be accompanied by a Declaration of Conformity. It is the single most important compliance document a manufacturer signs — and yet most first-time importers and SME manufacturers cannot answer three basic questions: what it is, what it must contain, and who is legally responsible for signing it.

This guide answers all three.

EU AI Act Compliance for Product Manufacturers

If your products contain software that makes decisions, recognizes patterns, generates outputs, or interacts with users — even basic features like predictive text, smart sensors, or automated quality grading — you are now regulated under the EU Artificial Intelligence Act (Regulation [EU] 2024/1689).

This is not a law for Silicon Valley alone. The EU AI Act applies to every manufacturer, importer, and distributor placing AI-enabled products on the European market. And because the Act is integrated with the New Legislative Framework (NLF), AI compliance is now directly tied to your CE Mark. If your AI system does not meet the Act's requirements, your product cannot legally carry the CE Mark — and cannot be sold in the European Union.

WEEE Compliance: E-Waste Producer Responsibility

If you sell electrical or electronic equipment in the European Union, your responsibilities do not end when the consumer opens the box. Under the Waste Electrical and Electronic Equipment Directive (WEEE — Directive 2012/19/EU), you remain legally responsible for the safe disposal and recycling of your products at the end of their life.

The WEEE Directive establishes the principle of Extended Producer Responsibility (EPR). You — the manufacturer, importer, or distributor — bear the financial and operational burden of collecting, treating, recovering, and disposing of the electronic waste your products generate. This is not a voluntary sustainability program. It is a legally enforced obligation in every EU Member State.

EUDR Compliance: Due Diligence & Key Deadlines

In 2025, Dutch authorities conducted pilot inspections across 20 operators and found widespread shortcomings in due diligence documentation. Dry runs led by German, Belgian, Dutch, and French regulators confirmed that authorities expect a complete "paper trail" for each specific shipment — not just a general due diligence system on paper. Rotterdam, Europe's largest port, is now a regulatory checkpoint where shipments without verified geolocation data can be stopped.

A cocoa importer we onboarded last quarter had their entire shipment flagged at Rotterdam port. The problem wasn't that their supply chain was deforestation-linked — it was that they couldn't produce the geolocation data fast enough. On the Sustalium platform, we see this pattern repeat across commodities: the legal burden is on the importer, not the supplier.

The EU Deforestation Regulation (EUDR — Regulation [EU] 2023/1115) is now fully enforced. Unlike voluntary sustainability pledges, it makes it a criminal offense to import commodities produced on land deforested or degraded after December 31, 2020. The burden of proof is entirely on your business.

Cybersecurity for Hardware & IoT SMEs: NIS2 & CRA

Building a great piece of hardware or an innovative IoT device used to be about functionality and design. Today, if your product connects to a network, it is a target. And governments are no longer politely asking you to secure it—they are legally demanding it.

With the enforcement of the EU NIS2 Directive and the rollout of the Cyber Resilience Act (CRA), hardware manufacturers and software vendors are suddenly facing enterprise-grade security mandates.

Submit Your First Definitive CBAM Report

If you import cement, iron, steel, aluminum, fertilizers, electricity, or hydrogen into the European Union, the regulatory training wheels have officially come off. As of January 1, 2026, the Carbon Border Adjustment Mechanism (CBAM) has exited its transitional phase and entered its definitive, financially binding regime.

During the transitional period (October 2023 to December 2025), the European Commission allowed importers significant leniency. If you could not obtain actual emissions data from your non-EU suppliers, you were permitted to use EU-published "default values" to fulfill your quarterly reporting obligations without financial penalty.

That era is over. To maintain EU market access today, you must report the actual, verified embedded emissions of your imports. More importantly, you must surrender CBAM certificates corresponding to those emissions. This guide breaks down the exact technical steps, methodologies, and verification requirements needed to successfully submit your first definitive EU CBAM Declaration.

Preparing for the EU CRA: SBOM Requirements

If you manufacture hardware, connected consumer electronics, IoT devices, or develop commercial software sold in the European Union, a massive regulatory wave is about to hit your engineering team.

The EU Cyber Resilience Act (CRA) represents the most sweeping cybersecurity law for physical and digital products in the world.

Under the CRA, cybersecurity is no longer treated as a post-launch software update or a marketing feature. It has become a mandatory condition for CE Marking.

If your "product with digital elements" does not meet the CRA's strict security-by-design standards, you cannot legally affix the CE Mark, and your product is banned from entering the European market. Penalties for non-compliance are severe, reaching up to €15 million or 2.5% of global turnover.

To maintain EU market access, software and hardware product teams must master the CRA's core technical requirement: the Software Bill of Materials (SBOM).