A Beginner's Guide to IoT Product Compliance

Ensure your IoT products meet regulatory compliance standards before launch.

Adam Drewery

Embedded/Electrical Engineer

As an Embedded/Electrical Engineer at Very, Adam Drewery works with clients to build hardware-powered solutions. Adam is motivated by the feeling of accomplishment when he gets something working correctly for the first time — even if it’s something as simple as getting an LED light to blink on a new set of hardware.



Improper procedure when it comes to getting your IoT products certified by the correct regulators can have serious impacts on time to market, as well as enormous legal and financial ramifications.

The most challenging thing I’ve encountered while researching compliance standards over the years is the lack of resources out there to help someone without a law degree understand what they need to do to get their products certified. With so much on the line, I wanted someone to explain to me in plain language exactly what matters and what doesn’t.

To that end, I’ve compiled this high-level overview of the regulations you need to know about as an electrical engineer and as a business leader to ensure your hardware meets the right standards. Note that throughout this guide, we’ll be focusing primarily on standards in the United States and Canada, with some mention of the regulations in Europe.

**The information provided on this document does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available are for general informational purposes only. Readers of this document should contact their attorney to obtain advice with respect to any particular legal matter.

Why Product Certification Matters for IoT

The FCC rules (specifically 47 CFR 2.803) state that prior to being marketed and sold in the US, any device that emits RF energy must be, “properly authorized, labeled, and furnished with the proper user information disclosures. Failure to comply may subject the violator to substantial monetary penalties that could total more than $150,000 per violation.” Not to mention the additional delay to schedule and the expense associated with pulling products and rushing them through certification. Let’s go through a quick hypothetical product launch to explore what this might look like: 

Let’s say your company’s done all the market research, completed the entire product design lifecycle, gone through the painstaking process of getting through production, and have your first models out in the field. 

As you’re planning your next production run, you get a call from an electrical inspector asking for the results from your compliance tests, and why the appropriate markings aren't displayed on the product. It turns out, a competitor actually reported your product as unsafe, because their version of the product has not launched. If you have considered and performed compliance testing, the path out of this jam is much more straightforward. However, if you have not considered compliance then you now have to halt production of that product until you have gone through the appropriate testing and filed any associated paperwork.

With this product serving as one of your key revenue streams, you can’t afford to halt production, so you do whatever you can to get your compliance testing completed as quickly as possible. Typically, this means shelling out a lot more cash than you budgeted for, only to realize that because you didn’t test the product earlier, you failed the compliance testing. 

Now, you have to perform a lengthy diagnostic investigation to fix some spurious emissions. Or, even worse, you have to address that one weird failure that you can only seem to reproduce if you’re standing on one leg during an eclipse that happens to coincide with a sea turtle spawning event. Then, you have to pay to either rework or remake the product to meet compliance standards. Then, you have to re-test and hope that something else doesn’t start failing. When you add it all up, the cost of failing to go through compliance now totals in the hundreds of thousands of dollars, and that is after potentially paying fines levied by the FCC that were mentioned above.

While this story describes a worst-case scenario from a business perspective (and is actually not all that hypothetical as I have seen similar things happen in my career), there are other negative outcomes from neglecting compliance as well. For example, distributors may not carry your product without UL and FCC markings, which limits your distribution network. 

Finally, there is, of course, the safety of your consumers. Even if you feel confident that your product is safe, testing for certifications can reveal things you may not have previously considered, protecting both your users and your business. To avoid finding yourself in this trap consider certifications at the beginning of the product development cycle. 

An Overview of the Major Regulators and Standards

Depending on where your product will be manufactured and sold, there are different regulatory agencies and standards with which you’ll need to comply. We’ll focus primarily here on the U.S., Canada, and Europe. 

International Electrotechnical Commission (IEC) Certification

The IEC is an international organization that prepares and publishes “International Standards for all electrical, electronic and related technologies.” The United States, Europe, and Canada largely base their own national certification standards on those developed by the IEC, so you can think of it as the overarching regulatory body. The IEC has multiple committees and subcommittees which regulate different kinds of products and technologies.

Comité International Spécial des Perturbations Radioélectriques (CISPR) Certification

In English, the Comité International Spécial des Perturbations Radioélectriques means International Special Committee on Radio Interference. CISPR is an IEC committee that defines the specific set of tests that you need to do to comply with a certain standard, plus all the relevant details, including how to do the tests and how often. 

In North America and Japan, CISPR-22 (known as EN-5022 in Europe) is the most relevant standard for information technology devices (like printers, computers, single word computers, etc.), and is used to regulate radiofrequency (RF) emissions and electromagnetic compliance (EMC). 

Federal Communications Commission (FCC) Certification

FCC testing, along with UL standards (explained below), is the most relevant to products developed and sold in the United States. The FCC approval process is primarily focused on determining whether your product is emitting RF energy outside of your allowed limits, and on prohibiting interference with other devices and systems. 

For most electronic equipment, FCC Part 15 standards are the most relevant and are divided into Class A (industrial, non-residential products) and Class B (consumer, residential products).

Here’s an informative guide from the FCC about how to certify computers and other digital devices.    

Industry Canada (IC) Certification

IC is the Canadian counterpart to the United States’ FCC, also focusing on RF emissions. The certification procedure for IC closely matches that of the FCC. To get certified for both, there are generally not many differences between the tests. The only added costs come with two separate application fees, one for each agency. If the manufacturer is not located in Canada, they will need an in-country representative.

Underwriters Laboratories (UL) Certification

UL is a global organization headquartered in the United States that sets standards for products ranging from mobile phones to plastic materials. While many of the regulations from organizations like FCC and CISPR are concerned with limiting RF emissions, UL regulations are focused on product safety (e.g., preventing electrical fires). 

The UL safety standard that is currently used in the United States is UL 62368 (for Audio/Video, Information & Communication Technology Equipment).

Conformité Européenne (CE) Certification

Conformité Européenne is French for European Conformity, and it’s the universal standard for health, safety, and environmental regulatory compliance within the European Economic Area (EEA). Nearly every kind of product you could manufacture must have a CE marking and corresponding Declaration of Conformity in the EEA, from toys to water boilers, so this will most likely apply if you plan to market, manufacture, or sell there. 

In order to get the official CE mark on your product, you’ll need to identify the EU regulations that apply to your product, complete your own conformity assessment, and create a technical file. Finally, you’ll need to make a Declaration of Conformity, which is a document signed by you confirming that your product complies with CE regulations. The regulations that apply to your product will determine what needs to be included in your declaration.

In Europe, the Declaration of Conformity is a legally binding document placing all liability on you, the manufacturer’s, shoulders. If your product is found to be non-compliant, it will be your responsibility to address and remedy any issues.

PTCRB Certification

The acronym for this regulator previously stood for PCS Type Certification Review Board, but it’s now a pseudo-acronym. They are “a certification organization established in 1997 by leading wireless operators to define test specifications and methods to ensure device interoperability on global wireless networks,” according to their website. Basically, this organization ensures that your product works well with cellular carriers like AT&T and T-Mobile. Verizon has its own carrier test you’ll need to perform. 

GCF Certification

The acronym stands for Global Certification Forum. It is a world-wide certifying agency that consists of a network of “Operators, Manufacturers, and Observers.” Operators are typically carriers, manufacturer memberships are for those who either manufacture directly or put a product on the marketplace, and observer members are for anyone else who has an interest in cellular technology.

Annual membership is required in order to achieve product certification, and then an approved test facility must perform the compliance testing. Once a device is certified, the certification stays valid if the manufacturer does not wish to maintain an annual membership.

Perhaps the most notable benefit of obtaining GCF certification is that it is recognized worldwide. While it may not cover a device for all carriers, the test results from this test can minimize the number of carrier-specific tests that are required. This can not only save money but also time to market.


The Wi-Fi Alliance champions the use of Wi-Fi technologies to solve a wide range of problems. More importantly, they set the standards that help to ensure interoperability between the different generations of Wi-Fi devices. A Wi-Fi CERTIFIED product has been tested to ensure that these standards are met. In most industrial applications, the Wi-Fi module itself has been through this testing. In consumer markets, however, most components are Wi-Fi CERTIFIED, and not obtaining this certification can be a competitive disadvantage.

Bluetooth Special Interest Group (SIG)

The Bluetooth SIG is analogous to the Wi-Fi Alliance in championing the use of its technology. They also maintain the Bluetooth standard. Much like the W-Fi certification, Bluetooth qualification testing ensures that a device will maintain interoperability with other devices. In most situations, it is advised to build around radios that currently possess a Bluetooth declaration ID, and then pay a one time $9,600 declaration fee for your own product. This legally allows you to use the Bluetooth logo. If not done, your device may actually be held in customs. Note that you will have to become a Bluetooth SIG member, but there is a free tier.

Which Devices Need To Be Certified?

We know that certification needs to happen. We know which regulators control which kinds of tests/standards. So, what kinds of devices and products do the rules apply to? Technology has evolved significantly in the past few decades and the same kinds of certification rules that would have been applied only to a camcorder in the 1980s can now also be applied to your mobile device. In addition to a video recorder, it is also a camera for still photos, and a computer, and a cellular phone, and a navigation device, and a flashlight, and a lot of other things. 

Here’s a list of the kinds of information technology devices you’ll need to certify with one or more of the regulators we looked at in Part 1 of our guide, depending on where you plan to manufacture and market the product. Note that just one product could include multiple categories, so it might also be helpful to modularize each component during the design process to make it easier to test: 

  • Any electronic product that operates at frequencies 9 kHz or higher (FCC & IC)
  • Any product connecting to the alternating current (AC) power grid
  • Most intentional radiators (includes the majority of IoT devices)
    • Cellular devices
    • Bluetooth devices
    • Wi-Fi devices
    • ZigBee radios
    • WLAN
    • LoRA (Long Range)

Types of RF Devices 

There are five types of RF devices governed by the FCC. The complexity and amount of testing required are primarily dependent on the type of RF device.

Low Test Effort

Incidental radiators (non-digital devices) and unintentional radiators (digital devices) are common in day-to-day life. They are things like air conditioners and alarm clocks, respectively. The tests for these products generally take less time. Interestingly, neither of these types of devices contains a radio transmitter, but they can ultimately emit a fair amount of RF noise if not properly designed. 

High Test Effort

Going to the other end of the spectrum in terms of testing complexity are Industrial, Science, and Medical (ISM) band transmitters that operate in several different bands. The most common are 902 - 928 MHz (LoRa), 2.4 GHz (Wi-Fi and Bluetooth), and 5 GHz (Wi-Fi). These are typically low-power devices that transmit less than a single watt of power, and they are required to frequency hop within their respective band. These are sometimes referred to as unlicensed transmitters. 

The most complicated in terms of compliance testing are licensed transmitters such as cellular technology. The ISM and licensed transmitters are commonly put on a pre-certified module that is then included in large assemblies, but that does not always have to be the case. Most IoT devices will be unlikely to fall into this classification. 

IoT Devices

In the IoT space, almost everything has a radio and is considered an intentional radiator. If the product has a single radio that is pre-certified, then the testing is relatively easy. If the product contains more than one radio, however, things become a little more difficult — even with pre-certified modules — and particularly if there are collocated transmitters. This is only an issue if the two (or more) antennas are within 20 cm of one another. Alternatively, if you can guarantee that the two radios will never transmit simultaneously, then this requirement is laxer. Lastly, depending on the type of radio module utilized, entire sets of testing can be avoided. 

Device Classes

All RF devices can be grouped into either class A or class B devices. Class A devices are intended for use in industrial or business applications. Class B devices are intended for use in residential or personal applications. This does not have a major impact on the tests required but it does change the allowed energy levels in a few frequency bands. The device class will also impact some verbiage required in your documentation and on labels.

Pre-Certified Components

It’s true that you can expedite or even avoid some certification tests of your finished product if you use pre-certified parts (like an end-certified cellular module). It’s critical to note, however, that using a pre-certified device for your product doesn’t guarantee that it will pass or even skip a compliance test. (I know — this flummoxed me at first, too.) 

There are four levels, so to speak, of pre-certified radios that are “put down” on a device. In order to choose the right solution for your product, you should ask yourself three things: 

  • What is my anticipated annual production volume?
  • What is the cost of goods sold (COGS) target?
  • How quickly does it need to get to market?

While actual certification requirements will be much more nuanced than the information provided below, it helps to have a general understanding of how these three questions ultimately will impact radio device selection. Note: the manufacturers and components listed below are not endorsements, but examples. 


  • This solution requires the selection of the integrated circuit (IC) itself along with all the required supporting circuitry. 
  • Qualcomm is perhaps the best-known manufacturer of cellular chipsets. 
  • Texas Instruments provides several chipsets for ISM applications with their CC series.

Module (often called a pre-certified module)

  • Modules that require a host circuit board. 
  • Contains an RF chipset plus other components.
  • If power were applied only to the module itself, it would be unable to operate. 
  • May require an external RF connector, SIM card, and/or other minimal circuitry. 
  • Cellular module manufacturers include Telit, U-Blox, and Sierra Wireless. 
  • Microchip provides several WiFi and/or Bluetooth modules. 
  • The end-product must go through additional testing because it is an intentional radiator.

End-Certified Module

  • These are typically devices that are pluggable via standard connectors or they are soldered onto a host PCB. 
  • Essentially, it is a module, but it adds in the external antenna/RF path (perhaps an interface controller) and, for cellular, the SIM card. 
  • If powered, they could operate on some minimalistic level, if not fully. 
  • Companies like Digi have both cellular and ISM offerings. • Multitech and Nimbelink also have cellular end-certified modules. 
  • The end-product must go through basic FCC and UL testing because it contains an intentional radiator that has been independently approved.
  • “Inherits” the module certification.

Dev Kit

  • Essentially an end-certified module. 
  • Can typically plug into a USB connector or other common household style of connector. 
  • Primarily suited for prototype and proof-of-concept deployments.

Device Level Starting EAU COGS Design Effort Testing Required
Chipset 50k+ Lowest 6 months + 6 months +
> $10,000 (ISM)
> $100,000
Module 1k - 10k Middle < 6 months 3 months +
< $10,000 (ISM)
> $10,000
End-Certified Module 10 - 100 High < 3 months < 1 month
< $10,000
Dev Kit Prototype Highest <1 month Not

It is important to note that, more often than not, devices including ISM technologies are going to be fairly straightforward as far as compliance testing is concerned. For end-products utilizing a cellular connection, however, there may be carrier testing, in addition to FCC and UL testing, required if not using an end-certified module. 

For a module, the radio itself may have been certified, however, your device is almost certainly using it in a new configuration, may use a different PCB material, or it is used in conjunction with another product that alters the radio’s performance. However, on an end-certified module, the relationship between the various components of the radio is fixed, and the material of the PCB is guaranteed not to change. There is also generally a controller on an end-certified module that takes commands from the host processor and then interfaces with the RF chipset.

The Cost and Process of Product Certification

While the price of doing your product certification up-front is substantially lower than the cost of a lawsuit or the halting of production that a lack of certification could cause, there are associated costs requirements to note: 

The overall process should begin when the project first starts. The regulations with which the product must comply must be understood upfront because the overall process is quite lengthy. A little bit of planning now can save a lot of time and money later. 


This is usually the most fun part of developing a new product. Knowing what regulations are going to be required informs the components that can be utilized within the system. There are a lot of application notes available from a wide variety of manufacturers informing you (usually with a bit of a sales pitch) about designing for meeting various regulations. Again, spending a little bit more time in this stage can save a lot of time later.


This step is often skipped until the test lab asks you for something, and then you stand there with a blank look on your face as you try to understand what they’ve asked. In most cases, the following documents should be ready to go before pursuing any kind of testing. Keep in mind that some of the documents may be made public domain. Be sure to work with your compliance consultant or test houses to ensure you understand what documents are required and which ones will be public. 

Block Diagram

This is a high-level document that outlines what makes up a product. It’s good to include things like processor clock speeds, communications bus clock speeds, any RF peripherals, and any physical ports that connect inbetween sub-assemblies of the product or to the outside world. 


This details the requirements of the product. Things like input voltages, current ratings, approved peripherals, RF frequencies, etc. should be included here. 

User’s Guide

This should contain guides for installation, maintenance, and troubleshooting. This also should contain verbiage specific to any relevant standards the product holds. 

Schematics (Not Public)

Schematics are required by the test house to ensure they understand what they are testing. Sometimes, you might think you’ve explained all of the relevant details to the test house, but when you start testing something else comes up.


If the product is large enough for a label, it should contain the appropriate verbiage. If applicable, device IDs of pre-approved modules contained within the product should be included. Also, any appropriate logos should be placed in an “easily visible location.”

Pre-Compliance Testing

One thing I’ve found helpful in reducing the overall cost of certification testing is to make sure that you’ll pass the test ahead of time by pre-compliance testing your device. While the product testing necessary for official certification almost always needs to be performed in an accredited lab, you can do your own product testing in a non-accredited lab first to verify that your product meets all the requirements. If something is amiss, you can then go back and make adjustments without having to pay for a fully accredited lab to test your product multiple times. Many good pre-compliance test labs will also work with you on the design in order to meet the requirements. 


In an ideal world, this step is skipped altogether. Unfortunately, we live in the real world. As a result, things often break in unexpected ways — especially as more ports and peripherals are added to a product. If you’ve come to this step from pre-compliance testing, then you will be appreciative that you will have a much better chance of passing the actual compliance tests. If you’ve come here from the actual compliance tests, then you’re probably pretty frustrated that you didn’t consider compliance from the start or perform pre-compliance testing. 

Compliance Testing

This is it! If everything has been considered from a compliance standpoint, these tests are relatively painless. If your product is really complicated, that could also make the tests more complicated. However, sometimes your product begins to fail in a new way during testing. Most test houses are willing to work with you on this, but it is better to try to get a sense of that before an issue arises during testing. The worst-case scenario is a major re-design, but even minor re-designs require the whole test suite to be performed again.


Now, this is really it! If you’ve reached this point, then you’ve passed your compliance tests. The test lab should provide a report. You (or your representative) will work to get all of the necessary paperwork in order, the test lab will write the report, and then the filing will be sent for review. If the documentation is in order, the review board may request some clarifications. If the documentation is incomplete, this will cause this final stage of the process to drag out. 

The end result of filing should be a Declaration of Conformity (DoC) which states that your product has been tested and complies with the necessary standards. In order to legally put labeling bearing any regulatory agency markings, the DoC should be completed.

In Conclusion

While this guide is certainly not comprehensive for every type of product testing and certification you might ever need to know about (a book would be a better format for that), this overview should provide you with some high-level guidance as you develop your next product.

We are ready to get your IoT project started

Focused on speed, efficiency, and scalability, our teams de-risk IoT projects through trusted partnership, easy communication, and an Agile workflow.

Focused on speed, efficiency, and scalability, our teams de-risk IoT projects through trusted partnership, easy communication, and an Agile workflow.