Worked example: an IoT sensor through RED and FCC
Guide, worked example
This is a fully hypothetical, illustrative walkthrough: no real client, no real product, no confidential data. To make the certification sequence concrete, we follow an invented battery-powered environmental sensor, the "Aurora ENV-1", from a blank specification to a product carrying both a CE mark and an FCC ID. The device combines a Bluetooth Low Energy radio for local configuration with a sub-GHz radio for long-range telemetry, runs on a coin cell, and reports temperature and humidity. Every number quoted for time or cost is an illustrative range, not a promise. The aim is to show how the European Union Radio Equipment Directive route and the United States FCC route run in parallel, which standards attach where, and the order in which the work actually has to happen.
The hypothetical product
Section titled “The hypothetical product”The Aurora ENV-1 is a sealed, wall-mounted indoor sensor. Defining its characteristics early is what fixes the entire compliance scope, so the specification is the first deliverable, not the last.
| Attribute | Value (illustrative) |
|---|---|
| Local radio | Bluetooth Low Energy, 2,4 GHz |
| Telemetry radio | Sub-GHz, 868 MHz (EU868) and 915 MHz (US915) |
| Power | Single non-rechargeable lithium coin cell |
| Enclosure | Sealed plastic, fixed internal antennas |
| Function | Temperature and humidity reporting |
| Target markets | European Union and United States, first release |
Two design choices drive most of the work. First, two radios in one enclosure means simultaneous-transmission and intra-device interference have to be assessed, not just each radio in isolation. Second, picking pre-approved radio modules versus designing radios from chips changes how much spectrum testing repeats at the finished-product stage. For the example we assume two distinct pre-approved modules, which is the common small-team strategy. For the broader starting framework, see certification getting started.
Step 1: map the product to directives and rules
Section titled “Step 1: map the product to directives and rules”Before any standard is chosen, the product is mapped to the legal instruments that apply in each market. This mapping is the backbone of the whole project.
European Union
Section titled “European Union”As radio equipment, the sensor falls squarely under 2014/53/EU, the Radio Equipment Directive (RED). RED is a self-contained instrument: it absorbs the safety objectives that would otherwise come from the Low Voltage Directive and the protection requirements of the EMC Directive, so for a radio product you do not separately invoke 2014/30/EU or the LVD. The four essential-requirement strands are:
| RED article | Requirement | Typical harmonised standard |
|---|---|---|
| 3.1(a) | Safety and health | EN 62368-1, RF exposure route |
| 3.1(b) | Electromagnetic compatibility | EN 301 489 series |
| 3.2 | Effective use of spectrum | EN 300 328 (BLE), EN 300 220 (sub-GHz) |
| 3.3(d) | Cyber security | EN 18031 family |
The Article 3.3(d) strand is the newest. It is activated by 2022/30, the delegated regulation that made the cyber requirements mandatory from 1 August 2024, so a sensor placed on the market now must address it in the technical file. Conformity is declared in an EU declaration of conformity backed by a technical documentation file, and the article-by-article scoping lives in the RED checklist.
United States
Section titled “United States”In the United States the product splits across two FCC subparts. The digital electronics, the microcontroller and its clocks, are an unintentional radiator under Part 15 Subpart B. The two radios are intentional radiators under Part 15 Subpart C. This split is the single most important FCC fact to get right for this product, and it is covered in FCC ID, grantee and TCB equipment authorization.
| FCC scope | Part | Authorisation route | Output |
|---|---|---|---|
| Digital electronics (unintentional) | 15 Subpart B | Supplier's Declaration of Conformity | Internal SDoC record |
| BLE radio (intentional) | 15 Subpart C, 15.247 | TCB certification | FCC ID |
| Sub-GHz radio (intentional) | 15 Subpart C, 15.247/15.249 | TCB certification | FCC ID |
The EMC philosophy differs between the two regions, which matters when planning shared tests; the contrast is set out in CE vs FCC EMC and the whole dual-market logic in EU and US dual certification.
Step 2: select the standards
Section titled “Step 2: select the standards”With the mapping fixed, each strand resolves to specific test standards. Choosing the exact standard version and the exact operating clause is done with the laboratory, because it determines limits and report content.
- Spectrum, BLE: EN 300 328 for the 2,4 GHz wideband band in the European Union, and 47 CFR Part 15.247 for the same band in the United States.
- Spectrum, sub-GHz: EN 300 220 for the 863 to 870 MHz SRD band in the European Union, and 47 CFR Part 15.247 or 15.249 for 902 to 928 MHz in the United States.
- EMC: the EN 301 489 series for the European Union, with the radio-specific parts layered on the general part.
- Safety: IEC 62368-1 (as EN 62368-1) for the electronics, plus an RF exposure justification.
- Cyber: the EN 18031 family for RED 3.3, aligned with the consumer baseline EN 303 645.
Because the sensor is a product with digital elements, the horizontal 2024/2847 Cyber Resilience Act also applies on its own timeline, layered on top of the RED 3.3 obligation; both lean on the same EN 303 645 provisions, detailed in EN 303 645 IoT cyber security and Cyber Resilience Act (CRA).
Step 3: pre-compliance
Section titled “Step 3: pre-compliance”Pre-compliance is the cheapest insurance in the whole programme. It is informal testing run by the development team to catch failures before the accredited laboratory bills for chamber time.
For the Aurora ENV-1 the pre-compliance loop covers:
- Radiated emissions sweeps on a bench with a near-field probe and a low-cost spectrum analyser to spot clock harmonics early.
- A quick check of BLE and sub-GHz spurious emissions and band-edge behaviour against the limits in EN 300 328 and EN 300 220.
- Simultaneous-transmission checks: turn both radios on together and confirm one does not desensitise or pull the other.
- Basic immunity exposure, for example electrostatic discharge to the enclosure seams and ports.
- A cyber gap review against EN 18031 and EN 303 645 provisions: no universal default password, a secure update path, minimised exposed interfaces.
Each failure found here is fixed in firmware or layout, then re-checked. Only when the bench results sit comfortably inside the limits does the product go to the accredited laboratory. The test plan that structures this is the same one used for the formal campaign, drawn from the certification test plan template.
Step 4: the laboratory test plan
Section titled “Step 4: the laboratory test plan”The formal test campaign is run at an accredited laboratory and documented in a test plan that ties each test back to the directive mapping. A single plan covers both regions, with per-region columns where limits differ.
| Test group | EU basis | US basis | Notes |
|---|---|---|---|
| BLE spectrum | EN 300 328 | 47 CFR 15.247 | Power, bandwidth, band edge, duty |
| Sub-GHz spectrum | EN 300 220 | 47 CFR 15.247/15.249 | Per band: EU868 and US915 |
| Radiated and conducted emissions | EN 301 489, EN 55032 | 47 CFR 15 Subpart B | Unintentional radiator |
| Immunity | EN 301 489 series | Not required by FCC | EU only |
| RF exposure | RF exposure route | OET Bulletin 65 | Low power exemption likely |
| Electrical safety | EN 62368-1 | Not an FCC matter | Coin cell, low voltage |
| Cyber | EN 18031 | Not an FCC matter | Documentation and assessment |
Two finished-product points matter even with pre-approved modules. First, the host integration conditions in each module grant must be respected, or the module approvals do not carry over. Second, the composite device, both radios in their final enclosure with the final antennas, has to be measured for emissions and simultaneous operation regardless of module pedigree. A pre-approved module reduces repeated radio work; it does not remove finished-product testing.
Step 5: the EU technical file and declaration of conformity
Section titled “Step 5: the EU technical file and declaration of conformity”On the European side, conformity is self-declared because harmonised standards are used in full and no notified body is mandatory for this class of radio product when those standards are applied. The work product is a technical file that an authority can demand at any point during the ten years after the last unit ships.
The file assembles:
- Product description, photographs, block diagram and a list of variants.
- The directive mapping and the list of standards applied, with versions.
- The full set of accredited test reports (spectrum, EMC, exposure, safety).
- The risk analysis, built with the methods in risk management with ISO 14971, IEC 31010, FMEA and FTA.
- The cyber documentation for RED 3.3 and the CRA gap analysis.
- The signed EU declaration of conformity, naming the manufacturer, the product, the directives and the standards.
Once the declaration is signed, the CE mark is applied and the product can be placed on the European Union market. The composition of the file is detailed in technical documentation file contents.
Step 6: the FCC ID through a TCB
Section titled “Step 6: the FCC ID through a TCB”On the United States side the two intentional radiators must be certified, and certification is granted by a Telecommunication Certification Body, a private accredited organisation authorised to issue FCC grants. The unintentional-radiator behaviour is handled separately by the manufacturer's own Supplier's Declaration of Conformity, which is kept on file rather than submitted.
The certification flow for the Aurora ENV-1:
- Obtain an FCC Registration Number and a Grantee Code, which forms the prefix of the FCC ID.
- Submit the accredited radio test reports, the operational description, internal and external photographs, and the label artwork to the TCB.
- The TCB reviews and, if compliant, issues the grant of equipment authorisation and the FCC ID.
- The grant is published in the FCC equipment authorisation database.
Because both radios sit in one enclosure, they can be filed as a composite device under one FCC ID, but each transmitter keeps its own measurement set and the simultaneous-transmission case is assessed. The grantee, TCB and database mechanics are covered in FCC ID, grantee and TCB equipment authorization.
Step 7: labelling and marking
Section titled “Step 7: labelling and marking”The finished product carries the marks and identifiers that prove each approval. For a small sealed enclosure, electronic labelling (e-labelling) may carry some of this where the rules allow, but the physical minimum still applies.
| Mark or identifier | Market | Source |
|---|---|---|
| CE mark | European Union | RED conformity |
| FCC ID | United States | TCB grant |
| FCC compliance statement | United States | Part 15 SDoC and Subpart C |
| Crossed-out wheelie bin | European Union | WEEE |
| Battery and recycling marks | European Union | EU Battery Regulation |
Environmental marking pulls in RoHS, WEEE, REACH SVHC and the EU Battery Regulation for the coin cell. The cell also drags in UN 38.3 transport testing before the product can ship, separate from any market approval.
Step 8: the illustrative timeline and budget
Section titled “Step 8: the illustrative timeline and budget”To make the sequence tangible, here is a hypothetical timeline. Treat every figure as an illustrative range; real projects vary with product maturity and laboratory queues, as explained in certification timeline and certification costs.
| Phase | Illustrative duration | What dominates it |
|---|---|---|
| Specification and directive mapping | 2 to 4 weeks | Decisions, not testing |
| Module selection and design | 4 to 8 weeks | Hardware and firmware |
| Pre-compliance iterations | 4 to 10 weeks | Firmware and layout fixes |
| Accredited testing (EU and US) | 3 to 6 weeks | Laboratory scheduling |
| Technical file and DoC | 2 to 3 weeks | Document assembly |
| FCC TCB review and grant | 1 to 3 weeks | TCB queue |
The lesson the timeline teaches is that the formal test weeks are rarely the bottleneck. Firmware stabilisation, pre-compliance rework and laboratory queues consume far more calendar time, which is why an early, accurate directive mapping pays back so heavily.
Common pitfalls
Section titled “Common pitfalls”| Pitfall | Consequence | Avoid by |
|---|---|---|
| Assuming a pre-approved module needs no finished-product testing | Failed composite emissions or exposure, blocked launch | Measuring the finished device and honouring module host conditions |
| Forgetting the RED Article 3.3 cyber file | Technical file incomplete, market access at risk | Building the EN 18031 evidence in from the design stage |
| Confusing FCC SDoC and certification scope | Wrong filing, rejected or non-compliant | Splitting unintentional (Subpart B) from intentional (Subpart C) clearly |
| Skipping simultaneous-transmission tests | Real-world desensitisation, surprise field failures | Testing both radios live together during pre-compliance |
| Missing band-edge and spurious measurements | Spectrum non-compliance in one region | Per-band test lines in a single shared test plan |
| Ignoring the coin cell for shipping | Held shipments, carrier rejection | UN 38.3 transport testing alongside market approvals |
| Treating CE and FCC as the same EMC evidence | Re-test or non-compliance in one market | Mapping the differing limits and immunity rules early |
Further reading
Section titled “Further reading”- RED checklist
- FCC ID, grantee and TCB equipment authorization
- EU and US dual certification
- Certification test plan template
- EN 303 645 IoT cyber security
- Certification timeline
Sources and references
Section titled “Sources and references”Sources & references
- Directive 2014/53/EU (Radio Equipment Directive) , EUR-Lex eur-lex.europa.eu/eli/dir/2014/53/oj
- Commission Delegated Regulation (EU) 2022/30 (RED Article 3.3 cyber security) , EUR-Lex eur-lex.europa.eu/eli/reg_del/2022/30/oj
- ETSI EN 300 328, wideband transmission systems in the 2,4 GHz band , ETSI www.etsi.org/deliver/etsi_en/300300_300399/300328/
- ETSI EN 300 220, short range devices in the 25 MHz to 1000 MHz range , ETSI www.etsi.org/deliver/etsi_en/300200_300299/30022002/
- 47 CFR Part 15, radio frequency devices (Subparts B and C) , FCC www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15
- 47 CFR Part 15.247, operation within the bands 902-928 MHz, 2400-2483.5 MHz and 5725-5850 MHz , FCC www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15/subpart-C/section-15.247
- ETSI EN 18031, common security requirements for radio equipment , ETSI www.etsi.org/standards
- Regulation (EU) 2024/2847 (Cyber Resilience Act) , EUR-Lex eur-lex.europa.eu/eli/reg/2024/2847/oj
Frequently asked questions
- Is this worked example based on a real product or client?
- No. The "Aurora ENV-1" sensor described here is entirely fictional and used only to illustrate a method. No real client, design or test report is referenced, and the figures for timing and cost are illustrative ranges, not commitments. The point is to show how the obligations connect and in what order, so you can map the same sequence onto your own product.
- Which RED essential requirements apply to a BLE plus sub-GHz sensor?
- A radio sensor engages all of the Radio Equipment Directive essential requirements: Article 3.1(a) safety and health, Article 3.1(b) electromagnetic compatibility, Article 3.2 effective use of spectrum, and the Article 3.3(d) cyber security requirement now activated by the delegated regulation. Each requirement maps to one or more harmonised standards, for example EN 300 328 and EN 300 220 for spectrum and EN 18031 for cyber.
- Does the example product use FCC SDoC or full certification?
- Both, on different parts. The unintentional radiator behaviour of the digital electronics falls under FCC Part 15 Subpart B and is handled by the Supplier's Declaration of Conformity route. The intentional radiators, the BLE radio and the sub-GHz radio, fall under Part 15 Subpart C and require full certification through a Telecommunication Certification Body, which issues an FCC ID.
- When does the Article 3.3 cyber requirement actually apply?
- The delegated regulation (EU) 2022/30 brings RED Article 3.3(d), (e) and (f) into force for in-scope radio equipment, with mandatory application from 1 August 2024. EN 18031 is the harmonised standard family used to demonstrate conformity. A connected sensor placed on the European Union market from that date must address these requirements in its technical file.
- Why run pre-compliance testing before the formal lab visit?
- Pre-compliance testing on the bench or at a screened site finds emissions failures, spurious radio outputs and immunity weaknesses while they are still cheap to fix in firmware or layout. Discovering the same fault in the accredited laboratory means paying for chamber time twice and slipping the schedule. Pre-compliance does not replace the accredited test, but it greatly improves the odds of passing first time.
- Can one FCC ID and one CE file cover both radios?
- A single FCC grant can list multiple transmitters under one FCC ID if they are tested together as a composite device, and a single EU technical file and declaration of conformity cover the whole product. However each radio still needs its own spectrum measurements, and simultaneous transmission has to be assessed. The administrative wrappers are shared, the radio evidence is per transmitter.
- What goes wrong most often in a dual RED and FCC project?
- The recurring failures are: assuming a pre-approved module removes all finished-product testing, forgetting the Article 3.3 cyber file, mislabelling the FCC SDoC versus certification split, and missing the simultaneous-transmission and band-edge measurements when two radios share an enclosure. Each is avoidable with an early test plan and a clear directive mapping.
- How long does the illustrative timeline run end to end?
- In this hypothetical the design-to-market path runs roughly six to nine months, dominated by firmware stabilisation, pre-compliance iterations and laboratory scheduling rather than the formal test weeks themselves. Real timelines vary widely with product maturity, module reuse and laboratory queues; see the certification timeline guide for the drivers.