EU Proposes Cybersecurity Certification for Smart Lighting Controls

On 30 April 2026, the European Commission submitted a proposal to the European Parliament requiring all smart lighting controls — including those using DALI-2, Bluetooth Mesh, and Matter protocols — to obtain EN 303 645:2025 cybersecurity certification before entering the EU market. The measure directly impacts lighting OEMs, IoT device manufacturers, importers, and distributors operating in or exporting to the EU.

Event Overview

On 30 April 2026, the European Commission formally submitted the proposal ‘On Strengthening Cybersecurity Oversight for Networked Lighting Control Systems’ to the European Parliament. The proposal mandates that all Smart Lighting Controls placed on the EU market must comply with EN 303 645:2025 and carry the ‘EU Cyber Verified’ label. A pre-assessment channel is currently open. Formal adoption is expected in Q1 2027.

Industries Affected by This Proposal

Lighting Equipment Manufacturers (OEM/ODM)
Manufacturers producing smart lighting control devices — such as DALI-2 gateways, Bluetooth Mesh lighting controllers, or Matter-enabled dimmers — will face mandatory conformity assessment prior to CE marking. Impact includes extended time-to-market, revised product documentation, and potential redesign of firmware security architecture to meet EN 303 645:2025 requirements.

Importers and EU Authorised Representatives
Importers placing non-EU-manufactured smart lighting controls on the EU market become legally responsible for verifying compliance under the proposed regulation. This shifts liability from suppliers to importers, increasing due diligence obligations — especially for products already in distribution pipelines but not yet certified.

Distribution and Channel Partners
Wholesalers, e-commerce platforms, and system integrators selling smart lighting controls in the EU may face inventory devaluation risks for uncertified stock post-enactment. Shelf-ready labeling (e.g., ‘EU Cyber Verified’) becomes a prerequisite for listing or resale, affecting procurement cycles and catalog management.

Testing and Certification Service Providers
Accredited labs offering EN 303 645 assessments are likely to see increased demand. However, only bodies designated under the EU Cybersecurity Act framework will be accepted — limiting eligibility to a subset of current testing providers. Capacity constraints and lead-time extensions are foreseeable.

What Relevant Enterprises or Practitioners Should Monitor and Do Now

Track official updates from the European Commission and ETSI

The proposal remains subject to parliamentary review and possible amendment. Stakeholders should monitor the European Parliament’s legislative file (e.g., REF: COM(2026) 287 final) and any technical guidance issued by ETSI or CEN-CENELEC regarding EN 303 645:2025 implementation timelines and scope clarifications.

Identify affected product categories and assess certification readiness

Companies should map their smart lighting control portfolio against the defined scope: devices with network connectivity (wired or wireless), remote configuration capability, or cloud interaction fall under the proposal. Prioritize high-volume or high-risk SKUs — especially those shipping to EU customers in H2 2026 — for early pre-assessment via the open channel.

Distinguish between policy signal and enforceable requirement

As of now, the proposal is not law. Enforcement begins only after formal adoption in Q1 2027 and application dates are set. Current obligations are limited to voluntary pre-assessment. Avoid premature retooling or contractual commitments based solely on the proposal’s current status.

Prepare internal alignment across R&D, compliance, and supply chain teams

Initiate cross-functional reviews to identify firmware update needs, documentation gaps (e.g., security development lifecycle records), and supplier dependencies (e.g., chipset vendors’ security attestations). Where third-party components are used, verify whether they already support EN 303 645:2025-aligned security features.

Editorial Perspective / Industry Observation

Observably, this proposal signals a structural shift — from voluntary cybersecurity best practices to mandatory, harmonised conformity for connected building infrastructure. It does not yet constitute binding law, but reflects growing regulatory attention on embedded IoT systems beyond consumer electronics. Analysis shows the inclusion of DALI-2, Bluetooth Mesh, and Matter explicitly indicates the EU’s intent to cover both legacy industrial protocols and emerging interoperability standards. From an industry perspective, this is less a near-term compliance deadline and more a medium-term strategic inflection point: companies that treat cybersecurity as a post-design add-on may face disproportionate adaptation costs once the regulation enters force.

Current more appropriate interpretation is that the proposal serves as a strong anticipatory signal — one that validates long-standing industry concerns about fragmentation in IoT security assurance, while also exposing gaps in current supply chain accountability models for networked lighting hardware.

Conclusion
This proposal marks a formal step toward embedding cybersecurity into the regulatory baseline for smart lighting controls in the EU. Its significance lies not in immediate enforcement, but in establishing clear expectations for product design, responsibility allocation, and market access criteria well ahead of legal implementation. For stakeholders, it is best understood today as a preparatory milestone — not a trigger for urgent action, but a definitive cue to initiate structured, evidence-based readiness planning.

Information Sources
Main source: European Commission Proposal COM(2026) 287 final, submitted 30 April 2026. Pre-assessment channel status confirmed via official EU Cybersecurity Act portal. Note: Legislative timeline (Q1 2027 adoption) and final scope details remain subject to ongoing parliamentary deliberation and are therefore under continuous observation.