
Just recently I had the pleasure of attending the local IoT Day in Jönköping. During a session on cybersecurity, one of the participants stated that LoRaWAN is not cyber-secure. There was a murmur in the room – what did he mean? That LoRaWAN wasn’t secure? It was clear that many were caught off guard, despite new regulations such as NIS2 and the updated RED directive.
That got me thinking: it’s time to revisit a post I wrote back in May and update it with relevant information regarding EN 18031 and the RED directive. In the presentation, an ethical hacker described how, in industrial IoT systems, he often saw a lack of basic security measures: missing updates, no encryption, weak physical security, and limited monitoring. Many of these aspects are now central requirements under the new cybersecurity regulations.
A wake-up call on IoT security
With the introduction of the harmonised EN 18031 standard and the updated Radio Equipment Directive (RED), the regulatory landscape for connected devices in Europe is entering a new phase. From 1 August 2025, cybersecurity compliance will no longer be optional—it becomes a prerequisite for market access. This milestone marks a decisive step toward a more secure and trustworthy IoT ecosystem, but it also represents a regulatory shake-up that compels developers, system integrators, and device manufacturers to scrutinize their designs—and, in some cases, to reconsider their wireless technology choices altogether.
Low-power wide-area (LPWA) technologies—NB-IoT, LTE-M, and LoRaWAN—have each carved out a distinct niche in the IoT landscape. From a wireless perspective, they share many characteristics. Yet in this market, allegiance to a protocol often resembles a matter of faith—each one seen as the wireless saviour. But as cybersecurity requirements tighten, energy efficiency and cost-effectiveness are no longer sufficient. The real question is: Which of these technologies is genuinely ready to deliver secure, standards-compliant connectivity—at scale?
My answer may surprise you—or perhaps not. It may even irritate some of you. If so, I encourage you to take a closer look at the EN 18031 standard and reassess your position—this time without the wireless religion filter.
Understanding the regulatory shift
EN 18031 significantly tightens the cybersecurity requirements for wireless-connected products sold in the EU, which means IoT products fall squarely within its scope.
The regulation mandates that devices must resist cyber threats and unauthorized access and that they must be securely configurable, updatable, and monitorable throughout their operational life. Combined with the RED’s expanded scope—which now covers software updates, data protection, and user privacy—the impact on wireless IoT design is profound.
One explicit requirement is security throughout the device’s expected lifespan. But how can a manufacturer credibly ensure that a device deployed today will remain secure seven to ten years from now? That question sits at the core of the new compliance challenge. And with the potential arrival of quantum computing, the definition of “secure” could shift almost overnight—rendering once-trusted algorithms suddenly fragile.
For designers of battery-powered, long-range devices, the obligations create sharp trade-offs. Energy budgets are minimal, yet compliance now requires encrypted firmware updates, authenticated network access, and even anomaly detection. In this landscape, the wireless protocol is no longer a neutral transport layer—it is either an enabler of compliance or a bottleneck that blocks it.
And this is where a crucial technical distinction comes into play: protocols that rely only on shared secrets—such as a username/password pair or a static symmetric key—provide far weaker security than those leveraging X.509 certificates, mutual authentication, and public key infrastructure (PKI). These are not academic differences anymore; they are the line between compliance and failure. Beyond certification, though, the real imperative remains: security must always be engineered in, legislation or not.
LoRaWAN: Open standards, limited control
LoRaWAN has gained traction for its open architecture, long battery life, and affordability. Yet under EN 18031 its decentralized design presents compliance challenges. The specification includes mechanisms such as AES-128 encryption, join-server separation, and session key derivation. On paper, these provide strong protection. In practice, however, their effectiveness depends heavily on deployment choices. When key management or join servers are operated by third parties, manufacturers may lose visibility and control—both of which EN 18031 places at the core of compliance.
For public or shared LoRaWAN networks, this is a structural problem. Manufacturers cannot always dictate how keys are stored, how traffic is routed, or how backend exposure is minimized. Flexibility in the standard becomes a liability in this context: optional security features are no longer sufficient when regulation demands mandatory assurance. By contrast, in tightly managed private deployments, LoRaWAN can achieve a higher degree of control, though not without extra effort.
The most difficult gap remains firmware lifecycle protection. The LoRa Alliance has specified a firmware update protocol (FUOTA), and several vendors offer proprietary solutions. But adoption is patchy, and there is no single standardized, widely deployed OTA process. This creates fragmentation and certification uncertainty. EN 18031 does not explicitly mandate OTA updates, but it does require manufacturers to guarantee secure patching throughout a device’s lifespan. That obligation still applies whether updates are delivered wirelessly or manually.
If OTA is not feasible, responsibility shifts back to the manufacturer to provide an alternative update method. The practical implications can be severe: recalling and physically reflashing 10,000 deployed water meters is not just prohibitively expensive—it may be operationally unmanageable.
NB-IoT: Deep coverage, but fragmented security
NB-IoT, as a 3GPP-standardized cellular technology, provides a stronger baseline security posture than LoRaWAN. SIM-based authentication, mutual device–network verification, integrity protection, and encryption (typically 128-bit AES) are embedded in the cellular stack. Additional isolation can be achieved through a private APN, ensuring device traffic remains off the public internet—a key advantage for sensitive or critical applications.
Originally designed for static, low-throughput sensors, NB-IoT carries architectural legacies that still influence deployment. Support for mobility, TCP/IP connectivity, and low-latency transmission is limited. These constraints can complicate secure provisioning, credential updates, and rapid reconfiguration, especially in large-scale or dynamic environments.
A significant challenge comes from variability in operator implementations. While 3GPP defines robust security features such as EPS encryption for both control and user planes, not all operators enable them by default. Roaming support varies across networks and countries, and when available, it may not offer full parity with the home network. Compliance therefore depends not only on device hardware or firmware, but also on mobile network operator policies—factors largely outside the manufacturer’s control.
Firmware updates over the air (FOTA) are technically possible and supported by some NB-IoT modules and operators. Yet low bandwidth, narrow uplink/downlink profiles, and limited TCP/IP support in many stacks can make certificate-based mutual authentication and large-scale updates cumbersome, if not impractical.
In comparison to LoRaWAN, NB-IoT is generally better positioned for security and updates. However, when measured against EN 18031 and the updated RED—which emphasize lifecycle security and reliable update mechanisms—it is still far from ideal, particularly for large-scale or mission-critical deployments.
LTE-M: Built-in readiness for compliance
Among low-power wide-area (LPWA) technologies, LTE-M stands out for its comprehensive security and lifecycle support. As part of the LTE family, it inherits the full LTE security stack: mutual authentication via SIM, 3GPP-standardized encryption, integrity protection, and network-based anomaly detection. Unlike NB-IoT, LTE-M also supports mobility, voice fallback, and native TCP/IP transport—features that simplify secure provisioning, configuration, and firmware updates across the device lifecycle.
From a lifecycle security perspective, LTE-M is currently the only LPWA technology capable of supporting standardized, certificate-based firmware-over-the-air (FOTA) updates in a way that aligns with operator-managed, compliance-ready deployments. This directly addresses EN 18031 and RED requirements, where authenticated communication, updateability, and resilience against future threats are mandatory, not optional.
Another differentiator is consistency. LTE-M is integrated into existing LTE networks, so most commercial deployments come with security features enabled by default. Roaming scenarios preserve encryption and session integrity, reducing variability caused by operator-specific configurations—a key compliance advantage compared with NB-IoT.
While no technology is completely future-proof, LTE-M’s architecture offers a balanced trade-off between energy efficiency, wide-area coverage, and regulatory alignment. It minimizes the need for custom security workarounds and provides a more predictable path to compliance, making it particularly well-suited for large-scale, secure, and long-lived IoT deployments in Europe post-2025.
Turning regulation into implementation
Complying with EN 18031 and the updated Radio Equipment Directive is not a matter of ticking boxes—it requires field-proven, operational capabilities. Devices must withstand cyberattacks, prevent unauthorized modifications, and support secure updates over time. Achieving this at scale in battery-powered IoT deployments is far from trivial. LTE-M demonstrates maturity here, not just as a communication protocol, but as a practical enabler of secure lifecycle management when combined with appropriate operator and platform support.
Secure provisioning and onboarding
With SIM-based authentication managed by operators, LTE-M devices receive a secure identity from day one. This reduces or eliminates reliance on pre-shared keys or insecure provisioning workflows, establishing a hardware-rooted trust anchor. While the effectiveness depends on operator support and backend integration, this approach provides a strong foundation for regulatory compliance.
Encrypted firmware updates over the air
Unlike LoRaWAN, where firmware updates are often proprietary add-ons, LTE-M supports standardized, IP-based update mechanisms using protocols such as LwM2M or HTTPS. Manufacturers can push authenticated, encrypted firmware updates within widely accepted frameworks while maintaining detailed audit logs. These capabilities directly address RED and EN 18031 requirements for secure, traceable, and maintainable updates over the device lifecycle.
Continuous monitoring and incident response
EN 18031 emphasizes the need to detect anomalies and respond to potential threats. LTE-M supports IP-based telemetry, allowing near real-time reporting of device logs, system health, and intrusion attempts to centralized monitoring platforms. Combined with QoS, TCP/IP support, and lower latency, this enables active diagnostics, fallback behaviors, and even remote containment—capabilities that are either impractical over LoRaWAN or inconsistently supported in NB-IoT deployments. Effective implementation, however, relies on integrated platform services in addition to the LTE-M network itself.
Roaming and lifecycle traceability
Compliance does not stop at national borders. LTE-M’s integration into global LTE networks and compatibility with standard roaming frameworks help maintain a predictable and consistent security posture across geographies. While the precise level of protection can still depend on the policies of the visited network, LTE-M provides a stronger baseline for managing security in roaming scenarios than NB-IoT or LoRaWAN.
In practical terms, LTE-M enables more auditable and manageable deployments. Its IP-based architecture supports lifecycle traceability, provided it is paired with suitable backend and monitoring platforms. This alignment with European regulatory expectations allows manufacturers to focus on functionality while maintaining compliance over the full device lifecycle.
Ultimately, the choice of wireless technology may come down to a deceptively simple question: Are we designing for the limitations of yesterday, or for the regulatory and operational realities of the connected world that is coming next?
Choosing what lasts
As the European IoT landscape matures, manufacturers, solution providers, and property owners face increasing pressure to ensure devices are secure, updatable, and traceable. Choosing a wireless technology is no longer only about energy efficiency, signal range, or module cost—it is about enabling trust, accountability, and regulatory compliance in a connected world.
LoRaWAN remains attractive for simple, local deployments where lifecycle security demands are limited, and device owners control the network. NB-IoT can be cost-effective, particularly in narrow, operator-managed use cases, but variability in operator implementations and limitations in large-scale updates make it less predictable for long-term, compliance-driven projects. Neither technology currently provides the same level of lifecycle security, traceability, or international operability as LTE-M.
EN 18031 is only the beginning of Europe’s move toward stricter digital product regulation, including initiatives like the Cyber Resilience Act and the Digital Product Passport. LTE-M aligns closely with this trajectory, supporting encrypted traffic, secure boot, operator-managed identity, remote management, and roaming-aware security policies. Selecting LTE-M today positions connected products not just for current standards, but for the regulatory landscape of the next decade.
While the industry scrambles to retrofit security into legacy protocols, LTE-M offers a more predictable, compliance-ready foundation for large-scale, secure IoT deployments.
Ultimately, the question is not merely whether LTE-M is technically superior, but whether a connected product strategy can afford to rely on anything less.
The rules of the game have changed — and your devices need to be ready. That is the starting point: a device that meets the new RED2 regulations. Reach out if you don't know where to start; we have several devices in our range whose manufacturers have taken RED2 seriously and are ready to rock.

