You can put sensors on almost anything, almost anywhere. The technical part of an IoT project is rarely the thing that stops a deal. You build the gateway, wire the dashboards, prove the use case in a pilot, and everyone is happy.
But selling into European enterprise and public-sector buyers means proving how data is handled, and that is where deals stall. Procurement sends a security questionnaire. Legal asks who the data controller is. Someone wants to know where the data physically lives, and whether your platform is certified. If you do not have clean answers, the project sits in limbo while everyone waits on a document you do not have.
So here is the compliance map an integrator or managed-service provider actually needs to sell IoT services in Europe, and how choosing the right platform shortens the path. Throughout, I will keep two things separate: what you as the seller must hold or do, and what your platform vendor can provide for you. Those are not the same, and conflating them is how people get blindsided in a procurement review.
A quick note before we start: this is general guidance, not legal advice. Use it to get oriented, then confirm the specifics with your own counsel.
GDPR: the question every European buyer asks first
GDPR governs personal data in the EU and the UK. If your IoT solution touches anything that can identify a person, GDPR is in scope. That includes more than you might expect. A smart-building deployment that logs which badge entered which room, a fleet system that tracks drivers, an occupancy sensor tied to named desks: all of it can involve personal data.
The first thing buyers want to understand is roles. GDPR splits responsibility between the data controller and the data processor. The controller decides why and how personal data gets processed. The processor acts on the controller’s instructions. In a typical IoT services deal, your customer is usually the controller, and you may be a processor, and your platform vendor may be a sub-processor underneath you. Getting this chain right matters, because each link has obligations.
What you as the seller must do
A Data Processing Agreement (DPA) is usually required between the parties. If you handle personal data on behalf of your customer, expect to sign a DPA with them, and to have one in place with any vendor you rely on. You are responsible for understanding the data flow in your own solution and being able to describe it plainly.
Some clients also care about data residency. They want the personal data kept in the EU, full stop. This is common in regulated sectors and across the public sector. If you cannot tell a buyer where their data is stored, you will lose time, and sometimes the deal.
What your platform vendor can provide
A GDPR-aligned platform gives you a head start. If your platform vendor will sign a DPA with you and can confirm EU data residency, you inherit a chunk of the evidence you would otherwise have to assemble alone. TagoIO is GDPR-aligned and offers dedicated European servers in Ireland, selectable at signup, which supports EU data residency. That means when a buyer asks where the data lives, you have a concrete answer instead of a maybe.
What the vendor cannot do is take over your own obligations. You still need your own DPA with your customer, and you still need to handle the data you control correctly. The platform shortens the path. It does not walk it for you.
ISO 27001: yours versus your vendor’s
ISO 27001 is the information security management certification European buyers commonly ask for. When a procurement questionnaire asks whether you are certified, this is usually the one they mean.
Here is the distinction that trips people up. There are two separate questions:
- Is your own organization ISO 27001 certified?
- Is the platform you build on certified?
These are different, and buyers may ask about both. A large enterprise or public body may require their direct supplier (you) to hold ISO 27001. Getting certified yourself is a real project: it takes time, an audit, and an ongoing management system. That is on you, and no vendor can hand it to you.
But building on a certified platform helps. If your platform vendor is ISO 27001 certified, you can point to that for the part of the stack you do not run yourself, and it reduces the security evidence you have to produce about the underlying infrastructure. TagoIO is ISO 27001 certified, so the platform layer of your solution sits on a certified foundation. That does not make you certified. It means part of your answer is already written, and you can focus your own certification effort on the parts you actually operate.
CE marking and RED: the hardware side
If your solution includes hardware sold in the EU, there is a separate track that has nothing to do with your software platform. Hardware sold in the EU generally needs CE marking. Radio devices, which cover most wireless IoT gear, fall under the Radio Equipment Directive (RED).
Keep this at the right level: CE marking and RED conformity are usually the responsibility of the manufacturer of the device, not the integrator who deploys it. If you are buying off-the-shelf certified hardware, your job is to confirm the devices you ship are properly marked and conformant. If you are designing or rebranding hardware yourself, you take on more of this directly. Either way, a platform vendor cannot CE-mark your devices for you. This is a hardware obligation that lives with whoever puts the product on the market.
Sector and public-sector questionnaires
Beyond the horizontal rules, specific sectors and public-sector buyers add their own requirements. Procurement security questionnaires are routine. Expect questions about data-handling rules, access controls, breach procedures, sub-processors, and where data is stored. Healthcare, energy, transport, and government each carry extra expectations on top of GDPR.
The pattern is the same as everything above. Some answers are about your organization and your processes, which you own. Other answers are about the platform underneath you, which your vendor can supply. A vendor with published trust and privacy information makes filling out these questionnaires faster, because the answers about the platform layer are already documented. The TagoIO trust page exists for exactly this reason.
A readiness checklist
Before you pitch a European buyer, work through this:
- Map your data flow. Know what personal data your solution touches and where it goes. If you cannot draw it, you cannot defend it.
- Confirm your GDPR role. Are you a processor for this customer? A controller? Who is the sub-processor? Write it down.
- Get your DPAs in order. One with your customer where needed, and one with each vendor you rely on.
- Decide on data residency. If the buyer needs EU residency, confirm your platform supports it before you promise anything.
- Know your ISO 27001 status. Both yours and your platform vendor’s. Be honest about which is which.
- Verify hardware conformity. Confirm CE marking and RED conformity for any devices you ship.
- Pre-fill the questionnaire. Gather your vendor’s trust and certification documents now, not when procurement is waiting.
Where the platform actually helps
To be clear about the split: the platform vendor cannot make you GDPR-compliant, cannot certify your organization, and cannot CE-mark your hardware. Those are yours.
What the right platform does is shorten the path. Building on a foundation that is ISO 27001 certified, GDPR-aligned, and able to keep data in the EU means a large part of your compliance evidence is already produced by someone else. You can point to the platform layer's certifications for the infrastructure you do not run, you get a vendor who will sign a DPA, and you can answer the data residency question on day one. That turns weeks of scrambling into a conversation you are ready for.
This is not a shortcut around your obligations. It is the difference between assembling every piece of evidence from scratch and assembling only the pieces that are genuinely yours.
In short
Selling IoT into Europe is less about the sensors and more about proving you handle data responsibly. The map is: GDPR roles and DPAs, data residency, ISO 27001 for both you and your vendor, CE and RED for hardware, and sector questionnaires on top. Be clear about what you must hold versus what your platform provides. Choose a certified, GDPR-aligned platform with EU data residency, and you spend less time stuck in procurement and more time delivering.
And once more, because it matters: this is general guidance, not legal advice. Confirm the specifics with your own counsel before you sign anything.