Spreadsheets instead of a platform
Many B2B IoT initiatives start with spreadsheets, email attachments, and manual reports. That doesn't scale past a few hundred devices and makes EU Data Act access rights impossible to fulfil.
Connected products continuously generate data — and new obligations. Since the EU Data Act became applicable on 12 Sep 2025, manufacturers must enable structured data access for end customers. Once the Cyber Resilience Act is fully applicable on 11 Dec 2027, every connected product on the EU market must meet binding cybersecurity requirements.
IoT applications typically span four layers: devices (sensors, actuators), a connectivity layer (BLE, MQTT, NB-IoT, LoRa), a data layer (telemetry ingestion, time-series database), and an application layer (mobile app, dashboard, alerts). Beyond a certain device count, the backend platform — not connectivity — becomes the bottleneck.
In 2026 two regulatory currents converge for DACH Mittelstand IoT: data sovereignty (EU Data Act, end-customer data access right) and cybersecurity-by-design (Cyber Resilience Act, with fines up to €15 million or 2.5% of global annual turnover). Architecture decisions made now shape the compliance posture for the next 5–10 years.
Devices shipped without an update mechanism, without encryption, and without vulnerability reporting must be retrofitted for CRA — or taken off the market.
The app speaks one protocol, the backend another, legacy devices a third. Without a clean protocol bridge (e.g. MQTT-to-HTTP), every extension turns into plumbing work.
Regulation (EU) 2023/2854 grants users of connected products the right to access, use, and share the data generated through their use. Manufacturers must design devices and related services so this access is technically possible.
Applicability: Applicable since 12 September 2025
Regulation (EU) 2024/2847 mandates security-by-design for all products with digital elements on the EU market: vulnerability handling, security updates, conformity assessment, incident reporting. Fines up to €15 million or 2.5% of global annual turnover.
Applicability: In force since 10 Dec 2024 · Reporting obligations from 11 Sep 2026 · Fully applicable 11 Dec 2027
Telemetry streams often contain personal data (location, usage patterns). The entire data model must be GDPR-compliant — from collection through retention to the right to erasure.
Bidirectional connection with device authentication (certificate or pre-shared key) and a reliable update mechanism — the prerequisite for CRA conformity.
High-throughput device data intake, cleanly separated from the application API. Background jobs for aggregation and alerting.
Structured lifecycle data (birth snapshot, service history) plus time-series telemetry. Auditability via an immutable event log.
One codebase for iOS/Android (Flutter), a self-service portal with structured data export (Data Act ready), and an admin cockpit for service.
| Technology | Rationale |
|---|---|
| Flutter | One codebase for iOS and Android, native BLE integration, fast iteration in B2B contexts. |
| NestJS on Fastify | Structured TypeScript architecture, performant HTTP and WebSocket layer, clear modularity. |
| PostgreSQL + TimescaleDB | Relational integrity for lifecycle data, time-series extension for telemetry without a separate database. |
| MQTT 5 | OASIS standard for lightweight pub/sub messaging — the de facto IoT connectivity standard. |
| DigitalOcean / Hetzner (EU hosting) | EU region for data sovereignty and avoidance of US CLOUD Act exposure. Infrastructure control without hyperscaler lock-in. |
As of: 2026-04-30
Platform software for connected production: Asset Administration Shell, RAMI 4.0, and EU compliance.
Companion apps, diagnostics tools, and telemetry backends for connected vehicles and Tier-1 suppliers.
Service apps, MES integration, and OPC UA connectivity for DACH machinery builders.
Apps and platforms for CAFM, smart building, and EU energy-efficiency compliance.
Mobile-first apps for trade businesses and construction sites — from order workflow to BIM integration.
We build software that fits the regulatory, technical, and organisational realities of your industry — without excess complexity.