Be ready for the upcoming European cybersecurity requirements for IoT devices

The Delegated Act to the Radio Equipment Directive adopted aims to address that IoT devices are safe before being sold onto the EU market. This Act lays down legal requirements for cybersecurity safeguards, which manufacturers will have to consider in the design and production of wireless-connected products. It will also protect consumer privacy and personal data, reduce the risk of financial fraud as well as ensure better resilience of communication networks. 

The measures cover wireless and IoT devices such as mobile phones, tablets, and other products capable of communicating over the internet; toys and childcare equipment such as baby monitors; as well as a range of wearable equipment such as smart watches, wearables, or fitness trackers. Medical devices and motor vehicles, however, do not fall within the scope as cybersecurity provisions from other legislations are applicable for these products.

This means that the majority of global wireless Original Equipment Manufacturers (OEMs) placing IoT products onto the European market will be required to demonstrate compliance with these new requirements via testing. Currently, there are no harmonized standards in place; however, test standards are available such as ETSI EN 303 645 and IEC 62443-4-2, which are a good starting point on the journey to becoming ready to declare conformity to the upcoming cybersecurity requirements.

The Delegated Act will enter into force on 1 August 2025 after initial plans of August 2024. This 12 -month extension provides manufacturers with necessary time to fully understand the implications, prepare, and comply with the new regulations. This extension will also allow the European Commission more time for harmonized standards to be developed and provide a significant timeframe for manufactures to ensure that cybersecurity is considered in the design lifecycle of their products.

• Art 3.3 (d) requires that radio equipment does not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service.
• Art 3.3 (e) incorporates safeguards to ensure that personal data and privacy are protected in cases when equipment is capable of processing such information.
• Art 3.3 (f) requires internet-connected radio equipment devices placed on the European market to support features for ensuring protection from fraud when they enable the holder or user to transfer money, monetary value, or virtual currency.

BSI, your digital trust testing and certification partner, is helping IoT manufacturers to attain confidence and trust that products will be compliant with these upcoming cybersecurity requirements by means of pretesting services against the available ETSI EN 303 645 standard, with a mapping against the new essential requirements using the recent publication ETSI TS 103 929.

Cyber-ready verification for devices

• Level 3: Providing a complete coverage of all ETSI EN 303 645 requirements including mandatory and recommended requirements to get ahead of the compliance curve. 
• Level 2: Providing coverage of all mandatory ETSI EN 303 645 requirements, to gain assurance and to cover potential gaps in the compliance of your product in the nearest future.
• Level 1: Designed to give you a quick practical initial assessment of the device against the new Articles for the RED Delegated Act. You will gain an understanding of where your product sits in relation to future compliance.