
Cybersecurity Developments in Wireless and Communications Technologies

Managing Cyber Vulnerabilities Across International Boundaries

Several regulatory initiatives arriving in 2025 will begin to make their impact felt on the wireless and communications industry. It is well-known and well-publicized that hacking and subversion of the communications infrastructure by bad actors continues to rise. The effect is experienced every day by consumers, public safety and services, defense, and every other sector of modern society. The growing implementation of “connectivity everywhere, all-the-time” means that security must be addressed in the design and testing of devices and in their integration into networks. Whatever gains the bad actors hope to achieve (monetary, civic instability, pilfering of designs, etc.), their actions mean that security precautions are now more necessary than ever.

There are many reported instances of cybersecurity weaknesses, and industry and regulators are moving to take active management of this space. In the U.S., the National Institute of Standards and Technology (NIST) has been at the forefront of cybersecurity infrastructure protection. The NIST Cybersecurity Framework (CSF 2.0) is designed to support industry, government, and other organizations, and it is becoming well-organized and widely accepted. I liken the current efforts to the early 1990s, when the goals and objectives of telecom mutual recognition agreements (MRAs) were worked out; those agreements are still working well today.

This article outlines recent and near-term cybersecurity protections that are being enacted in the U.S., Canada, the European Union (EU), and other jurisdictions. At the core, achieving a balance between effective cyber protection and free trade can present multiple challenges when it comes to finding common ground.


Current Cybersecurity Initiatives

Current cybersecurity-focused efforts include:

  • EU Cybersecurity Act: Introduces an EU-wide certification framework for ICT products, services, and processes.1
  • U.S. Federal Information Security Modernization Act (FISMA): Provides a framework to protect government information operations against cybersecurity threats.2
  • Health Infrastructure Security and Accountability Act: A bill introduced in the U.S. Senate in 2024 that would set stringent minimum cybersecurity standards for the healthcare sector and require annual audits for compliance.3

These are broad mandates driven by regulators but supported by many industries and industry sectors that recognize the real risk of penetration of networks and devices for ill-gotten gains. NIST in particular has taken a strong position on education and frameworks in the drive to provide cyber protection.

NIST’s CSF 2.0 is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. The CSF framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted globally across various industries, including government and private enterprises. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.

So far, adopting the NIST CSF is voluntary for the private sector, but it is increasingly treated as a de facto requirement. Federal agencies have been directed to manage their cybersecurity risk using the CSF (under Executive Order 13800 of 2017), and vendors who wish to work with those agencies are in practice expected to align with it as well. More and more private enterprises are also taking a strong stance to protect their operations against cyber exposure, balancing access with appropriate protections. Entities must remain continuously vigilant against both routine probing and determined attacks, and take appropriate measures to reduce their exposure; no single measure ensures immunity.

The U.S. FCC’s “Covered List”

The U.S. federal government has adopted both broad and narrow protections, at the enterprise (business) level and at the device (consumer/user) level. Some of those protections include outright exclusion of certain entities from the U.S. communications infrastructure. Increasing threats from some of our largest international trading partners have forced the U.S. to take these actions. Some of these efforts may seem draconian, but they are deemed necessary to protect the security and integrity of communications and supply chain networks.


Toward that end, the U.S. Federal Communications Commission (FCC) publishes a “Covered List” of entities whose systems and devices pose a potential security threat to U.S. organizations. Published in August 2024, FCC document KDB 986446 D01 Covered Equipment Guidance v03, “Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program,” lists the entities that are deemed a “national security threat.” Almost all of these listed entities are based in the People’s Republic of China (PRC).

The FCC’s Covered List is updated as additional entities and communications service providers are designated; equipment on the list can no longer receive new FCC equipment authorizations and may not be connected to the U.S. communications network. A current list of these companies and their restricted equipment and services is found in Table 1, with a short description of the reason for their designation and the date they were placed on the Covered List. The list is not limited to PRC entities: AO Kaspersky Lab, headquartered in Moscow, was added in March 2022.

The FCC’s Cyber Trust Mark Program

Further, the FCC has established a Cyber Trust Mark program, a voluntary labeling scheme under which consumer Internet-connected products that meet a baseline set of cybersecurity criteria (derived from NIST’s consumer IoT profile, NIST IR 8425) may carry the mark. Those criteria address matters such as asset identification, data protection, access control, software updates, and awareness of the device’s own cybersecurity state. This action is primarily for the protection of consumers, but may be (and probably will be) broadened to cover more of the systems and devices that must be reviewed and approved under the FCC’s Equipment Authorization program. Under that program, radio frequency devices are tested by an FCC-recognized accredited test laboratory and then “certified” by a Telecommunications Certification Body (TCB), which reviews the test results and issues the grant of certification, all under the oversight of the FCC’s Office of Engineering and Technology (OET).

The purpose of the Cyber Trust Mark is, again, to reduce the risk of compromise of equipment that is exposed to the Internet. The program is still evolving in real ways, but it should ultimately strengthen protections for the U.S. communications infrastructure.4

For the moment, the Cyber Trust Mark program is voluntary, but expect that to change as well. In my opinion, it won’t be long until this voluntary program becomes mandatory for device approvals. This is in step with the coming EU cybersecurity requirements for radio equipment under its Radio Equipment Directive (RED) and the related Cybersecurity Act, discussed in the next section.

What this means for device compliance is profound and must be considered for Internet of Things (IoT)-related devices that may be vulnerable (which is, to say, everything, from video systems to baby monitors to electric razors).

The FCC’s Cyber Trust Mark is shown in Figure 1.

Figure 1: U.S. Cyber Trust Mark

As stated on the FCC’s information page on this topic, the FCC is still “standing up” this comprehensive program. Rollout is likely during 2025 or 2026. A structure is still being worked out under which Cybersecurity Label Administrators (at this time, only U.S.-based firms) can issue the Cyber Trust Mark.

European Union Cyber-Security Activity

For context, the EU’s Radio Equipment Directive (2014/53/EU) has been a very successful program within the EU that provides a comprehensive route to protect the radio spectrum. Industry, regulators, and society (although only a small percentage of the population knows this) rely on standard approaches to control interference, improve communications performance, and ensure that the device in your hand will work across various networks.

These networks include, among others, cellular systems, local Wi-Fi, and something called LoRa (short for “Long Range”), a low-power wide-area technology that extends the reach of Internet of Things (IoT) sensors and similar devices. LoRa operates in sub-GHz unlicensed bands (for example, 868 MHz in Europe and 915 MHz in North America) and uses a spread-spectrum modulation that trades data rate for receiver sensitivity, so links reach far beyond Wi-Fi or a cellular handset at the cost of very low throughput. This is handy for sensors and other low-data-rate implementations. The long-distance record for LoRa data transmission now stands at 1336 km (830 miles), set with a balloon-borne node!5

However, I digress. One can simply note that cyber protections address a sometimes-dizzying array of devices and technologies.

In addition to the RED itself, the European Commission has integrated cybersecurity into the RED’s essential requirements. Commission Delegated Regulation (EU) 2022/30 activates Article 3(3)(d), (e) and (f) of the RED for Internet-connected radio equipment (and certain wearables, toys and childcare devices), with the harmonised standards EN 18031-1, -2 and -3 providing the route to a presumption of conformity. This delegated act is distinct from the EU Cybersecurity Act (Regulation (EU) 2019/881), which establishes the EU-wide certification framework, and from the Cyber Resilience Act, which is intended eventually to supersede the RED’s cybersecurity requirements; the European Union Agency for Cybersecurity (ENISA) supports these efforts but does not itself set RED requirements.

The updated RED cybersecurity requirements become mandatory on August 1, 2025. There is a strong push to comply, and opportunities await for multinational players to help the industry maintain market access, which is difficult enough given the practical realities of global product approvals.

Article 3(3)(d), (e) and (f) of the RED deal, respectively, with protection of the network, protection of personal data and privacy, and protection from fraud. Article 3(3)(d) requires that the equipment neither harm the network or its functioning nor misuse network resources; in practice, a compromised device must not be turnable into, for example, a source of flooding traffic against other network users.

Article 3(3)(e) is self-explanatory but not always easy to satisfy. For example, how does a service provider or device manufacturer demonstrate that personal data cannot be intercepted or “spoofed”? In practice this means encrypted storage and transport, authenticated access, sound firewalls, and the education of operators and users so that they are not fooled by phishing and similar social-engineering attacks. It is also tightly coupled with Article 3(3)(f): fraud becomes possible if the proper protections are not built into the design or the operation of the device.

Nonetheless, humans can be fooled, and in some cases the best a device manufacturer or operator can do is to limit the damage, or to have backups and built-in protections.

Evaluations of equipment and systems must cover physical protections, data protections, and “disaster recovery” procedures. These typically include a risk assessment to ensure that procedures are in place to limit damage, physical or otherwise, from “bad actors,” whether domestic or foreign agents, intent on disrupting or stealing from any manner of device connected to the Internet, directly or indirectly.

Eventually, these changes to the RED will affect broad areas of industry and nearly any Internet-connected radio device (connected directly or indirectly). The delegated act is mandatory for the information and communication technology (ICT) devices within its scope, which, in practice, is just about everything with a radio and an Internet connection.

Industry Actions

Regardless of the regulatory environment, industry is taking on its own sets of protections, requiring that vendors, and their suppliers in turn, demonstrate that cyber protections are in place. This requires a set of internal and external measures that protect design and data integrity, especially when dealing with personal information. Increasingly, vendors must build the operational infrastructure to manage these internal affairs. Sometimes, these might just be “checklists”; other times, they are the stuff of audits and closer scrutiny by third parties. It all depends on a few things, each of which adds a twist to staying in compliance, including:

  1. Oversight by government or regulators
  2. Internal policies
  3. Industry trends

In our compliance world, accreditation bodies (ABs) may perform a role in providing a third-party, independent assessment. This activity often involves a mix of remote and on-site reviews of documentation, procedures, training, and other proof of competence. A certification body (CB), notably a TCB under the FCC’s Equipment Authorization Program, has to comply with ISO/IEC 17065, and testing laboratories with ISO/IEC 17025. ABs themselves follow ISO/IEC 17011, and personnel certification is covered by ISO/IEC 17024. Many of the same principles apply across the ISO/IEC 170XX series, but at the core is the demonstration of confidence.

This is extending into cyberspace, with its particular focus on the protection of networks, people, and personal information. The framework of the assessment is the same with the particular focus depending on the intent and content of the standard that is being assessed.

Many companies are taking matters into their own hands by requiring compliance with these ideals as a condition for working with them. It simply is what it is, and it is for a good cause. In any event, it becomes a business decision: if a company wishes to work in this increasingly complex space of interconnectedness, they must go through the actions, and it is not capricious. It involves a management-level decision to move the organization in that direction. The implementation of procedures affects all levels of an operation, from design to communication to inventory to supply chain verification.

This last point may be tricky because a vulnerability may exist at the chip level. This is why suppliers on the FCC’s Covered List are suspect: it is conceivable, if not already happening, that malicious code can be embedded in the firmware of a microprocessor or other critical component and can listen to and report the activities of the user(s). For the integrator, there is practically no way to know this, and that is the difficult part for manufacturers who have wider goals for their implementations of the technologies.

This goes right to the heart of the protection of IoT devices: “Someone might be listening…”

International Cooperation

The ISO documents referenced previously are International Organization for Standardization (ISO) documents, developed jointly with the International Electrotechnical Commission (IEC), which implies that many national bodies are at the table. For the narrow purpose of U.S./EU trade, these documents are key. It is not uncommon for individual countries to adopt the ISO/IEC requirements into their own national standards structures; in the majority of cases, the texts are identical.

A success story: the EU and North America (at least for now) have mutual recognition agreements (MRAs) which allow for a free flow of goods across the borders. The MRAs include EMC and radio regulations that have worked very well for U.S. and Canadian manufacturers.

Yet this structure does not only affect U.S./Canada/EU trade; the approvals are often used for market access in other countries where the regulatory structure is not in place, or has not matured, or (depending on the size of the economy) may not be warranted. That is, these countries don’t need a full-blown regulatory structure and often rely on “CE Marking” or “FCC Certification” for placing products on the market.

These MRAs have been in place for EMC and radio equipment for a few decades, allowing access to markets under a combined mix of international and domestic regulations.

It remains to be seen whether the MRAs will extend to these new cyber provisions. For the moment, the FCC requires any entity that issues a Cyber Trust Mark approval to be located in the U.S. The EU, for its part, is currently not recognizing Notified Bodies outside the EU for cyber approvals, although this may prove malleable. In effect, each country/economy is becoming more focused on protecting its own industries.

Perhaps this will change. But with the current political climate in flux at the time this article was written, it is hard to predict what the picture will look like in the near future or in the next few years. But as happens with most regulatory actions (and practically so), they are unlikely to be rolled back.

Whatever the final outcomes (and they are not static, mind you!) these frameworks are here to stay.

Endnotes

  1. “The EU Cybersecurity Act,” the European Commission’s webpage for the EU’s Cybersecurity Act (as of 4 May 2025).
  2. “S. 2251, Cybersecurity Act of 2023,” the U.S. Congressional Budget Office webpage for the U.S. Federal Information Security Modernization Act (FISMA) (as of 4 May 2025).
  3. “Health Infrastructure Security and Accountability Act: A New Era for Healthcare Cybersecurity,” an article posted to the legal publishing site JD Supra (as of 4 May 2025).
  4. Additional details about the FCC’s Cyber Trust Mark program are available at https://www.fcc.gov/CyberTrustMark.
  5. A comprehensive overview regarding the parameters of LoRa can be found at https://www.thethingsnetwork.org/docs/lorawan/regional-parameters.
