Steps to Take Now to Ensure Compliance
Editor’s Note: As we go to press, relevant cybersecurity requirements are still being developed, so the information presented here may change.
The European Union’s (EU’s) 2024 Cyber Resilience Act makes complying with the cybersecurity standards in the Radio Equipment Directive (RED) mandatory. If your product has Bluetooth, Wi-Fi, or other wireless connectivity in it, and you intend to sell in Europe, it is likely that you will need to comply with Chapter 1, Article 3, Item 3(d), 3(e), and 3(f) of the RED before August 1, 2025. Your firmware developers may need a significant amount of time to implement the provisions, so if you have not already started securing your product to the new regulation, you need to do so now.
Since the new regulation is extremely vague, the European Telecommunications Standards Institute (ETSI) came up with a set of related standards to clarify the requirements that include:
- ETSI EN 303 645 for the manufacturers to follow; and
- ETSI TS 103 701 for test labs to follow.
The new ETSI Cybersecurity standards state that the following products must comply:
- Devices capable of communicating over the Internet (either directly themselves or through another device, like a smartphone);
- Toys and childcare equipment; and
- Wearables (smartwatches, etc.).
There are exemptions for specific products that fall under the scope of their own medical, avionics, or automotive directives, as it will be up to those directives to add their own cybersecurity standards.
The RED, the Cybersecurity Act, and the Cyber Resilience Act
The EU tends to create directives/regulations that modify previous directives/regulations. As you can see below, this means that there is a tendency to end up with a chain of directives instead of a cohesive document. Here’s a brief overview of the relevant directives and regulations mentioned above.
The Radio Equipment Directive (RED) (Directive 2014/53/EU)
In Article 3, Item 3, this directive includes provisions so that:
- (d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
- (e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected; and
- (f) radio equipment supports certain features ensuring protection from fraud.
However (d), (e), and (f) were “inactive” until 2022. It looks like there were no cybersecurity certification methods to accomplish this at the time, which might be what is meant by “inactive.”
The EU Cybersecurity Act (Regulation (EU) 2019/881)
This regulation created a framework for cybersecurity certification “schemes” in Europe. A scheme is the requirements for cybersecurity certification for one particular group of products/services.
Cyber Resilience Act Directive (EU) 2020/1828
This directive supplements Article 3 of the RED and sets out the essential requirements with which radio equipment placed on the EU market shall comply, in relation to:
- Article 3(1)(a) health and safety;
- Article 3(1)(b) electromagnetic compatibility;
- Article 3(2) the effective and efficient use of radio spectrum; and
- Article 3(3) those categories or classes of radio equipment specified in related Commission delegated acts.
The RED empowers the EU Commission to adopt delegated acts in order to render applicable any of the essential requirements set out in Article 3(3) by specifying each of those requirements that shall concern categories or classes of radio equipment. Three points of the second subparagraph of Article 3(3) are relevant to this initiative:
- 3(3)(d) to ensure network protection;
- 3(3)(e) to ensure safeguards for the protection of personal data and privacy; and
- 3(3)(f) to ensure protection from fraud.
2022 Supplement to the Radio Equipment Directive 2014/53/EU – COMMISSION DELEGATED REGULATION (EU) 2022/30
This regulation activates (d), (e), and (f) in the RED and defines the products to which they apply as:
- Devices capable of communicating over the Internet;
- Toys and childcare equipment; and
- Wearables (smartwatches, etc.).
The August 1, 2024 deadline was later changed to August 1, 2025.
On August 5, 2022, the EU Commission issued a standardization request to CEN and CENELEC to develop harmonized standards in support of Delegated Regulation 2022/30. In response, ETSI came up with:
- The “baseline” standards with which manufacturers need to comply (ETSI EN 303 645);
- The procedures the test lab uses to assess a manufacturer’s compliance (ETSI TS 103 701);
- “Vertical standards” – ETSI EN 303 645 interpreted for specific devices like smart locks, etc.; and
- If a product does not have a “vertical standard,” then the baseline standards apply.
Delegated Regulation C(2023)4823
This regulation changed the date of the deadline from August 1, 2024, to August 1, 2025.
Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847)
This regulation adds requirements for manufacturers such as:
- Cybersecurity is considered throughout the product’s lifecycle (i.e. in the planning, design, development, production, delivery, and maintenance phases).
- All cybersecurity risks must be documented.
- Manufacturers will have to report actively exploited vulnerabilities and incidents.
- Once sold, manufacturers are responsible for ensuring that, for the expected product lifetime or for a period of five years (whichever is shorter), vulnerabilities are handled effectively.
- Clear and understandable instructions for the use of products with digital elements are available.
- Security updates are made available for at least five years.
Why Cybersecurity Rules Are Necessary
Improve Network Resilience
Most manufacturers of IoT devices have ignored cybersecurity issues while making products that are extremely vulnerable. You may remember when, on October 21, 2016, roughly ten percent of the websites on the internet became unreachable, including amazon.com, cnn.com, github.com, and many other popular sites, which broke additional sites that required those services to be functioning. Dyn, then the third largest DNS service provider, was taken down by a distributed denial of service attack (DDoS). At the time, Dyn was thought to be too large a DNS provider for a DDoS to work against them.
What had changed was that botnets, which were usually limited by the number of computers people had, started compromising vulnerable IoT devices, which far outnumbered the computers. With so many more devices under its control, the botnet was able to easily take down Dyn.
Improving network resilience means protecting the internet/phone network itself by making sure the network is protected from your product. But it goes beyond just IoT. For example, see “Hackers Remotely Kill a Jeep on the Highway – with me in it.” This video shows a person trying to drive down the highway while attackers continuously spray his windshield-wiper fluid, blurring his vision. It also shows a driver being unable to control his Jeep when attackers remotely drive it into a ditch.
Consumer Privacy Issues
You have probably heard stories of people getting death threats through their Ring-connected doorbells/security cameras. Amazon had to pay out more than $5 million (USD), as summarized in “FTC Sends Refunds to Ring Customers Stemming from 2023 Settlement over Charges the Company Failed to Block Employees and Hackers from Accessing Consumer Videos.”
Reduce the Risk of Monetary Fraud
Under the EU’s RED, Article 3.3(f) focuses on monetary fraud prevention measures. It requires manufacturers to incorporate features in internet-connected devices that actively prevent fraudulent electronic payments and monetary transfers, particularly in devices handling financial transactions. Key points include:
- Focus on payment-related devices;
- User authentication controls;
- Secure communication protocols; and
- Compliance with industry standards.
Manufacturers are required to conduct thorough risk assessments to identify potential vulnerabilities within their devices that could be exploited for fraudulent activities. Ongoing updates and patches need to be provided to address emerging vulnerabilities and maintain security levels against evolving fraud tactics.
How the New Standard Addresses These Issues
ETSI EN 303 645 is a list of over 60 provisions (the precise number depends on the exact version). Following are some examples. While the rules themselves can be worded to try to cover all edge cases, this discussion will be about the rules in terms of what they mean for most people.
No Universal Default Passwords
Manufacturers were hard-coding default login/password parameters (oftentimes the login and password were both “admin”) without requiring the user to change the password. Since most users do not explicitly change the default admin password on their own, this leaves an obvious compromise route for anyone who downloads the user manual and looks up the password. So, this provision is about making the passwords non-obvious.
Securely Store Sensitive Security Parameters
Manufacturers must implement robust measures to protect sensitive data stored on connected devices, ensuring that this data is securely handled throughout the product’s lifecycle, as mandated by the CRA’s cybersecurity standards within the broader framework of RED compliance for wireless devices.
Key points include:
- Data protection;
- Secure storage mechanisms;
- Lifecycle security; and
- RED compliance.
Example scenarios:
- A smart home device storing user login credentials must encrypt the data using a strong encryption algorithm.
- A wearable fitness tracker collecting health data should use secure protocols to transmit that data to the cloud.
- Manufacturers need to implement regular software updates to address vulnerabilities that could compromise sensitive data storage.
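The following is an added example, not code from the article or from ETSI, showing one way the “no universal default passwords” and “securely store sensitive security parameters” provisions above can be met together in device firmware: each unit is provisioned with a unique random initial password, only a salted scrypt hash of it is stored, and the device refuses normal operation until the user replaces the factory credential. The record layout, the minimum length, and the scrypt cost parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Assumed scrypt cost parameters for a small embedded device (illustrative).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MIN_PASSWORD_LEN = 8  # assumed policy value


@dataclass
class CredentialRecord:
    """What the device persists: never the password itself, only salt + hash."""
    salt: bytes
    digest: bytes
    must_change: bool  # True until the factory credential has been replaced


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def provision_device() -> Tuple[str, CredentialRecord]:
    """Run once per unit at manufacture: unique credential, printed on the label."""
    initial = secrets.token_urlsafe(12)  # per-device, not shared across the model
    salt = secrets.token_bytes(16)
    return initial, CredentialRecord(salt, hash_password(initial, salt), True)


def authenticate(record: CredentialRecord, password: str) -> str:
    """Returns 'denied', 'change_required' (factory credential still set) or 'ok'."""
    candidate = hash_password(password, record.salt)
    if not hmac.compare_digest(candidate, record.digest):  # constant-time compare
        return "denied"
    return "change_required" if record.must_change else "ok"


def change_password(record: CredentialRecord, old: str, new: str) -> bool:
    """Replace the credential; clears the must_change flag on success."""
    if authenticate(record, old) == "denied":
        return False
    if len(new) < MIN_PASSWORD_LEN or new == old:
        return False
    record.salt = secrets.token_bytes(16)  # fresh salt on every change
    record.digest = hash_password(new, record.salt)
    record.must_change = False
    return True
```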
Use Best Practice Cryptography in Communications
Basically, for most people, this will mean things like:
- Communicate over either TLS (formerly called SSL) or SSH; and
- Use a key size that is large enough so that the keys will still be considered secure when you end support for that product.
The Manufacturer Shall Publish the Defined Support Period
The manufacturer shall publish, in an accessible way that is clear and transparent to the user, the defined support period. Basically, this means management needs to decide on how long a period they are willing to commit to providing security updates for the product’s software/firmware (it must be at least 5 years). And, then to comply, they need to add the period that they commit to in the product specifications on the official website for the product.
Implement a Means to Manage Reports of Vulnerabilities
Once your product is on the market, most of your new security vulnerabilities will probably be found in your vendors’ libraries. You will need to set a policy, and implement it, for how people should send you vulnerability reports when they find one in your product. If you do not already have a Vulnerability Disclosure Policy, you will need to create one once your product is on the market. People need to be able to assess their risk by reading your coordinated vulnerability disclosures when vulnerabilities are discovered in your product.
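As an added illustration (not from the article), one widely used way to publish the contact point a Vulnerability Disclosure Policy requires is a security.txt file served at /.well-known/security.txt on the product’s website, as defined in RFC 9116; the URLs and addresses below are placeholders.

```text
# /.well-known/security.txt  (RFC 9116; Contact and Expires are the required fields)
Contact: mailto:security@example-vendor.invalid
Contact: https://example-vendor.invalid/report-a-vulnerability
Expires: 2026-12-31T23:59:59Z
Policy: https://example-vendor.invalid/vulnerability-disclosure-policy
Encryption: https://example-vendor.invalid/pgp-key.txt
Preferred-Languages: en
Canonical: https://example-vendor.invalid/.well-known/security.txt
```

The Expires value must be kept in the future, so renewing the file belongs in the same maintenance calendar as the published support period.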
How to Comply
Determine Which Standard Applies to Your Product
Although most products will need to comply with ETSI EN 303 645, there will also be a special ETSI TS standard applicable to your product if it is covered in one of the “vertical standards.” For example, if your product is a home gateway, then your standard will be ETSI TS 103 928.
Download the Standard
As of March 10, 2025, the current version of ETSI EN 303 645 is v3.1.3; however, this may change between now and the time you read this article. You can download the current version of ETSI EN 303 645 on the ETSI website.
Determining Provisions
Determine which of the provisions listed in Annex B you intend to comply with, and record your intention for each provision. Choose from the following:
- Mandatory provision (marked with an “M” in the status column):
  - You intend to implement this provision;
  - Your product does not meet the condition marked on the provision, i.e. not applicable; or
  - Your product does not have the feature marked on the provision, i.e. not applicable.
- Recommended provision:
  - You intend to implement this provision; or
  - You do not intend to implement this provision. You are required to state the reason why you are not implementing it.
Attempt to Secure Your Product
Implement the provisions into your product.
Document Your Results in the Implementation Conformance Statement (ICS) Form
The Implementation Conformance Statement (ICS) form is generally found within the standard that applies to your product. When you finish implementing everything needed in your product, you must fill out the ICS Form to self-declare your conformity to the standard. This self-declaration states that you comply with all aspects of the regulation that apply to your product and that you are taking full responsibility for securing your product to the new requirements. It shows which requirements your product complies with, which requirements do not apply to your product, and why you did not implement the optional requirements.
You then have the option of sending your product, along with your ICS form and an IXIT form, to a third-party test lab for guidance, direction, and reassurance that no aspect of the new requirements has been missed. They will answer your questions and validate that the information in the form describes a complying product and that the product is consistent with what was filled out in the form.
IXIT Form
The test lab will send you an IXIT form. As a manufacturer, you must fill out this form, describing the details of the product and the process you went through to comply with each aspect of the standard that is applicable to your product. For example, it asks:
- What kind of authentication your network connection uses (e.g., TLS connections with public/private ECDSA keys);
- Your company’s policies for how quickly they will respond to vulnerabilities found in the device;
- Where the user can find your statement on what personal data is used and how it is used;
- How the device will receive security patches whenever they are released.
The test lab also validates that the product is consistent with what was filled out in the form and that it is a compliant product.
Is the Cybersecurity Requirement Only for Selling in Europe?
Other regions and other industries will also be making similar requirements. In the U.S., the Federal Communications Commission (FCC) is creating the “U.S. Cyber Trust Mark” to be implemented for IoT. Canada is also creating the “CyberSecure Canada Mark.” Cybersecurity requirements for the EU Machinery Directive will be going into effect in 2027.