The security and safety of connected products is not only a customer-critical issue, it is now a legislative compliance issue for all manufacturers, importers and distributors across the UK and EU.
UK Cyber Security Standards
In the UK, the Product Security and Telecoms Infrastructure (PSTI) Bill became law in December 2022, with further secondary legislation outlining exact smart home cyber security requirements and enforcement now in place.
It sets out cyber security requirements, to ensure consumer security, as a condition for market entry for all internet or network-connected devices, underpinned by the European ETSI EN 303 645 standard.
These requirements impact all stakeholders throughout the supply chain – not just the manufacturers. While they fundamentally ensure that all internet-connected equipment is tested for cyber security performance before it can access the market, responsibility (and therefore liability) also lies with importers and distributors to ensure that the requisite tests have been done by the manufacturer.
European Cyber Security Standards
In the EU, recently activated articles within the Radio Equipment Directive (RED) mandate cyber security requirements for all internet-connected devices. The new three-part standard EN 18031 has now been approved and has been cited in the Official Journal of the EU (OJEU). However, the citation includes certain restrictions. These restrictions relate to clauses within the standards and mean that in some cases a Notified Body opinion is still required to access the EU market if the notices in the implementation decision apply to your product. The enforcement deadline is August 1st 2025.
This will be followed by the Cyber Resilience Act in the EU. As in the UK, new requirements will apply not just to manufacturers, but also importers and distributors.
These exclusive guides to cyber security standards and assurance outline the precise tests that products and manufacturers need to pass, what they need to do, when they need to do it by and the implications for not acting swiftly enough or for non-compliance.
While (most) manufacturers clearly take security seriously, the nature of products in this market – which contain multiple software components from different sources – means it is much harder for manufacturers to have an overall comprehension of the cyber security performance of their products.
The common failure factor in each test case is that the manufacturer was not aware of the identified issues, much less their contravention of new standards and IoT requirements, despite their commitment to security and internal processes. It is therefore equally hard to determine PSTI and RED device compliance without independent, verified device testing.
SafeShark’s independent testing service, backed by DTG’s London testing house, gives manufacturers a true understanding of their product performance against UK and international standards. This cyber security certification, assurance and external verification provides clear proof of IoT device compliance. It provides a straightforward route to market and the confidence needed by those in the onward chain to the consumer.