The security and safety of connected products is not only a customer-critical issue; it is now a legislative compliance issue for all manufacturers, importers and distributors.
UK Cyber Security Standards
In the UK, the Product Security and Telecoms Infrastructure (PSTI) Bill became law in December 2022, with further secondary legislation outlining exact smart home cyber security requirements and enforcement to follow shortly.
It sets out cyber security requirements, to ensure consumer security, as a condition for market entry for all internet or network-connected devices, underpinned by the European ETSI EN 303 645 standard.
The new requirements will impact all stakeholders throughout the supply chain – not just the manufacturers. The fundamental aim is to ensure that all internet-connected equipment is tested for cyber security performance before it can access the market, but responsibility (and therefore liability) also lies with importers and distributors to ensure that the requisite tests have been done by the manufacturer.
European Cyber Security Standards
In the EU, recently activated articles within the Radio Equipment Directive (RED) will mandate cyber security requirements for all internet-connected devices, and a new standard is being developed by CEN-CENELEC against which manufacturers can test their products to demonstrate conformity.
This will be followed by the Cyber Resilience Act. As in the UK, new requirements will apply not just to manufacturers, but also importers and distributors.
These exclusive guides to cyber security standards and assurance outline the precise tests that products and manufacturers need to pass, what they need to do, when they need to do it by and the implications for not acting swiftly enough or for non-compliance.
While (most) manufacturers clearly take security seriously, the nature of products in this market – which contain multiple software components from different sources – means it is much harder for manufacturers to have an overall comprehension of the cyber security performance of their products.
The common failure factor in each test case is that the manufacturer was not aware of the identified issues, much less their contravention of new standards and IoT requirements, despite their commitment to security and internal processes. It is therefore equally hard to determine PSTI and RED device compliance without independent, verified device testing.
SafeShark’s independent testing service, backed by DTG’s London testing house, gives manufacturers a true understanding of their product performance against UK and international standards. This cyber security certification, assurance and external verification provides clear proof of IoT device compliance. It provides a straightforward route to market and the confidence needed by those in the onward chain to the consumer.