Radio Equipment Directive: New Cyber Security Requirements

05 Oct 2022

Background of Consumer IoT Cybersecurity

On Jan. 12, 2022, the Official Journal of the European Union (EU) published delegated regulation 2022/30/EU, enforcing compliance with the requirements of RED Article 3.3(d), (e) and (f), which increase cybersecurity, personal data privacy and fraud protection for applicable wireless devices available on the EU market.


It took effect on 1 February 2022 and will become mandatory on 1 August 2024, giving device manufacturers a 30-month transition period.

Currently, only some baseline security requirements for consumer IoT devices have been defined and issued in standards by numerous organizations, as there is no harmonized standard covering this scope.

Recent regulations such as the EU Cybersecurity Act, GDPR, the California Consumer Privacy Act and state bills across the US are putting pressure on manufacturers and retailers to take action. Cybersecurity will therefore be enforced within national regulations in the near future. However, IoT devices need to be assessed at the manufacturing stage to identify and evaluate cybersecurity gaps between hardware and software.

ETSI EN 303 645

ETSI standard EN 303 645 is the first cybersecurity standard for consumer IoT devices that is applicable globally. It sets baseline requirements for consumer IoT (Internet of Things) and aims to bring together good practice in technical and organizational measures for RED cybersecurity.

ETSI EN 303 645 contains 33 mandatory provisions and 35 recommended provisions across the following 13 cybersecurity aspects and the data protection aspect for consumer IoT:

  • No universal default passwords
  • Ensure software integrity
  • Implement a means to manage reports of vulnerabilities
  • Ensure that personal data is secure
  • Keep software updated
  • Make systems resilient to outages
  • Securely store sensitive security parameters
  • Examine system telemetry data
  • Communicate securely
  • Make it easy for users to delete user data
  • Minimize exposed attack surfaces
  • Validate input data

In today’s market, there is a wide range of consumer IoT devices and associated services covered by the ETSI EN 303 645 standard, such as:

  • Connected children's toys and baby monitors
  • Connected smoke detectors, door locks and window sensors
  • Smart cameras, TVs and speakers
  • Wearable health trackers
  • Connected home automation and alarm systems
  • Connected appliances, such as washing machines and fridges
  • Smart home assistants
  • IoT gateways, base stations and hubs to which multiple devices connect

SGS provides a conformity assessment program for consumer IoT based on ETSI standard 303 645, offering four assessment levels, M0 up to M3, for manufacturers and test programs R0 to R2 for retailers. This allows the risk exposure of the application to be aligned with an appropriate assurance level.

Consumer IoT Quick Scan Assessment

Test level M0 is a quick scan approach: a questionnaire- and interview-based conformity assessment for consumer IoT, corresponding to assurance level “Basic”.

It is important to carry out this quick scan assessment of consumer IoT against the requirements of ETSI EN 303 645, as it is the foundation of consumer IoT assurance. It helps consumer IoT products maintain good practice for future IoT cybersecurity certification schemes and minimize the trust gap in the digital market.

Steps for Quick Scan Assessment

Because the quick scan assessment is an interview- and review-based approach in which no independent third-party tests are performed, it is a cost-effective option when independent testing is not required or for products with low risk exposure. The final outcome of this activity is a conformity assessment report.

The quick scan assessment is conducted in three steps:

[Figure: Cybersecurity Quick Scan Assessment]

SGS provides a comprehensive range of cybersecurity services to enable you to manage and mitigate the risks by helping you tackle the cybersecurity challenge to meet new standards and regulations with a focus on the complete supply chain, and lifecycle of components, products, networks and systems.

For more information on our IoT & Cyber Security certification services, please visit our e-commerce platform, TIC Mall, or contact our Customer Service Team for details.


  • SGS Hong Kong Limited

Units 303 & 305, 3/F, Building 22E,

Phase 3, Hong Kong Science Park,

Pak Shek Kok, New Territories,

Hong Kong, China