- Building inspection
- Fire alarms system testing
- Household appliances
- Installation materials
- Industrial machinery
- IT & audio video
- Laboratory, test & measurement
- Lighting equipment
- Maritime, oil & gas
- Medical & healthcare equipment
- Military & aerospace product testing
- Wireless & telecom
Last updated: August 2023
From 1 August 2024*, compliance managers are facing new requirements for CE marking, as cyber security documentation for wireless products will become mandatory.
* The implementation date has been extended by 12 months, so the new implementation date is 1 August 2025. Read more here.
3 challenges compliance managers are facing
The upcoming requirements are in many ways an advantage for both consumers, manufacturers, and for society at large. Standardised requirements will make the products more secure than today, and provide manufacturers with a defined, acceptable level of security.
But they will also present some challenges for compliance managers, particularly within three areas:
- Time is of the essence
The requirements need to be documented for all products put on the market after 1 August 2024 which includes products being produced today (and of course any future products). This actually means that the products need to comply now, as some requirements are virtually impossible to retrofit in an existing product.
- The standards are still undefined
The required standards are expected to be published early 2024 as CENELEC (European Committee for Electrotechnical Standardization) currently are working on the development of European harmonized standards to cover the essential requirements.
- New parts of the organisation must be involved
Compliance managers are used to dealing with traditional safety standards and the respective departments for these in their organisation. But cyber security represents unfamiliar requirements and other parts of the organisation, e.g., software development will need to be included.
How to deal with these challenges?
We suggest you start considering these upcoming requirements today, and that you start by becoming familiar with relevant standards in order to identify gaps between the standard and your current or upcoming products.
Familiarize yourself with relevant standards
This not only goes for software developers, but for various members across department. As the standards will involve both software developers, technical staff, and more administrative roles, it is important that members across different departments of the company familiarise themselves with the relevant standards.
Depending on products, some of the relevant existing standards may be:
- ETSI/EN 303 645 — This European standard details outcome-focused best practices for the security of Internet-connected consumer devices to provide flexible security measures.
- IEC 62443 — This series of standards focuses on the cyber security of various aspects of industrial communications networks, including industrial automation and control systems and components, as well as requirements for IACS service providers.
Use your newly gained knowledge of the standards to do a GAP analysis of your existing product against the relevant standard(s). This will give you a list of requirements currently not being met by the product. Based on this you can decide how to address the shortcomings for the current product or upcoming products. But take note that existing products that has gaps to the relevant standard must be discontinued as of 1 August 2024!
How can Nemko help?
If you’re looking for a bit of professional assistance on how best to meet the new cyber security requirements, we can help you. Based on requests from customers, we have developed the following three services that can help you get a good head start on the new requirements:
- Gap analysis report: we do a GAP analysis of your product against the standard and provide a list the shortcomings and how you should address these. Such gap analysis may be combined with below trainings and workshops.
- Training: At Nemko, we have identified the most relevant standards and requirements to meet the regulations. We can take you on a “guided tour” through the standard(s) including examples of solutions.
- Workshops: we apply each clause of the standard to your specific product. Workshops are a very concrete and useful way to assess incompliance as they are based on one of your existing products.
If you have any questions or concerns, Nemko is always here to help you. Reach out to your local Nemko office or use the 'Contact us' form.
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...