Skip to content
Search our site  
    January 25, 2022

    Cyber security mandatory for CE marking

    Last updated: January 2024

    After years of discussions, the EU commission has decided to implement cyber security in the Radio Equipment Directive (RED) which covers the majority of IoT and wireless products. The final deadline for any further comments or delays ended in December, so as of 1 January 2022 the 30 months countdown started to August 2024 when cyber security will formally be a mandatory requirement for CE marking of radio equipment. This was extended by 12 months in July, 2023 to provide manufacturers with the necessary time to fully understand the implications of the new standards, effectively implement them, and prepare their compliance programs, which will also benefit the consumers. The new implementation date is 1 August 2025. 

    Note: The UK is introducing mandatory cybersecurity requirements 29 April 2024 - Read More.

    The background of the new requirements
    CE Mark

    The cyber security requirements have always been a part of the RED, however, due to uncertainties on how to demonstrate compliance, this part of the text was not implemented – until now.

    The relevant requirements are found in the RED in Article 3(3) d), e) and f) and in simple terms these are:

    (d) not to harm or misuse networks, causing unacceptable reduction of service
    (e) protection of personal data and privacy
    (f) protection from fraud

    There are currently no standards specified for these requirements, so the EU commission has requested that the European Standardisation Organisations (ETSI, CEN, and CENELEC) establish relevant standards so that manufacturers can assess their products accordingly.

    This, however, does not mean that there are no standards for cyber security. In 2020, ETSI published the ‘Cyber Security for Consumer Internet of Things’, which is regarded as a standard closest to the expected requirements.

    Learn more: On-demand webinar: Cyber security in CE marking
    Which products are part of the scope?
    The scope of the RED, as well as the cyber security article, is wide so most connected products, we use in our daily life are included in the new requirements.

    If we use the references described above the corresponding scopes are:
    (d) Any radio equipment communicating over the internet, directly or indirectly.
    (e) All radio equipment processing personal data or traffic data and location data e.g.
    • Internet-connected radio equipment
    • Radio equipment for childcare*
    • Radio equipment within Toys directive*
    • Wearable radio equipment
    (f) Any internet-connected radio equipment enabling the transfer of money

    *All equipment with radio for children is included – including those not connected to the internet.

    Specifically excluded are equipment covered by Medical Device or In-Vitro Regulation, Aviation, Vehicles, and Road Toll systems.
    How and when should you prepare
    Waiting for the final standards to be published is not a good product compliance strategy as the completion time of the standard may be delayed, while the implementation of the regulation will not. Therefore, the time between the standards being published and the requirement being in force could be very short, making it very difficult for you to implement requirements and changes.

    To prepare for the standards, we advise you to familiarize yourself with ETSI’s ‘Cyber Security for Consumer Internet of Things’, as this is perceived to be a good guideline for the upcoming standards. Another big advantage of evaluating your product now instead of waiting for the standard to be published is that this will give you time to implement any shortcomings into your next product, where the requirements will be mandatory on 1 August 2025.
    How to get started
    From our experience, many manufacturers delay the start of implementing and complying with cyber security standards – mainly for two reasons:
    1. Limited knowledge of cyber security regulations; Manufacturers, whose traditional products were not connected, often have limited experience with cyber security
    2. Limited knowledge of formal standards; Manufacturers who have wide experience making connected products but may not be experienced with cyber security standards, which often include requirements that are outside of what is traditionally thought of as cyber security.
    Both groups should start by having an introduction to the standard, focusing on the technical or formal part depending on the manufacturer’s experience.

    Another option is performing a gap analysis of the product to the standard. This leaves the manufacturer with a specific and valuable list of necessary improvements to implement within their next product.

    Reach out to Nemko to learn more about how we can help you with the services listed above, as well as to further assist in increasing security through for example, vulnerability and penetration testing.
    Nemko_Cyber security logo - RGB - color-jpg


    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...

    Other posts you might be interested in