Delay in Cybersecurity CE Marking Requirements until August 1, 2025

On July 20, 2023, the EU Commission adopted the Delegated Regulation that amends the Radio Equipment Directive (RED) Delegated Regulation on cybersecurity, privacy, and protection from fraud as regards the date of applicability. The latter is delayed until 1 August 2025.  

The RED cyber security requirements were originally planned to be applicable from 1 August 2024. This 12-month extension provides manufacturers with the necessary time to fully understand the implications of the new standards, effectively implement them, and prepare their compliance programs, which will also benefit the consumers.  

The development of harmonized standards to support the essential requirements laid out in Article 3.3 is still underway, with standards expected to be published by June 2024. The extension also provides additional critical time to the European Standardization Organizations (ESOs) to deliver the harmonized standards related to the RED Delegated Regulation 2022/30 on cybersecurity aspects.
 
Please, note that this legal act also includes the correction of the wording "traffic data AND location data," which is replaced by "traffic data OR location data."

The Delegated regulation, C(2023)4823, was published today and shall be submitted to the European Parliament and Council for scrutiny before publication in the Official Journal.
For the manufacturers, this means that they now stand a better chance to prepare in time, but they still need to start this process now, if not started already.


Is this good news or bad news?
For consumers, this is not good news. As cybersecurity is not a part of CE marking, consumers have today no good way to ensure the products they buy are sufficiently protected.  And now the date when CE marking verifies cybersecurity is postponed by one year. However, a too quickly implemented regulation could also have given a false sense of security if the reality would be that many manufacturers were not able to meet the deadline.

For manufacturers, this delay addresses one of the significant frustrations – the lack of a harmonised standard. The extended deadline was mainly given for the harmonised standard to be completed, and this date is now set to June 2024, giving the manufacturers ample time to document compliance. 

On the positive side, having more time to develop the standards means more robust standards, which in the long term provide better security for device types, ultimately benefiting the consumer’s security.  In the short term, some devices will still not have to meet new regulations, but if the standards are not fit for purpose (and there are many device types and standards to be published), then the goal of the requirement falls short.

Now what to do?
The worst pitfall after this extension would be to do nothing! The formal deadline for this CE directive implementation is postponed, but there are at least four good reasons to keep up the pace of cybersecurity:

⏳ Time. Yes, time is still of the essence. Not only are products to be securely designed, put into production, and shipped to market, but this needs to be done timely to the old products to be fully replaced by the implementation date.

🌏 Not only the EU. Cyber security requirements are not found only in the EU, as the rest of the world also are keeping a high pace by introducing several initiatives. This is true for both Asia and the Americas and as close to the EU as the UK. No longer being a member of the EU, the UK introduced mandatory requirements on 29 April 2024. The UK requirements are covered by ETSI EN 303 645 compliance. 

👾 The need for cyber security is not controlled by directives! Or, to put it as one of the speakers at the EU Cybersecurity Conference in Brussels – “Hackers do not wait for regulation!”. The threat to connected devices is increasing year by year, and combined with the growth of the number of such devices, the need for secure products is higher than ever. Also – the damage to a brand from a cybersecurity incident could be substantial. 

✔️ Demonstrating compliance. No one would even think of selling a product not complying with a relevant safety standard, and no large buyer would think of buying products not being able to document such compliance. This will also be the future for cyber security, where the accepted minimum level of security is defined through a standard, and manufacturers document their products by compliance with this standard. For Europe, it may be IEC or ETSI standards and e.g., for USA, it may be NIST standards. These are already similar and are likely to merge further in the future.


Conclusion – focus on standards.
The delay does not significantly change the need or the speed of addressing cybersecurity, but it addresses the confusion concerning harmonised standards for one of the major markets, the EU. Indicating significant changes to the ongoing standard it is also expected that many for the next year will choose to use other defined standards such as e.g., ETSI EN 303 645, NIST IR 8259A or IEC 62443. 

And being able to demonstrate and document cyber security compliance to both large buyers and consumers will set your product apart from those who are not addressing this adequately.

Read more: Why You Should Certify for Cyber Security