Is cyber security mandatory?

Last updated: August 2023

The most common question we get from customers about cyber security requirements is “Is this mandatory”? 

The simple answer is yes. But, as with everything else, there are details that are rapidly changing. Let’s take a quick look at what is mandatory today and what is expected to be mandatory going forward.

Many interpret the absence of a mandatory certification scheme as the absence of mandatory requirements. Of course, this is not so, and we can take the Low Voltage Directive in Europe as an example. There is no requirement for certification, yet the directive and the standards it lists are still mandatory for a product to comply with.

Let's look at the different regions:

Europe

GDPR – General Data Protection Regulation

Not thought of as typically “cyber security”, but information security is an integral part of cyber security. For the protection of e.g. personal information, cyber security is a prerequisite, and cyber security standards like the European norm for Consumer IoTs specify a set of requirements concerning the handling of various types of personal information. Using a product that does not comply with these requirements would jeopardize your GDPR compliance.

RED - Radio Equipment Directive

RED implementing cyber security requirements is a game changer as this puts cybersecurity into the CE marking for wireless products! From 1 August 2024*, wireless products sold in Europe will need to demonstrate compliance with the harmonised standard(s). The standards are being developed and are expected to be published in late 2023 or early 2024. These requirements will be valid for models also being on the market before August 2024, so it is important to verify compliance already now for products with sales period going past August. As the harmonized standards are not yet published, other international standards are commonly used as a preparation, and ETSI EN 303 645 is commonly used for most IoT products.  Please contact the author for any questions or guidance.

*The date has been postponed by 12 months so the new date for when the requirements become mandatory is 1 August 2025. Read more here.

EU Recillience Act

This coming regulation will change the cyber security requirements in Europe as it puts cyber security requirements into CE marking for all products with digital elements. The first proposal was published in late 2023 and based on the swiftness of this first draft, it may be expected to be implemented within a few years.
This regulation is similar to other directives and regulations describing CE marking, such as the RED or the EMC directive. It refers to harmonised standards, Declaration of Conformity, Technical files and also the use of Notified Bodies for high-risk products or when harmonised standards are not used.

EU Cyber Security Act

This act describes certification schemes for products, services and processes. A draft scheme for product certification (level 2 and 3) was published in July 2020 and a final version in Q2 2021. This certification will initially be voluntary, but the requirements will not. For consumer-grade IoT products, the expected standard is ETSI/EN 303 645, which is already in use by Nemko.

UK

The UK is implementing a mandatory cyber security regulation that will apply to all in-scope connected consumer products made available in the UK. Products must comply with specific security measures outlined in legislation through security requirements or designated standards. The recently published EN 303 645 is one such standard on the ‘designated list’, and it is anticipated that the list will grow over time to help firms streamline their efforts. Ironically, considering Brexit, the UK regulation is much more in line with the typical directives than the EU Cyber Security Act. The UK regulation has two alternative routes – either implementing the security requirements as detailed in the legislation or meeting the requirements of a listed standard. As the UK has been instrumental in the development of the ETSI/EN 303 645, this standard is mentioned in particular. Also, an enforcement body will be equipped with power to investigate and take steps to ensure compliance.

Finland

The Finnish authorities, represented by Traficom, have introduced a labelling scheme for IoT consumer products. This is done both to demonstrate security but also as a tool for raising general awareness. The labelling scheme uses ETSI/EN 303 645 with some additions. Traficom accepts Nemko as the basis for the Finnish cyber security label.

USA

The IoT Cybersecurity Improvement Act

In December 2020 the US president signed the IoT Cybersecurity Improvement Act setting out requirements for IoTs used by federal organizations. As federal organizations can use any IoT, this will be a de-facto requirement for the USA. The regulation is now only pending NIST (National Institute of Standards and Technology) to finalize standards and guidelines. This means we can expect US cyber requirements in the same way that we today have safety requirements.

California

As the fifth largest economy in the world, California introduced requirements for connected consumer products on 1 January 2020. The Nemko cyber certification, using the ETSI/EN 303 645 standard, will cover this law.

Oregon

The state of Oregon introduced similar requirements for IoT products, also on 1 January 2020. Just like for the California law, the Nemko scheme will cover these requirements.

Asia

Singapore

Mandatory requirements were introduced for all new residential gateways/routers in Singapore by Infocomm Media Development Authority (IMDA) on 12 April 2021. From 12 October 2021 all such products on the market must comply to these requirements, IMDA TS RG_SEC. These products are chosen because they are particularly important when it comes to security, as it is the first line of defence connected directly to the internet. Such products have been the target of several malicious and worldwide attacks, for instance the infamous Mirai worm.

The Singapore scheme has similarities to the European standard ETSI/EN 303 645.

China

In China there are a number of schemes, both mandatory and voluntary, depending on the products, their specifications and their use. To mention one mandatory scheme, there is the CNCA CCIS-2018 (Updated to CNCA CCIS-2034 in August 2023) , “The Safety Certification implementation rule for Network Key equipment and cybersecurity specialized product” run by the Chinese accreditation authorities CNCA. This scheme covers essential security components such as routers and switches, firewalls and IDS/IPS’s to mention a few. This scheme also carries the ISCC certification mark.

What should manufacturers do?

The focus on and knowledge of cyber security differs very much between manufacturers, but the vast majority do not meet the cyber security standards of today. These standards are not mandatory everywhere today, but standards will be required in most markets within the lifetime of products being designed now.

Depending on the maturity of the manufacturers, there are several entry points to the structured work of cyber security standards. Those new to the area could choose to have simple introductions to the standards or maybe workshops where their products are the basis for the presentation of the standard.

More mature manufacturers can choose to go directly to evaluate their product to the standard. In doing such an evaluation, it will be beneficial to involve a standards expert such as Nemko. This is both to have knowledgeable experts with experience in evaluating according to the standards and to be able to show customers that the evaluation is done by an independent third party.

For more information, please contact us.