The most common question we get from customers about cyber security requirements is quite simply: "Is this mandatory?"
The simple answer is yes. But, as with everything else, the details matter, and the details are changing rapidly. Let's take a quick look at what is mandatory today, and what is expected to become mandatory going forward.
Many interpret the absence of a mandatory certification scheme as the absence of mandatory requirements. This is not so, and the Low Voltage Directive in Europe is a good example. It requires no certification, yet the directive, and the harmonised standards listed under it, must still be met for a product to be placed on the market.
Let's look at the different regions, starting with Europe:

| Regulation | Status |
|---|---|
| GDPR - General Data Protection Regulation | Mandatory |
| RED - Radio Equipment Directive | Mandatory, but... |
| EU Cyber Security Act | Mandatory, but... |
| UK law on IoT | Soon to be mandatory |
| Finnish cyber security label | Voluntary |
GDPR – General Data Protection Regulation
GDPR is not typically thought of as "cyber security", but information security is an integral part of cyber security. Protecting personal information, for example, presupposes that the device handling it is secure, and cyber security standards such as the European standard for consumer IoT (ETSI EN 303 645) specify a set of requirements for how various types of personal information must be handled. Using a product that does not comply with these requirements would jeopardize your GDPR compliance.
RED - Radio Equipment Directive
Again, this directive is not what most people think of as cyber security, but the essential requirements of the RED include provisions on protecting the network and safeguarding personal data and privacy. These provisions have not yet been activated (that requires a delegated act from the European Commission), but the work is ongoing.
EU Cyber Security Act
This act establishes a framework for certification schemes for products, services and processes. A draft scheme for product certification was published in July 2020, and a final version is expected by Q2 2021. Certification under the scheme will initially be voluntary, but the underlying requirements will not be. For consumer-grade IoT products the expected standard is ETSI EN 303 645, which Nemko already evaluates against.
UK law on IoT
The UK is implementing a mandatory cyber security regulation that will apply to all in-scope connected consumer products made available in the UK. Products must comply with specific security measures, set out in the legislation either as security requirements or as designated standards. The recently published ETSI EN 303 645 is one such standard on the designated list, and the list is expected to grow over time to help firms streamline their efforts. Ironically, considering Brexit, the UK regulation is much more in line with the typical EU directives than the EU Cyber Security Act is. The UK regulation offers two alternative routes to compliance: implementing the security requirements as detailed in the legislation, or meeting the requirements of a listed standard. As the UK has been instrumental in the development of ETSI EN 303 645, this standard is mentioned in particular. An enforcement body will also be given powers to investigate and to take steps to ensure compliance.
Finnish cyber security label
The Finnish authorities, represented by Traficom, have introduced a labelling scheme for consumer IoT products. The label serves both to demonstrate the security of a product and to raise general awareness. The scheme is based on ETSI EN 303 645 with some additions. Nemko is currently completing a pilot project with Traficom so that the Nemko IoT cyber certification scheme can be accepted as a basis for the Finnish cyber security label.
| Regulation | Status |
|---|---|
| The IoT Cybersecurity Improvement Act | Soon to be mandatory |
The IoT Cybersecurity Improvement Act
In December 2020 the US president signed the IoT Cybersecurity Improvement Act, which sets out requirements for IoT devices procured and used by federal agencies. As federal agencies buy practically every kind of IoT device, this will act as a de facto requirement for the whole US market. What remains is for NIST (the National Institute of Standards and Technology) to finalize the standards and guidelines the act calls for. This means we can expect US cyber security requirements in the same way that we have safety requirements today.
California
California, the fifth largest economy in the world, introduced requirements for connected consumer products on 1 January 2020. The Nemko cyber certification, based on ETSI EN 303 645, covers this law.
Oregon
The state of Oregon introduced similar requirements for IoT products, also on 1 January 2020. As with the California law, the Nemko scheme covers these requirements.
Singapore
The Infocomm Media Development Authority (IMDA) introduced mandatory requirements for all new residential gateways/routers in Singapore on 12 April 2021. From 12 October 2021 all such products on the market must comply with these requirements, IMDA TS RG-SEC. Residential gateways were chosen because they are particularly important for security: they are the first line of defence, connected directly to the internet, and they have been the target of several large-scale malicious campaigns, for instance the infamous Mirai botnet.
The Singapore specification has many similarities to the European standard ETSI EN 303 645.
China
In China there are a number of schemes, both mandatory and voluntary, depending on the products, their specifications and their use. One mandatory scheme is CNCA-CCIS-2018, "The Safety Certification implementation rule for Network Key equipment and cybersecurity specialized product", administered by the Certification and Accreditation Administration of China (CNCA). This scheme covers essential security components such as routers and switches, firewalls and IDS/IPS devices, to mention a few. Products certified under this scheme also carry the ISCC certification mark.
What should manufacturers do?
Focus on and knowledge of cyber security vary widely between manufacturers, but the vast majority do not meet today's cyber security standards. These standards are not mandatory everywhere yet, but compliance will be required in most markets within the lifetime of products being designed now.
Depending on the manufacturer's maturity, there are several entry points to working systematically with cyber security standards. Those new to the area can choose a simple introduction to the standards, or a workshop where their own products are used as the basis for presenting the standard.
More mature manufacturers can go directly to evaluating their product against the standard. In such an evaluation it is beneficial to involve a standards expert such as Nemko, both to draw on experienced evaluators and to be able to show customers that the evaluation was performed by an independent third party.
For more information, please contact firstname.lastname@example.org
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in test services and as lab manager of the safety, ATEX and medical departments. He has also been Managing Director of the Nemko office in London for two years. After he returned to Norway, he held...