The security and safety of wireless IoT devices took another step towards becoming part of EU CE compliance last Friday. The EU Commission announced its adoption of the delegated act to the Radio Equipment Directive: https://ec.europa.eu/growth/news/commission-strengthens-cybersecurity-wireless-devices-and-products-2021-10-29_en.
As a result, this act creates legal requirements for the security of wireless IoT devices, with significant implications for their CE marking.
In simple terms, certain cyber security measures become mandatory as part of wireless IoT device CE compliance and marking. This is the route that Craig Ormerod from TUV SUD and I suggested the EU might be expected to follow in our presentation at the IoTSF's 23rd Plenary back in 2019. The key requirements are that the IoT device contains safeguards to protect users' personal data and privacy, together with fraud prevention measures, and that it does not harm the network it connects to.
Demonstrating compliance and Standards
Demonstrating compliance is normally done against standards, in some cases market-specific ones. The Commission is asking the European Standardisation Organisations to develop relevant harmonised standards. However, there are some existing standards that are likely to be applicable:
In the Consumer market, some or all of the 13 provisions in the ETSI standard EN 303 645 "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements" [1] are likely to be mandated. Associated with this ETSI consumer cyber security standard is its partner test specification TS 103 701 "CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements" [2].
For the Industrial sector, a likely standards family that could be used to demonstrate compliance would be EN IEC 62443 "Security for industrial automation and control systems" [3].
Where there are no standards for a specific sector, it will be necessary to seek the opinion of a Notified Body as to whether the security mitigations are sufficient to ensure the product is compliant. Hopefully this lack of standards will not last too long. Ahead of standards, there are also other sources of support for demonstrating security compliance, a good example being the IoTSF's Assurance Framework [4], of which Xitex's Richard Marshall was a lead author.
Compliance methods will be the same as the existing approach under the Radio Equipment Directive: either self-assessment or independent third-party assessment. Note that self-assessment is only open to a manufacturer who applies the relevant harmonised standards in full; where none exist, or they are applied only in part, the route runs through a Notified Body.
Timescales
Provided the EU Council and Parliament raise no objections, the delegated act will come into force after a two-month scrutiny period. Once the act is in force, manufacturers will have 30 months to make their products compliant, i.e. by mid 2024. In conclusion, with typical product development lifecycles being between 12 and 24 months, security requirements need to be considered now for both new and existing products.
Richard Marshall is Director and Managing partner at Xitex
Other useful related links:
[1] ETSI EN 303 645 "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements" https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf
[2] ETSI TS 103 701 "CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements" https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf
[3] EN IEC 62443 "Security for industrial automation and control systems" https://webstore.iec.ch/searchform&q=62443
[4] IoTSF “Assurance Framework” 3.0 https://www.iotsecurityfoundation.org/best-practice-guidelines/
Xitex IoT Security and regulation blog post: https://www.xitex.uk/2018/11/26/being-regulation-ready/
Further information
If you have specific queries around IoT device security please contact us at: sales@xitex.co.uk
Image courtesy of Shutterstock.com