US Cyber Trust Mark Launched (nearly)

At CES in Las Vegas, a panel chaired by the Consumer Technology Association brought together Afero, Sony, Keysight and IoTX to outline progress on the US Cyber Trust Mark – the US attempt to align with the EU Cyber Resilience Act.

Despite conference listings suggesting the scheme was live, it is still being finalised. Some requirements are being worked through between standards bodies and the Federal Communications Commission, which owns the scheme.

What’s clear is the direction of travel. The Cyber Trust Mark is a voluntary, consumer-facing label for wireless, internet-connected products. Manufacturers that qualify can display the logo and must include a QR code on packaging, linking to key security information such as support periods, password management and how the product is secured.

Like the CRA, the scheme goes beyond devices. It spans equipment, apps, cloud services and APIs, with expectations around risk assessments, vulnerability reporting, SBOMs and even HBOMs. The draft specification (PSHSB 23-239), published via the FCC, is based on National Institute of Standards and Technology standards.

The big open question is uptake. As a voluntary mark, its impact will depend on whether consumers recognise and value it. That said, cybersecurity is increasingly influencing purchasing decisions – and a future mutual recognition agreement with the CRA could accelerate adoption on both sides of the Atlantic.

With final details expected to be resolved early this year and launch anticipated later in the year, this is another signal that global product security requirements are converging.

For manufacturers, the message is consistent: getting ahead of these frameworks – and understanding how they overlap – is no longer optional.

This is where SafeShark can help.

At SafeShark, we work directly with manufacturers navigating exactly these kinds of emerging and converging frameworks. From early scoping and gap analysis through to risk assessments, SBOMs, vulnerability processes and full assurance, we support teams end to end, removing uncertainty and accelerating compliance.

As schemes like the US Cyber Trust Mark and the CRA continue to take shape, having a trusted partner who understands both the regulatory intent and the technical detail makes the difference between reacting late and moving with confidence.

Alex Buchan
Director
SafeShark

UK leads global charge on connected device security

The UK has cemented its role as a global leader in connected device security, with new agreements announced during Singapore International Cyber Week set to align international standards and boost consumer protection.

Under a major deal between the UK and Singapore, devices meeting Singapore’s cybersecurity standards will now be recognised under the UK’s Product Security and Telecommunications Infrastructure (PSTI) regime – the world’s first legislation to introduce minimum cyber requirements for consumer devices.

The PSTI regime, built on the ETSI EN 303 645 standard, mandates key protections such as banning default passwords and ensuring transparency over software update support. This alignment will simplify compliance, reduce costs, and accelerate the rollout of secure products globally.

The announcement forms part of a wider Global Cyber Security Labelling Initiative launched by a coalition of countries including the UK, Singapore, Australia, Germany, Finland, Japan, and South Korea. The initiative aims to harmonise standards across markets, delivering safer devices to consumers and a clearer compliance framework for manufacturers.

Cyber Security Minister Liz Lloyd CBE said the initiative will provide “safer products for people, clearer rules for business and less duplication across borders.”

Domestically, the UK is also embedding cybersecurity more deeply into business governance through the Good Business Charter, which now includes cyber resilience as a key accreditation criterion. The forthcoming Cyber Security and Resilience Bill will further strengthen protections for essential and digital services, reinforcing the UK’s leadership in the global cybersecurity landscape.

As more nations adopt the UK’s approach, the PSTI framework – and the EN 303 645 standard that underpins it – continues to set the global benchmark for smart device security, supporting innovation while protecting consumers.

For more on compliance with this, The Radio Equipment Directive and the upcoming Cyber Resilience Act in the EU get in touch today.

CRA in brief – what you need to know

The EU’s Cyber Resilience Act (CRA) is here, setting out tough new cybersecurity requirements for products with digital elements (PwDEs). While obligations are phased, preparation is vital. Here are the three big takeaways manufacturers need to know straight away:

CRA is live but phased. The Act entered into force in December 2024. Vulnerability reporting starts in September 2026, with full compliance and CE marking required from December 2027.
Scope goes beyond RED. Unlike the Radio Equipment Directive (RED), which covers radio-connected products, the CRA applies to all PwDEs, including hardware, software, apps, cloud services, and lifecycle processes.
Preparation is essential. Compliance demands risk assessments, testing, and a vulnerability management process (including an SBOM). Starting now will help manufacturers avoid costly disruption later.

What is the CRA?

The CRA is EU legislation designed to strengthen the resilience of digital products. It sets essential cybersecurity requirements for any product with digital elements placed on the EU market.

Who does it apply to?

Manufacturers, importers, and distributors of products with digital elements, from connected devices and operating systems to apps, software libraries, and cloud services, all fall within scope.

How is it different from the Radio Equipment Directive (RED)?

The RED Delegated Act introduces cybersecurity requirements for radio products with wireless technologies such as Wi-Fi and Bluetooth. From 1 August 2025, these products must be tested against EN 18031 standards.

The CRA goes further. It applies to all PwDEs and extends compliance obligations to include associated software and processes. Manufacturers must demonstrate how they assess and mitigate risks across a product’s entire lifecycle and how they handle vulnerabilities.

When does it come into force?

September 2026 – Vulnerability reporting obligations begin, including notifying ENISA of actively exploited vulnerabilities.
December 2027 – Full compliance takes effect, including CE marking and conformity assessments.

What does compliance involve?

Organisations will need to:

Implement risk assessments covering planning, design, development, production, and maintenance.
Test products against essential requirements, such as access controls and authentication mechanisms.
Create a vulnerability management process, including reporting and maintaining a software bill of materials (SBOM).

European Standards Bodies (CEN/CENELEC and ETSI) are developing supporting standards to help demonstrate compliance. Products meeting requirements can then be CE marked and backed up with technical files including test reports and declarations of conformity.

How SafeShark can help

SafeShark supports companies preparing for CRA compliance through pre-assessments mapped to ENISA’s requirements. We are directly involved in the standards process, so we can provide the latest insights on how requirements are evolving.

Until CRA deadlines apply, manufacturers must still comply with RED. From 1 August 2025, connected radio products entering the EU market must be tested against EN 18031 standards. SafeShark offers straightforward EN 18031 compliance testing at our dedicated cybersecurity lab in central London, helping ensure your products are ready for market.

The top five RED compliance pitfalls and how to avoid them

by Steven Gallivan, Account Manager, SafeShark

If you’re a manufacturer bringing connected products to market, compliance with the Radio Equipment Directive (RED) isn’t optional, it’s essential. But in my work helping companies navigate the process, I see the same avoidable mistakes crop up time and again. Each one can mean delays, extra costs, or even products being pulled from shelves.

Here are the top five pitfalls and, more importantly, how to avoid them.

1. Leaving compliance until the last minute
Compliance isn’t a quick add-on at the end of development. Tackling it too late often leads to redesigns and costly delays. The best approach is to plan for compliance from the start, building requirements into your design and testing roadmap.

2. Misunderstanding cybersecurity obligations
The RED now includes essential requirements on security, privacy, and protection against fraud. These aren’t just technical extras, they’re core to product safety. A common pitfall is underestimating the scope of cybersecurity testing, which can lead to non-conformities when the product is reviewed by a Notified Body.

3. Overlooking documentation
Technical documentation is more than a formality. If it’s incomplete or inaccurate, your product cannot be properly assessed, and it may not be legally sold in the EU or UK. Keep detailed, up-to-date records of design, testing, and risk assessment to avoid unnecessary setbacks.

4. Assuming RED and PSTI are interchangeable
While the UK’s PSTI legislation and RED overlap in some areas, they are not the same. Treating them as interchangeable is a recipe for non-compliance. Understanding where they differ, particularly in scope and enforcement, is crucial if you want to sell into both markets smoothly.

5. Going it alone
The RED is complex, and self-assessment isn’t always enough. Working with a trusted partner who can provide expert guidance, testing, and direct links to a Notified Body makes the whole process smoother and more robust.

At SafeShark, we’ve seen how avoiding these pitfalls helps companies save time, cut costs, and get to market with confidence. Compliance doesn’t have to be a hurdle, with the right planning and support, it becomes a competitive advantage. Feel free to get in touch if you think we can help.

SafeShark joins the IoT Security Foundation

SafeShark is proud to announce that it has joined the IoT Security Foundation (IoTSF), the international not-for-profit organisation dedicated to driving security excellence in the Internet of Things (IoT).

SafeShark’s mission has always been clear: empowering connected device manufacturers to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects this commitment and underlines the company’s role in:

making cybersecurity compliance accessible, not intimidating
helping manufacturers navigate complex cyber standards with clarity and confidence
influencing future regulation and procurement requirements
contributing to a secure IoT ecosystem

At SafeShark, compliance is made simple through practical, agile, end-to-end solutions. Using automation and a unique testing platform, SafeShark supports manufacturers and service providers to meet today’s evolving standards, from the Radio Equipment Directive (RED) to the upcoming Cyber Resilience Act, while ensuring they stay one step ahead of tomorrow’s challenges.

SafeShark Director Alex Buchan said:“SafeShark’s mission is to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects our commitment not only to supporting customers with end-to-end compliance solutions, but also to contributing to a stronger, more resilient global IoT ecosystem. We look forward to collaborating with IoTSF and its members to raise standards, build confidence and deliver value to businesses and consumers alike.”

UK smart home market grows to £3.1bn, driven by home cinema and luxury demand

The UK’s professional smart home market has reached an estimated value of £3.1bn, marking a 7% increase from 2023, according to the latest Professional Smart Home Market Analysis from the industry association. Produced in partnership with Ancrage Consulting LLC, the report combines verified sales input from manufacturers and distributors with data from residential integrators and quoting platforms WeQuote and Specifi.

Growth in the sector is being led by strong consumer demand for home cinema, lighting and shading, and networking solutions. Meanwhile, interest in security systems and outdoor AV has seen a relative decline. The report also notes increased momentum in the luxury and uber-luxury segments, with 30% of respondents now focused on high-end clientele.

Service agreements are becoming a standard part of business models, with 80% of integrators offering them. Looking ahead, optimism remains high – half of all surveyed companies plan to recruit additional technical staff in the next year.

Matt Nimmons, EMEA Managing Director, said: “The report doesn’t just reflect the state of the market, it helps shape its future,” highlighting how the analysis gives members a clearer view of both opportunities and challenges.

Cyber Resilience Act - latest updates from the European Commission

Yesterday the EC Policy team gave an update on the Cyber Resilience Act (CRA) which is set to become the latest cyber security regulation to govern connected products. Points to note are:

New cyber security standards expected from standards bodies by Dec 2026
A centralised vulnerability reporting database will be developed by Enisa by Sept 2026 - in time for CRA reporting requirements
Classifications of "Important" and "Critical" products are to be defined in more detail by Dec 2025

In general the CRA is a new set of cybersecurity rules for placing of products on the EU - it will expand on RED requirements (coming into force Aug 1^st 2025) by massively increasing the range of products that fall into its scope - products with "Digital Elements" will include software products, apps, and remote data processing solutions as well as hardware. Another key element is that the CRA is centred around the premise that compliance is maintained throughout the product lifetime.

CRA will come into force in two stages which are:

Vulnerability reporting obligations: 11th September 2026
Essential requirements: 11th December 2027

To prepare for CRA - SafeShark is providing product testing against the EC mapping for current standards e.g. EN 303 645 and EN 18031, that can already provide a level of conformity for CRA - helping you get ahead of the legislation.

SafeShark also provides straightforward PSTI and RED compliance testing, that allows you to quickly prove your consumer electronic product is ready for UK or EU market access in order to meet the 1st Aug deadline. Get in touch to find out more from our experts.

SafeShark partners with CyberWhiz to expand compliance services across Europe

SafeShark, the UK’s leading cybersecurity compliance and assurance provider for connected devices, has announced a new partnership with CyberWhiz, a specialist IoT cybersecurity solutions provider and compliance consultancy, to expand its services in Europe. CyberWhiz will act as an official agent for SafeShark’s services in the EU supporting manufacturers in ensuring regulatory compliance and cybersecurity resilience in an increasingly complex global market.

The partnership enables even more manufacturers across Europe to access SafeShark’s industry-leading compliance solutions, including testing against EN18031 for the EU Radio Equipment Directive (RED) and UK PSTI regulations. With CyberWhiz’s deep local expertise and industry relationships, the collaboration will help businesses navigate evolving regulatory requirements while maintaining product security and market access.

SafeShark Director and DTG CTO Alex Buchan said: “This partnership with CyberWhiz is a key milestone in SafeShark’s mission to support manufacturers worldwide in meeting the highest cybersecurity and compliance standards. CyberWhiz’s extensive customer base in Europe’s major manufacturing hubs such as Turkey makes it essential that these businesses have access to robust, streamlined compliance solutions, and we are delighted to work with CyberWhiz to provide this support.”

CyberWhiz CEO Çağatay Büyüktopçu said: “We are delighted to launch this strategic partnership with SafeShark. Our goal is to support manufacturers across Europe, particularly in major production hubs like Turkey, in meeting increasingly complex cybersecurity regulations. By combining SafeShark’s comprehensive testing and certification processes with CyberWhiz’s holistic IoT Cyber Security expertise and regional leadership, we will provide manufacturers with a fast, cost-effective, and efficient compliance journey. This collaboration marks a significant step in our mission to ensure the highest standards of IoT security.”

SafeShark provides a unique end-to-end compliance service in partnership with a Notified Body, helping manufacturers achieve full assurance from initial assessment to certification. This latest expansion reinforces SafeShark’s commitment to enabling global compliance and security across the connected technology sector.

Download our comprehensive compliance guides or book a test here.

IoT cyber security standards finally approved (nearly)

The new EN 18031 set of standards which are needed to demonstrate conformity to the upcoming IoT cyber security laws in RED, have finally been cited (with restrictions) in the OJEU* meaning that they can go a long way to provide a presumption of conformity to the RED cyber security articles 3.3 d, e, and f once the product has been tested against them.

This comes after months of discussions between the EC and standards body CEN/CENELEC whose industry working groups (which includes SafeShark), created the standards.

However, not all the comments that the EC raised as concerns regarding the EN 18031 standards could be resolved during the discussions which means the standards have some restrictions and cannot fully be taken as providing conformity depending on the product.

These restrictions relate to categories such as password strengths, parental or guardian access controls, and in the case of 18031-3 for products that support financial transactions, assessment criteria of secure updates. The full details of the implementation decision can be read here.

As such, a Notified Body will be required to sign off any elements of the product test results that relate to the restrictions, which in the case of 18031-3 will be likely mean all products.

For 18031-1 and 18031-2 it will be required to check whether the restrictions apply to the product under test and therefore whether a Notified Body assessment will be required.

SafeShark can test all the EN 18031 standards at our Central London test lab and works with Notified Body KL Certification to provide you with clear and accurate guidance as to whether Notified Body certification is required.

Due to our unique automated cyber security test platform, templates for completing pre-test information, example documents for a typical IoT device, and detailed knowledge of the standards, our test service is fast, efficient, and cost effective.

Book your product in for testing today and ensure you're ready for RED cyber security which comes into effect on the 1^st Aug 2025

*The OJEU is the Official Journal of the EU which is essentially an index of standards that can be tested against to demonstrate conformity to the various articles of RED which cover criteria such as health and safety, EMC, RF and spectrum, and from 1^st Aug 2025 - cyber security

Calling all manufacturers – EU connected device consultation

Further to the political agreement reached by the co-legislators on the Cyber Resilience Act (CRA), and pending its formal adoption and entry into force, the European Commission is currently taking preparatory steps for the CRA implementation. This includes initial informal consultations and a series of virtual events for manufacturers.

This is without prejudice to the formal consultation that will take place later in the process. These informal exchanges would, in particular, focus to identify any specificities regarding certain product category that should be addressed by the definition to provide manufacturers with legal certainty allowing them to understand whether the products they place on the market fall into the categories set out in Annex III and Annex IV of the CRA.

More information, timings and registration here.