UK leads global charge on connected device security

The UK has cemented its role as a global leader in connected device security, with new agreements announced during Singapore International Cyber Week set to align international standards and boost consumer protection.

Under a major deal between the UK and Singapore, devices meeting Singapore’s cybersecurity standards will now be recognised under the UK’s Product Security and Telecommunications Infrastructure (PSTI) regime – the world’s first legislation to introduce minimum cyber requirements for consumer devices.

The PSTI regime, built on the ETSI EN 303 645 standard, mandates key protections such as banning default passwords and ensuring transparency over software update support. This alignment will simplify compliance, reduce costs, and accelerate the rollout of secure products globally.

The announcement forms part of a wider Global Cyber Security Labelling Initiative launched by a coalition of countries including the UK, Singapore, Australia, Germany, Finland, Japan, and South Korea. The initiative aims to harmonise standards across markets, delivering safer devices to consumers and a clearer compliance framework for manufacturers.

Cyber Security Minister Liz Lloyd CBE said the initiative will provide “safer products for people, clearer rules for business and less duplication across borders.”

Domestically, the UK is also embedding cybersecurity more deeply into business governance through the Good Business Charter, which now includes cyber resilience as a key accreditation criterion. The forthcoming Cyber Security and Resilience Bill will further strengthen protections for essential and digital services, reinforcing the UK’s leadership in the global cybersecurity landscape.

As more nations adopt the UK’s approach, the PSTI framework – and the EN 303 645 standard that underpins it – continues to set the global benchmark for smart device security, supporting innovation while protecting consumers.

For more on compliance with this, The Radio Equipment Directive and the upcoming Cyber Resilience Act in the EU get in touch today.

CRA in brief – what you need to know

The EU’s Cyber Resilience Act (CRA) is here, setting out tough new cybersecurity requirements for products with digital elements (PwDEs). While obligations are phased, preparation is vital. Here are the three big takeaways manufacturers need to know straight away:

CRA is live but phased. The Act entered into force in December 2024. Vulnerability reporting starts in September 2026, with full compliance and CE marking required from December 2027.
Scope goes beyond RED. Unlike the Radio Equipment Directive (RED), which covers radio-connected products, the CRA applies to all PwDEs, including hardware, software, apps, cloud services, and lifecycle processes.
Preparation is essential. Compliance demands risk assessments, testing, and a vulnerability management process (including an SBOM). Starting now will help manufacturers avoid costly disruption later.

What is the CRA?

The CRA is EU legislation designed to strengthen the resilience of digital products. It sets essential cybersecurity requirements for any product with digital elements placed on the EU market.

Who does it apply to?

Manufacturers, importers, and distributors of products with digital elements, from connected devices and operating systems to apps, software libraries, and cloud services, all fall within scope.

How is it different from the Radio Equipment Directive (RED)?

The RED Delegated Act introduces cybersecurity requirements for radio products with wireless technologies such as Wi-Fi and Bluetooth. From 1 August 2025, these products must be tested against EN 18031 standards.

The CRA goes further. It applies to all PwDEs and extends compliance obligations to include associated software and processes. Manufacturers must demonstrate how they assess and mitigate risks across a product’s entire lifecycle and how they handle vulnerabilities.

When does it come into force?

September 2026 – Vulnerability reporting obligations begin, including notifying ENISA of actively exploited vulnerabilities.
December 2027 – Full compliance takes effect, including CE marking and conformity assessments.

What does compliance involve?

Organisations will need to:

Implement risk assessments covering planning, design, development, production, and maintenance.
Test products against essential requirements, such as access controls and authentication mechanisms.
Create a vulnerability management process, including reporting and maintaining a software bill of materials (SBOM).

European Standards Bodies (CEN/CENELEC and ETSI) are developing supporting standards to help demonstrate compliance. Products meeting requirements can then be CE marked and backed up with technical files including test reports and declarations of conformity.

How SafeShark can help

SafeShark supports companies preparing for CRA compliance through pre-assessments mapped to ENISA’s requirements. We are directly involved in the standards process, so we can provide the latest insights on how requirements are evolving.

Until CRA deadlines apply, manufacturers must still comply with RED. From 1 August 2025, connected radio products entering the EU market must be tested against EN 18031 standards. SafeShark offers straightforward EN 18031 compliance testing at our dedicated cybersecurity lab in central London, helping ensure your products are ready for market.

SafeShark joins the IoT Security Foundation

SafeShark is proud to announce that it has joined the IoT Security Foundation (IoTSF), the international not-for-profit organisation dedicated to driving security excellence in the Internet of Things (IoT).

SafeShark’s mission has always been clear: empowering connected device manufacturers to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects this commitment and underlines the company’s role in:

making cybersecurity compliance accessible, not intimidating
helping manufacturers navigate complex cyber standards with clarity and confidence
influencing future regulation and procurement requirements
contributing to a secure IoT ecosystem

At SafeShark, compliance is made simple through practical, agile, end-to-end solutions. Using automation and a unique testing platform, SafeShark supports manufacturers and service providers to meet today’s evolving standards, from the Radio Equipment Directive (RED) to the upcoming Cyber Resilience Act, while ensuring they stay one step ahead of tomorrow’s challenges.

SafeShark Director Alex Buchan said:“SafeShark’s mission is to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects our commitment not only to supporting customers with end-to-end compliance solutions, but also to contributing to a stronger, more resilient global IoT ecosystem. We look forward to collaborating with IoTSF and its members to raise standards, build confidence and deliver value to businesses and consumers alike.”

IoT cyber security standards finally approved (nearly)

The new EN 18031 set of standards which are needed to demonstrate conformity to the upcoming IoT cyber security laws in RED, have finally been cited (with restrictions) in the OJEU* meaning that they can go a long way to provide a presumption of conformity to the RED cyber security articles 3.3 d, e, and f once the product has been tested against them.

This comes after months of discussions between the EC and standards body CEN/CENELEC whose industry working groups (which includes SafeShark), created the standards.

However, not all the comments that the EC raised as concerns regarding the EN 18031 standards could be resolved during the discussions which means the standards have some restrictions and cannot fully be taken as providing conformity depending on the product.

These restrictions relate to categories such as password strengths, parental or guardian access controls, and in the case of 18031-3 for products that support financial transactions, assessment criteria of secure updates. The full details of the implementation decision can be read here.

As such, a Notified Body will be required to sign off any elements of the product test results that relate to the restrictions, which in the case of 18031-3 will be likely mean all products.

For 18031-1 and 18031-2 it will be required to check whether the restrictions apply to the product under test and therefore whether a Notified Body assessment will be required.

SafeShark can test all the EN 18031 standards at our Central London test lab and works with Notified Body KL Certification to provide you with clear and accurate guidance as to whether Notified Body certification is required.

Due to our unique automated cyber security test platform, templates for completing pre-test information, example documents for a typical IoT device, and detailed knowledge of the standards, our test service is fast, efficient, and cost effective.

Book your product in for testing today and ensure you're ready for RED cyber security which comes into effect on the 1^st Aug 2025

*The OJEU is the Official Journal of the EU which is essentially an index of standards that can be tested against to demonstrate conformity to the various articles of RED which cover criteria such as health and safety, EMC, RF and spectrum, and from 1^st Aug 2025 - cyber security

SafeShark Exposes Alarming Non-compliance Rates in Connected Consumer Devices

Following this week’s conformance deadline (April 29^th), SafeShark, the leading authority in connected product testing, has conducted analysis of more than 100 connected consumer devices currently on the market. The results show that a staggering three-quarters of these devices are still not compliant with the legal requirements set out in the Product Security and Telecoms Infrastructure Act.

SafeShark's testing revealed the concerning statistic that 92 of the 124 products (74%) we have checked in the past 24 hours fail to meet the necessary requirements. Plus,

Only 41% of the manufacturer websites had information about their vulnerability disclosure process - which is a mandatory provision in the legislation;
Only one quarter of product websites had the PSTI standard security support date mentioned for the product. Interestingly, 10% of products had PSTI information but did not quote the security support period as specified by the Act.

The findings underscore the urgent need for manufacturers, retailers, and distributors to prioritise compliance to ensure consumer safety and satisfaction.

Non-compliance carries potentially severe penalties, including withdrawal from UK market access and fines of £10m or 4% of global turnover, whichever is higher. That’s before any legal repercussions or damage to brand reputation. As consumers increasingly rely on connected devices in their daily lives, it is imperative for businesses to uphold the standards of quality and safety set out in the legislation as a minimum.

Commenting on the results, SafeShark Director Alex Buchan said: "The level of non-compliance we've uncovered is deeply concerning. It's clear that many manufacturers are falling short in meeting the essential requirements for connected consumer devices. The legislation provides businesses with explicit guidance on what compliance entails, and the OPSS can enforce stringent penalties against companies that fail to adhere to these regulations. We urge all stakeholders in the industry to take immediate action to address these issues."

SafeShark stands ready to assist manufacturers, retailers, and distributors in navigating the complexities of compliance and ensuring their products meet the necessary standards. By partnering with SafeShark, businesses can streamline their compliance journey and safeguard their reputation in the marketplace.

For more information on SafeShark's testing services and how we can help your business achieve compliance please contact our team directly.

UPDATED! UK and EU Cyber Security Legislation for Connected Devices

UPDATED: Our exclusive walkthrough of connected device legislation, which affects all connected products on the UK and EU markets, has been updated ahead of the April 29^th deadline.

Get your copy now which:

Adds more guidance about the products (and businesses) in scope
Includes new detailed information for retailers, distributors and installers about the requirements on them
Expands the section about the Statement of Compliance and the specific conditions that need to be met
Updates key compliance dates for both UK and EU
Provides new information about how to make sure you are covered (or certified that you don’t need to be) by the April 29^th deadline.

From the requirements on all parts of the chain, to the criteria and standards you need to meet, we break down the issues in simple, straightforward language and outline the actions and solutions you need to put in place today.

Get it here

Beko selects SafeShark as ‘clear choice’ for compliance partner

Beko is the latest brand to demonstrate its connected device compliance using SafeShark’s proprietary PSTI testing – the quick, simple way to prove products are in line with legislation before the April 29^th conformance deadline.

“Working with SafeShark has been a great experience for us at Beko,” said Arcelik Head of IoT Security Çağatay Büyüktopçu. “As pioneers in IoT Cyber Security, ensuring compliance with PSTI is paramount for our business. SafeShark's dedication to device security aligns perfectly with our values, and their 'as-a-service' model provides us with the peace of mind for ongoing and continuous compliance.”

“From the outset, their agility and enthusiasm for IoT security stood out, making them the clear choice for our strategic partnership. SafeShark's fast response times, flexibility, and excellent communication have made them a trusted ally in securing our IoT products in line with the new legislation. We wholeheartedly recommend SafeShark to any organisation seeking a reliable and efficient compliance partner for connected devices.”

Manufacturers, distributors and retailers now have less than two months to ensure all connected consumer devices they sell meet the new legislative requirements. From April 29^th this year they risk fines of up to £10m or 4% of global turnover (whichever is larger) and losing access to the UK market.

SafeShark’s quick, simple testing service ensures that won’t happen, issuing the government-mandated Statement of Compliance that must stay with the product throughout every stage of the distribution chain. Plus, thanks to our ongoing monitoring service, we can ensure that compliance throughout the lifetime of the product.

Beko is just one of the international brands passing their compliance burden to us to take care of, including the likes of LG, Philips, Lutron, Panasonic and many more.

Get in touch today and talk to one of our experts who can help determine if you’re in scope and what your next steps need to be.

Connected devices MUST comply from April 29th

On April 29^th 2024, the UK will make history as the first country in the world to introduce ground-breaking protections for consumers using connectable devices, from smart phones and games consoles to smart doorbells, connected appliances and home systems.  

The regulatory regime, introduced through the Product Security and Telecommunications Infrastructure Act (PSTI) 2022 and the PSTI Regulations 2023, will position the UK as the global pioneer in enforcing new minimum cyber security standards, signalling a substantial leap forward in consumer protection.

The Act and Regulations introduce a raft of new, common-sense protections like eliminating universal and easily guessable default passwords, providing a way to report issues to the manufacturers and ensuring manufacturers are transparent about how long a product will receive security updates.  Manufacturers, retailers and importers of smart devices must now ensure they comply with the law and all products must carry a ‘Statement of Compliance’ at all stages of the supply chain.

Unsure if your company or your products are in scope? Need help from the experts to guarantee your compliance and continued access to the UK market? Want to avoid a £10m penalty (or 4% of global turnover whichever is greater) if you aren’t compliant after April 29^th? Get in touch today and we can help immediately with a free call with one of our dedicated experts.

New draft RED standards through the first review phase

SafeShark has been taking part in the latest standards development work in CEN/CENELEC, preparing for the introduction of the RED cyber security requirements in Aug 2025.

Three new standards have been developed EN 18031-1, -2, -3 which cover:

Part 1 common security requirements for internet connected radio equipment;
Part 2 internet connected radio equipment that processes personal, traffic, or location data, as well as products for childcare, toys, and wearables; and
Part 3 internet connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency.

The first review involved national administrations e.g. BSI in the UK, reviewing the drafts and submitting comments. The comments are now being triaged and responded to before a second round of review.

Through our involvement in the work SafeShark is ensuring that its customers will have plenty of notice as to how they can prepare for the RED requirements.

Recording: DSIT and OPSS enforcement update

In this SafeShark webinar with the Department for Science, Innovation and Technology (DSIT), and the Office for Product Safety & Standards (OPSS) - the enforcement authority responsible for ensuring compliance with the PSTI regulations on behalf of DSIT - we asked those responsible for shaping the legislation, driving device safety and enforcing compliance to answer your questions.

Watch the recording of this insightful and lively session below.

The government-mandated deadline for compliance is April 29th 2024, with potential enforcement action including fines for those that fail to act set at £10million or 4% of global turnover – whichever is greater.

So, if you manufacture a consumer device that connects to the internet, or to other devices that connect to the internet (both wired and wireless), you need to act now. And SafeShark is here to help.