New draft RED standards through the first review phase

SafeShark has been taking part in the latest standards development work in CEN/CENELEC, preparing for the introduction of the RED cyber security requirements in Aug 2025.

Three new standards have been developed EN 18031-1, -2, -3 which cover:

Part 1 common security requirements for internet connected radio equipment;
Part 2 internet connected radio equipment that processes personal, traffic, or location data, as well as products for childcare, toys, and wearables; and
Part 3 internet connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency.

The first review involved national administrations e.g. BSI in the UK, reviewing the drafts and submitting comments. The comments are now being triaged and responded to before a second round of review.

Through our involvement in the work SafeShark is ensuring that its customers will have plenty of notice as to how they can prepare for the RED requirements.

Recording: DSIT and OPSS enforcement update

In this SafeShark webinar with the Department for Science, Innovation and Technology (DSIT), and the Office for Product Safety & Standards (OPSS) - the enforcement authority responsible for ensuring compliance with the PSTI regulations on behalf of DSIT - we asked those responsible for shaping the legislation, driving device safety and enforcing compliance to answer your questions.

Watch the recording of this insightful and lively session below.

The government-mandated deadline for compliance is April 29th 2024, with potential enforcement action including fines for those that fail to act set at £10million or 4% of global turnover – whichever is greater.

So, if you manufacture a consumer device that connects to the internet, or to other devices that connect to the internet (both wired and wireless), you need to act now. And SafeShark is here to help.

‘Smart’ is a major driver for those looking to move

A survey, carried out by Samsung, of 1,000 adults looking to move home in the next five years, combined with Google search trends analysis between March 2022 and March 2023, has shown that Smart is a key criteria for those looking for their next home.

A third of respondents would be much more likely to buy or rent a smart home (and pay up to 6.5% more for one) with a further third saying they would look to retrofit smart technology afterwards. A huge 86% said that ‘smart’ would be a consideration when selecting their next property.

The boom in demand and proliferation of devices and systems is, in part, what has driven the introduction of the Product Security and Telecommunications Bill by UK Government.

The legislation affects every single connectable device on the UK market and the deadline for compliance has now been confirmed as April 29th 2024.

Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service provides an efficient and trusted one-stop route to compliance for both the UK and EU markets.

We have worked with NCSC and UK Government since the outset of the Secure By Design initiative and throughout the legislative process, are active in standards bodies writing the requirements that underpins the legislation – ETSI EN 303 645 and trusted by major brands such as LG who have certified their TV platforms via SafeShark.

To find out more and start your compliance get in touch today.

Compliance deadline announced

Following the introduction of the Product Security and Telecommunications Bill last December, the UK Government has now set a date for when new cyber security regulations will apply to connectable products.

Businesses involved in the supply chains of connectable will need to be compliant with the new regime from the 29th April 2024. Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service backed by the British Standards Institute (BSI) provides a complete one-stop route to compliance for both the UK and EU markets.

SafeShark has been working with NCSC and UK Government since the outset of the Secure By Design initiative and is also active in standards bodies writing the requirements that underpins the legislation – ETSI EN 303 645.

We are trusted by major brands such as LG who have certified their TV platforms via SafeShark. To find out more and start your compliance get in touch today.

Full details on the UK requirements can be read here.

Three quarters of connected device manufacturers will be non-compliant

New research published today shows that the majority (73%) of IoT and connected device manufacturers would not be compliant with the imminent requirements of the Product Security and Telecoms Infrastructure bill. In fact, only just over one in four can rest easy knowing they will meet the initial bar. Read more here and get in touch if you want to move from non-compliant to competitive edge…

UPDATE: Draft EU rules target smart devices with cybersecurity risks

Smart devices connected to the internet such as fridges and TVs will have to comply with tough European Union cybersecurity rules or risk being fined or banned from the bloc. The EU executive announced its proposal, known as the Cyber Resilience Act, today (September 15). It is likely to become law following input from EU countries.

The announcement said:

The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.

Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.

Such products suffer from two major problems adding costs for users and the society:

a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and
an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.

Two main objectives were identified aiming to ensure the proper functioning of the internal market:

create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Four specific objectives were set out:

ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
enhance the transparency of security properties of products with digital elements, and
enable businesses and consumers to use products with digital elements securely.

More information and downloads available here.