CRA in brief – what you need to know

The EU’s Cyber Resilience Act (CRA) is here, setting out tough new cybersecurity requirements for products with digital elements (PwDEs). While obligations are phased, preparation is vital. Here are the three big takeaways manufacturers need to know straight away:

What is the CRA?

The CRA is EU legislation designed to strengthen the resilience of digital products. It sets essential cybersecurity requirements for any product with digital elements placed on the EU market.

Who does it apply to?

Manufacturers, importers, and distributors of products with digital elements, from connected devices and operating systems to apps, software libraries, and cloud services, all fall within scope.

How is it different from the Radio Equipment Directive (RED)?

The RED Delegated Act introduces cybersecurity requirements for radio products with wireless technologies such as Wi-Fi and Bluetooth. From 1 August 2025, these products must be tested against EN 18031 standards.

The CRA goes further. It applies to all PwDEs and extends compliance obligations to include associated software and processes. Manufacturers must demonstrate how they assess and mitigate risks across a product’s entire lifecycle and how they handle vulnerabilities.

When does it come into force?

What does compliance involve?

Organisations will need to:

  1. Implement risk assessments covering planning, design, development, production, and maintenance.
  2. Test products against essential requirements, such as access controls and authentication mechanisms.
  3. Create a vulnerability management process, including reporting and maintaining a software bill of materials (SBOM).

European Standards Bodies (CEN/CENELEC and ETSI) are developing supporting standards to help demonstrate compliance. Products meeting requirements can then be CE marked and backed up with technical files including test reports and declarations of conformity.

How SafeShark can help

SafeShark supports companies preparing for CRA compliance through pre-assessments mapped to ENISA’s requirements. We are directly involved in the standards process, so we can provide the latest insights on how requirements are evolving.

Until CRA deadlines apply, manufacturers must still comply with RED. From 1 August 2025, connected radio products entering the EU market must be tested against EN 18031 standards. SafeShark offers straightforward EN 18031 compliance testing at our dedicated cybersecurity lab in central London, helping ensure your products are ready for market.

SafeShark joins the IoT Security Foundation

SafeShark is proud to announce that it has joined the IoT Security Foundation (IoTSF), the international not-for-profit organisation dedicated to driving security excellence in the Internet of Things (IoT).

SafeShark’s mission has always been clear: empowering connected device manufacturers to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects this commitment and underlines the company’s role in:

At SafeShark, compliance is made simple through practical, agile, end-to-end solutions. Using automation and a unique testing platform, SafeShark supports manufacturers and service providers to meet today’s evolving standards, from the Radio Equipment Directive (RED) to the upcoming Cyber Resilience Act, while ensuring they stay one step ahead of tomorrow’s challenges.

SafeShark Director Alex Buchan said:“SafeShark’s mission is to help secure the Internet of Things and make it safe to connect. Joining IoTSF reflects our commitment not only to supporting customers with end-to-end compliance solutions, but also to contributing to a stronger, more resilient global IoT ecosystem. We look forward to collaborating with IoTSF and its members to raise standards, build confidence and deliver value to businesses and consumers alike.”

Cyber Resilience Act - latest updates from the European Commission 

Yesterday the EC Policy team gave an update on the Cyber Resilience Act (CRA) which is set to become the latest cyber security regulation to govern connected products. Points to note are:

In general the CRA is a new set of cybersecurity rules for placing of products on the EU - it will expand on RED requirements (coming into force Aug 1st 2025) by massively increasing the range of products that fall into its scope - products with "Digital Elements" will include software products, apps, and remote data processing solutions as well as hardware. Another key element is that the CRA is centred around the premise that compliance is maintained throughout the product lifetime.

CRA will come into force in two stages which are:

To prepare for CRA - SafeShark is providing product testing against the EC mapping for current standards e.g. EN 303 645 and EN 18031, that can already provide a level of conformity for CRA - helping you get ahead of the legislation.

SafeShark also provides straightforward PSTI and RED compliance testing, that allows you to quickly prove your consumer electronic product is ready for UK or EU market access in order to meet the 1st Aug deadline. Get in touch to find out more from our experts.

SafeShark partners with CyberWhiz to expand compliance services across Europe

SafeShark, the UK’s leading cybersecurity compliance and assurance provider for connected devices, has announced a new partnership with CyberWhiz, a specialist IoT cybersecurity solutions provider and compliance consultancy, to expand its services in Europe. CyberWhiz will act as an official agent for SafeShark’s services in the EU supporting manufacturers in ensuring regulatory compliance and cybersecurity resilience in an increasingly complex global market.

The partnership enables even more manufacturers across Europe to access SafeShark’s industry-leading compliance solutions, including testing against EN18031 for the EU Radio Equipment Directive (RED) and UK PSTI regulations. With CyberWhiz’s deep local expertise and industry relationships, the collaboration will help businesses navigate evolving regulatory requirements while maintaining product security and market access.

SafeShark Director and DTG CTO Alex Buchan said: “This partnership with CyberWhiz is a key milestone in SafeShark’s mission to support manufacturers worldwide in meeting the highest cybersecurity and compliance standards. CyberWhiz’s extensive customer base in Europe’s major manufacturing hubs such as Turkey makes it essential that these businesses have access to robust, streamlined compliance solutions, and we are delighted to work with CyberWhiz to provide this support.”

CyberWhiz CEO Çağatay Büyüktopçu said: “We are delighted to launch this strategic partnership with SafeShark. Our goal is to support manufacturers across Europe, particularly in major production hubs like Turkey, in meeting increasingly complex cybersecurity regulations. By combining SafeShark’s comprehensive testing and certification processes with CyberWhiz’s holistic IoT Cyber Security expertise and regional leadership, we will provide manufacturers with a fast, cost-effective, and efficient compliance journey. This collaboration marks a significant step in our mission to ensure the highest standards of IoT security.”

SafeShark provides a unique end-to-end compliance service in partnership with a Notified Body, helping manufacturers achieve full assurance from initial assessment to certification. This latest expansion reinforces SafeShark’s commitment to enabling global compliance and security across the connected technology sector.

Download our comprehensive compliance guides or book a test here.

UPDATED! UK and EU Cyber Security Legislation for Connected Devices

UPDATED: Our exclusive walkthrough of connected device legislation, which affects all connected products on the UK and EU markets, has been updated ahead of the April 29th deadline.

Get your copy now which:

From the requirements on all parts of the chain, to the criteria and standards you need to meet, we break down the issues in simple, straightforward language and outline the actions and solutions you need to put in place today.

Get it here

Oxford Professor warns government over smart speaker vulnerability

Oxford University Professor of Cybersecurity Sadie Creese has warned against the potential security threat from smart speakers while giving evidence to the Science, Technology and Innovation Select Committee.

She made particular reference, according to a piece in The Times to ‘senior leaders’ and the potential for threat actors to profile them and the way they live using vulnerabilities in the technology.

She told The Times: “… any devices that give away how you live — will make you more targetable. So I would advise people in those kinds of [senior leadership] positions, where they may well be targeted, against having these things in their environment. Just like I would advise against putting a camera in their living room. It just potentially gives an attacker more information about them that can be used to craft targeted attacks.”

The piece also highlights research that found 57% of connected devices were vulnerable to medium or high severity attacks.

SafeShark testing can allay these concerns by not only guaranteeing the cyber security compliance of connected devices with the new PSTI requirements, but because we test against the whole ETSI EN 303 645 specification (the harmonised international standard for cyber security of IoT devices), meaning manufacturers, retailers and their customers can have confidence in the security of their devices.

Get in touch to start your compliance journey with us today.

SafeShark selected for DSIT-funded cyber accelerator for second year running

SafeShark is delighted to have been selected for the DSIT-funded Cyber Runway scheme as part of the ‘Scale’ cohort of innovative cyber companies for 2024/25.

The largest cyber accelerator in the UK, Cyber Runway is part of the government’s £2.6bn National Cyber Strategy to protect and promote the UK online. The scheme is designed to address the biggest challenges facing cyber security by supporting the most promising innovators at various stages of growth. This includes an objective to strengthen the UK cyber security ecosystem and ensure we have a sustainable, innovative, and internationally competitive cyber and information security sector.

Having been selected as one of the ‘Grow’ cohort last year, it is a mark of SafeShark’s genuine innovation and standing in the market that it has again been selected as one of the most innovative SME’s operating in cyber security today – this year as part of the ‘Scale’ group.

SafeShark Director Alex Buchan said: “To have been selected for this fantastic scheme for a second time really is a badge of honour for SafeShark. It comes at a crucial time for us and for industry as the April 2024 compliance deadline races towards all manufacturers of connected devices.

“Being part of this scheme with other innovators in the cyber space ensures we are in the very best company with access to premium support, which in turn helps us support our customers. And it is a clear endorsement of SafeShark’s innovation, cyber credentials and credibility.”

Saj Huq, CCO and Head of Innovation at Plexal, commented: “We’re excited to welcome two cohorts to Cyber Runway’s Grow and Scale streams, helping some of the UK’s most promising young companies to develop their technologies, and in turn strengthen the UK’s digital economy and drive greater cyber resilience.”

In the UK the Product Security and Telecoms Infrastructure (PSTI) Bill is now law. All manufacturers of connected devices are legally obliged to comply with the new legislation by April 29th 2024.

SafeShark is the only PSTI and RED compliance specialist in the market. A joint venture between DTG Testing and Connect Devices and backed by BSI, we deliver UK and EU market access to consumer electronic devices through independent PSTI and RED compliance testing.

Our mission is clear: to grant swift and hassle-free access to UK and EU markets through our simple, trusted and continuous compliance testing.  Download our guide to cyber security compliance here.

Unprotected connected devices enabling abuse say MPs

MPs from the Culture, Media and Sport Committee have called on the government to tackle the use of connected home devices as abuse enablers.

The committee heard evidence that the ‘vast majority” of domestic abuse cases now feature a cyber element, with unprotected smart devices – such as cameras, smart speakers or baby monitors – being used by malicious actors to capture recordings of victims and to harass them.

It also identified children as particularly in need of protection, both from abuse and from having their data and personal information exploited.

It is why the Government introduced the Product Security and Telecommunications Bill, which requires all businesses involved in the supply chains of connectable products to be compliant with a new security regime from 29th April 2024. 

Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service backed by the British Standards Institute (BSI) is the only complete one-stop route to compliance for both the UK and EU markets and trusted my major international brands. To find out more and start your compliance get in touch today.

Book a call back:

‘Smart’ is a major driver for those looking to move

A survey, carried out by Samsung, of 1,000 adults looking to move home in the next five years, combined with Google search trends analysis between March 2022 and March 2023, has shown that Smart is a key criteria for those looking for their next home.

A third of respondents would be much more likely to buy or rent a smart home (and pay up to 6.5% more for one) with a further third saying they would look to retrofit smart technology afterwards. A huge 86% said that ‘smart’ would be a consideration when selecting their next property.

The boom in demand and proliferation of devices and systems is, in part, what has driven the introduction of the Product Security and Telecommunications Bill by UK Government.

The legislation affects every single connectable device on the UK market and the deadline for compliance has now been confirmed as April 29th 2024.

Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service provides an efficient and trusted one-stop route to compliance for both the UK and EU markets.

We have worked with NCSC and UK Government since the outset of the Secure By Design initiative and throughout the legislative process, are active in standards bodies writing the requirements that underpins the legislation – ETSI EN 303 645 and trusted by major brands such as LG who have certified their TV platforms via SafeShark.

To find out more and start your compliance get in touch today.

Compliance deadline announced

Following the introduction of the Product Security and Telecommunications Bill last December, the UK Government has now set a date for when new cyber security regulations will apply to connectable products.

Businesses involved in the supply chains of connectable will need to be compliant with the new regime from the 29th April 2024. Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service backed by the British Standards Institute (BSI) provides a complete one-stop route to compliance for both the UK and EU markets.

SafeShark has been working with NCSC and UK Government since the outset of the Secure By Design initiative and is also active in standards bodies writing the requirements that underpins the legislation – ETSI EN 303 645.

We are trusted by major brands such as LG who have certified their TV platforms via SafeShark. To find out more and start your compliance get in touch today.

Full details on the UK requirements can be read here.