- Services
- Industries
- Automotive
- Battery
- Building inspection
- Fire alarms system testing
- Household appliances
- Installation materials
- Industrial machinery
- IT & audio video
- Laboratory, test & measurement
- Lighting equipment
- Maritime, oil & gas
- Medical & healthcare equipment
- Military & aerospace product testing
- Wireless & telecom
- Resources
- About
- Blog
- Events
August 8, 2024
50% of manufacturers hit by ban from EU/EEA market on 1 Aug 2025?
Written by: Kristian S Myrbakk
When going through the marketing strategy for Nemko’s cyber department in 2022, our internal assessment was that we should try to keep our marketing and communication as clinical and technically focused as possible – remaining the reliable and sober source of technical and regulatory information for the industry that we have been for 90 years, resisting in particular the temptation to engage in marketing and sales by fear.
With marketing and sales by fear, we mean focusing on financial and other unpleasant consequences of non-compliance, not only denial of market access, but also uninsured fines, penalties and other sanctions from surveillance authorities as well as civil liabilities for losses or damages that could have been prevented, had due regard been paid to cyber security vulnerabilities. Often, these are vulnerabilities that on the one side it would cost next to nothing to fix for a diligent manufacturer of IoT devices, but which on the other side could result in severe problems for individual users and communities.
The headline above is an exception from the direction we decided to take in 2022. Maybe 50% is exaggerated. However there are grounds to believe that a significant portion of manufacturers will struggle to meet the deadline. The reason is that we see that many manufacturers world-wide are late in moving in the direction of more cyber secure products in general, and in the direction of compliance with the Radio Equipment Directive in particular.
Waiting for the harmonized standard – or?
Some manufacturers seem to have decided to wait for the finalization and harmonization of the most relevant standard, referred to as EN 18031.
Even when published by CENELEC in August 2024, the harmonization by the EU will most probably take some additional months.
Nemko has followed the drafting process closely. The standard reflects global trends within the cyber security field, and there is in Nemko’s view no reason to expect major changes in the standard during the harmonization process.
In light of this, and also as the window between the harmonization of the standard and the compliance deadline is so narrow, maybe as little as 6 months, it is Nemko’s strong recommendation to start to move immediately. If not ...
For manufacturers with a small number of products, this tight timeline may be manageable. However, for those with extensive product lines who have not yet begun the process, meeting the deadline for all their products is nearly impossible. This would require extensive, coordinated efforts. Ultimately, manufacturers may have to prioritize what products they want to keep on the market in Europe.
The Consequences of inaction
Nemko has been working with cybersecurity for years, and is today a seasoned test house, international certification body as well as an EU Notified Body. Based on our experience, not only from product compliance but also from how manufacturers organize their compliance function and what we see in the market, we estimate that up to 50% of manufacturers have products that will not meet the August 2025 deadline.
A failure to comply means the connected products concerned will be barred from the European market. Placing them on the market without doing and documenting what is required, will be illegal.
Steps to take now
- Take a deep breath: Remember that all changes are not necessarily very complex or demand many resources.
- Make a plan and allocate resources: Dedicate sufficient resources, including budget and personnel, to manage the compliance process effectively. Failure to succeed will most likely carry a significantly higher cost, both in the immediate, medium and long term.
- Initiate compliance testing: Start to evaluate your products as soon as possible. Early testing can identify compliance gaps and provide time for necessary modifications.
- Engage with providers of market access support: Work closely with experienced partners, i.e. test, certification and other market access support bodies to ensure competent progress.
- Stay Informed: Keep updated regarding the harmonization of EN 18031 to ensure timely compliance and update your technical documentation and Declaration of Conformity correspondingly.
In an ideal world, it would also be prudent to investigate whether there are existing or upcoming requirements in other geographies that you may need to demonstrate compliance to. This could reduce the total amount of work and reduce total cost.
Conclusion
The clock is ticking for manufacturers of wireless products to meet the new EU cybersecurity requirements. Delayed action increases the risk of being excluded from the key European market.
This is a wake-up call for all levels in your organization: Act now to ensure your products comply with the RED cybersecurity requirements by 1st August 2025. The time for preparation is rapidly closing.
Proactive measures today will secure your market position tomorrow.
If you would like to discuss the way forward with Nemko, please contact our cyber security manager geir.horthe@nemko.com.
Kristian S Myrbakk
Kristian Syverstad Myrbakk came from the position as Group Legal Counsel in DNV GL Group, and joined Nemko in February 2020. He has broad experience from most fields of activity in a TIC company. This includes quality case handling, establishment and maintenance of quality systems, NoBo governance and services,...