When going through the marketing strategy for Nemko’s cyber department in 2022, our internal assessment was that we should try to keep our marketing and communication as clinical and technically focused as possible – remaining the reliable and sober source of technical and regulatory information for the industry that we have been for 90 years, resisting in particular the temptation to engage in marketing and sales by fear.
By marketing and sales by fear, we mean focusing on financial and other unpleasant consequences of non-compliance: not only denial of market access, but also uninsured fines, penalties and other sanctions from surveillance authorities, as well as civil liabilities for losses or damages that could have been prevented had due regard been paid to cyber security vulnerabilities. Often, these are vulnerabilities that, on the one hand, would cost a diligent manufacturer of IoT devices next to nothing to fix, but which, on the other hand, could result in severe problems for individual users and communities.
The headline above is an exception to the direction we decided to take in 2022. Maybe 50% is exaggerated. However, there are grounds to believe that a significant portion of manufacturers will struggle to meet the deadline. The reason is that we see many manufacturers world-wide moving late towards more cyber secure products in general, and towards compliance with the Radio Equipment Directive in particular.
Some manufacturers seem to have decided to wait for the finalization and harmonization of the most relevant standard, referred to as EN 18031.
Even with publication by CENELEC in August 2024, the harmonization by the EU will most probably take some additional months.
Nemko has followed the drafting process closely. The standard reflects global trends within the cyber security field, and there is in Nemko’s view no reason to expect major changes in the standard during the harmonization process.
In light of this, and also as the window between the harmonization of the standard and the compliance deadline is so narrow, maybe as little as 6 months, it is Nemko’s strong recommendation to start to move immediately. If not ...
For manufacturers with a small number of products, this tight timeline may be manageable. However, for those with extensive product lines who have not yet begun the process, meeting the deadline for all their products is nearly impossible. This would require extensive, coordinated efforts. Ultimately, manufacturers may have to prioritize what products they want to keep on the market in Europe.
Nemko has been working with cybersecurity for years, and is today a seasoned test house, international certification body as well as an EU Notified Body. Based on our experience, not only from product compliance but also from how manufacturers organize their compliance function and what we see in the market, we estimate that up to 50% of manufacturers have products that will not meet the August 2025 deadline.
A failure to comply means the connected products concerned will be barred from the European market. Placing them on the market without doing and documenting what is required will be illegal.
In an ideal world, it would also be prudent to investigate whether there are existing or upcoming requirements in other geographies that you may need to demonstrate compliance with. This could reduce the total amount of work and reduce total cost.
The clock is ticking for manufacturers of wireless products to meet the new EU cybersecurity requirements. Delayed action increases the risk of being excluded from the key European market.
This is a wake-up call for all levels in your organization: Act now to ensure your products comply with the RED cybersecurity requirements by 1st August 2025. The time for preparation is rapidly closing.
Proactive measures today will secure your market position tomorrow.
If you would like to discuss the way forward with Nemko, please contact our cyber security manager at geir.horthe@nemko.com.