Global Market Access: Nemko Group AS Testing Services

Cyber security and CE marking – the 10 most frequently asked questions

Written by Geir Hørthe | May 20, 2022

Last updated: August 2023

Since 1 February 2022, cyber security has been included in the Radio Equipment Directive (RED) and will thus become a requirement for CE marked products with wireless functionality.

The requirements will be mandatory from 1 August 2024*, and have three main areas of focus:

*The date has been postponed by 12 months, so the new date on which the requirements become mandatory is 1 August 2025.

  1. Protection of use of network

  2. Protection of privacy

  3. Protection against fraud

The terms used in the RED are very general, so since the announcement we have received numerous inquiries from customers on the topic. Below we have listed the answers to the 10 most common questions we have received:

1. Which cyber security standard(s) will be required?

This is not defined yet, but ETSI/EN 303 645 is expected to be close to it, so that standard is recommended for pre-compliance.

2. When will the cyber security standard(s) be published?
ETSI expects this to be late 2023.

3. Will the requirements only apply to new products?
No, all products being sold after 1 August 2024 will need to comply.

4. How is this valid for Industrial Internet of Things (IoT)?
The requirements cover the scope of RED and currently there are no expressed exceptions for Industrial Internet of Things. The IEC 62443 standard may, however, be more relevant than the ETSI standard, depending on the product.

5. Since there is no harmonized standard yet, will compliance not be required until such standard is available?
On 1 August 2024 compliance becomes mandatory, and by that date a standard will have been published. However, it is unclear how far in advance of this date the standard will be published, and manufacturers may therefore be given a very short timeline to comply with the new standard. This is the reason we recommend that measures are taken now, in advance of the final standard being published.

6. Are there any national deviations within the EU?
No, but there may be other requirements outside of the EU.

7. Do I need a Notified Body to obtain CE marking or is it possible to make a self-declaration?

For the Radio Equipment Directive (RED), self-declaration can be used as long as reference is made to harmonised standards. This remains the case after the cyber security requirements are introduced.

8. Is this limited to radio/wireless equipment?
Yes.

9. When should we start?
Nemko’s recommendation is to start now! All products sold after 1 August 2024 will need to comply with the cyber security requirements, so waiting for a standard that is not expected to be launched until late 2023 is waiting too long. The reason for this is that products designed and put in production prior to the standards being published will still be on the market on 1 August 2024, and retrofitting a product to meet new requirements will often be practically impossible.

10. How should we start?
We recommend you start by:

  • Evaluating your current product against the currently available standard (ETSI/EN 303 645).

  • Identifying the areas where improvements are necessary.

  • Deciding whether to make the current product compliant, or to take the list of improvements into the design of the next product, ensuring compliance for that product.

Nemko can help.
Nemko offers a range of related services that can help you in determining whether your product is in compliance with the new cyber security requirements. We have helped customers with everything from workshops and gap-analysis (using the ETSI/EN 303 645 standard) to full certification programs, vulnerability scans and penetration testing. We are a notified body to the Radio Equipment Directive, including the cyber security articles, and will therefore be able to help you in determining whether your product is compliant with the RED.

For a more detailed discussion on how we can help you, please contact us and we will get back to you.

For more information on cyber security in CE marking and the ETSI/EN 303 645 standard, see our two on-demand webinars from earlier this year, where we go into detail on the cyber security articles within RED and the ETSI/EN 303 645 standard.