    Webinar: Cyber security in CE-marking

    Q&A

    1. Will the requirements only apply to new products placed on the market after the deadline or will all products need to comply from the deadline?
    All products being sold after the date will need to comply.

    2. When an equipment communicates with the manufacturer's cloud over a VPN - does that mean, that it communicates itself over the internet, and, as a consequence, that Art.3(3)d applies to such a product?
    Article 3.3 d), e) and f) all apply for products connected directly or indirectly to the internet

    3. What if my product is already certified upon the ETSI/EN 303 645 norm and the new cybersecurity standard is launched? Do we have to re-certify the "delta" (only adapting the new points)?
    There are no mandatory requirements for certification, but in order to maintain an existing certification only the “delta” would need to be re-examined.

    4. How is this valid for Industrial IoT?
    The requirements cover the scope of RED and currently there are no expressed exception for Industrial IoT. The IEC 62443 standard may however be more relevant than ETSI, depending on the product

    5. Is the standard applied more for wireless hardware/firmware part or also on the cloud and application part? Or the whole system hw/fw/app/cloud gets under the certification?
    This is not 100% specified, but this needs to be extended wide enough to ensure the requirements of the standard are covered, e.g., safe storage of personal information etc.

    6. We have a product certified to IEC 62443 Part 4-2. Have you done any comparison between that and ETSI 303 645?
    We have not done a comparison between the standards. They have similarities but the ETSI standards will e.g. focus more on the user. It is a good input to do such a comparison – thank you.

    7. So, level 1 is not included in the network security?
    The EU Cyber Security Act level 1 (Basic) is not included in the published EUCC (if I understood the question correctly).

    8. Is this new standard also relevant for industrial automation devices?
    Industrial equipment is not excluded – but may often not be relevant for the clauses. Also, IEC 62443 will be a more suitable standard for most industrial products / systems

    9. Is there a specified date in 2024?
    1 August 2024

    10. Is it the same standard for Machinery?
    IEC 62443 will be a more suitable standard for most industrial products / systems

    11. Is it a recommendation or is it mandatory to be compliant with the standard after 2024 for IOT devices in scope?
    Mandatory (the standard is still to be defined).

    12. Are industrial products in the scope?
    Industrial equipment is not excluded – but may often not be relevant for the clauses. Also, IEC 62443 will be a more suitable standard for most industrial products / systems

    13. Is a USB stick with a 4G modem function with SIM card that is sold as an option with a device from my company to be in contact with this device in the scope of RED?
    Yes, everything with a radio is in the scope of RED unless specifically excluded.

    14. If our product includes a PC with wireless. Is our product in scope?
    Yes

    15. If I am certified on RTTE with a notified body and I did not change anything to the product for the radio part since, do I need to re-test with a notified body for the RED 2014/53/EU? Or is the conformity assessment OK to consider the EU mark? This applies to all except the article 3.3.
    If the standards you have used are the ones listed in RED you should be good.

    16. I suppose that NFC chips are out of scope for Article 3.3 of RED 2014/53/EU. How about Bluetooth modules? If yes, does the ETSI/EN 303 645 standard apply?
    A chip or a module to be incorporated into a final product is not relevant for 3.3

    17. I could not find any finalized version of the delegated act on EURlex, only a draft from 29 October 2021, still lacking a document number. Where is the final version accessible?
    COMMISSION DELEGATED REGULATION (EU) 2022/30 of 29 October 2021

    18. How to properly identify if a RED product has to comply with the cyber security update?
    You would need to evaluate if the functionalities of the product are relevant to d), e) and/or f) of article 3.3.

    19. How long will the certificate be valid? How to control the validity?
    A Nemko cyber security certificate will be valid as long as the standard is valid and as long as annual quality assurance audits are completed

    20. Hello, as there is yet no harmonized standard, I assume that it is sufficient to update EU declaration after a harmonized standard is available - right?
    Yes, that is most likely correct. This may however be a very short time to comply with the standards unless measures are taken in advance of the final standards being published.

    21. Are the new CE/RED requirements required as well or have an impact for an IoT device, which uses an external and certified radio device? I.e., using an externally installed cellular gateway (compliant with RED) connected via the Ethernet cable/RJ45 interface.
    Yes, it is relevant unless the product is cabled only.

    22. Is this new standard also relevant for industrial automation devices?
    Industrial equipment is not excluded – but may often not be relevant for the clauses. Also, IEC 62443 will be a more suitable standard for most industrial products / systems

    23. Does the regulation make any distinction between "consumer IoT" and IoT devices sold to business?
    No

    24. Are there any national deviations for other countries?
    No, but outside of EU there are naturally some other requirements.

    25. I don't understand if NB is needed to obtain CE marking or is it possible to make a self-declaration?
    For the Radio Equipment Directive (RED), self-declaration can be used as long as reference is made to Harmonised standards. This is also the case after cyber requirements are introduced

    26. For a safety function product complying to MD, will RED support this?
    Industrial equipment is not excluded – but may often not be relevant for the clauses. Also, IEC 62443 will be a more suitable standard for most industrial products / systems

    27. Is this limited to equipment with radio only?
    Yes, it is

    28. Cybersecurity: Are there the same requirements for final users (consumers) and professional users (industrial application)?
    Yes. Industrial equipment is not excluded – but may often not be relevant for the clauses. Also, IEC 62443 will be a more suitable standard for most industrial products / systems

    29. This regulation would be the first mandatory requirement in the field of Cybersecurity. Does it mean that we have to expect an increase in the scope of requirements in the field of CS? If yes, which categories are expected to be covered by new types of requirements in the near future?
    All connected equipment will be covered by EU Cyber Security Act.

    30. What is the link with the AI 'Artificial Intelligence Act'?
    I am not aware of such a link

    31. What about when embedded software manages safety functions? Update in line (web) possible?
    I would expect IEC 62443 will be a more suitable standard and the specific requirements of 3.3. d), e) and f) would be less relevant

    32. How is this related to IEC 62443?
    We have not done a comparison between the standards. They have similarities but the ETSI standards will e.g. focus more on the user.

    33. How about wired (Ethernet) equipment?
    Wired equipment is not included in RED.