Nowadays, smart devices can be found in almost every household. These devices usually collect, store and transmit data from the user in one way or another. By default, they are not protected, or are insufficiently protected, against hacks, data leaks, etc.
That’s why ETSI developed the standard EN 303 645. It’s a new standard for cybersecurity in the Internet of Things (IoT). Its main purpose is to check whether IoT and consumer devices are sufficiently secure for end users. The standard describes effective and essential security requirements regarding cybersecurity and privacy protection of consumer electronics. It doesn’t only concern the smart devices themselves, but also the sensors and operating parts of these devices. Basically, any consumer electronic device utilizing data can be put to the test according to EN 303 645. Compliance with EN 303 645 activates article 3.3 (d), (e), (f) and (i) of the RED. This means that compliance with EN 303 645 will be stated on your RED certificate as well, so that your RED compliance also includes cybersecurity for consumer electronic products. This will make your product stand out in a world where cyber threats are rising.
With activation of article 3.3 of the Radio Equipment Directive, the conformity assessment procedure will look like this:
To give an overview of the documents used for Cybersecurity for Consumer IoT products, one can look at the below information from ETSI.
As for the UK: Forthcoming requirements align with EN 303 645, covering default passwords, vulnerability disclosure and transparency on security update support periods. Proposed mandatory requirements align with EN provisions 5.1-1, 5.1-2, 5.2-1 and 5.3-13.
ETSI standard EN 303 645 can be found here.
In short, if you have a product that can connect to the internet somehow (so we can call it an IoT device), you need to do an extra test for the RED relating to cybersecurity (EN 303 645). Connecting to the internet can be done through several IoT network solutions, like: Wi-Fi, Zigbee, Thread, Cellular IoT, NB-IoT, Sigfox, and so on.
So if you don’t know whether you need to test for cybersecurity, have a look at which technologies are supported in your device. If you see one of those listed above, then your product can connect to the internet and you need to do the testing for cybersecurity. You can read more about the EU Cybersecurity Act here.