SGS in its latest release has alerted manufacturers and importers that a new IoT device regulation is coming into force.
According to SGS, the new IoT devices standards and regulation for consumer products are expected to come into force in the coming months.
The New IoT Devices Standards and Regulation Include:
- UK Product Security and Telecommunications Infrastructure (PSTI) Regulation 2023 – manufacturers and importers must state compliance before placing a product into the market: live from April 29, 2024
- US Cyber Trust Mark – this voluntary labeling scheme is based on specific criteria published by NIST relating to passwords, data protection, software updates and incident detection capabilities.
- Cybersecurity Labelling Scheme (CLS) for Singapore is voluntary for most consumer products but mandatory for routers. It is based on ETSI EN 303 645 and the Infocomm Media Development Authority (IMDA) IoT cyber security guide and offers four levels of assurance
- Cyber Resilience Act (CRA) – The first EU-wide legislation introducing common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. Expected to come into force in Q3 2024, it is mandatory after three years and will ensure:
- Wired and wireless products connected to the internet and software are more secure
- Manufacturers remain responsible for the cybersecurity of a product throughout its life cycle
- Consumers are properly informed about the cybersecurity of the products they buy and use
- EU Radio Equipment Directive (RED) Article 3.3 relates to cybersecurity and covers (d) networks, (e) personal data and privacy, and (f) protection from fraud and applies to devices capable of communicating via the internet, toys and childcare equipment and wearables. Originally planned for August 2024, this has now been postponed to 2025
“With ‘smart’ technology growing exponentially, through televisions, speakers, appliances, locks, exercise trackers and even games, the world is becoming ever more connected,” said Alex Rubert, of SGS Brightsight, the world’s leading cybersecurity evaluation laboratory network for chip-based security products. “There were an estimated 8.6 billion IoT-connected devices in the world in 2019 which had risen to 15.14 billion in 2023. The expectation is that growth will continue to reach 29.42 billion by 2030.
“Alongside the rise in IoT devices, we are seeing an increase in cyberattacks. A Check Point Research (CPR) report found a 38% increase in attacks between 2021 and 2022, with the most common targets being education, government and healthcare. A cyberattack could result in one of several outcomes. For example, a smart speaker could eavesdrop, hospital staff could be locked out of a life support system or bank details could be stolen.”
SGS is known for catering to the wireless industry with its global network of testing and certification laboratories. The New IoT devices standards and regulation can be matched with SGS compliance against a variety of global regulations.
SGS currently provides compliance against a variety of global regulations. This includes California Consumer Privacy Act (CCPA) and EU General Data Protection Regulation (GDPR) introduced in 2018 to the recent National Institute of Standards and Technology (NIST) Cybersecurity Framework (NISTIR 8259A-NIST 8425) in the US and Australia’s Demand-response Standard AS4755.2. IoT devices standards and regulation are known to make formidable changes across the IoT device market.
“There is a move towards more regulation which mirrors the increase in IoT devices and cyber threats,” added Alex. “Yet, because implementing new legislation can be slow and the speed of development in technology and threat is rapid, there is inevitably a regulatory lag. However, in 2024 it seems that cybersecurity regulation is about to catch up.”
“Manufacturers and importers of IoT devices will need to make sure their products conform to these new regulations and be able to demonstrate compliance in an easy to recognize manner,” added Alex.
Gaining an advantage in competitive markets requires a comprehensive, technical approach to compliance, which in the US means assessment against NIST 8259 and in Europe (RED and CLS) against ETSI EN 303 645.
Through its global network, SGS can assess all products against required standards, including NIST, RED and CLS, and as a Notified Body, can issue EU-type certification for products destined for European Markets to show compliance with RED 3.3 (d), (e) and (f).
Compliant products can then carry the internationally recognized SGS Cybersecurity Mark, demonstrating to customers the adoption of best practice and product conformity to defined standards:
- ETSI EN 303 645
- NIST IR 8425
- UK PSTI
- IEC 62443-4-2
- ISO 21434
- RED 3.3 (d, e, f)
For further information on Cybersecurity Services and know about IoT devices standards and regulation from SGS: http://www.sgsbrightsight.com
