When we talk about cybersecurity in the area of product compliance, we mean protecting our product against unauthorized human access. We want to restrict unauthorized access to our IT system.
But what is so worth protecting? In a nutshell:
- Privacy
- Personal data (data protection)
- Product security
- Communication networks
- Information worth protecting (information protection)
- Monetary values
- ...and much more!
On the one hand, the motivation to protect can stem from safety: for example, we want to prevent a deliberately induced overload of our product, and its misuse, because either could cause harm to people or pets.
We want to prevent our communication network from being overloaded through misuse. But not only that: we also want to protect our monetary values in financial transactions.
In addition, we want to protect our privacy, i.e. our personal data. Besides this specifically regulated data worth protecting (data protection), there is other information (information protection) that also needs to be protected.
There are many other reasons to protect our systems. This mix of assets worth protecting is why we end up with a large number of legal acts, each with its own protection goals.
Specifics for wireless systems and the Internet of Things
With the protection of privacy, personal data, the communication network and monetary values, we already have everything together that will be required in the future for radio equipment that is directly or indirectly connected to the Internet. This will become binding by August 2024 through Delegated Regulation (EU) 2022/30 of the EU Commission.
Standards
In the EU, we already have a number of standards at hand that support us in implementing the abstract protection goals of the legal acts. The following standards are currently the most widely used:
- EN IEC 62443 family of standards on IT security for industrial automation systems.
- ETSI EN 303 645 and related ETSI publications on cybersecurity for consumer Internet of Things: essential requirements. Example ETSI publications are:
  - ETSI TS 103 701 (conformity assessment),
  - ETSI TS 103 848 (specific requirements for "home gateways"), and
  - ETSI TR 103 621 (guideline incl. implementation examples).
- ISO/IEC 27000 family of standards for information security. From this series, the IoT-specific standards stand out:
  - ISO/IEC 27400 Cybersecurity – IoT security and privacy – Guidelines
  - ISO/IEC 27402 Cybersecurity – IoT security and privacy – Device baseline requirements (draft)
  - ISO/IEC 27403 Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics (draft)
Standards for radio equipment (RED 2014/53/EU)
The European Standardization Organization CEN/CENELEC has been mandated by the EU Commission (M/585, C(2022) 5637 final of 05.08.2022) to develop, by September 30, 2023, cybersecurity requirements for Internet-connected radio equipment.
We are looking forward to the developments in the responsible working group: CEN/CLC/JTC 13/WG 8 – Special Working Group RED Standardization Request.
Should you wish to discuss this topic, please do not hesitate to contact us or attend our webinar on the topic (see below, in German)!