New EU cybersecurity regulations white paper

How to comply with RED DA, the CRA and other new EU cybersecurity regulations

Time is now running short to comply with new EU cybersecurity rules

The European Union (EU) has set out a clear and stringent portfolio of new cybersecurity regulations, acts and directives. The goal of these is to enhance security across networks, devices and enterprises. Their purpose is to protect the privacy of citizens, secure critical infrastructure, and set common standards for device-makers and developers.

The scope and depth of recent EU cybersecurity regulations are considerable – they demand highly granular consideration of which methods, technologies and policies will be adopted to achieve compliance. Designers must therefore address these increasingly complex requirements during development, rather than as an afterthought just before launch.

One major expansion of EU cybersecurity regulations concerns the Radio Equipment Directive (2014/53/EU). Also known as RED, this 2014 directive has been expanded by the recent Delegated Act, which encapsulates new obligations for network resilience, improved personal data and privacy protection, and reduction of monetary fraud. The amended directive or Delegated Act, called RED DA, still applies to the same products as the old RED. RED DA’s new requirements, however, apply to all radio equipment that can communicate autonomously via the Internet, either directly or via another item of equipment.

The EU’s forthcoming Cyber Resilience Act (CRA) introduces common cybersecurity rules for manufacturers and developers of products with digital elements, in both hardware and software. The Act requires that products connected to the Internet, and software available in the EU, are more secure. Importantly, the CRA sets out that manufacturers remain responsible for cybersecurity throughout their products’ lifecycles. It also requires that customers are properly informed about the cybersecurity of the products they buy and use.

This is serious and weighty regulation. The CRA applies to all products that are directly or indirectly connected to another device or network, with only specified exclusions for open-source software, medical devices, aviation and cars. Failure to comply could result in fines of up to €15 million or 2.5% of the offender’s total worldwide turnover for the preceding financial year. It’s therefore essential that, given the long development cycles and complex supply chains of IoT products, companies begin integrating compliance measures now.

RED DA and the CRA impose much more rigorous cybersecurity requirements to protect devices, infrastructure, data and consumers. To achieve compliance, IoT companies must therefore step up their efforts. These new EU cybersecurity regulations mean companies must conduct cyber-risk assessments before a product is introduced to the market. They must also maintain compliance throughout the expected lifecycle, which could be a decade or more.

Quectel has a long-term commitment to security by design. This means ensuring a secure supply chain, regulatory compliance, comprehensive security testing with transparency and security bills of materials (SBOMs), in addition to regular updates and continuous protection. We also offer a comprehensive certification and testing portfolio with a range of professional services and management tools – and, because we support so many customers in all markets, we have an in-depth global view of certification demands across nations, industries and technologies.

To learn more about the complex emerging landscape brought about by new EU cybersecurity regulations – and how we can help you to ensure your security posture achieves compliance – read our free new white paper by entering your details below.

Read our free white paper to learn more about:

Recent EU cybersecurity rules: what’s changing?

Key implications of the new rules

How we can help IoT companies comply