The European Commission has imposed minimum requirements for the security of IoT products, better known as smart devices, starting in 2024. Products that do not meet these standards will be banned from the EU market. The EU cybersecurity requirements for consumer products have been introduced as an addition to the EU Radio Equipment Directive (RED). You can read the press release from the Dutch central government here.
IoT products required to meet minimum security standards starting 2024
Why these basic security requirements?
The minimum basic security requirements are there to protect both companies and consumers from possible cyber attacks. IoT products are not as innocent as they may seem. Insecure smart devices are an ideal way into the homes of consumers or into businesses. This is often because the devices are poorly secured, ship with insecure default settings, and are too cumbersome to update. This allows criminals to gain access to your personal or banking information. Not to mention they can take control of the device and use it for a cyber attack. Businesses need to be extra cautious when employees are working from home: devices connected to the home network can lead to access to the corporate network!
Examples of basic security requirements include:
- Prohibition on use of default and weak passwords.
- Devices must support software updates.
- Mandatory testing for security vulnerabilities.
- Mandatory safeguarding of stored personal and financial data.
- Ability to manage and delete data by the consumer.
Relevant international standards such as ETSI EN 303 645 or IEC 62443 can already be used to demonstrate that IoT products comply with the minimum EU security requirements. Secura can help with testing and certification of such products, which will result in strong evidence of compliance with the new EU regulation.