SGS highlights new IoT cybersecurity regulations coming into force in 2024


Manufacturers and importers of IoT devices should prepare for new regulations coming into force in 2024, according to SGS, the testing, inspection and certification company.

“With ‘smart’ technology growing exponentially, through televisions, speakers, appliances, locks, exercise trackers and even games, the world is becoming ever more connected,” said Alex Rubert, Sales Manager at SGS Brightsight, a cybersecurity evaluation laboratory network for chip-based security products.

“There were an estimated 8.6 billion IoT-connected devices in the world in 2019, which had risen to 15.14 billion in 2023. The expectation is that growth will continue to reach 29.42 billion by 2030,” said Rubert.

“Alongside the rise in IoT devices, we are seeing an increase in cyberattacks. A Check Point Research (CPR) report found a 38% increase in attacks between 2021 and 2022, with the most common targets being education, government and healthcare. A cyberattack could result in one of several outcomes. For example, a smart speaker could eavesdrop, hospital staff could be locked out of a life support system or bank details could be stolen.”

SGS, which operates a global network of testing and certification laboratories for the wireless industry, provides compliance testing against a variety of global regulations – from the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), introduced in 2018, to the recent National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST IR 8259A and NIST IR 8425) in the US and Australia’s demand-response standard AS 4755.2.

“There is a move towards more regulation which mirrors the increase in IoT devices and cyber threats,” added Rubert. “Yet, because implementing new legislation can be slow and the speed of development in technology and threat is rapid, there is inevitably a regulatory lag. However, in 2024 it seems that cybersecurity regulation is about to catch up.”

According to SGS, the new regulations and standards for consumer products expected to come into force in the coming months include:

  • UK Product Security and Telecommunications Infrastructure (PSTI) Regulation 2023 – manufacturers and importers must issue a statement of compliance before placing a product on the market: live from April 29, 2024
  • US Cyber Trust Mark – this voluntary labelling scheme is based on specific criteria published by NIST relating to passwords, data protection, software updates and incident detection capabilities: live from …
  • Singapore Cybersecurity Labelling Scheme (CLS) – voluntary for most consumer products but mandatory for routers. It is based on ETSI EN 303 645 and the Infocomm Media Development Authority (IMDA) IoT cyber security guide and offers four levels of assurance
  • Cyber Resilience Act (CRA) – the first EU-wide legislation introducing common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. Expected to come into force in Q3 2024, it becomes mandatory after three years and will ensure that:
    1. Wired and wireless products connected to the internet, and software, are more secure
    2. Manufacturers remain responsible for the cybersecurity of a product throughout its life cycle
    3. Consumers are properly informed about the cybersecurity of the products they buy and use
  • EU Radio Equipment Directive (RED) Article 3.3 – relates to cybersecurity and covers (d) networks, (e) personal data and privacy, and (f) protection from fraud. It applies to devices capable of communicating via the internet, toys and childcare equipment, and wearables. Originally planned for August 2024, this has now been postponed to 2025.

“Manufacturers and importers of IoT devices will need to make sure their products conform to these new regulations and be able to demonstrate compliance in an easy-to-recognise manner,” added Rubert.

Gaining an advantage in competitive markets requires a comprehensive, technical approach to compliance, which in the US means assessment against NIST IR 8259 and, under RED in Europe and CLS in Singapore, assessment against ETSI EN 303 645.

Through its global network, SGS can assess all products against the required standards, including NIST, RED and CLS, and as a Notified Body can issue EU-type certification for products destined for European markets to show compliance with RED 3.3 (d), (e) and (f).

Compliant products can then carry the internationally recognised SGS Cybersecurity Mark, demonstrating to customers the adoption of best practice and product conformity to defined standards:

  • ETSI EN 303 645
  • NIST IR 8425
  • IEC 62443-4-2
  • ISO 21434
  • RED 3.3 (d, e, f)
