Signs of trust on the Internet in the United States, what's next?
Help create a global cybersecurity baseline. Consider mutual recognition with others (including the European Union and Japan).
Focus on Cybersecurity Fundamentals:
Security-by-design
Transparency for consumers
Security updatability
International harmonization
What's Next:
The FCC issues announcements, gathers comments, and finalizes program rules
The FCC defines the scope of certification (ISO 17065 for CLA and ISO 17025 for CyberLAB).
CLA and CyberLAB apply and earn the required certifications.
Manufacturers prepare for testing and documentation requirements (NISTIR 8425).
Manufacturers work with recognized CLAs (and CyberLAB, if certified, to apply and test products).
ETSI and CENELEC standardization progress.
Other standardization directions:
Environmental characteristics: The standard requires that "the intended use of the device" be specified as the minimum compliance level to support extended performance testing, and the EMC working group is discussing specific options;
Emergency Call (RED Article 3.3 (g)): Harmonization standards are not planned yet, and manufacturers are advised to refer to ETSI TS 103 625 V1.3.1.
CENELEC (European Committee for Electrotechnical Standardization) Standard Update (Cybersecurity)
Old standard status: EN 18031-x series of standards are no longer updated, and the relevant content is transferred to the CRA standard system.
CRA standard planning: Participants: About 300 people participated in standard formulation;
Time node:
Horizontal Standard (General Cybersecurity Requirements): Expected to be completed in August 2026;
Vertical Standards (Industry-Specific Requirements): Expected to be completed by October 2027;
CRA Full Effective Date: December 11, 2027;
Challenge: Strict adherence to the time node to ensure alignment with the RED Cybersecurity Clause Repeal Plan.
Key Issues (Security)
What is the timeline for the connection between the EU RED cybersecurity requirements and the CRA (Cybersecurity Act)? How will manufacturers navigate compliance during this transitional phase?
Connection timeline:
1. The RED Cybersecurity Requirements went into effect on August 1, 2025, and manufacturers are required to complete device compliance.
2. The EU plans to abolish the cybersecurity provisions in RED from December 11, 2027, and fully transfer relevant compliance responsibilities to the CRA;
3. CRA standard development is advancing simultaneously: horizontal standards (general requirements) are expected to be completed in August 2026, and vertical standards (industry-specific requirements) are expected to be completed in October 2027, ensuring implementation conditions are in place by December 2027.
Manufacturer Response:
Short-term (2025.8-2027.12): Strictly comply with RED's existing cybersecurity requirements, clarify the correspondence between non-harmonized standards (such as EN 303 645) and RED requirements when submitting compliance documents, and avoid relying on notifying bodies to sort out logic.
Medium-term (after August 2026): Track the release of CRA horizontal standards and evaluate the adaptability of products to general cybersecurity requirements in advance.
Long-term (post-October 2027): Adjust product design based on the CRA' s vertical standards (specific requirements for wireless electrical equipment) to ensure compliance after the full implementation of the CRA after December 2027.
RED Directive Cybersecurity Requirements: "Compliance Core and Practical Pain Points" in the Transition Phase
Article 3.3D/E/F in the RED Directive (Radio Equipment Directive) is the core basis for the current network security of wireless equipment in the EU, and Michael Darby's interpretation focuses on "clarifying the scope" and "clarifying the boundaries of responsibility". Solve the most confusing question of "whether to do it, what to do, and who is responsible" for manufacturers
Darby replaces "abstract definitions" with "scenario-based cases" and clarifies the applicable boundaries of the three major clauses:
CRA
▶ CRA Regulations: "Systemic Change and Compliance Logical Restructuring" after 2027
▶ The CRA (Cybersecurity Act) is the "ultimate framework" for EU cybersecurity compliance and will replace RED's cybersecurity requirements, with Michael and Steve's interpretation focusing on "showing CRA and RED." The core of "advance layout of transition period preparation", the core is to shift from "one-time testing" to "full life cycle security management".
A) The "essential difference" between CRA and RED: from "product compliance" to "eco-compliance"
B) CRA 's "tiered compliance system": accurately identify risks and avoid "one-size-fits-all"
The CRA' s core innovation is "grading by risk," where compliance requirements vary significantly across categories of equipment and manufacturers. It is necessary to clarify the ownership of the product before formulating a compliance strategy:
1. Default Category (Underlying Risk):
Senarios: simple devices without sensitive data processing and no networking function (such as ordinary Bluetooth mice).
Compliance Requirements: Self-assessment to meet basic security standards (such as mandatory modification of default passwords) without the need for notification body intervention.
2. Class 1(Medium risk):
Applicable scenarios: devices that are connected to the Internet but do not have highly sensitive functions (such as ordinary smart light bulbs).
Compliance requirements: If there are harmonized standards, they will self-declare, and if there are no standards, they will need to be evaluated by the notifying body (such as verifying the encryption strength of data transmission).
3. Class 2(High risk):
Applicable scenarios: devices containing sensitive components (tamper-proof chips, firewalls), handling sensitive personal data (such as smart door locks, medical monitoring equipment).
Compliance Requirements: Mandatory Notifying Bodies to evaluate, provide "security design documents" and "vulnerability response processes", and submit regular vulnerability reports.
4. Key Categories (Very High Risk):
Senariosic scenarios: equipment involving public safety and critical infrastructure (such as power grid wireless monitoring equipment).
Compliance Requirements: Comply with EU ANSSIThe special certification program formulated by (network security agency) needs to pass stricter penetration tests and anti-attack tests.
C). "Key Actions" for the Transition Period (2025-2027): Avoiding "reactive response" to CRA compliance requires "laying out ahead of time" rather than waiting for 2027 to take effect, and core preparatory actions include:
1. 2026 Vulnerability Reporting System Construction (Priority):
The CRA requires manufacturers to report vulnerability information to the EU Harmonized Database from September 2026 and to be "machine-readable" using the CSAF (Cybersecurity Assessment Framework) format.
Preparation actions: Establish a "vulnerability monitoring team", connect with open source vulnerability libraries (such as CVEs), and develop a "vulnerability classification response process" (such as high-risk vulnerability 24). repaired within hours).
2、SBOM (Software Bill of Materials) Management Capacity Building:
CRA requires manufacturers to know the source, version, and supplier of all software components of their products in order to quickly locate upstream vulnerabilities (for example, if an open source inventory is vulnerable, it can be immediately investigated whether it is used).
Preparation Action: Embed SBOM generation tools (such as SPDX format) during the R&D stage and sign "vulnerability notification agreements" with software vendors to ensure timely synchronization of upstream vulnerabilities.
3、RED and CRA "Compliance Bridge":
EN18031 standard tests under RED (e.g., data encryption, identity authentication) can be partially reused to CRA to avoid duplicate tests.
Preparation Action: Retain complete documentation of RED testing (e.g., penetration test report, cryptographic algorithm validation records) as "upfront evidence" of CRA compliance.
Timeline and Transition: Some of the CRA' s obligations, such as vulnerability reporting, will be effective from September 11, 2026, with full effect in December 2027 On March 11, RED's cybersecurity requirements will be terminated, and the RED Authorization Act is expected to be repealed at the same time. By December 11, 2027, wireless electrical equipment must comply with RED's security, EMC, radio, and network security requirements; Then, RED's security, EMC, radio requirements, and CRA's cybersecurity requirements need to be met, and the relevant compliance statements need to be integrated in the same DOC.
Scope and Classification: CRA is suitable for products containing digital components, including software, extending far beyond radio equipment, covering wire-only equipment, non-embedded software, non-radio components, and more. Devices are divided into default categories (basic requirements, self-assessment is sufficient), Class 1 (if there are no harmonized standards, they need to be evaluated by the notified body, and if there are, they can be self-declared), Class 2 (including tamper-proof microprocessors, firewalls, etc., which need to be evaluated by the notified body), and critical categories (need to follow specific certification schemes, which may be determined by the EU cybersecurity agency ANSSI). enacted).
