With the shared objective of enhancing the security and resilience of networked devices, PSTI, RED DA, and the Cyber Resilience Act collectively provide a set of guidelines for implementing cybersecurity practices across various markets. Find out what the features of these regulations are, and how to relate to the different compliance requirements.Reading Time: 6 minutes Difficulty: Advanced
With the shared objective of enhancing the security and resilience of networked devices, PSTI, RED DA, and the Cyber Resilience Act collectively provide a set of guidelines for implementing cybersecurity practices across various markets. Find out what the features of these regulations are, and how to relate to the different compliance requirements.
Main info on the PSTI regulation
PSTI (Product Security and Telecommunication Infrastructure) is a regulation targeting the UK market, effective from April 2024, which enforces compliance with cybersecurity requirements for consumer products that can be connected to the internet, defined by the regulation as “relevant connectable products”, which include smartphones, laptops and home or wearable devices.
The minimum security requirements for consumer protection, which manufacturers, importers, and distributors must adhere to, involve password security, reporting detected vulnerabilities, and ensuring accessibility of information provided to users regarding product security updates.
The harmonized standards to be referred to when applying the PSTI regulation are ETSI EN 303 645 and ISO/IEC 29147.
For further information
PSTI UK regulation for connectable consumer productsDo you want to help our page grow?
Follow us on LinkedINAre you a manufacturer of wireless-enabled devices working in the UK market?
Main info about the RED DA act
The RED DA (Radio Equipment Directive Delegated Act) is the legislative act that complements Directive 2014/53/EU, and which will be enforced on the European Union market by August 2025. Similar to the PSTI regulation, the RED DA aims to improve the security and protection of personal data of consumers using Internet-connected radio equipment. These include phones, tablets, devices using IoT technologies, wearable devices, to which, however, networked industrial control devices are added.
Minimum security requirements focus on secure device design, resistance to cyber attacks, and fraud prevention. The specific requirements for cybersecurity established by the RED DA are described in Article 3.3 letters d), e), f).
The harmonized standard for implementing the RED DA act is prEN 18031, but the IEC 62443, as a universal reference point, also remains considerable.
For further information
RED DA: focus on cybersecurity requirements for wireless devices in EUDo you want to help our page grow?
Follow us on LinkedINAre you a manufacturer of networked radio equipment working in the EU market?
Main info on the CRA regulation
The CRA (Cyber Resilience Act) is the European regulation on horizontal cybersecurity requirements for products containing digital elements, to be voted on in March 2024, and scheduled to enter into force by mid-2024.
Again, for the CRA, the apparent aim is to improve the security and resilience of network-enabled devices, although this is targeted at industrial products: server, desktop and mobile operating systems, firewalls, IoT devices, VPNs, PLCs, SCADA. The products are divided into two risk levels, which the regulation defines as Class I and Class II.
Like the other legislations mentioned earlier, the Cyber Resilience Act strives to ensure users receive sufficient information regarding the security of their purchased products. It achieves this by mandating manufacturers to incorporate suitable cybersecurity measures throughout the device’s lifecycle.
The Cyber Resilience Act is linked to the New Machinery Regulation – Machinery Regulation (EU) 2023/1230 -, but also to the best practices of the international standard IEC 62443.
For further information
Cyber Resilience Act: update of the proposed RegulationDo you want to help our page grow?
Follow us on LinkedINAre you a digital industrial device manufacturer working in the EU market?
Summary on cybersecurity regulations for networked products
| Regulations | PSTI | RED DA | CRA |
|---|---|---|---|
| Market | UK | EU | EU |
| Scope of application | Consumer products equipped with internet connection | Consumer products equipped with internet connection | Industrial products with internet connection |
| Effective Date | April 2024 (final) | August 2025 (final) | Mid-2024 (to be confirmed) |
| Specific requirements | Password security, vulnerability reporting, information accessibility | Network protection, personal data protection, fraud risk reduction | Confidentiality, integrity, data availability, vulnerability mitigation |
| Related Standards | ETSI EN 303 645, ISO/IEC 29147 | prEN 18031, IEC 62443 | Machinery Regulation 2023/1230, IEC 62443 |
Tips for a common solution to cybersecurity regulations
We recommend that you always start by verifying the applicability of IT security regulations through a GAP Analysis.
Initially, we identify the category in which your product belongs. From there, we can systematically analyze which of its features align with the requirements of the regulation(s) applicable to the device. Once the starting point has been established, it is possible to decide what additional measures you will have to take in order to declare conformity.
The GAP Analysis is applicable universally to regulatory standards and serves as our primary tool for determining what aspects of your products comply with cybersecurity requirements and what areas require improvement.
By following our recommendations, you will have time and a way to implement the most appropriate counter-strategies to mitigate cyber risks, and, if the regulatory framework requires it, certify the product. Send us a request.
For further information
Learn about an example of Cybersecurity GAP AnalysisDo you want to help our page grow?
Follow us on LinkedINGo back to the blog
