Cybersecurity of networked products: PSTI, RED DA and CRA compared

Reading time: 6 minutes - Difficulty: advanced

With the shared objective of enhancing the security and resilience of networked devices, PSTI, RED DA, and the Cyber Resilience Act collectively provide a set of guidelines for implementing cybersecurity practices across various markets. Find out what the features of these regulations are, and how to approach their different compliance requirements.

Main info on the PSTI regulation

PSTI (Product Security and Telecommunications Infrastructure) is a regulation targeting the UK market, effective from April 2024, which enforces compliance with cybersecurity requirements for consumer products that can be connected to the internet. The regulation defines these as ‘relevant connectable products’, which include smartphones, laptops, and home and wearable devices.

The minimum security requirements for consumer protection, which manufacturers, importers, and distributors must adhere to, cover password security, the reporting of detected vulnerabilities, and the accessibility of the information given to users about product security updates.

The harmonized standards to be referred to when applying the PSTI regulation are ETSI EN 303 645 and ISO/IEC 29147.

Main info about the RED DA act

The RED DA (Radio Equipment Directive Delegated Act) is the legislative act that complements Directive 2014/53/EU, and which will be enforced on the European Union market by August 2025. Similar to the PSTI regulation, the RED DA aims to improve the security and protection of personal data of consumers using Internet-connected radio equipment. These include phones, tablets, IoT devices and wearable devices, but also, unlike PSTI, networked industrial control devices.

Minimum security requirements focus on secure device design, resistance to cyber attacks, and fraud prevention. The specific cybersecurity requirements established by the RED DA are described in Article 3(3), points (d), (e) and (f).

The harmonized standard for implementing the RED DA is prEN 18031, but IEC 62443, as a universal reference point, also remains relevant.

Main info on the CRA regulation

The CRA (Cyber Resilience Act) is the European regulation on horizontal cybersecurity requirements for products containing digital elements, to be voted on in March 2024, and scheduled to enter into force by mid-2024.

The CRA, too, aims to improve the security and resilience of network-enabled devices, but it is targeted at industrial products: server, desktop and mobile operating systems, firewalls, IoT devices, VPNs, PLCs and SCADA systems. The products are divided into two risk levels, which the regulation defines as Class I and Class II.

Like the other legislations mentioned earlier, the Cyber Resilience Act strives to ensure users receive sufficient information regarding the security of their purchased products. It achieves this by mandating manufacturers to incorporate suitable cybersecurity measures throughout the device’s lifecycle.

The Cyber Resilience Act is linked to the new Machinery Regulation (EU) 2023/1230, but also to the best practices of the international standard IEC 62443.

Summary on cybersecurity regulations for networked products

PSTI
  Market: UK
  Scope of application: consumer products equipped with an internet connection
  Effective date: April 2024 (final)
  Specific requirements: password security, vulnerability reporting, information accessibility
  Related standards: ETSI EN 303 645, ISO/IEC 29147

RED DA
  Market: EU
  Scope of application: consumer products equipped with an internet connection
  Effective date: August 2025 (final)
  Specific requirements: network protection, personal data protection, fraud risk reduction
  Related standards: prEN 18031, IEC 62443

CRA
  Market: EU
  Scope of application: industrial products with an internet connection
  Effective date: mid-2024 (to be confirmed)
  Specific requirements: confidentiality, integrity, data availability, vulnerability mitigation
  Related standards: Machinery Regulation (EU) 2023/1230, IEC 62443

Tips for a common solution to cybersecurity regulations

We recommend that you always start by verifying the applicability of IT security regulations through a GAP Analysis.

Initially, we identify the category in which your product belongs. From there, we can systematically analyze which of its features align with the requirements of the regulation(s) applicable to the device. Once the starting point has been established, it is possible to decide what additional measures you will have to take in order to declare conformity.

The GAP Analysis applies to any of these regulatory frameworks and serves as our primary tool for determining which aspects of your products already comply with the cybersecurity requirements and which areas require improvement.

By following our recommendations, you will have the time and the means to implement the most appropriate counter-strategies to mitigate cyber risks and, if the regulatory framework requires it, to certify the product. Send us a request.
