This article is brought to you by Element Materials Technology.

Navigating Product Cybersecurity:
What Manufacturers Need to Know About RED, PSTI & CRA
As the use of smart, “connected devices” across our homes, workplaces, and cities increases, the cybersecurity risks tied to these products continue to grow. In response, the UK’s Product Security and Telecommunications Infrastructure (PSTI) regime, updates to the EU’s Radio Equipment Directive (RED), and the upcoming EU Cyber Resilience Act (CRA) have emerged to ensure connected products are secure and remain secure throughout their lifecycle.

This article outlines the key requirements, scope, and timelines of each framework and offers guidance for manufacturers preparing to meet their obligations.

Why Product Cybersecurity Matters
While most companies already implement cybersecurity policies to protect internal systems, not all have applied the same rigor to the devices they manufacture. With consumer products increasingly connected to networks and the internet, attackers can exploit security flaws to access sensitive data, compromise systems, or launch widespread cyberattacks. Legislation is now catching up to close this gap.

At the core of these new laws are the following principles:

  • Eliminating known vulnerabilities at launch
  • Default secure configurations
  • Secure update mechanisms
  • Access controls and data protection
  • Responsible vulnerability disclosure

UK PSTI Regime: A Baseline for Connected Products
Effective from April 2024, the UK PSTI Regime was the world’s first legislation mandating cybersecurity for consumer connectable products. It applies to internet- and network-connectable devices such as smart TVs, doorbells, and routers.
Core Requirements
The PSTI Regime outlines just four key obligations:

  1. Unique or user-defined passwords for each product
  2. Clear vulnerability reporting processes
  3. Published minimum update periods that cannot be shortened later
  4. A statement of compliance, similar to CE or UKCA documentation
Supporting Standards
The legislation is closely aligned to ETSI EN 303 645, covering basic protections for consumer IoT products, and TS 103 701 for testing methodologies. These standards are freely available and form the technical benchmark for compliance.
EU Radio Equipment Directive (RED): Cybersecurity by Category
While the RED has long governed radio, safety, and electromagnetic compatibility, from August 1, 2025, it will enforce three new cyber-related essential requirements:

  • Article 3(3)(d): Prevent harm to communication networks
  • Article 3(3)(e): Protect personal data and privacy
  • Article 3(3)(f): Guard against financial fraud

These requirements apply only to internet-connected radio equipment, and which of them applies to a given product depends on how the device operates and what data it processes.

Conformity Assessment & Standards
Three harmonised standards (EN 18031 series) have been cited to meet RED’s new requirements, but all carry usage restrictions. For example, products that allow users to bypass password setup or lack parental controls won’t benefit from automatic conformity.

If these standards can’t be fully applied, manufacturers must undergo more rigorous third-party assessments, such as EU-Type Examination or Full Quality Assurance, involving a Notified Body.

EU Cyber Resilience Act (CRA): Raising the Bar Across the Board
Coming into full force by December 11, 2027, the CRA introduces the most comprehensive set of obligations yet. It applies to any product with a digital element that connects to other devices or networks.
Key Provisions
The CRA mandates:

  • Cyber risk assessments at all stages of product development
  • Conformity assessment based on risk category (basic, important, critical)
  • Ongoing security updates and vulnerability disclosure procedures
  • Incident reporting to ENISA, CSIRTs, and affected users within 24 hours (from September 2026)
Standards & Certification Pathways
While no specific standards yet exist for CRA, the European Commission has requested the development of 41 new standards by ETSI, CENELEC, and CEN. These will eventually provide the basis for demonstrating compliance, possibly alongside a new European Cybersecurity Certification Scheme (EUCC).

Assessment pathways will vary depending on whether a product is classified as “important” or “critical,” and whether harmonised standards or “Common Specifications” have been fully applied.

Understanding the Assessment Process
A cybersecurity assessment typically includes:

  • Documentation Review: Compliance documentation such as Implementation Conformance Statements (ICS), Implementation Extra Information for Testing (IXIT), and decision trees (especially for RED-related assessments).
  • Functional Sufficiency Testing: Verifies that claimed protections work in practice (e.g., encryption is applied, PIN locks activate).
  • Completeness Check: Ensures no undocumented features or interfaces exist.
  • Penetration Testing: While not required under RED or CRA, some manufacturers may choose to conduct penetration tests for additional assurance.

Test labs play an important role in verifying documentation and performing assessments. Though third-party testing isn’t mandatory under all regimes, many manufacturers prefer external expertise—particularly when Notified Bodies are required.

How Element Can Help
Element Materials Technology provides full lifecycle support for cybersecurity compliance:

  1. Advisory Services – Developing tailored test plans, conducting risk assessments, providing training and reviewing compliance documentation.
  2. Cyber Testing Services – Element performs cybersecurity assessments to EN 303 645 and EN 18031.
  3. Certification Body Services – EU-Type Examination certification for cybersecurity, as well as all other articles of the RED (radio, EMC, safety).

Whether you’re preparing for RED changes in 2025 or the CRA rollout in 2027, engaging with experts early can streamline compliance and reduce costly delays.