Cybersecurity Solutions

As digital footprints expand, compliance and resilience are no longer optional—they are market entry requirements. CNLabs provides the technical depth needed to secure next-gen infrastructure and validate products against global regulatory standards.

We move beyond simple "check-box" security, offering deep-dive validation that builds market trust and accelerates your deployment timeline.

Comprehensive Security Services

Security Services

Uncover exploitable vulnerabilities before attackers do. We conduct vulnerability assessment and penetration testing (VAPT) and Red/Blue Team exercises to harden your defenses.

Independent Validation

Confirm that your solutions meet regulators' requirements through laboratory testing against NIST and other published standards.

Lifecycle Integration

Shift security left. We weave validation into your DevSecOps pipelines and architecture design phases to reduce compliance costs.

Custom Programs

Specialized testing for unique technology stacks including IoT, Cloud Edge, and Automotive networking risk frameworks.

Industry-Recognized Certifications

Radio Equipment Directive (RED)

The Radio Equipment Directive (Directive 2014/53/EU) has traditionally covered spectrum use, electromagnetic compatibility, and health and safety for wireless products. Commission Delegated Regulation (EU) 2022/30 activated the cybersecurity essential requirements of Article 3(3), formally extending RED's scope to cybersecurity.

Under this Delegated Act, the essential requirements of Article 3(3)(d), (e) and (f) apply to all in-scope radio equipment placed on the EU market from 1 August 2025 (the original date of 1 August 2024 was postponed by Delegated Regulation (EU) 2023/2444). Equipment placed on the market after this date without demonstrated conformity cannot lawfully be sold in the EU.

Key cybersecurity objectives under RED

Network protection (Article 3(3)(d))
Radio equipment must be designed so it does not harm network operations or misuse network resources. This directly targets risks such as botnet infections, DDoS participation, and uncontrolled traffic generation.

Protection of personal data and privacy (Article 3(3)(e))
Devices must include built-in safeguards to protect user data and communications, aligning product security with GDPR principles at the hardware and firmware level.

Fraud prevention (Article 3(3)(f))
Radio equipment that enables the holder or user to transfer money, monetary value or virtual currency must include security controls that reduce fraud risk, including secure user authentication and cryptographic protection of the transaction.

Scope and technical compliance

Article 3(3)(d) applies to any radio equipment that can itself communicate over the internet, which covers smartphones, routers, cameras, wearables, consumer IoT devices and wireless industrial products. Article 3(3)(e) additionally covers internet-connected equipment that processes personal, traffic or location data, as well as childcare equipment, toys and wearables; Article 3(3)(f) covers equipment that can transfer money, monetary value or virtual currency. Equipment already regulated as medical devices, aviation products, motor vehicles or electronic road toll systems is excluded. The harmonised standards EN 18031-1, -2 and -3 address (d), (e) and (f) respectively and provide the presumption-of-conformity route; where they are not applied in full, a notified body assessment is required.

Cyber Resilience Act (CRA)

The Cyber Resilience Act (Regulation (EU) 2024/2847) establishes cybersecurity requirements for all products with digital elements (PDEs) placed on the EU market, covering both hardware and software. Unlike RED, which is limited to radio equipment, the CRA applies horizontally across almost every connected product category.

Security across the full product lifecycle

Under the CRA, manufacturers remain responsible for cybersecurity throughout the product's support period, which must be at least five years unless the product is expected to be in use for a shorter time. This includes:

  • Secure-by-design development and a secure default configuration (for example, no universal default passwords, and no known exploitable vulnerabilities at release)
  • Ongoing vulnerability remediation
  • Security updates throughout the lifecycle

Cybersecurity is no longer a one-time compliance activity at product launch.

Vulnerability handling and transparency

Manufacturers must:

  • Actively monitor vulnerabilities
  • Submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident affecting product security, a fuller notification within 72 hours, and a final report afterwards (for vulnerabilities, within 14 days of a fix becoming available), via the single reporting platform to the coordinating national CSIRT and ENISA
  • Draw up a Software Bill of Materials (SBOM) in a commonly used machine-readable format covering at least the product's top-level dependencies, keep it as part of the technical documentation, and provide it to market surveillance authorities on request

This allows rapid identification of affected products when new vulnerabilities are discovered.

Key compliance timelines

CRA entered into force: 10 December 2024
Vulnerability and incident reporting obligations apply from: 11 September 2026
Full product compliance required from: 11 December 2027

BIS CCTV Essential Requirements (ER-01:2024)

The Essential Requirements for the security of CCTV (ER-01:2024), notified by MeitY and enforced by the Bureau of Indian Standards under the Compulsory Registration Scheme, were introduced to strengthen security and ensure trusted video surveillance infrastructure in India. They apply to CCTV cameras and recorders that are manufactured, imported, or sold in India.

The framework is structured around four major security pillars.

Hardware Level Security Controls

  • Verification that debugging interfaces such as USB, UART, JTAG and SWD are disabled or protected
  • Validation of secure boot through boot image signature verification
  • Confirmation that cryptographic keys and certificates are unique for each device
  • Secure storage of sensitive data, private keys and certificates using secure hardware or strong cryptography

Software and Firmware Security Controls

  • Enablement of memory protection mechanisms such as ASLR and DEP where applicable
  • Protection of data in transit using secure TLS versions and strong encryption
  • Secure firmware update process with digital signature validation and anti-rollback protection
  • Secure code review to remove banned functions and detect hardcoded credentials
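The signature and anti-rollback checks listed above (and the boot image signature verification under the hardware controls) are easiest to get wrong in their ordering. The Go program below is an added example written for this page, not CNLabs tooling and not a format prescribed by ER-01: the header layout (version followed by the SHA-256 of the image body), the choice of Ed25519, and an in-memory counter standing in for the anti-rollback value kept in secure storage are all assumptions. It walks one device through a legitimate update, a genuinely signed but older image, an image altered after signing, and an image signed with the wrong key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// updateHeader is the metadata the vendor signs. The layout (version || SHA-256
// of the image body) is an assumption for this example; real image formats differ.
type updateHeader struct {
	Version   uint32   // monotonic firmware version, used for anti-rollback
	ImageHash [32]byte // SHA-256 of the image body, binds the body to the header
}

func (h updateHeader) signedBytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], h.Version)
	copy(b[4:], h.ImageHash[:])
	return b
}

// signUpdate is the vendor-side step: hash the image, bind it to a version, sign the header.
func signUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (updateHeader, []byte) {
	h := updateHeader{Version: version, ImageHash: sha256.Sum256(image)}
	return h, ed25519.Sign(priv, h.signedBytes())
}

// device holds the per-device state that belongs in immutable or secure storage:
// the vendor public key (ROM/OTP) and the highest version ever installed.
type device struct {
	vendorPub        ed25519.PublicKey
	installedVersion uint32
}

var (
	errBadSignature = errors.New("signature verification failed")
	errHashMismatch = errors.New("image hash does not match signed header")
	errRollback     = errors.New("rollback rejected: version not newer than installed")
)

// applyUpdate checks in the order a secure updater should: authenticate the header
// first (everything else is untrusted until then), bind the body to it, enforce
// the monotonic version, and only then commit the new counter value.
func (d *device) applyUpdate(h updateHeader, sig, image []byte) error {
	if !ed25519.Verify(d.vendorPub, h.signedBytes(), sig) {
		return errBadSignature
	}
	if sha256.Sum256(image) != h.ImageHash {
		return errHashMismatch
	}
	if h.Version <= d.installedVersion {
		return errRollback
	}
	d.installedVersion = h.Version // commit: advance the anti-rollback counter
	return nil
}

// demo walks one device through a legitimate update, a rollback attempt with a
// genuine signature, an image altered after signing, and an image signed with
// an attacker's key, returning the updater's verdict for each.
func demo() (fresh, rollback, tampered, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &device{vendorPub: pub, installedVersion: 3}

	v4 := []byte("constructed firmware image v4")
	h4, sig4 := signUpdate(priv, 4, v4)
	fresh = dev.applyUpdate(h4, sig4, v4)

	v2 := []byte("constructed firmware image v2") // older but validly signed
	h2, sig2 := signUpdate(priv, 2, v2)
	rollback = dev.applyUpdate(h2, sig2, v2)

	h5, sig5 := signUpdate(priv, 5, []byte("constructed firmware image v5"))
	tampered = dev.applyUpdate(h5, sig5, []byte("constructed firmware image v5 + implant"))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	h6, sig6 := signUpdate(attackerPriv, 6, v4)
	forged = dev.applyUpdate(h6, sig6, v4)
	return
}

func main() {
	fresh, rollback, tampered, forged := demo()
	fmt.Println("v4 update:", fresh, "| v2 rollback:", rollback)
	fmt.Println("tampered v5:", tampered, "| forged v6:", forged)
}
```

Two design points matter for a lab assessment: the version counter is only advanced after every check has passed, so an interrupted or rejected update cannot leave the device in a state that later accepts an old image, and the rollback decision is taken on the signed header rather than on anything read from the image body.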

Secure Communication and Supply Chain Controls

  • Mutual authentication for wireless communication where supported
  • Encryption of wireless communication channels
  • Disclosure and validation of network protocols used by the device
  • Verification of trusted sourcing of critical hardware components through bill of materials

Security in Product Development and Manufacturing

  • Hardware architecture documentation at PCB and SoC level
  • Malware detection during development and final product packaging
  • Controls to reduce counterfeit and compromised components
  • Supply chain risk assessment and mitigation processes

CNLABS, with its team of certified security professionals, is fully equipped to assist manufacturers, government agencies, and private sector stakeholders in achieving compliance with these critical standards.

Key highlights of CNLABS and the BIS CCTV Program:

  • First BIS-recognized lab for CCTV security testing under the CCTV Essential Requirements (ER-01:2024).
  • The CCTV security requirements have been in force since 9 October 2024.
  • Expertise in security testing for CCTV, telecom, IT, OT, and IoT products.
  • Approved by TEC India, NIST, IPv6 Forum, SIRIM, and other certification bodies.

ITSAR (Indian Telecom Security Assurance Requirements)

The Indian Telecom Security Assurance Requirements (ITSARs) are product-category security requirement documents published by the National Centre for Communication Security (NCCS), a unit of the Department of Telecommunications, Government of India. Testing against them is mandatory for telecom equipment deployed in licensed Indian networks.

Certification is administered by NCCS, and testing is carried out by Telecom Security Testing Laboratories (TSTLs) designated by NCCS.

Without ITSAR approval, covered products cannot be procured by Indian telecom service providers.

The scope broadly includes:

  • Firewalls and security gateways
  • IP routers and switches
  • Wi-Fi CPE and broadband access devices
  • Optical access equipment such as OLT and ONT
  • Various telecom network elements and management systems

Every product falling under a notified ITSAR category must undergo security testing and certification before deployment in Indian telecom networks, regardless of vendor or country of origin.

FIPS 140-3

FIPS 140-3 is the current standard of the U.S. National Institute of Standards and Technology (NIST) for validating cryptographic modules used in U.S. and Canadian government systems; validations are issued through the Cryptographic Module Validation Program (CMVP).

It supersedes FIPS 140-2 and adopts ISO/IEC 19790:2012 (requirements) and ISO/IEC 24759:2017 (test methods), with NIST-specific modifications published in the SP 800-140 series.

Why the transition matters

  • All remaining FIPS 140-2 certificates move to the Historical list in September 2026, after which they no longer satisfy a requirement for an active validation
  • New procurements increasingly require FIPS 140-3 validation
  • CMVP stopped accepting new FIPS 140-2 submissions in September 2021, so every new validation follows the 140-3 framework

Key technical enhancements

  • Pre-operational self-tests (software/firmware integrity, bypass and critical functions) before any service is offered, plus conditional self-tests at runtime such as cryptographic algorithm known-answer tests, pair-wise consistency tests and continuous RNG health tests
  • Entropy source validation against NIST SP 800-90B, rather than self-declared entropy estimates
  • Defined treatment of hybrid modules that combine hardware, software and firmware components
  • Explicit coverage of non-invasive (side-channel) attack mitigation and multi-factor authentication at the highest security level
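To make the self-test bullets concrete, the Go program below is an added example written for this page, not CNLabs code and not a validated module: it models a minimal module boundary whose services are gated on a state machine, runs SHA-256 and HMAC-SHA-256 known-answer tests (FIPS 180-4 and RFC 4231 vectors) followed by a software integrity test, and implements a simplified continuous RNG health test modelled on the SP 800-90B repetition count test. The constructed "module image" byte string, the reference digest and the state names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// moduleState models the states a validated module exposes: services are offered
// only in the operational state, and any failed test latches the error state.
type moduleState int

const (
	stateUninitialised moduleState = iota
	stateOperational
	stateError
)

var errNotOperational = errors.New("service refused: module is not operational")

// Known-answer vectors: SHA-256("abc") from FIPS 180-4 and HMAC-SHA-256 from RFC 4231 test case 1.
const (
	katSHA256Expect = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	katHMACExpect   = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)

var katHMACKey = bytes.Repeat([]byte{0x0b}, 20)

// cryptoModule is a constructed, minimal module boundary: code stands in for the
// module binary, integrityRef for the reference digest recorded at build time.
type cryptoModule struct {
	state        moduleState
	code         []byte
	integrityRef []byte
	lastRNGBlock []byte
}

func newModule(code, integrityRef []byte) *cryptoModule {
	return &cryptoModule{code: code, integrityRef: integrityRef}
}

// fail latches the error state; leaving it requires a reset and a fresh self-test run.
func (m *cryptoModule) fail(msg string) error {
	m.state = stateError
	return errors.New(msg)
}

// preOperationalSelfTest runs the algorithm KATs and then the software integrity test.
// The SHA-256 KAT goes first: the integrity test proves nothing if the hash is broken.
func (m *cryptoModule) preOperationalSelfTest() error {
	if sum := sha256.Sum256([]byte("abc")); hex.EncodeToString(sum[:]) != katSHA256Expect {
		return m.fail("SHA-256 KAT failed")
	}
	mac := hmac.New(sha256.New, katHMACKey)
	mac.Write([]byte("Hi There"))
	if hex.EncodeToString(mac.Sum(nil)) != katHMACExpect {
		return m.fail("HMAC-SHA-256 KAT failed")
	}
	if sum := sha256.Sum256(m.code); !bytes.Equal(sum[:], m.integrityRef) {
		return m.fail("software integrity test failed")
	}
	m.state = stateOperational
	return nil
}

// conditionalRNGTest is a simplified continuous health test in the spirit of the
// SP 800-90B repetition count test: the same block twice in a row means a stuck source.
func (m *cryptoModule) conditionalRNGTest(block []byte) error {
	if m.lastRNGBlock != nil && bytes.Equal(block, m.lastRNGBlock) {
		return m.fail("RNG continuous test failed: repeated output block")
	}
	m.lastRNGBlock = append([]byte(nil), block...)
	return nil
}

// hmacSHA256 is an approved service; every service is gated on module state.
func (m *cryptoModule) hmacSHA256(key, data []byte) ([]byte, error) {
	if m.state != stateOperational {
		return nil, errNotOperational
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil), nil
}

func main() {
	code := []byte("constructed module image")
	ref := sha256.Sum256(code)
	good, patched := newModule(code, ref[:]), newModule([]byte("constructed module image, patched"), ref[:])
	fmt.Println("intact module self-test:", good.preOperationalSelfTest())
	fmt.Println("patched module self-test:", patched.preOperationalSelfTest())
	_, err := patched.hmacSHA256([]byte("key"), []byte("data"))
	fmt.Println("service on patched module:", err)
}
```

The property a CMVP tester looks for is visible in the state handling: a failed test does not merely return an error, it moves the module into an error state from which no cryptographic output is produced until the pre-operational tests are re-run from a reset.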

FIPS 140-3 is critical for products used in government, defence, critical infrastructure, and regulated financial environments.

Common Criteria (CC) and EUCC

Common Criteria (CC, ISO/IEC 15408) is an international framework for evaluating the security functionality and assurance of IT products, including operating systems, firewalls, smart cards, and secure hardware.

Products are tested against defined security requirements and assigned Evaluation Assurance Levels (EALs).

In Europe, Common Criteria certification is moving to the European Common Criteria-based cybersecurity certification scheme (EUCC), adopted under the EU Cybersecurity Act through Commission Implementing Regulation (EU) 2024/482. EUCC replaces the fragmented national schemes with a single certificate recognised in every member state, and adds explicit patch-management provisions so that a certified product can be updated without restarting the evaluation, with vulnerability analysis kept aligned with the current state of the art in attacks so that certificates stay meaningful as the threat landscape changes.

Assurance levels

  • EAL1–EAL2: Basic functional testing
  • EAL3–EAL4+: Structured design and vulnerability analysis (common for enterprise products)
  • EAL5–EAL7: High-assurance and formal verification

European transition to EUCC

EUCC applies from 27 February 2025, and the national SOG-IS schemes are phased out over the transition period that follows. EUCC expresses assurance in the Cybersecurity Act's levels: "substantial" corresponds to evaluations at AVA_VAN.1 or AVA_VAN.2 (typically EAL1 to EAL2), and "high" to AVA_VAN.3 to AVA_VAN.5 (EAL3 and above, with EAL4+ remaining the common enterprise target). A single EUCC certificate is valid across the Union without national re-certification.

Manufacturer Usage Description (MUD)

Manufacturer Usage Description (MUD), defined by the IETF in RFC 8520, lets an IoT device declare its intended network behaviour. The device advertises a URL (via DHCP, LLDP or an X.509 certificate extension) pointing to a MUD file: a YANG-modelled JSON document of access-control entries describing which hosts, protocols and ports the device needs, which a MUD manager on the network turns into enforceable policy.

MUD-CCF is particularly vital for the scalability of secure IoT deployments. In enterprise or industrial environments with thousands of devices, manually configuring firewall rules for every asset is impossible. MUD-CCF allows for "zero-touch" onboarding where a device connects, declares its profile, is verified, and is immediately secured by the network. This automation reduces human error and ensures that security policies are applied consistently across massive fleets of diverse IoT products.

MUD-CCF Certification

The MUD Conformance Certification Framework validates that:

  • The device behaviour matches its declared MUD profile
  • No hidden communications or unsafe traffic exist

This provides a trust mark for secure-by-design IoT products and enables automated network protection with minimal operational overhead.
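The core of such a conformance check is mechanical: read the ACEs in the MUD file's from-device policy, turn them into concrete permitted flows, and report any observed traffic they do not cover. The Go program below is an added example written for this page, not the MUD-CCF test suite or any CNLabs tool. The MUD file is constructed following the RFC 8520 structure for a hypothetical IP camera, the name resolution map and the observed flow records are constructed so the example runs offline, and only TCP ACEs with an "eq" destination port are handled; anything the checker cannot express exactly is deliberately left out of the allow set so that the corresponding traffic is reported rather than silently accepted.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the RFC 8520 data model (ietf-mud + ietf-access-control-list, JSON encoding). Only from-device-policy is evaluated: what the device may initiate.
type portMatch struct {
	Operator string `json:"operator"`
	Port     int    `json:"port"`
}
type ace struct {
	Matches struct {
		IPv4 struct {
			DstDNSName string `json:"ietf-acldns:dst-dnsname"`
			Protocol   int    `json:"protocol"`
		} `json:"ipv4"`
		TCP struct{ DstPort portMatch `json:"destination-port"` } `json:"tcp"`
	} `json:"matches"`
	Actions struct{ Forwarding string `json:"forwarding"` } `json:"actions"`
}
type mudFile struct {
	MUD struct {
		FromDevice struct {
			AccessLists struct {
				AccessList []struct{ Name string `json:"name"` } `json:"access-list"`
			} `json:"access-lists"`
		} `json:"from-device-policy"`
	} `json:"ietf-mud:mud"`
	ACLs struct {
		ACL []struct {
			Name string `json:"name"`
			ACEs struct{ ACE []ace `json:"ace"` } `json:"aces"`
		} `json:"acl"`
	} `json:"ietf-access-control-list:acls"`
}

// flow is one observed outbound connection of the device under test (Proto 6 = TCP).
type flow struct {
	DstIP string
	Proto int
	Port  int
}

// Constructed MUD file for a hypothetical IP camera: HTTPS to its video management server, nothing else.
const sampleMUD = `{
 "ietf-mud:mud": {"mud-version": 1, "mud-url": "https://example.com/camera.json",
  "last-update": "2025-01-01T00:00:00+00:00", "cache-validity": 48, "is-supported": true,
  "systeminfo": "Constructed IP camera profile",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "from-camera"}]}}},
 "ietf-access-control-list:acls": {"acl": [{"name": "from-camera", "type": "ipv4-acl-type", "aces": {"ace": [
  {"name": "vms-https", "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "vms.example.com", "protocol": 6},
    "tcp": {"ietf-mud:direction-initiated": "from-device", "destination-port": {"operator": "eq", "port": 443}}},
   "actions": {"forwarding": "accept"}}]}}]}}`

// Constructed name resolution so the example runs offline; a MUD manager resolves dst-dnsname itself.
var resolved = map[string]string{"vms.example.com": "198.51.100.10"}

// allowedFlows turns the accept ACEs of the from-device policy into the set of permitted flows.
func allowedFlows(doc []byte, dns map[string]string) (map[flow]bool, error) {
	var m mudFile
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, err
	}
	wanted := map[string]bool{}
	for _, l := range m.MUD.FromDevice.AccessLists.AccessList {
		wanted[l.Name] = true
	}
	allow := map[flow]bool{}
	for _, acl := range m.ACLs.ACL {
		if !wanted[acl.Name] {
			continue
		}
		for _, a := range acl.ACEs.ACE {
			pm := a.Matches.TCP.DstPort
			ip, known := dns[a.Matches.IPv4.DstDNSName]
			// Unresolved names, non-TCP, non-"eq" ports and non-accept actions stay out of the allow set.
			if a.Actions.Forwarding != "accept" || a.Matches.IPv4.Protocol != 6 || !known || pm.Operator != "eq" {
				continue
			}
			allow[flow{ip, 6, pm.Port}] = true
		}
	}
	return allow, nil
}

// undeclared returns the observed flows that no accept ACE in the profile covers.
func undeclared(allow map[flow]bool, observed []flow) []flow {
	var out []flow
	for _, f := range observed {
		if !allow[f] {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	allow, _ := allowedFlows([]byte(sampleMUD), resolved) // constructed input, cannot fail to parse
	// Constructed flow records captured while exercising the device: the HTTPS flow is declared,
	// the telnet flow to an unknown host and the SSH flow to the declared host are not.
	observed := []flow{{"198.51.100.10", 6, 443}, {"203.0.113.9", 6, 23}, {"198.51.100.10", 6, 22}}
	fmt.Println("undeclared traffic:", undeclared(allow, observed))
}
```

Note that the second finding is the more interesting one for a certification lab: the destination host is declared in the profile, but the port is not, so a checker that only compared destination addresses would miss it.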

ETSI EN 303 645

Developed by ETSI, EN 303 645 ("Cyber Security for Consumer Internet of Things: Baseline Requirements") is the most widely referenced security baseline for consumer IoT products. It underpins the UK's PSTI product security regime, is cited by schemes across Europe and other regions, and has a companion test specification, ETSI TS 103 701, that defines how each provision is assessed.

The Thirteen Pillars of IoT Security

ETSI EN 303 645 was designed to mitigate the most common attack vectors used against smart home devices. Its 13 top-level provisions (clauses 5.1 to 5.13) serve as a practical checklist for cyber resilience; clause 6 adds data-protection provisions for consumer IoT.

  • No Universal Default Passwords
  • Vulnerability Disclosure Policy
  • Keep Software Updated
  • Secure Storage of Sensitive Data
  • Secure Communication
  • Minimize Exposed Attack Surfaces
  • Ensure Software Integrity
  • Ensure Personal Data is Secure
  • Make Systems Resilient to Outages
  • Examine System Telemetry Data
  • Easy Deletion of Personal Data
  • Easy Installation and Maintenance
  • Validate Input Data

EN 303 645 requires the protection of sensitive data both when stored on the device and when transmitted over networks. This necessitates the use of industry-standard cryptography and secure transport protocols like TLS.

Beyond data, the standard focuses on minimizing the attack surface; debug interfaces (like JTAG or UART) used during manufacturing must be disabled or physically secured before the product ships. Unused network ports and services must be closed by default, ensuring that the device exposes only the minimum necessary functionality to the outside world.

Ready to Strengthen Your Security Posture?

Whether you need a full security assessment or certification guidance, our team is ready to help.