Contact information
Free service hotline
400-7558988
TEL: 0769-85075888-6618
13925591357
Fax: 0769-85075898
Mail: net04@gtggroup.com
ADD: Huacan Industrial Park, No. 2 Keji 8th Road, Songshan Lake Park, Dongguan City, Guangdong Province
A must-read for networked product export: Global cybersecurity compliance certification map
With the popularity of Internet of Things (IoT) technology, "Internet of Everything" has become the norm, from smart home cameras, smart wearable devices to industrial gateways. However, the accompanying risk of cyber attacks has caused major markets around the world to build "digital firewalls". For export enterprises, network security is no longer an option, but a mandatory threshold to enter the international market.
This article will sort out the current mainstream network security compliance requirements for networked products in Europe, America and the Asia-Pacific region from the perspective of professional testing and certification.
1. EU: RED Directive Cybersecurity Provisions (Mandatory)
This is currently the most far-reaching regulation on export enterprises. According to the delegated act of the EU Radio Equipment Directive (RED), the provision for cybersecurity (Article 3.3 d/e/f) has officially come into force.
Core requirements: Devices must have the ability to protect the network, protect the privacy of personal data, and prevent fraud.
Technical standards: The current industry-recognized basis for assessment is the ETSI EN 303 645 standard, which is the world's first consumer IoT cybersecurity standard.
Scope of influence: Covers almost all wireless devices that communicate through the Internet, including smart home appliances, toys, wearable devices, etc.
Note: Devices that do not meet the RED cybersecurity requirements will not be available for sale in the EU market. The enterprise R&D side needs to introduce the concept of "Security by Design" in the product definition stage.
2. United Kingdom: PSTI Act (mandatory)
The UK's "Product Security and Telecommunications Infrastructure Act" (PSTI Act) has been officially implemented on April 29, 2024. This is a mandatory law in the UK for the network security of consumer-grade connected products.
Three core compliance points:
Universal default passwords are prohibited: The device is not allowed to use universal factory passwords such as "admin" or "123456". It must be "one machine, one password" or the user is forced to change it when using it for the first time.
Vulnerability Disclosure Policy: Manufacturers must provide clear contact details for security researchers to report vulnerabilities.
Software Update Support Period: Consumers must be clearly informed of how long the product will provide security update support (Support Period).
3. United States: FCC Cyber Trust Mark and California Act
Although the U.S. market is led by state legislation (such as California SB-327), the implementation of unified certification at the federal level is accelerating.
FCC Cyber Trust Mark ( Cyber Trust Mark): This is a voluntary but highly market-influential program. Obtaining this logo means that the product meets high-standard cybersecurity requirements such as NIST IR 8425, which will greatly enhance the competitiveness of the product in North American retailers (such as Amazon and Best Buy).
Mandatory trend: For equipment involving critical infrastructure or centralized government procurement, network security compliance has become a mandatory requirement.
4. Asia-Pacific region: Singapore and Japan
1. Singapore CLS (Cyber Security Labeling Scheme):
The CLS launched by the Singapore Cyber Security Agency (CSA) is divided into 4 levels. For consumer products such as smart homes, it is usually required to reach Level 1 or Level 2, which mainly assesses the default password management and software update mechanism.
2. Japanese MIC certification:
Japan's Ministry of Internal Affairs and Communications has added security requirements for terminal devices in TELEC certification (technical adaptation), especially for IoT devices, which require access control functions and firmware update functions to prevent illegal access.
5. How do enterprises respond? GTG Guangce Group Recommendations
Network security certification is different from traditional security regulations or EMC testing. It focuses more on software logic, encryption algorithms and vulnerability management. For R&D and certification leaders, we recommend:
First, evaluate as early as possible: Don't wait until the product sample is sealed before considering network security. The cost of modifying the underlying code is extremely high.
Second, pay attention to password policy: "weak password" is the most common failure item in the test, so it is necessary to establish a perfect password management mechanism.
Third, document preparation: Prepare vulnerability disclosure policy documents, software BOM and security architecture documents in advance.
GTG Guangce Group has a professional technical team in the field of Internet of Things network security, which can provide enterprises with one-stop technical services from gap analysis, vulnerability scanning to final certification according to ETSI EN 303 645, NIST IR 8425 and other standards.
Networked Product Cybersecurity Certification/Penetration Testing/Compliance Consulting
Professional technical answers to help your products go overseas safely
Consultation hotline: Deng Gong net04@gtggroup.com
This article is edited and compiled by GTG Guangce Group. The content is for reference only. The specific standards are subject to the latest regulations.