Cybersecurity Testing & Compliance
Cybersecurity compliance for network-connected smart devices and IoT products requires a clear understanding of both the standards that set the technical security requirements and the regulations that enforce them across the various global regions. Taken together, these requirements aim to:
- Protect network integrity and prevent misuse.
- Safeguard personal data and privacy.
- Prevent fraud and misuse, especially for devices handling monetary value.
- Comply with mandatory government regulations to sell your product legally.
C-PRAV Cybersecurity Compliance Services
C-PRAV provides expert services tailored to navigating this complex regulatory landscape, including:
- Cybersecurity testing against EN 18031-1, EN 18031-2, EN 18031-3 and EN 303 645 for the European directives and for the UK and Australian regimes.
- Supporting you with the Declaration of Compliance required under the European RED, UKCA and the Australian Cyber Security Act.
- Guiding and supporting product developers through VAPT (Vulnerability and Penetration Testing) to find and exploit potential security weaknesses in software, hardware, IT and network configurations.
- Specialized guidance and testing for Common Criteria certification (ISO/IEC 15408) targeting Asia-Pacific rules.
- Guidance and support for global cybersecurity requirements such as the USA's NIST SP 800-115 and the NIST Cybersecurity Framework 2.0.
- Comprehensive end-to-end support for your market entry into India, covering the mandatory MTCTE, NCCS and ITSAR requirements for network devices.
We got you secured.
Understanding Cybersecurity
Cybersecurity refers to the measures taken to protect digital systems, networks, and connected devices from unauthorized access, data breaches, and malicious attacks. It is a vital discipline in today’s interconnected world, where billions of devices are linked through the Internet of Things (IoT) and critical information flows across global networks. Cybersecurity ensures the integrity, confidentiality, and availability of data, safeguarding individuals and organizations from risks such as financial fraud, identity theft, and system disruptions.
The Rise of IoT and Connected Devices
A large proportion of electronic and electrical devices sold today are connected to the internet. Beyond traditional devices like computers and smartphones, IoT products are becoming integral to daily life. Examples include:
- Smart Home Devices: Thermostats, security cameras, and voice-controlled speakers.
- Wearable Technology: Fitness trackers and health monitors.
- Child and Pet Safety Gadgets: Baby monitors and GPS-enabled pet trackers.
- Medical Devices: Diagnostic and therapeutic equipment connected to the cloud.
- Industrial Control Systems: Automation tools and sensors used in manufacturing and utilities.
While these devices provide convenience, they are particularly vulnerable to cyber threats, including unauthorized access, data breaches, and system manipulation. A single compromised device can lead to widespread consequences, from financial losses to safety risks.
Cybersecurity Standards by Region
Australia
The Australian Government is committed to enhancing the cybersecurity of the digital products that Australians use every day. From 4 March 2026, the Cyber Security (Security Standards for Smart Devices) Rules 2025 (the Rules) will commence. EN 303 645 serves as the recognized baseline standard for IoT device security, focusing on aspects such as secure default settings, vulnerability management and data protection. Additionally, the ETSI EN 18031 series aligns with the radio equipment security requirements applicable within Australia. The following products are covered on a voluntary basis only: desktop computers, laptops, smartphones and tablet computers.
Australia has also formally adopted IEC 62443 (as AS IEC 62443) into its national standards for securing critical infrastructure, designating it as recognized best practice. This aligns Australia with a growing list of countries that recognize IEC 62443 as the benchmark for industrial cybersecurity.
European Union
The current requirements are detailed in Article 3(3) sections (d), (e), and (f) of Radio Equipment Directive (RED) 2014/53/EU and apply to internet-connected radio equipment, as well as devices processing personal data or enabling monetary transfers. The Radio Equipment Directive (RED) mandates compliance with EN 18031-1, EN 18031-2, and EN 18031-3, specifically addressing cybersecurity for radio and IoT devices. EN 303 645 complements these as a widely adopted security baseline for consumer IoT products.
Upcoming Comprehensive Cybersecurity Requirements: ETSI has published drafts of four vertical standards under the Cyber Resilience Act (CRA). The timeline (shown as a figure on the original page) runs up to the CRA's full enforceability on December 11, 2027.
Obligations of Manufacturers:
1. Design and Development: risk assessment, product-related essential requirements, vulnerability-handling essential requirements and conformity assessment.
2. Maintenance: vulnerability handling throughout the product lifetime (the period during which the product is expected to be in use).
3. Reporting: reporting obligations that continue throughout the product lifetime.
Available Drafts
- Topic 18: Password Managers – EN 304 618
- Topic 25: Virtual Network Interfaces – EN 304 625
- Topic 26: Operating Systems – EN 304 626
- Topic 27: Routers, Modems, and Switches – EN 304 627
United States
The UL 2900 series of standards, along with the NIST IoT cybersecurity guidelines, provides a widely referenced framework for technical security controls on connected devices. These standards emphasize risk management, secure communication and lifecycle protection; C-PRAV provides guidance and support for NIST SP 800-115 and the NIST Cybersecurity Framework 2.0.
India
The National Centre for Communication Security (NCCS) is a centre under the Department of Telecommunications (DoT) responsible for implementing the certification scheme. The Government of India established NCCS (formerly the Security Assurance Standards Facility) to facilitate testing and compliance with these cybersecurity standards. The scope of certification covers all types of telecom equipment to be sold in India and connected to the Indian telecom network. Any Original Equipment Manufacturer (OEM), importer or dealer who wishes to sell, import or use telecom equipment in India must have that equipment security tested and certified. NCCS has published 63 ITSARs to date.
United Kingdom
The UK aligns with the ETSI cybersecurity standard ETSI EN 303 645, while closely mirroring the European directives for other requirements such as EMC, Safety, Radio and RoHS.
Asia-Pacific (Singapore, Japan, South Korea)
In the APAC region, Common Criteria (ISO/IEC 15408) plays a pivotal role in cybersecurity certification, particularly for smart and connected devices used in government or critical sectors. Additionally, local standards and frameworks incorporate elements of ISO/IEC 27001 and NIST for managing information security risks. Common Criteria (CC) certificates and test results are mutually recognized among participating countries.
International Industrial Cybersecurity
In addition to the regional standards, there are international standards such as ISA/IEC 62443, a series of international standards for cybersecurity in industrial automation and control systems (IACS), also known as operational technology (OT). It provides a framework for asset owners, service providers and product suppliers to secure these systems throughout their lifecycle, addressing both technical and procedural security aspects. The goal is to improve the security and reliability of industrial systems through a risk-based approach.
Related Resources
European Cyber Resilience Act (CRA)
The European Cyber Resilience Act (CRA) establishes a robust legal framework to enhance the cybersecurity of hardware and software products with digital elements in the European Union (EU). Designed to address the increasing prevalence of cyberattacks and vulnerabilities in connected devices, the CRA sets clear and enforceable requirements for manufacturers, importers, and distributors, ensuring security across the entire lifecycle of these products. What is the Cyber Resilience Act? Adopted
FCC Selects Lead Administrator for Cybersecurity Label Program
The Public Safety and Homeland Security Bureau (Bureau) announces the selection of UL LLC (UL Solutions) to serve as both the Lead Administrator as well as a Cybersecurity Label Administrator (CLA) for the Federal Communications Commission’s (FCC or Commission) Internet of Things Cybersecurity Labeling Program (IoT Labeling Program) which includes the U.S. government certification mark (U.S. Cyber Trust Mark). Official Notification
Cyber Resilience Act: Council Approves New Legislation for Digital Products
The Council approved new legislation on cybersecurity requirements for products with digital components, aimed at ensuring the safety of items like connected home cameras, refrigerators, TVs, and toys before they are introduced to the market (Cyber Resilience Act), on 10th Oct 2024. The new legislation, targeting manufacturers, distributors, and importers of hardware and software, seeks to enhance the security of digital products across Europe. The Cyber Resilience Act will ensure: