
Navigating new IoT cyber security standards

Understand the impact of EN 18031 and the UK CS&R Bill on IoT security, compliance and market access requirements.

As the Internet of Things (IoT) continues to transform industries and daily life, the need for robust cyber security measures has never been more critical. With billions of connected devices in use, new regulations are being introduced to secure these devices and their networks. No matter how well-designed, IoT devices face the real risk of cyber attacks and malicious behaviour after deployment. 

EN 18031 is one such regulation in Europe, with far-reaching implications for manufacturers and Original Equipment Manufacturers (OEMs). This blog will explore what EN 18031 means for your business, followed by a look at the UK's Cyber Security and Resilience (CS&R) Bill, which aligns well with EN 18031 although it is not fully harmonised with it. 

Although some exemptions exist for military equipment, medical devices, aviation, automotive and electronic road toll systems, EN 18031 primarily applies to industries reliant on IoT and wireless devices, including consumer electronics, healthcare, industrial IoT, energy, agriculture, and telecommunications. Devices in these sectors must meet cyber security standards to be sold in the European Economic Area (EEA), ensuring security, data protection, and fraud prevention. Compliance with EN 18031 is crucial—non-compliant devices will be deemed unsafe and cannot be legally sold in the EEA without the CE mark. Achieving the CE mark, which certifies compliance with EU regulations, is vital for market access in Europe. The deadline for compliance is 1 August 2025 - after this date, devices that do not meet the cyber security requirements will be prohibited from entering the market. 

EN 18031: A new standard for IoT security 

The EU Radio Equipment Directive (RED) has been in effect since 2017 and covers aspects of radio (wireless) equipment including safety, electromagnetic compatibility and use of the radio spectrum. It has now been strengthened to impose three additional essential cyber security requirements on internet-connected radio (wireless) products available in the European Union (EU). 

EN 18031 provides that strengthening. It specifies requirements not only for the design and implementation but also for the ongoing management of secure devices and networks. As the number of IoT devices grows, so does the risk of security breaches, which is why EN 18031 introduces critical guidelines for manufacturers to ensure their devices are protected from cyber threats. 

The standard emphasises three new essential cyber security requirements for IoT devices, as defined by Commission Delegated Regulation (EU) 2022/30, also known as the RED Delegated Act or, most commonly, simply as the Radio Equipment Directive: 

  • Network protection (3(3)(d)): Devices must not harm the network or misuse network resources. They must be built to prevent cyber attacks and ensure the integrity of connected networks.
  • Privacy protection (3(3)(e)): Devices must ensure the protection of personal data, aligning with privacy laws like GDPR to safeguard user information.
  • Fraud prevention (3(3)(f)): Devices must incorporate features to prevent fraudulent activities, such as unauthorised access or data manipulation.

These three requirements - network protection, privacy and fraud prevention - are crucial for the future of IoT security. Adhering to these standards will not only reduce the risk of cyber attacks but also ensure compliance with regulatory expectations and maintain customer trust. 

What About the UK? The CS&R Bill 

While EN 18031 sets the standard in Europe, the UK Cyber Security and Resilience (CS&R) Bill addresses IoT security within the UK. The bill tackles similar concerns about securing connected devices but is not fully harmonised with EN 18031. In other words, while the CS&R Bill and EN 18031 share the same overarching goal - protecting IoT devices from cyber threats - the two frameworks are distinct. 

The CS&R Bill mandates that manufacturers meet minimum cyber security standards for IoT devices sold in the UK. These include securing networks, ensuring data privacy, and protecting against fraud - similar to the requirements in EN 18031. However, the CS&R Bill introduces specific compliance requirements for the UK market, and businesses selling IoT products in both the UK and the EU will need to navigate these differences. 

The key distinction is that businesses must ensure compliance with both EN 18031 (for EU markets) and the CS&R Bill (for UK markets), as the two sets of regulations, though aligned in principle, are not fully harmonised in terms of implementation and legal frameworks. 


How the Wireless Logic IoT security framework addresses these requirements 

To meet the essential security requirements outlined in EN 18031, the UK's CS&R Bill and NIST CSF, Wireless Logic offers a comprehensive IoT security framework designed to protect devices and networks across both markets. This framework enables enterprises and OEMs to meet key security requirements and achieve compliance with the new regulations. Our anomaly and threat detection capability is of particular importance: it helps you achieve compliance while differentiating your products from those of competitors. 

  • Network protection: The framework secures device-to-network communication, preventing misuse and protecting infrastructure from cyber threats.
  • Privacy protection: It integrates data encryption, secure storage, and compliance with GDPR and UK data protection laws, ensuring users' privacy is safeguarded.
  • Fraud prevention: The framework provides strong authentication mechanisms and real-time monitoring to detect and prevent fraudulent activity. 


By adopting the Wireless Logic IoT security framework, businesses can ensure their devices meet the stringent requirements of EN 18031, the CS&R Bill (UK), and NIST CSF (USA), protecting their products, data and users from emerging cyber risks while gaining a competitive edge. 

Conclusion 

The introduction of EN 18031 in Europe and the UK Cyber Security and Resilience (CS&R) Bill represents a significant step toward securing IoT devices. While both regulations share common goals, businesses must comply with both sets of requirements, as the UK and EU have separate frameworks in place. The Wireless Logic IoT security framework provides a structured approach to help businesses meet these complex requirements and ensure their devices remain secure and compliant in both regions. 

Are you ready to secure your IoT devices and stay ahead of the curve in an increasingly regulated digital landscape? 
