EN 18031

[EU] The European Union has incorporated the EN 18031 series into the RED Directive

Latest Update on EN 18031

According to the EU Implementing Decision EU 2025/138, the standards EN 18031-1, EN 18031-2, and EN 18031-3 were officially incorporated into the RED Directive (2014/53/EU) on January 30, 2025, and have become Harmonized Standards. These standards reinforce cybersecurity requirements for radio equipment, particularly in areas such as internet-connected devices, toys, and wearable devices.

EN 18031 Restrictive Provisions

However, the incorporation of these standards comes with certain restrictions, including additional requirements related to passwords, parental controls, and security updates. Although the standard permits devices without passwords, such devices will not be considered compliant under RED. For further details, please refer to the official EU website or consult with our experts.

Harmonized Status and Its Implications

Following their harmonization, manufacturers can have their products tested in accredited laboratories without the need for Notified Body (NB) certification, thereby significantly simplifying the market entry process. For companies, this is not only a regulatory compliance mandate but also a critical measure for ensuring product cybersecurity.

As a market-leading testing organization, The One offers professional cybersecurity testing and certification services to help enterprises ensure that their products meet the new regulatory requirements. We will continue to monitor regulatory developments and assist our clients in adapting product designs to secure smooth market entry into the EU and avoid compliance risks.

Source: Official EU website: EU 2025/138

Contact Us
Email: Charles.liao@theonelab.co
Phone: (02)8601-2828

BIS, CCTV, ER:01

【India】Essential requirement(s) for security of CCTV

What is ER:01?

MeitY announced an amendment to IS 13252 (Part 1):2010 on 9 April 2024, stating that all CCTV products shall comply with the Essential Requirement(s) for Security of CCTV.

  • The scheduled enforcement date was 9 October 2024, but it was subsequently delayed.
  • The new date will be 9 April 2025.

What should we do?

As MeitY states in the Guidelines for implementation of “Essential Requirement(s) for Security of CCTV”:

    1. Existing licensees of ‘CCTV Cameras’ as per IS 13252 (Part 1) : 2010/ IEC 60950-1 : 2005
      • shall implement the ER by 09 April 2025 for the existing models in their scope by applying online along with test report for ER: 01.
      • After 09 April 2025, non-compliant models shall be deleted from the scope of License. If the Licensee fails to take necessary action by 09 April 2025 or if none of the models are complying, License shall be liable for cancellation.
    2. For New Applicants of CCTV Cameras
      • Applications for CCTV Cameras may be submitted along with test report for ER: 01 in addition to test report as per IS 13252 (Part 1): 2010.
      • Processing of Applications without test report for ER: 01 shall be permitted only upto 09 April 2025 and for such cases Applicant shall give a declaration that they will implement the revised Standard by 09 April 2025.
      • Beyond 09 April 2025 no Licence for CCTV cameras shall be granted without compliance to ‘Essential Requirement(s) for Security of CCTV’ as notified in the QCO.

The enforcement date is approaching. We suggest that manufacturers plan their applications as soon as possible, as the process may take 2-3 months or even longer.


Our Service

  1. Full Pre-assessment capability in Taiwan
    • Submission in India is complicated. A single failure in the test may result in a restart of the whole application process.
    • THE ONE has the full ability to pre-assess your products, so that you can have a more suitable product sample sent to Indian laboratories.
  2. Submission to the Indian authority with our partner laboratories and agencies in India
    • ER:01 must be carried out inside India (in-country test)
    • BIS has currently recognized only 14 laboratories to carry out the test and issue reports (as of 2025/01/17)
    • THE ONE has connections with the recognized laboratories

Only a few parties in Taiwan and India can handle the whole process for ER:01 as per IS 13252 (Part 1):2010. THE ONE cybersecurity lab has the most reliable skills and networks in India, providing you with accurate and effective service for ER:01. We will be the most reliable ONE for your products.

If you have any questions, please feel free to contact our specialist Charles by

email: Charles.liao@theonelab.co

Tel: (02)8601-2828

IMDA, RG, Cyber

【Singapore】 IMDA Residential Gateway (RG) Regulations: Dual Certification in Cybersecurity and Wireless Communication

IMDA TS RG-SEC and Cybersecurity Labelling Scheme (CLS)

The Infocomm Media Development Authority of Singapore (IMDA) introduced the technical standard IMDA TS RG-SEC in October 2020, requiring Residential Gateways (RGs) to meet higher levels of cybersecurity standards while providing wireless communication services. This regulation aims to enhance the security of home network devices and protect user data from cyber threats.

Under this new standard, RG products must complete the IMDA wireless communication certification registration process and simultaneously apply for the Cybersecurity Labelling Scheme (CLS). The CLS, established by the Cyber Security Agency of Singapore (CSA), classifies products into four levels (Level 1~4) based on their security design and protection capabilities. This certification must be actively registered by manufacturers or developers.

Regulatory Timeline

  1. From April 12, 2021, all newly launched RG products must obtain a CLS label after completing IMDA registration.
  2. From October 12, 2021, all new RG products intended for sale in Singapore and those already on the market must comply with both CLS and IMDA certifications.

The full implementation of this regulation underscores Singapore’s commitment to home network security and provides clear compliance guidelines for electronics manufacturers entering the Singapore market.

For inquiries regarding RG products for the Singapore market, feel free to contact our professionals via email. We will respond promptly with expert advice.

Charles: Charles.liao@theonelab.co

JC-Star, JC star, IPA

[Japan Cybersecurity] Japan Launches JC-STAR IoT Security Rating System, and THE ONE Provides Full Support.

JC-STAR IoT Security Rating System

The Japan Information-technology Promotion Agency (IPA) has recently introduced the JC-STAR (Japan Cyber-Security Technical Assessment Requirements), a security rating system for IoT devices. This initiative aims to enhance the security of IoT products while providing consumers with clear and reliable information about product safety. The system aligns with international standards such as ETSI EN 303 645 and NISTIR 8425, establishing a unique evaluation framework for IoT security in Japan.


Overview of the JC-STAR System

The JC-STAR system is based on technical security requirements designed to evaluate and label IoT products that meet safety standards. The system categorizes products by different security levels and uses labeling to provide consumers with a clear understanding of a product’s security level.

Currently, the entry-level “★1” rating has been introduced, setting a foundational security standard broadly applicable to various IoT devices. This ensures that these devices possess minimum defensive capabilities to resist common cyberattacks.

Key highlights of the “★1” rating include:

  • Preventing IoT devices from being infected with malware and becoming part of botnets.
  • Defending against remote attacks from the internet.
  • Requiring clear policies for addressing and supporting vulnerabilities or defects.
  • Ensuring the proper deletion of data generated during device operation when it is disposed of or resold.

Applicable Products

The “★1” rating primarily applies to IoT devices that meet all the following criteria:

  1. Products include hardware, with the label affixed to the device. Software or cloud services alone are not included.
  2. Devices must have the capability to send and receive data using internet protocols (IP).
  3. Devices may connect to the internet, directly or indirectly.
  4. It is difficult or impossible to add new security features to the device after purchase (beyond updates).

Examples of devices not typically covered by the “★1” rating include personal computers, smartphones, and tablets, as they do not meet the fourth criterion. Additionally, devices physically or logically isolated from the internet are also excluded.


Application Requirements and Process

The “★1” rating evaluation follows a self-declaration model, where manufacturers are responsible for assessing their products’ compliance with the security standards. The application process includes the following steps:

  1. Prepare Supporting Documents:
    While proof of compliance is not required during application submission, supporting documents such as technical files, internal reports, and regulations must be prepared for the evaluation process.
  2. Complete the “Suitability Evaluation Checklist”:
    Using the prepared documentation, carefully complete the checklist to ensure accurate evaluation results for each item.
  3. Submit the Checklist:
    Once completed, submit the checklist to complete the application.
  4. IPA Review:
    IPA will review the submitted checklist upon receipt.
  5. Possible Submission of Supporting Documents:
    During the validity period of the rating or if IPA raises questions regarding the application, manufacturers may be required to provide supporting documents for review.

Manufacturers can opt to work with external agencies (e.g., JC-STAR evaluation or verification agencies) to assist in the evaluation and checklist completion. Additionally, even under a Non-Disclosure Agreement (NDA), IPA reserves the right to request supporting documents. Manufacturers must ensure the accuracy and authenticity of their submissions and actively cooperate with IPA’s review requirements.


THE ONE’s ★1 Services

THE ONE offers comprehensive support for your “★1” rating application, including:

  • Assisting with documentation preparation.
  • Conducting product evaluations.
  • Performing necessary testing to provide evidence for evaluation.
  • Submitting applications on your behalf.

For any inquiries or service requests, feel free to contact us.

Email: Charles.liao@theonelab.co
Phone: 02-8601-2828

RED

Understanding EN 18031: Key Highlights Explained by The One

RED Cybersecurity Requirements

In 2022 and 2023, the EU issued supplementary delegated acts for the RED Directive, namely (EU) 2022/30 and (EU) 2023/2444. These acts require manufacturers to integrate three cybersecurity requirements into product design and production processes. The new rules will take effect on August 1, 2025.

  • Article 3.3(d):
    Radio equipment must not harm the network or its functionality, nor misuse network resources, thereby avoiding unacceptable degradation of service.
  • Article 3.3(e):
    Radio equipment must include safeguards to protect the personal data and privacy of users and subscribers.
  • Article 3.3(f):
    Radio equipment must support specific features to ensure protection against fraud.

Scope and Exemptions

Scope

  • Article 3.3(d): Applies to any radio equipment capable of internet communication, whether directly or via other interconnected devices.
  • Article 3.3(e): Covers radio equipment capable of processing personal, traffic, or location data. This includes internet-connected devices, child-care equipment, most wireless toys (per Directive 2009/48/EC), and wearable devices.
  • Article 3.3(f): Applies to internet-connected radio equipment enabling the transfer of money, financial assets, or virtual currencies.

Exemptions

  • Articles 3.3(d), (e), and (f) do not apply to medical devices regulated under (EU) 2017/745 and (EU) 2017/746.
  • Articles 3.3(e) and (f) are also excluded for:
    • Remote-controlled drones and specific non-airborne radio equipment under (EU) 2018/1139;
    • Motor vehicles and related systems or components under (EU) 2019/2144;
    • Road toll systems governed by Directive (EU) 2019/520.

EN 18031 Standards

The EN 18031 series comprises three parts (EN 18031-1, EN 18031-2, and EN 18031-3), each addressing different cybersecurity requirements in the RED Directive:

  • EN 18031-1: Ensures that radio equipment does not adversely affect the network or its functionality and prevents misuse of network resources that could severely impact services. Applicable to all radio equipment capable of internet communication.
  • EN 18031-2: Provides safeguards to protect users’ and subscribers’ personal data and privacy. Applicable to devices handling personal data, such as internet-connected devices, child-care equipment, wireless toys, and wearable devices.
  • EN 18031-3: Ensures that internet-connected radio equipment facilitating the transfer of money or virtual currencies is equipped with features to prevent fraud.

Asset Types and Evaluation

The EN 18031 series categorizes assets into four types: security assets, network assets, privacy assets, and financial assets. Security assets are addressed across all three standards, while the other asset types are tailored to their respective standards. The evaluation process employs a mechanism-based approach to guide the application of security measures and assess their appropriateness and suitability.

Stay tuned as we delve deeper into the highlights of EN 18031-1, -2, and -3 in upcoming updates!


If you have any cybersecurity-related inquiries, feel free to contact our specialist, Charles, at charles.liao@theonelab.co.

NCCS

【INDIA ITSAR】Revision of Declaration of conformity cum Undertaking proforma for the Pro Tem certificate -reg.

On 30 October, the Indian telecom authority, TEC, issued a new revision of the MTCTE notification regarding the “Security Certification for IP Router and Wi-Fi CPE Products.”

These devices serve networking purposes, each with distinct roles and features. Routers are designed to route data packets between computer networks, while Customer Premises Equipment (CPE) connects the customer’s location to the service provider’s network. Although routers may sometimes be integrated into a CPE setup, their primary function differs.

After initially proposing these products for inclusion in its first MTCTE notification last year, TEC has since postponed the mandatory certification dates twice. The deadline was initially set for 1 April this year. Then, on 16 April 2024, the National Centre for Communication Security (NCCS) issued a notification dividing devices into two categories, labeled S No.1 and S No.2. The joint MTCTE & NCCS portal was set to accept security certification applications from 1 July for S No.1 and from 1 October for S No.2.

With the latest notification, TEC has now extended the application deadline for S No.2 products to 30 November. This category includes “IP Routers and Wi-Fi CPE equipment already certified under MTCTE ER, currently deployed in licensees’ (TSPs’) networks, and proposed for hardware or software changes.”

The application process is a documentation-based self-declaration of conformity to Indian Telecommunication Security Assurance Requirements (ITSAR). The Declaration format is provided with the notification. Upon submission, a “Pro Tem Certificate” valid for six months will be issued, allowing continued supply of these products until full certification is granted.

For further details on project and submission requirements, please contact charles.liao@theonelab.co.

For more details from NCCS, please read the official document.

EU CRA

EU Cyber Resilience Act (CRA) Overview: Aside from the RED

EU Cyber Resilience Act (CRA) Overview

The Cyber Resilience Act (CRA), introduced by the EU in 2022 and adopted in October 2024, aims to ensure the cybersecurity of connected products. It mandates rigorous cybersecurity standards across digital products, specifically targeting devices and software that connect to the internet. The CRA emphasizes security throughout the product lifecycle to mitigate cybersecurity threats and vulnerabilities.

Key Milestones:

  • September 2022: Initial draft introduced by the European Commission.
  • October 2024: EU Council adopts the act, setting new safety requirements.
  • November 2024: Expected to be published in the Official Journal of the EU, with enforcement beginning after 20 days and a 36-month compliance period for companies.

Core Requirements:

  1. Secure by Design: Products must incorporate security features from design to production stages.
  2. Ongoing Updates: Networked products must support regular security updates and patching.
  3. Transparency of Information: Manufacturers must provide security-related information, including design, known risks, and update policies.
  4. Regulatory Oversight and Penalties: Non-compliant products may face fines or market removal.

Scope of Products Covered:

CRA covers most internet-connected devices, including:

  • Smart Home Devices: E.g., smart refrigerators, TVs, cameras, and toys.
  • Wearables: Such as smartwatches and health monitors.
  • Everyday IoT Devices: E.g., smart bulbs, connected outlets, and home security systems.
  • Industrial IoT Devices: E.g., monitoring systems and automated equipment in factories.

Excluded Products:

Certain categories are exempt due to existing regulations:

  • Medical Devices: Covered by stringent healthcare laws.
  • Aviation Equipment: Governed by aviation regulations.
  • Automobiles: Secured under EU vehicle safety laws.
  • Open-source Software: Exempt when used non-commercially.

CRA’s Vision:

CRA aims to act as a digital safety wall in the EU, enhancing the security of every connected product. For companies, it presents not only a compliance challenge but also an opportunity to boost product credibility and competitiveness.

For further inquiries or assistance with CRA compliance, feel free to contact THE ONE Cybersecurity Lab. We’re dedicated to helping your products meet the latest cybersecurity standards.

Cybersecurity Solutions for RED: ETSI EN 303 645 and EN 18031 Standards

The One Lab: A Leading Cybersecurity-Only Lab for EU Standards

The One Lab is a specialized cybersecurity laboratory focused on European standards. As experts in this field, we are particularly dedicated to the new cybersecurity requirements under the Radio Equipment Directive (RED), set to be enforced in August 2025. Below, we provide an overview of two key standards related to these cybersecurity requirements: ETSI EN 303 645 and the EN 18031 series.

ETSI EN 303 645: Cybersecurity for IoT Products

In 2019, ETSI TC CYBER introduced the first cybersecurity standard for consumer IoT products, which later evolved into ETSI EN 303 645. This standard aims to set baseline security requirements for consumer IoT products, outlining 13 security guidelines and 68 provisions to protect against large-scale attacks on smart devices. It also forms the foundation for future IoT certification programs.

ETSI EN 303 645 primarily provides security guidelines, while ETSI TS 103 701 details specific methods for testing and evaluation. Over time, EN 303 645 has proven to be an effective standard through extensive testing and has guided the security assessment of other electronic products. Many countries have referenced this standard when developing their own cybersecurity regulations, such as the UK’s PSTI and Singapore’s Cybersecurity Labelling Scheme.

EN 18031 Series: Comprehensive Cybersecurity Standards

The EN 18031 series is specifically designed to meet the new requirements of the RED and aims to become a harmonized standard for these regulations. The forthcoming Cyber Resilience Act (CRA) is also expected to adopt the EN 18031 series as its baseline requirement.

Approved by the European Union as an official EN standard, the EN 18031 series goes beyond IoT products covered by ETSI EN 303 645, including all network-connected radio equipment such as laptops, smartphones, and routers. It offers a more comprehensive set of testing and assessment methods, making it a crucial standard for all connected devices.

The One Lab’s Expertise in Cybersecurity Standards

The One Lab has obtained TAF certification for EN 303 645 and is on track to achieve certification for the EN 18031 series by Q1 2025. With our extensive expertise and solutions, we are well-equipped to support clients with various IoT products in navigating these cybersecurity standards. If you have any questions about your products, please reach out to us for guidance on planning for the European cybersecurity market.

By incorporating ETSI EN 303 645, EN 18031 series, cybersecurity, and RED into our services, The One Lab ensures your products meet the latest European cybersecurity requirements.

[Partnership Announcement] Congratulations to THE ONE and Eurofins on Signing a Cybersecurity MOU

We are thrilled to announce that THE ONE has officially entered into a partnership with Eurofins. With ONELAB’s cutting-edge cybersecurity technology combined with Eurofins’ extensive customer base, we are committed to providing the highest quality cybersecurity testing services to our partners across various sectors of the electronics industry.

This collaboration also signifies that THE ONE’s laboratory capabilities have reached a world-class standard, allowing us to establish profound partnerships with multinational corporations.

On the day of the agreement signing, THE ONE was represented by our Cybersecurity Lab Director, Mr. Norton, who signed the cybersecurity partnership agreement alongside Mr. Thami, the NB representative from Eurofins Germany, and Mr. Ethan, the representative from Eurofins Taiwan.

Through this partnership, we are dedicated to delivering the most professional testing and customer service, ensuring that your products can achieve cybersecurity certification and be sold globally.

If you have electronic products intended for export and are uncertain about the need for cybersecurity certification, we warmly invite you to reach out to us at service@theonelab.co for further inquiries.

IoT cybersecurity

【EDM】New challenges in the IoT market

IoT cybersecurity

As the Internet of Things (IoT) market rapidly expands, so do the associated security risks. This year, countries around the world have begun to establish stringent cybersecurity regulations for IoT products, including:

  • The UK’s PSTI (effective from April 29, 2024)
  • Europe’s EN 303 645 and EN 18031 (effective from August 2025)
  • The USA’s Cyber TrustMark initiative (currently in planning)
  • India’s BIS cybersecurity requirements (requirements for CCTV, DVRs, etc. already implemented)

This means that IoT product manufacturers will need to quickly respond to these significant demands.

Our Value

The One Cybersecurity Lab was founded for this very purpose. As a leading IoT cybersecurity expert, we provide cutting-edge security solutions to help you navigate the challenges of new regulatory environments, protecting your products and users from cyber threats.

The establishment of The One Cybersecurity Lab stems from our deep understanding of the increasing need for digital security. With the global proliferation of IoT devices, these devices have become prime targets for cyberattacks. To address this challenge, we have assembled a team of seasoned cybersecurity experts, engineers, and researchers committed to developing and providing solutions that meet the highest security standards.

Our Services

Our range of services covers the extensive cybersecurity needs of IoT products, including home automation devices, smart appliances, and connected products. The One Cybersecurity Lab offers professional security assessments and solutions based on rigorous international standards and is accredited by the Taiwan Accreditation Foundation (TAF) (Accreditation No.: 4248) to ensure that our security measures meet and exceed the industry’s most stringent requirements.

In the global market, our services extend beyond Europe to Southeast Asia, the USA, India, and other regions. Our team has a deep understanding of the unique needs and security challenges of various markets, and we have developed targeted security strategies to ensure our clients maintain a leading position in any market.

We sincerely invite you to learn more about The One Cybersecurity Lab and look forward to the opportunity to collaborate with you to advance the future of IoT product security.

For more information or to discuss collaboration, please feel free to contact us. The One team is always at your service.