
Cybersecurity Update: Technological Neutrality in Cybersecurity Standards

Jun 04, 2024

This blog was originally posted on 4th June, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY AARON GREEN, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS


Introduction

CEN unveiled the final draft text of the proposed harmonized standard for cybersecurity compliance under the Radio Equipment Directive, FprEN 18031-1:2024, at the May members' meeting of REDCA.

In this blog, we outline the changes made to the draft.

FprEN 18031-1:2024 – What’s Changed

There are no major substantive changes from the previous draft, as the drafting body's main focus was on reducing ambiguity in the requirements. The most significant change in the final draft is the removal of exemptions based on "intended use": only specific, enumerated exceptions are now allowed. For example, a specific exemption is granted where interoperability with legacy equipment prevents the adoption of certain access controls.

The central theme of the standard is the adequacy of the access control techniques adopted by the equipment manufacturer. In general, the technology requirements are generic rather than prescriptive: the sufficiency of a given technology is established through documentation of the risk assessment and of the solution adopted. One of the few prescriptive elements in the standard is the cryptographic key length requirement, which is set at 112 bits unless interoperability requires an older protocol. (In practice a 112-bit floor is read as a security strength in the sense of NIST SP 800-57, rather than a raw key size, so a manufacturer should map each algorithm and key size in the product to its equivalent strength before claiming conformity.)
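As an added illustration (this is not code from the blog, from CEN, or from the standard itself), the following Python audit helper maps an inventory of a device's cryptographic parameters to security-strength bands and reports everything below the 112-bit floor. It assumes the conventional NIST SP 800-57 Part 1 equivalences (RSA-2048 and ECC-224 at 112 bits, RSA-3072 and ECC-256 at 128 bits, and so on), which the blog does not cite, and the inventory it checks is constructed sample data, not a real product. It also shows how to ask the local TLS stack which cipher suites it would offer below the same floor, using the `strength_bits` field that Python's `ssl` module exposes per cipher.

```python
"""Check a device's cryptographic parameters against a minimum security strength.

Added example, not part of the original blog post or of EN 18031. The
algorithm-to-strength bands below follow NIST SP 800-57 Part 1 Table 2 (assumed
mapping); the inventory at the bottom is constructed sample data.
"""
import ssl
from dataclasses import dataclass

MIN_STRENGTH_BITS = 112  # the floor discussed in the text

# (lower bound of key size in bits, security strength in bits), strongest first.
_RSA_DH_BANDS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
_ECC_BANDS = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]


def security_strength(algorithm: str, key_bits: int) -> int:
    """Return the NIST-style security strength for an algorithm/key-size pair."""
    alg = algorithm.lower()
    if alg in ("aes", "chacha20"):
        return key_bits  # symmetric ciphers: strength equals key size
    if alg in ("3des", "tdea"):
        # three-key TDEA (168-bit key) gives 112 bits; two-key (112-bit key) gives 80
        return 112 if key_bits >= 168 else 80
    if alg in ("rsa", "dh", "dsa"):
        bands = _RSA_DH_BANDS
    elif alg in ("ecdsa", "ecdh", "ec"):
        bands = _ECC_BANDS
    else:
        raise ValueError(f"unknown algorithm: {algorithm}")
    for lower_bound, strength in bands:
        if key_bits >= lower_bound:
            return strength
    return 0  # below the weakest tabulated band: treat as providing no strength


@dataclass
class Finding:
    component: str
    algorithm: str
    key_bits: int
    strength: int


def audit(inventory, minimum: int = MIN_STRENGTH_BITS) -> list:
    """Return a Finding for every inventory entry whose strength is below `minimum`.

    `inventory` is an iterable of (component, algorithm, key_bits) triples.
    """
    findings = []
    for component, algorithm, key_bits in inventory:
        strength = security_strength(algorithm, key_bits)
        if strength < minimum:
            findings.append(Finding(component, algorithm, key_bits, strength))
    return findings


def weak_tls_ciphers(minimum: int = MIN_STRENGTH_BITS) -> list:
    """Names of cipher suites the interpreter's default TLS context would offer
    whose symmetric strength (OpenSSL's 'strength_bits') is below `minimum`."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < minimum]


# Constructed sample inventory for a hypothetical radio device (not real data).
SAMPLE_INVENTORY = [
    ("tls-server-cert", "rsa", 2048),
    ("firmware-signing", "ecdsa", 256),
    ("legacy-pairing", "rsa", 1024),
    ("storage-encryption", "aes", 128),
    ("legacy-link", "3des", 112),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.component}: {f.algorithm}-{f.key_bits} gives {f.strength} bits, "
              f"below the {MIN_STRENGTH_BITS}-bit floor")
    print("TLS suites below the floor:", weak_tls_ciphers() or "none")
```

Entries that fail the audit are exactly the cases the standard's interoperability exception is meant to cover: each one should either be upgraded or be backed by a documented justification for why the legacy protocol is still required.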

Other improvements in the final draft are:

  • More categories for implementation clarity
  • Improved documentation requirements
  • Overhauled assessment methods
  • Improved risk assessment details
  • Mappings to the ETSI and IEC 62443-4-2 standards to ease the transition to the CEN standard.

The Challenges

It is important to note that the requirement of technological neutrality, which rules out mandating any specific minimum technology, poses a particular challenge for the developers of the new radio equipment cybersecurity standard.

The previous draft was rejected by the EU Commission's consultants on the grounds that it was too generic and lacked objective compliance criteria. This criticism leaves the drafting committee to thread the needle between specific criteria and the Commission's commitment to technological neutrality. That commitment was demonstrated when the Commission announced at the REDCA annual meeting in May 2024 that it would withdraw the harmonized standard for intelligent transport systems, ETSI EN 302 571. The Commission representative explained that the unusual step of withdrawing a standard before a replacement has been adopted is necessary because the existing standard is not technologically neutral.

What’s Next for FprEN 18031-1:2024

The drafting body responsible for the RED cybersecurity standard has attempted to provide specific requirements within the bounds of technological neutrality, so we now await the verdict of the stakeholders and the Commission's consultants. If approved, the final standard remains on track to meet the deadline of 30 June 2024.

Stay on Top of Cybersecurity Regulations and Standards

Want to stay ahead of evolving regulatory developments like FprEN 18031-1:2024?

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – Your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

  • Accelerate time-to-market for products
  • Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
  • Enable business continuity by digitizing your compliance process and building corporate memory
  • Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
  • Save time with access to Compliance & Risks’ extensive Knowledge Partner network
