IoTSF Members-Only Content
Welcome to our members-only webinar back catalogue.
Streamed live on the final Thursday of the month and hosted by yours truly, our expert webinars explore important aspects of IoT cybersecurity in bite-sized chunks.
See the IoTSF Events Calendar for upcoming webinars – I hope you can join me for the next one!
Christopher Bennison, Member Engagement Manager
May 2026
ETSI EN 303 645 with Ken Munro and Sam Thom of Pen Test Partners.
Connected devices are now part of almost every environment, from homes and offices to factories, ships, vehicles, and critical infrastructure. That makes security harder to ignore, especially as standards such as ETSI EN 303 645 become more important across Europe.
In this webinar, Ken Munro and Sam Thom of Pen Test Partners (a long-standing IoTSF member) look at what IoT security means in practice, not just on paper.
Drawing on real hardware testing, they talk through the kinds of issues they see in connected products, where devices often fall short of the standard, and why those gaps matter once devices are deployed into real environments.
The session covers practical lessons from testing non-compliant devices, common weaknesses found in IoT and OT hardware, and what manufacturers, integrators, and organisations should think about before connected devices become part of their wider network.
This is aimed at anyone involved in building, specifying, buying, integrating, or managing connected hardware. The focus is on useful, real-world insight that helps teams understand the risks and improve security in a way that actually works.
April 2026
Presentation 1 with Mustanir Ali (Element)
The EU Cyber Resilience Act (CRA) is coming sooner than you might think.
From 11th September 2026, manufacturers will have reporting obligations relating to in-scope products currently on the EU market.
In this session, Mustanir unpacks these requirements – what needs to be reported, when, and how.
Presentation 2 with David Pashley (Direct Insight)
As CRA deadlines loom, the last minute may be simply too late for IoT devices which can’t feasibly be made sufficiently secure.
What design choices can developers of embedded systems at the edge make right now to reduce the cost and pain of the compliance journey which will inevitably be imposed when management finally gets the memo?
March 2026
‘Autonomous Compliance: Operationalising EU CRA and UK PSTI via Embedded Microservices’ and ‘Standards vs. Security: A Proactive Compliance Framework’
Presentation 1 with Murat Cakmak (Microservice Store)
With the UK PSTI in effect and the EU CRA approaching, IoT manufacturers face a massive manual burden of vulnerability reporting and lifecycle governance. This session introduces a shift from static documentation to ‘Autonomous Compliance’. By replacing monolithic firmware with a modular, microservice-based architecture, the Microservice Store (MSS) and its integrated Security Manager (iSM) automate mandatory obligations—including SBOM generation, 24-hour module-level incident notification, fault-containment, and targeted security updates. Murat will demonstrate how device-level evidence and edge-to-cloud automation transform compliance from an engineering bottleneck into a seamless, verifiable platform function.
Presentation 2 with Jonny Tyers (Threatplane)
Most organisations treat compliance and security as separate problems. You tick boxes for one, patch vulnerabilities for the other, and maintain two sets of documentation that drift apart over time. This talk presents an approach that unifies both. Using risk-based threat modelling, you can identify the controls that satisfy your compliance requirements and protect against real threats. Same analysis, same documentation, same implementation. You’ll see how mapping business impact to technical controls creates a single source of truth. This approach helps you prove to auditors that your controls address actual risks, not just checkbox requirements. And it gives your security team clear priorities based on what matters to the business. We’ll walk through practical examples showing how threat models can simultaneously document controls, justify security investments, and guide implementation work. You’ll leave with a framework that makes compliance and security work together instead of competing for resources.
February 2026
The rapid proliferation of IoT devices across critical industries – e.g. automation, healthcare, smart cities – has introduced significant security challenges. Whilst current cryptographic protocols safeguard data today, upcoming developments in quantum computing threaten to render these protections obsolete. And this threat is amplified by the actions of adversarial nation states looking to disrupt critical industries whilst engaging in hybrid warfare.
This presentation explains the implications of quantum computing on IoT ecosystems.
By the end of the session, participants will have an understanding of quantum safety, what it means for IoT, and a sensible timeline of future actions.
Steven Kennedy is a seasoned cybersecurity architect with deep expertise in securing some of the most complex networks in the world (e.g. Tier 1 telecoms, hyperscale public cloud). After working for several years in Microsoft cybersecurity product management, he took the plunge to become a self-employed consultant. Working with Blue Mesh Solutions, he’s focused on using his knowledge of cryptography and quantum mechanics to help clients transition smoothly into the post-quantum future.
Richard Brooks sent the first IoT hello world message as ‘hello 5G’ across a private 5G network in the UK.
This was all part of the UK Government’s 5G Accelerator Programme and involved collaborators from Hutchinson Ports, 3 Telecom, University of Cambridge, the Port of Felixstowe and Blue Mesh Solutions. Exploratory use cases were developed including autonomous port haulage vehicles and our IoT based project to create digital twins of the large quayside container cranes.
Critical strategic assets, such as ports, require hardened IoT estate encryption, and testing new encryption technologies to present a harder, quantum safe cryptography stance became the final outcome of the project, leading to new quantum safe MQTT solutions and a best in class commercial partnership.
January 2026
For our first session of 2026 we welcome Anupam Mediratta of Stealth Startup, who discusses using AI-generated attack simulations and synthetic “hard negative” data to build adaptive defences against increasingly stealthy, AI-powered IoT threats.
November 2025
We’re closing out the 2025 Webinar Series with an exciting finale – “Cybersecurity Engineering in Automotive: Frameworks, Tools, and Processes”, featuring Alan Jacobs-Cook and Sergio Ricardo Scabar from ZF Engineering Solutions.
This talk explores how cybersecurity engineering is shaping the future of automotive design, focusing on the frameworks, tools, and processes that ensure vehicle systems remain safe, resilient, and compliant with industry standards. Speakers from ZF Engineering Solutions share practical insights into managing cyber risks across complex automotive architectures — from development to deployment — highlighting best practices, regulatory alignment, and the integration of security into every stage of the engineering lifecycle.
October 2025
Steve Hanna of Infineon presented ‘Matter security and device identity: An overview of the CSA standard’ during the October 2025 IoTSF Device Identity Form working group meeting.
September 2025
We’ll have Chris Swan of Atsign with us; his talk title will be ‘Software Supply Chain Security – SBOMs, SLSA and Scorecards’.
We’ll also have Yogesh Kokadwar of Johnson Controls joining us from Pune. His talk will be ‘Offensive IoT Security: Exploiting Vulnerabilities in Connected Devices’.
August 2025
‘Post-Quantum Cryptography (PQC) for IoT: Securing Devices for the Quantum Future’ and ‘Adapting a Root of Trust silicon design to handle post-quantum cryptography’
We’ll be joined by Device Authority’s Amit Rao; his presentation will be ‘Post-Quantum Cryptography for IoT: Securing Devices for the Quantum Future’.
We’ll also have Javier Orensanz Martinez, the CEO of lowRISC and a former VP and General Manager at ARM.
July 2025
On the day before RED takes effect – RED eve, if you like – we’ll be joined by Richard Marshall of Xitex to talk us through all the very latest. We’ll also have a roundtable discussion, together with audience Q&A, involving BSI and experts from the IoTSF’s Regulatory Watch working group.
June 2025
Topics are: Threat modeling, ‘Why doesn’t security get a seat at the table?’ with Adam Shostack, and Space IoT, ‘Decentralised space systems: Frameworks for the future of space communities’ with Beth Probert and Agathe Bouis.
May 2025
We’ll have Fred Gordy of MBI and Jim McGlone of Concentric IoT LLC focusing on the current state of OT cybersecurity in the global built environment, the challenges the industry faces in addressing it, and ideas on the way forward.
April 2025
‘The Critical Role of Randomness in IoT Security’ by Dr Ramy Shelbaya – Quantum Dice
This talk explores the key role high-quality randomness plays in cybersecurity, focusing on the evolution of randomness and its applications in IoT security.
‘PQC transition: What you need to know in 2025’ by Daniele Fronte, PhD – SEALSQ
As quantum computing advances, the cryptographic foundations securing modern systems face unprecedented risks. This webinar provides a strategic roadmap for navigating the PQC transition in 2025, blending historical context, actionable timelines, and practical security insights.
March 2025
Featuring the talks ‘The Internet of Things or The Intranet of Things?’ by Richard Newbould, Vodafone and ‘Normalising Security for IoT with Protected Containerisation and Modular Development’ by Murat Cakmak, ZAYA.
February 2025
Temple Melville of Scotcoin will be joining us to talk about cryptocurrency. We’ll also have Michael Beine of Bureau Veritas who’ll present on CRAcoWi – a tool chain for EU CRA compliance.
February 2025
With Richard Marshall, current chair of the BSI IST/33/-/9 ‘Special Working Group – Cyber Resilience Act Standardization Request’.
With citation of EN18031 standard in the EU Official Journal, the routes to conformity for connected radio products have become clearer to meet the 1st August 2025 deadline for applicability.
This webinar will provide an introduction to EN18031-1/2/3 and the high level steps OEMs need to take to verify which products are in scope of Art 3.3 and which of the three EN18031 standards applies based on the article 3.3 sub parts d, e or f.
Also covered will be some suggestions as to where the IoTSF’s Assurance Framework could be used to support the preparation of the Technical File for documenting compliance with EN18031.
January 2025
Looking at ‘Full-stack IoT security from core to edge’ with Peter Cox of UM-Labs, plus Tropic Square CEO John Sirianni presenting ‘Securing Next Generation Critical Infrastructure with Open and Auditable Hardware’.
November 2024
Jeremy B: “Post quantum cryptography”
Launched in October 2016, the NCSC has headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure (which became the National Protective Security Authority, NPSA, in March 2023).
The NCSC provides a single point of contact for SMEs, larger organisations, government agencies, the general public and departments. They also work collaboratively with other law enforcement, defence, the UK’s intelligence and security agencies and international partners.
Mustanir Ali: “Upcoming changes to the Radio Equipment Directive for IoT devices”
The EU Radio Equipment Directive has been around since 2017. Next year, on 1 August 2025, 3 new essential requirements related to the cybersecurity of radio equipment are coming into effect. Find out about the new essential requirements, and hear guidance on how to determine if they apply to your radio products, and how to demonstrate compliance with them.
Mustanir is currently the certification lead for IoT cybersecurity at BSI. He has a Masters degree in Electronics & Software Engineering, and has been involved in CE marking and the testing and certification of products with software for over a decade, in particular electronic controls, consumer electrical products and medical devices.
October 2024
Cybersecurity labelling for consumer IoT products
A double presentation from the USA Federal Communications Commission talking about the FCC’s trustmark and the work pertaining to it.
With Renee Roland, FCC Special Counsel and Drew Morin, Deputy Division Chief of the Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau.
September 2024
Florian Lukavsky of ONEKEY bringing all the latest on the EU CRA: ‘Decoding the Cyber Resilience Act – Key Requirements for IoT Vendors’.
Also joining us will be Honeywell’s Amitesh Kumar of IoTSF Bangalore talking about ‘Bridging the Gap: IT vs OT Security and Lessons from Major Cyber Attacks’.
August 2024
BT’s Sam Cater will be joining us. The public IPv4 address pool is exhausted and now extortionate to buy into. IPv6 has an almost limitless address space as well as other advantages over IPv4.
IoT technologies will begin favouring IPv6-first going forward, but what new factors do we need to be aware of?
In this talk, Sam will go through some IPv6 fundamentals to frame the opportunity, followed by a dive into the considerations and potential challenges which engineers, administrators and security practitioners need to keep in mind when developing IPv6 IoT solutions.
Kottaram Ramesh (SkillsDA) and Vaidy Chandramouli (Apayapadh Advisory) of IoTSF Chennai will also join us to present their IoT smart city lab environment and speak about how this is useful for learning, research and product development.
They will show the lab’s various attributes and how it works, the dashboard, and how it helps learners absorb knowledge.
July 2024
Cagatay Buyuktopcu of BEKO/CyberWhiz presents ‘A holistic approach for a sustainable IoT cyber security’ and Dr David Long of Doulos with ‘Securing your Embedded System – Where to get started?’.
Joining us from Istanbul, Cagatay focusses on three pillars of IoT: edge, mobile application and cloud.
David’s presentation highlights how an SDL and the IoTSF Security Assurance Framework can be used together at each step to meet the security requirements.
There are no universal, off-the-shelf solutions to create a secure IoT product: each application will have different security requirements and mitigations with multiple potential implementations.
‘Security-by-Design’ is a desired goal. However, regulations such as the EU Cyber Resilience Act (CRA) and standards such as ETSI EN 303 645 are not design specification documents and provide little guidance about how security-by-design should be achieved. Guidelines such as the IoTSF Security Assurance Framework can help, but do not answer the question: “How to get started?”
A security development lifecycle (SDL) is a good place to start. It defines all of the steps required and provides a path from product conception to end-of-life.
June 2024
Embracing prevention-first practices and strategies in the OT realm with Check Point’s Antoinette Hodes – Global Solution Architect and Evangelist.
Delve into the world of Operational Technology (OT) security and gain valuable insights on threats, risk-based defense, digital transformation, resilience strategies, AI integration and future trends. Learn how to secure all your valuable assets in the age of digital transformation. You will learn what value AI brings by reducing the burden of repetitive or complex tasks that would otherwise be impossible in the absence of human intervention. We share strategies on how to secure your assets using a zero tolerance approach, preventing attacks, protecting sensitive data and improving your security posture throughout the shopfloor.
We’ll also have ‘Top 6 requirements you need to fulfil in OT Cyber Security – NIS2 perspective’ with Johannes Niemi of Tosibox.
As regulations evolve, so does the landscape of network security. With implementing the NIS2 Directive, understanding and preparing for compliance has never been more crucial. Tosibox will guide you through the complexities of NIS2 compliance and provide practical strategies on how to simplify the process.
May 2024
‘Firmware Vulnerability Management: Balancing Open Source vs. Proprietary Code’ with Attila Szasz of BugProve and ‘How Threat Modelling helps achieve EU CRA compliance’ with Jonny Tyers of Threatplane.
April 2024
In this webinar, Parm Singh (IoTSF/TechWorks) was our special guest presenter and we were joined by Toby Wilmington of qomodo with the topic ‘Threats to XIoT and how can we secure it?’
In his presentation, Toby, CEO of qomodo, introduced us to the Extended Internet of Things (XIoT) and shared their recent analysis on the evolving threat landscape of these interconnected technologies.
Now that industrial networks are converging with the internet, which is being enabled with XIoT – it is more important now than ever that we understand what the threats are and what we can do about them.
As UK PSTI comes to the fore, we also revisited this hot topic with Andrew Mullen of Beko.
The reality of PSTI is what manufacturers are currently dealing with. Hear how a Global manufacturer like Beko approaches, monitors and gets involved in developing legislation.
Following an Honours degree in Electronic engineering, Andrew has spent nearly 35 years working for major brands in White Goods and Consumer Electronics.
During that time, he’s had responsibility for After sales, product Safety & regulatory compliance as well as New Product & technology development including Flat panel and Digital TV development.
He was actively involved in DTG during the formation of standards and the launch of Digital Terrestrial TV in the UK, and worked with DTG Testing (a partner in Safeshark) from its inception.
For the last 18 years he’s worked for Beko PLC where he is currently the Sustainability and Regulatory Affairs specialist – this involves working with R&D teams in the UK and Turkey to ensure products are safe, durable and compliant, bringing a sustainability focus.
He is the chair of the BSI CPL/59 committee that looks after performance standards of appliances and is interim chair of the AMDEA Smart Appliance panel.
From an electrical waste perspective, he chairs the Joint Trades Association, a group of 11 Trade associations impacted by the WEEE Directive, and he is a Non-Exec Director of Repic, a WEEE Compliance scheme.
March 2024
In February we had an automotive special, so this month it’s aviation (perhaps we’ll do rail one day soon to complete the planes, trains and automobiles set!)
Aviation IoT, or Internet of Things in aviation, refers to the use of connected devices and sensors to improve various aspects of the aviation industry. This technology allows for real-time monitoring of aircraft systems, predictive maintenance, fuel efficiency optimization, and enhanced passenger experiences. By collecting and analysing data from different sources, aviation IoT helps airlines and airports operate more efficiently, increase safety, and provide better services to passengers.
Ken Munro of Pen Test Partners and Lee Speakman of the University of Salford joined us for this month’s webinar.
Ken has been working in IT security for over 15 years. He writes for various newspapers and industry magazines and is a regular source of comment and sanity on IoT issues to various news agencies and the BBC.
Lee is a Senior Lecturer at the University of Salford. He is the Course leader for Cyber Security, Threat Intelligence and Forensics.
February 2024
The IoTSF and AESIN joined forces for this (automotive special) broadcast on Thursday 29th February 2024. We were thrilled to confirm our guests Lee Harrison of Siemens and Paul Wooderson of Horiba Mira. Lee shared insights on SDVs (software defined vehicles) in this automotive-focused hour-long broadcast while Paul’s presentation focussed on hardware security.
January 2024
The IoTSF Monthly Webinar with Scott Register, VP Security Solutions at Keysight Technologies and his presentation “Test or Die – don’t fall victim to IOT security holes” and Michael Richardson, Chief Scientist at Sandelman Software Works who presents “Notoriously insecure: The tragedy of the commons in home network security”
November 2023
PSTI Legislation & Enforcement with our speakers Jonathan Angwin, Head of Product Security Legislation and Maria Bormaliyska, Deputy Head of Product Security Legislation followed by a video presentation by Paul W, Cryptography and Hardware Security Expert at NCSC.
Part 2 was on Enforcement with Veena Dholiwar, Head of Enforcement and Evidence and Warda Hassan, Deputy Head of Enforcement policy.
October 2023
IoT Security and PUFs – why are they not more popular? with our speaker, Shahram Mossayebi of Crypto Quantique. In an era where IoT is reshaping industries and our daily lives, ensuring the security of IoT devices is paramount. One of the most intriguing yet relatively lesser-known technologies in this realm is Physical Unclonable Functions (PUFs). Despite their immense potential to bolster IoT security, PUFs remain somewhat underutilised and misunderstood within the industry. Join us as we delve into the world of IoT security and PUFs to unravel the reasons behind their limited adoption. We’ll explore the strengths, challenges and untapped possibilities of PUFs, shedding light on how they can fortify IoT ecosystems against emerging threats.
Plus, IoT security for connected medical devices – the FDA raises the bar again. What does this mean for IoT Security? with our speaker, Andy Bridden, Digital Trust and Cyber Security and IoT expert
September 2023
Threat Modelling for Beginners with our speakers, IASME’s Jason Blake and Secarma’s Jennifer Williams.
August 2023
DSIT’s enterprise IoT cyber policy with our speakers, James Deacon and Rhys Duncan both of the UK government’s Department for Science, Innovation and Technology (DSIT).
July 2023
Zero Trust Architecture from First Principles with our speaker, Patrick English, CTO of Zero Trust Solutions
June 2023
Engineering Trustworthy AI. Artificial intelligence (AI) is one of the most transformative technologies of our time. It has the potential to solve some of the world’s most pressing problems, however, it also poses risks and in recent years as the field has exploded, there have been growing concerns about those risks.
Elon Musk, for example, has warned that AI could be potentially more dangerous than nuclear weapons. With two prominent experts in the field, Dr. Nick Allott and Professor Subramanian Ramamoorthy, this Zoom webinar will explore how we can engineer AI systems so that they are trustworthy.
This event is delivered in partnership with TechWorks connected communities IoT Security Foundation (IoTSF), Automotive Electronic Systems Innovation Network (AESIN) and Technology Network for Embedded Systems (TechNES). It is an open event for members and guests.
May 2023
The Industrial IoT (IIoT) with Alexandru Suditu, Director of Cyber Security at ENEVO Group and one of the Founders of IoTSF’s Bucharest Chapter. Joining him from Calgary is Paul Smith, CTO of SCADAfence. The topics are “How IIoT changes the paradigm of operational control, exploring how it enables management of modern distributed energy grids” (Alex) and “Predictive analytics, the upside of telemetry to the cloud creates a gaping hole in security” (Paul).
April 2023
The European Cyber Resilience Act and international cybersecurity labelling. Before going on sale to the European market, the CRA will require network-connected hardware, software and services to meet essential cybersecurity requirements. It will place obligations on manufacturers to maintain their security throughout the product lifecycle. Florian Lukavsky, CTO of ONEKEY, will be talking us through the CRA.
Joining him to speak about global OT/IoT evaluation, certification and cybersecurity labelling will be Matt Tett (who spoke at IoTSF’s annual conference this past October in London). With Singapore, USA, Finland, Germany and India all still trying to determine a consumer safety model, this is very much a hot topic.
Matt is an Advisor and Subject Matter Expert for IoT Security Mark who operate the global IoT Security Trust Mark™ Certification and voluntary cyber security labelling scheme.
March 2023
Smart Built Environment Guidance for Facilities Professionals. In this webinar we discuss new Guidance from the IoT Security Foundation on IoT Security for Facilities Professionals and focus on Smart Built Environments.
The IoTSF formed a Smart Building working group in 2017 to look at the issue of risk to buildings from cyber attacks.
The topic has become more important over the years and leaders from the Institute of Workplace and Facilities Management (IWFM) joined to help write relevant and important guidance for facilities professionals and the key stakeholders they need to work with to manage the risk effectively.
In larger organisations, this will include cyber and physical security teams and be part of a general enterprise risk management strategy. But for many SMEs there will be fewer experts to help and this guidance indicates what needs to be done. It takes the view that, by identifying the risk and requirements, the organisation will be more resilient.
We are delighted to welcome Sarb Sembhi, Co-Chair of the Smart Built Environment working group and IoTSF Executive Steering Board member.
Joining him will be James Willison, Co-Chair of the IoTSF Smart Built Environment working group.
What could be more important than securing our buildings against cyber attacks if our systems and the technology falls down?
February 2023
IoT and the Software Bill of Materials. A ‘software bill of materials’ (SBoM) has emerged as a key building block in software security and software supply chain risk management. IoTSF will soon publish best practice guidance to help vendors and the industry understand the relevance to IoT and navigate the nuances of SBoM. Our speakers are Allan Friedman US Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency, Amyas Phillips Ambotec & IoTSF Supply Chain Integrity Project Chair & Robert Dobson Vice President Technology Partners, Device Authority.
January 2023
New Consumer Security IoT report: Update on UK PSTI Bill. This month, the IoT Security Foundation published the fifth report on Consumer IoT Vulnerability Disclosure Policy Status. The desk-based research for the study was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.
The PSTI Bill was enacted this past December with Department for Digital, Culture, Media & Sport as the sponsoring Government department. What does this Act mean? What’s next and what do the affected parties (manufacturers, importers, and distributors) need to know/be aware of?
Speakers are Rohan Panesar of Copper Horse and Jonathan Angwin of DCMS.
EUROPEAN UNION RADIO EQUIPMENT DIRECTIVE (EU RED) EXECUTIVE BRIEF
An IoTSF Regulatory Watch group publication
The European Commission (EC) has advanced efforts to enhance cybersecurity for Internet-connected radio equipment within the EU by implementing a delegated act under the Radio Equipment Directive (RED).
While initially set for enforcement in August 2024, the regulation’s start date has been extended to 1st August 2025, to allow time for the development of harmonized standards. Beginning on this date, in-scope wireless devices and products sold in the EU must comply with the requirements set by the RED Delegated Act (EU) 2022/30.
Throughout this document, the Radio Equipment Directive as modified by Delegated Regulation (EU) 2022/30 will be referenced as ‘RED DA’.
This IoTSF publication aims to help the reader answer the following questions:
1. Does RED DA apply to me?
2. What do I have to do to achieve and maintain compliance with RED DA?
3. How does the RED DA interact with the CRA?
4. How do I do it?
5. What happens if I don’t do it?
6. How do I demonstrate conformance to the requirements?
7. Where do I start?
To continue reading, please download the paper
EUROPEAN UNION CYBER RESILIENCE ACT (EU CRA) EXECUTIVE BRIEF
An IoTSF Regulatory Watch group publication
The aim of the European Cyber Resilience Act (CRA) is to improve security of products, and to increase transparency around security to allow customers to take cybersecurity into account when purchasing and operating products.
The CRA primarily addresses manufacturers of products with digital elements, but also holds liable importers and distributors. It was initially proposed by the European Commission in September 2022, was signed into law by the EU Council in September 2024 and formally passed into the EU Official Journals (EUOJ) on 20th November 2024.
This sets the Entry into Force (EIF) date as 10th December 2024 and the Enforcement date from 11th Dec 2027.
Manufacturers now have 36 months from the EIF date to adapt to the requirements of the Act. An exception to this is vulnerability reporting, for which a 21-month adaptation period is defined.
Violations can lead to penalties of up to EUR 15m or 2.5% of the vendor’s annual global revenue, whichever is higher.
This IoTSF publication aims to help the reader answer the following questions:
- Does the CRA apply to me?
- What do I have to do to achieve and maintain compliance with the Act?
- How do I do it?
- What happens if I don’t do it?
- How do I demonstrate conformance to the requirements?
- Where do I start?
To continue reading, please download the paper
UK PSTI EXECUTIVE BRIEF
An IoTSF Regulatory Watch group publication
Digital security is a challenge for every organization stretching from traditional information technology systems and GDPR, through to trade secrets, operational capability, brand impact, and the protection of customer experience.
Unfortunately, many organizations remain unaware of major product security legislation due to be enforced from April 2024, and the critical impact this will have on the executive management.
The Product Security & Telecoms Infrastructure (PSTI) Bill passed royal assent in 2022, and was adopted into legal statute on 28th April 2023, with a 12-month grace period. This new bill imposes responsibilities on the manufacturers, importers and vendors regarding the cybersecurity of the connectable products they supply. It provides for sanctions similar to those surrounding GDPR, with the responsible directors, managers, et cetera also being held liable. As such, it is critical that the executive team ensures compliance with this new legislation, by the deadline of 29th April 2024.
It should be noted that the PSTI bill will be followed by broader regulations due for introduction in jurisdictions around the globe over the coming years. These include the EU Cyber Resilience Act and US Cyber Security Labelling Program for Smart Devices which will add to the basic requirements introduced in UK PSTI…
To continue reading, please download the paper
Welcome to our members-only webinar back catalogue.
Streamed live on the final Thursday of the month and hosted by yours truly, our expert webinars explore important aspects of IoT cybersecurity in bite-sized chunks.
See the IoTSF Events Calendar for upcoming webinars – I hope you can join me for the next one!
Christopher Bennison, Member Engagement Manager
May 2026
ETSI EN 303 645 with Ken Munro and Sam Thom of Pen Test Partners.
Connected devices are now part of almost every environment, from homes and offices to factories, ships, vehicles, and critical infrastructure. That makes security harder to ignore, especially as standards such as ETSI EN 303 645 become more important across Europe.
In this webinar, Ken Munro and Sam Thom of Pen Test Partners (a long-standing IoTSF member) look at what IoT security means in practice, not just on paper.
Drawing on real hardware testing, they talk through the kinds of issues they see in connected products, where devices often fall short of the standard, and why those gaps matter once devices are deployed into real environments.
The session covers practical lessons from testing non-compliant devices, common weaknesses found in IoT and OT hardware, and what manufacturers, integrators, and organisations should think about before connected devices become part of their wider network.
This is aimed at anyone involved in building, specifying, buying, integrating, or managing connected hardware. The focus is on useful, real-world insight that helps teams understand the risks and improve security in a way that actually works.
April 2026
Presentation 1 with Mustanir Ali (Element)
The EU Cyber Resilience Act (CRA) is coming sooner than you might think.
From 11th September 2026, manufacturers will have reporting obligations relating to in-scope products currently on the EU market.
In this session, Mustanir unpacks these requirements – what needs to be reported, when, and how.
Presentation 2 with David Pashley (Direct Insight)
As CRA deadlines loom, the last minute may be simply too late for IoT devices which can’t feasibly be made sufficiently secure.
What design choices can developers of embedded systems at the edge make right now to reduce the cost and pain of the compliance journey which will inevitably be imposed when management finally gets the memo?
March 2026
‘Autonomous Compliance: Operationalising EU CRA and UK PSTI via Embedded Microservices’ and ‘Standards vs. Security: A Proactive Compliance Framework’
Presentation 1 with Murat Cakmak (Microservice Store)
With the UK PSTI in effect and the EU CRA approaching, IoT manufacturers face a massive manual burden of vulnerability reporting and lifecycle governance. This session introduces a shift from static documentation to ‘Autonomous Compliance’. By replacing monolithic firmware with a modular, microservice-based architecture, the Microservice Store (MSS) and its integrated Security Manager (iSM) automate mandatory obligations—including SBOM generation, 24-hour module-level incident notification, fault-containment, and targeted security updates. Murat will demonstrate how device-level evidence and edge-to-cloud automation transform compliance from an engineering bottleneck into a seamless, verifiable platform function.
Presentation 2 with Jonny Tyers (Threatplane)
Most organisations treat compliance and security as separate problems. You tick boxes for one, patch vulnerabilities for the other, and maintain two sets of documentation that drift apart over time. This talk presents an approach that unifies both. Using risk-based threat modelling, you can identify the controls that satisfy your compliance requirements and protect against real threats. Same analysis, same documentation, same implementation. You’ll see how mapping business impact to technical controls creates a single source of truth. This approach helps you prove to auditors that your controls address actual risks, not just checkbox requirements. And it gives your security team clear priorities based on what matters to the business. We’ll walk through practical examples showing how threat models can simultaneously document controls, justify security investments, and guide implementation work. You’ll leave with a framework that makes compliance and security work together instead of competing for resources.
February 2026
The rapid proliferation of IoT devices across critical industries – e.g. automation, healthcare, smart cities – has introduced significant security challenges. Whilst current cryptographic protocols safeguard data today, upcoming developments in quantum computing threaten to render these protections obsolete. And this threat is amplified by the actions of adversarial nation states looking to disrupt critical industries whilst engaging in hybrid warfare.
This presentation explains the implications of quantum computing on IoT ecosystems.
By the end of the session, participants will have an understanding of quantum safety, what it means for IoT, and a sensible timeline of future actions.
Steven Kennedy is a seasoned cybersecurity architect with deep expertise in securing some of the most complex networks in the world (e.g. Tier 1 telecoms, hyperscale public cloud). After working for several years in Microsoft cybersecurity product management, he took the plunge to become a self-employed consultant. Working with Blue Mesh Solutions, he’s focused on using his knowledge of cryptography and quantum mechanics to help clients transition smoothly into the post-quantum future.
Richard Brooks sent the first IoT hello world message as ‘hello 5G’ across a private 5G network in the UK.
This was all part of the UK Government’s 5G Accelerator Programme and involved collaborators from Hutchinson Ports, 3 Telecom, University of Cambridge, the Port of Felixstowe and Blue Mesh Solutions. Exploratory use cases were developed including autonomous port haulage vehicles and our IoT based project to create digital twins of the large quayside container cranes.
Critical strategic assets, such as ports, require hardened IoT estate encryption, and testing new encryption technologies to present a harder, quantum safe cryptography stance became the final outcome of the project, leading to new quantum safe MQTT solutions and a best in class commercial partnership.
January 2026
For our first session of 2026 we welcome Anupam Mediratta of Stealth Startup, who discusses using AI-generated attack simulations and synthetic “hard negative” data to build adaptive defences against increasingly stealthy, AI-powered IoT threats.
November 2025
We’re closing out the 2025 Webinar Series with an exciting finale – “Cybersecurity Engineering in Automotive: Frameworks, Tools, and Processes”, featuring Alan Jacobs-Cook and Sergio Ricardo Scabar from ZF Engineering Solutions.
This talk explores how cybersecurity engineering is shaping the future of automotive design, focusing on the frameworks, tools, and processes that ensure vehicle systems remain safe, resilient, and compliant with industry standards. Speakers from ZF Engineering Solutions share practical insights into managing cyber risks across complex automotive architectures — from development to deployment — highlighting best practices, regulatory alignment, and the integration of security into every stage of the engineering lifecycle.
October 2025
Steve Hanna of Infineon presented ‘Matter security and device identity: An overview of the CSA standard’ during the October 2025 IoTSF Device Identity Form working group meeting.
September 2025
We’ll have Chris Swan of Atsign with us, his talk title will be ‘Software Supply Chain Security – SBOMs, SLSA and Scorecards’.
We’ll also have Yogesh Kokadwar of Johnson Controls joining us from Pune. His talk will be ‘Offensive IoT Security: Exploiting Vulnerabilities in Connected Devices’.
August 2025
‘Post-Quantum Cryptography (PQC) for IoT: Securing Devices for the Quantum Future’ and ‘Adapting a Root of Trust silicon design to handle post-quantum cryptography’
We’ll be joined by Device Authority’s Amit Rao, his presentation will be ‘Post-Quantum Cryptography for IoT: Securing Devices for the Quantum Future’.
We’ll also have Javier Orensanz Martinez who is the CEO of lowRISC, he is also a former VP and General Manager at ARM.
July 2025
On the day before RED takes effect – RED eve, if you like – we’ll be joined by Richard Marshall of Xitex to talk us through all the very latest. We’ll also have a roundtable discussion, together with audience Q&A, involving BSI and experts from the IoTSF’s Regulatory Watch working group.
June 2025
Topics are: Threat modeling: ‘Why doesn’t security get a seat at the table?’ with Adam Shostack, and Space IoT: ‘Decentralised space systems: Frameworks for the future of space communities’ with Beth Probert and Agathe Bouis.
May 2025
We’ll have Fred Gordy of MBI and Jim McGlone of Concentric IoT LLC focusing on the current state of OT cybersecurity in the global built environment, the challenges the industry faces in addressing it, and ideas on the way forward.
April 2025
‘The Critical Role of Randomness in IoT Security’ by Dr Ramy Shelbaya – Quantum Dice
This talk explores the key role high-quality randomness plays in cybersecurity, focusing on the evolution of randomness and its applications in IoT security.
‘PQC transition: What you need to know in 2025’ by Daniele Fronte, PhD – SEALSQ
As quantum computing advances, the cryptographic foundations securing modern systems face unprecedented risks. This webinar provides a strategic roadmap for navigating the PQC transition in 2025, blending historical context, actionable timelines, and practical security insights.
March 2025
Featuring the talks ‘The Internet of Things or The Intranet of Things?’ by Richard Newbould, Vodafone and ‘Normalising Security for IoT with Protected Containerisation and Modular Development’ by Murat Cakmak, ZAYA.
February 2025
Temple Melville of Scotcoin will be joining us to talk about cryptocurrency. We’ll also have Michael Beine of Bureau Veritas who’ll present on CRAcoWi – a tool chain for EU CRA compliance.
February 2025
With Richard Marshall, current chair of the BSI IST/33/-/9 ‘Special Working Group – Cyber Resilience Act Standardization Request’.
With the citation of the EN18031 standard in the EU Official Journal, the routes to conformity for connected radio products have become clearer to meet the 1st August 2025 deadline for applicability.
This webinar will provide an introduction to EN18031-1/2/3 and the high-level steps OEMs need to take to verify which products are in scope of Art 3.3 and which of the three EN18031 standards applies, based on the Article 3.3 sub-parts d, e or f.
Also covered will be some suggestions as to where the IoTSF’s Assurance Framework could be used to support the preparation of the Technical File for documenting compliance with EN18031.
January 2025
Looking at ‘Full-stack IoT security from core to edge’ with Peter Cox of UM-Labs, plus Tropic Square CEO John Sirianni presenting ‘Securing Next Generation Critical Infrastructure with Open and Auditable Hardware’.
November 2024
Jeremy B: “Post quantum cryptography”
Launched in October 2016, the NCSC has headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure (which became the National Protective Security Authority, NPSA, in March 2023).
The NCSC provides a single point of contact for SMEs, larger organisations, government agencies, the general public and departments. They also work collaboratively with other law enforcement, defence, the UK’s intelligence and security agencies and international partners.
Mustanir Ali: “Upcoming changes to the Radio Equipment Directive for IoT devices”
The EU Radio Equipment Directive has been around since 2017. Next year, on 1 August 2025, 3 new essential requirements related to the cybersecurity of radio equipment are coming into effect. Find out about the new essential requirements, and hear guidance on how to determine if they apply to your radio products, and how to demonstrate compliance with them.
Mustanir is currently the certification lead for IoT cybersecurity at BSI. He has a Masters degree in Electronics & Software Engineering, and has been involved in CE marking and the testing and certification of products with software for over a decade, in particular electronic controls, consumer electrical products and medical devices.
October 2024
Cybersecurity labelling for consumer IoT products
A double presentation from the USA Federal Communications Commission talking about the FCC’s trustmark and the work pertaining to it.
With Renee Roland, FCC Special Counsel and Drew Morin, Deputy Division Chief of the Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau.
September 2024
Florian Lukavsky of ONEKEY bringing all the latest on the EU CRA: ‘Decoding the Cyber Resilience Act – Key Requirements for IoT Vendors’.
Also joining us will be Honeywell’s Amitesh Kumar of IoTSF Bangalore talking about ‘Bridging the Gap: IT vs OT Security and Lessons from Major Cyber Attacks’.
August 2024
BT’s Sam Cater will be joining us. The public IPv4 address pool is exhausted and now extortionate to buy into. IPv6 has an almost limitless address space as well as other advantages over IPv4.
IoT technologies will begin favouring IPv6-first going forward, but what new factors do we need to be aware of?
In this talk, Sam will go through some IPv6 fundamentals to frame the opportunity, followed by a dive into the considerations and potential challenges which engineers, administrators and security practitioners need to keep in mind when developing IPv6 IoT solutions.
Kottaram Ramesh (SkillsDA) and Vaidy Chandramouli (Apayapadh Advisory) of IoTSF Chennai will also join us to present their IoT smart city lab environment and speak about how this is useful for learning, research and product development.
They will show its various attributes and how it works, the dashboard, and how it is useful for imparting knowledge to learners.
July 2024
Cagatay Buyuktopcu of BEKO/CyberWhiz presents ‘A holistic approach for a sustainable IoT cyber security’ and Dr David Long of Doulos with ‘Securing your Embedded System – Where to get started?’.
Joining us from Istanbul, Cagatay focusses on three pillars of IoT: edge, mobile application and cloud.
David’s presentation highlights how an SDL and the IoTSF Security Assurance Framework can be used together at each step to meet the security requirements.
There are no universal, off-the-shelf solutions to create a secure IoT product: each application will have different security requirements and mitigations with multiple potential implementations.
‘Security-by-Design’ is a desired goal. However, regulations such as the EU Cyber Resilience Act (CRA) and standards such as ETSI EN 303 645 are not design specification documents and provide little guidance about how security-by-design should be achieved. Guidelines such as the IoTSF Security Assurance Framework can help, but do not answer the question: “How to get started?”
A security development lifecycle (SDL) is a good place to start. It defines all of the steps required and provides a path from product conception to end-of-life.
June 2024
Embracing prevention-first practices and strategies in the OT realm with Check Point’s Antoinette Hodes – Global Solution Architect and Evangelist.
Delve into the world of Operational Technology (OT) security and gain valuable insights on threats, risk-based defense, digital transformation, resilience strategies, AI integration and future trends. Learn how to secure all your valuable assets in the age of digital transformation. You will learn what value AI brings by reducing the burden of repetitive or complex tasks that would otherwise be impossible in the absence of human intervention. We share strategies on how to secure your assets using a zero tolerance approach, preventing attacks, protecting sensitive data and improving your security posture throughout the shopfloor.
We’ll also have ‘Top 6 requirements you need to fulfil in OT Cyber Security – NIS2 perspective’ with Johannes Niemi of Tosibox.
As regulations evolve, so does the landscape of network security. With the implementation of the NIS2 Directive, understanding and preparing for compliance has never been more crucial. Tosibox will guide you through the complexities of NIS2 compliance and provide practical strategies on how to simplify the process.
May 2024
‘Firmware Vulnerability Management: Balancing Open Source vs. Proprietary Code’ with Attila Szasz of BugProve and ‘How Threat Modelling helps achieve EU CRA compliance’ with Jonny Tyers of Threatplane.
April 2024
In this webinar, Parm Singh (IoTSF/TechWorks) was our special guest presenter and we were joined by Toby Wilmington of qomodo with the topic ‘Threats to XIoT and how can we secure it?’
In his presentation, Toby, CEO of qomodo, introduced us to the Extended Internet of Things (XIoT) and shared their recent analysis on the evolving threat landscape of these interconnected technologies.
Now that industrial networks are converging with the internet, which is being enabled with XIoT – it is more important now than ever that we understand what the threats are and what we can do about them.
As UK PSTI comes to the fore, we also revisited this hot topic with Andrew Mullen of Beko.
The reality of PSTI is what manufacturers are currently dealing with. Hear how a Global manufacturer like Beko approaches, monitors and gets involved in developing legislation.
Following an Honours degree in Electronic engineering, Andrew has spent nearly 35 years working for major brands in White Goods and Consumer Electronics.
During that time, he’s had responsibility for After sales, product Safety & regulatory compliance as well as New Product & technology development including Flat panel and Digital TV development.
He was actively involved in DTG during the formation of standards and the launch of Digital Terrestrial TV in the UK, and worked with DTG Testing (a partner in Safeshark) from its inception.
For the last 18 years he’s worked for Beko PLC where he is currently the Sustainability and Regulatory Affairs specialist – this involves working with R&D teams in the UK and Turkey to ensure products are safe, durable and compliant, bringing a sustainability focus.
He is the chair of the BSI CPL/59 committee that looks after performance standards of appliances and is interim chair of the AMDEA Smart Appliance panel.
From an electrical waste perspective, he chairs the Joint Trades Association, a group of 11 Trade associations impacted by the WEEE Directive, and he is a Non-Exec Director of Repic, a WEEE Compliance scheme.
March 2024
In February we had an automotive special, so this month it’s aviation (perhaps we’ll do rail one day soon to complete the planes, trains and automobiles set!)
Aviation IoT, or Internet of Things in aviation, refers to the use of connected devices and sensors to improve various aspects of the aviation industry. This technology allows for real-time monitoring of aircraft systems, predictive maintenance, fuel efficiency optimization, and enhanced passenger experiences. By collecting and analysing data from different sources, aviation IoT helps airlines and airports operate more efficiently, increase safety, and provide better services to passengers.
Ken Munro of Pen Test Partners and Lee Speakman of the University of Salford joined us for this month’s webinar.
Ken has been working in IT security for over 15 years. He writes for various newspapers and industry magazines and is a regular source of comment and sanity on IoT issues to various news agencies and the BBC.
Lee is a Senior Lecturer at the University of Salford. He is the Course leader for Cyber Security, Threat Intelligence and Forensics.
February 2024
The IoTSF and AESIN joined forces for this (automotive special) broadcast on Thursday 29th February 2024. We were thrilled to confirm our guests Lee Harrison of Siemens and Paul Wooderson of Horiba Mira. Lee shared insights on SDVs (software defined vehicles) in this automotive-focused hour-long broadcast while Paul’s presentation focussed on hardware security.
January 2024
The IoTSF Monthly Webinar with Scott Register, VP Security Solutions at Keysight Technologies and his presentation “Test or Die – don’t fall victim to IOT security holes” and Michael Richardson, Chief Scientist at Sandelman Software Works who presents “Notoriously insecure: The tragedy of the commons in home network security”
November 2023
PSTI Legislation & Enforcement with our speakers Jonathan Angwin, Head of Product Security Legislation and Maria Bormaliyska, Deputy Head of Product Security Legislation followed by a video presentation by Paul W, Cryptography and Hardware Security Expert at NCSC.
Part 2 was on Enforcement with Veena Dholiwar, Head of Enforcement and Evidence and Warda Hassan, Deputy Head of Enforcement policy.
October 2023
IoT Security and PUFs – why are they not more popular? with our speaker, Shahram Mossayebi of Crypto Quantique. In an era where IoT is reshaping industries and our daily lives, ensuring the security of IoT devices is paramount. One of the most intriguing yet relatively lesser-known technologies in this realm is Physical Unclonable Functions (PUFs). Despite their immense potential to bolster IoT security, PUFs remain somewhat underutilised and misunderstood within the industry. Join us as we delve into the world of IoT security and PUFs to unravel the reasons behind their limited adoption. We’ll explore the strengths, challenges and untapped possibilities of PUFs, shedding light on how they can fortify IoT ecosystems against emerging threats.
Plus, IoT security for connected medical devices – the FDA raises the bar again. What does this mean for IoT Security? with our speaker, Andy Bridden, Digital Trust and Cyber Security and IoT expert.
September 2023
Threat Modelling for Beginners with our speakers, IASME’s Jason Blake and Secarma’s Jennifer Williams.
August 2023
DSIT’s enterprise IoT cyber policy with our speakers, James Deacon and Rhys Duncan both of the UK government’s Department for Science, Innovation and Technology (DSIT).
July 2023
Zero Trust Architecture from First Principles with our speaker, Patrick English, CTO of Zero Trust Solutions
June 2023
Engineering Trustworthy AI. Artificial intelligence (AI) is one of the most transformative technologies of our time. It has the potential to solve some of the world’s most pressing problems, however, it also poses risks and in recent years as the field has exploded, there have been growing concerns about those risks.
Elon Musk, for example, has warned that AI could be potentially more dangerous than nuclear weapons. With two prominent experts in the field, Dr. Nick Allott and Professor Subramanian Ramamoorthy, this Zoom webinar will explore how we can engineer AI systems so that they are trustworthy.
This event is delivered in partnership with TechWorks connected communities IoT Security Foundation (IoTSF), Automotive Electronic Systems Innovation Network (AESIN) and Technology Network for Embedded Systems (TechNES). It is an open event for members and guests.
May 2023
The Industrial IoT (IIoT) with Alexandru Suditu, Director of Cyber Security at ENEVO Group and one of the Founders of IoTSF’s Bucharest Chapter. Joining him from Calgary is Paul Smith, CTO of SCADAfence. The topics are “How IIoT changes the paradigm of operational control, exploring how it enables management of modern distributed energy grids” (Alex) and “Predictive analytics, the upside of telemetry to the cloud creates a gaping hole in security” (Paul).
April 2023
The European Cyber Resilience Act and international cybersecurity labelling. The CRA will require network-connected hardware, software and services to meet essential cybersecurity requirements before they go on sale in the European market. It will place obligations on manufacturers to maintain their security throughout the product lifecycle. Florian Lukavsky, CTO of ONEKEY, will be talking us through the CRA.
Joining him to speak about global OT/IoT evaluation, certification and cybersecurity labelling will be Matt Tett (who spoke at IoTSF’s annual conference this past October in London). With Singapore, USA, Finland, Germany and India all still trying to determine a consumer safety model, this is very much a hot topic.
Matt is an Advisor and Subject Matter Expert for IoT Security Mark who operate the global IoT Security Trust Mark™ Certification and voluntary cyber security labelling scheme.
March 2023
Smart Built Environment Guidance for Facilities Professionals. In this webinar we discuss new Guidance from the IoT Security Foundation on IoT Security for Facilities Professionals and focus on Smart Built Environments.
The IoTSF formed a Smart Building working group in 2017 to look at the issue of risk to buildings from cyber attacks.
The topic has become more important over the years and leaders from the Institute of Workplace and Facilities Management (IWFM) joined to help write relevant and important guidance for facilities professionals and the key stakeholders they need to work with to manage the risk effectively.
In larger organisations, this will include cyber and physical security teams and be part of a general enterprise risk management strategy. But for many SMEs there will be fewer experts to help and this guidance indicates what needs to be done. It takes the view that by identifying the risk and requirements, the organisation will be more resilient.
We are delighted to welcome Sarb Sembhi, Co-Chair of the Smart Built Environment working group and IoTSF Executive Steering Board member.
Joining him will be James Willison, Co-Chair of the IoTSF Smart Built Environment working group.
What could be more important than securing our buildings against cyber attacks if our systems and the technology falls down?
February 2023
IoT and the Software Bill of Materials. A ‘software bill of materials’ (SBoM) has emerged as a key building block in software security and software supply chain risk management. IoTSF will soon publish best practice guidance to help vendors and the industry understand the relevance to IoT and navigate the nuances of SBoM. Our speakers are Allan Friedman (US Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency), Amyas Phillips (Ambotec & IoTSF Supply Chain Integrity Project Chair) and Robert Dobson (Vice President Technology Partners, Device Authority).
January 2023
New Consumer Security IoT report: Update on UK PSTI Bill. This month, the IoT Security Foundation published the fifth report on Consumer IoT Vulnerability Disclosure Policy Status. The desk-based research for the study was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.
The PSTI Bill was enacted this past December with Department for Digital, Culture, Media & Sport as the sponsoring Government department. What does this Act mean? What’s next and what do the affected parties (manufacturers, importers, and distributors) need to know/be aware of?
Speakers are Rohan Panesar of Copper Horse and Jonathan Angwin of DCMS.
EUROPEAN UNION CYBER RESILIENCE ACT (EU CRA) EXECUTIVE BRIEF
An IoTSF Regulatory Watch group publication
The aim of the European Cyber Resilience Act (CRA) is to improve security of products, and to increase transparency around security to allow customers to take cybersecurity into account when purchasing and operating products.
The CRA primarily addresses manufacturers of products with digital elements, but also holds liable importers and distributors. It was initially proposed by the European Commission in September 2022, was signed into law by the EU Council in September 2024 and formally passed into the EU Official Journals (EUOJ) on 20th November 2024.
This sets the Entry into Force (EIF) date as 10th December 2024 and the Enforcement date from 11th Dec 2027.
Manufacturers now have 36 months from the EIF date to adapt to the requirements of the Act. An exception to this is vulnerability reporting, for which a 21-month adaptation period is defined.
Violations can lead to penalties of up to EUR 15m or 2.5% of the vendor’s annual global revenue, whichever is higher.
This IoTSF publication aims to help the reader answer the following questions:
- Does the CRA apply to me?
- What do I have to do to achieve and maintain compliance with the Act?
- How do I do it?
- What happens if I don’t do it?
- How do I demonstrate conformance to the requirements?
- Where do I start?
To continue reading, please download the paper
EUROPEAN UNION RADIO EQUIPMENT DIRECTIVE (EU RED) EXECUTIVE BRIEF
An IoTSF Regulatory Watch group publication
The European Commission (EC) has advanced efforts to enhance cybersecurity for Internet-connected radio equipment within the EU by implementing a delegated act under the Radio Equipment Directive (RED).
While initially set for enforcement in August 2024, the regulation’s start date has been extended to 1st August 2025, to allow time for the development of harmonized standards. Beginning on this date, in-scope wireless devices and products sold in the EU must comply with the requirements set by the RED Delegated Act (EU) 2022/30.
Throughout this document, the Radio Equipment Directive as modified by Delegated Regulation (EU) 2022/30 will be referenced as ‘RED DA’.
This IoTSF publication aims to help the reader answer the following questions:
1. Does RED DA apply to me?
2. What do I have to do to achieve and maintain compliance with RED DA?
3. How does the RED DA interact with the CRA?
4. How do I do it?
5. What happens if I don’t do it?
6. How do I demonstrate conformance to the requirements?
7. Where do I start?
To continue reading, please download the paper





