Finnish Cybersecurity Label recognised in Singapore
The cybersecurity authorities of Finland and Singapore mutually recognise the cybersecurity labels issued by each other. Both labels are based on the same standard, ETSI EN 303 645. Companies may be granted both the Finnish Cybersecurity Label and the Singaporean IoT Cybersecurity Label at once, with a single application and testing process. The Finnish Cybersecurity Label meets the criteria of level 3 in the labelling scheme used in Singapore (level 4 being the highest).
The Cybersecurity Label is strongly based on development at European level and aims for consistency with future obligations. We have identified EU-level provisions and requirements concerning the cybersecurity features of smart consumer devices and have taken them into account in the requirements set for the Cybersecurity Label.
Radio Equipment Directive
The information security requirements included in the EU Radio Equipment Directive (RED) entered into force in February 2022, and they apply to radio equipment connected to the internet directly or via other equipment. The requirements improve the protection of users’ privacy and protect communications networks. They also reduce the risk of monetary fraud committed using internet-connected equipment. Additional requirements concerning the protection of personal data and privacy have been set, in particular, for wearable equipment, toys and childcare equipment. The Regulation supplementing the Radio Equipment Directive provides for a 30-month transition period for equipment manufacturers, but starting from 1 August 2024 devices placed on the EU market must comply with the new requirements.
EU Cybersecurity Act
The EU Cybersecurity Act (CSA) entered into force in June 2019. It establishes a European cybersecurity certification framework for the certification of ICT products, services and processes to attest that they are secure. The certificate will show that a product meets certain requirements concerning the availability, authenticity, integrity and confidentiality of data or the functions or services throughout its life cycle. The certificate will be recognised in all EU countries, which means that manufacturers and service providers do not need to apply for separate national certificates in different countries. The intention is to provide a certification scheme also for IoT products, but this work has not yet been started.
EU Cyber Resilience Act
The cybersecurity requirements and objectives for products and services will be specified at the level of specific certification schemes approved by the European Commission. This will be done, for example, by referring to standards or to technical specifications if relevant standards are not available. The objective of the Cyber Resilience Act (CRA) is to establish harmonised cybersecurity standards for products. The CRA is estimated to be adopted in the third quarter of 2022.