This article presents the critical deadlines and the best practices for shaping product cybersecurity in 2025. These insights are drawn from emerging regulations, customer feedback, and hands-on experience in the field. By addressing these areas proactively, businesses can safeguard their operations while capitalizing on the opportunities that compliance and robust cybersecurity offer.
Critical Regulations to Consider for Product Security for 2025 Product Cybersecurity Compliance
1. New RED DA Standards: Compliance by August 1, 2025
The Radio Equipment Directive (RED), through the issuance of the RED Delegated Act (DA), has introduced cybersecurity requirements for connected radio devices, with a compliance deadline set for August 1, 2025. The EN 18031 standards series has been developed to provide guidance on achieving compliance with these requirements. Product Cybersecurity Compliance
Understanding EN 18031
The EN 18031 series sets the foundation for mitigating security risks in connected radio devices. It comprises three components:
EN 18031-1: Targets network and security risks for connected radio devices.
EN 18031-2: Addresses privacy and security risks for devices handling personal data.
EN 18031-3: Focuses on financial and security risks for devices processing virtual currency.
While these standards establish technical product requirements, other aspects, such as incident response and vulnerability handling, fall under complementary regulations like the Cyber Resilience Act (CRA) and NIS2.
2. Cyber Resilience Act: A Phased Compliance Roadmap
The Cyber Resilience Act (CRA), now officially adopted, demands compliance within 36 months, setting a target for full adaptation by the end of 2027. However, some provisions, like incident reporting and vulnerability disclosures, require compliance much sooner—by summer 2026.
Manufacturers need to understand that waiting is not an option. Early planning and alignment with CRA requirements will be vital to avoid rushed implementations and associated risks.
3.FDA/MDR Compliance: Meeting Dual Regulatory Challenges
Ensuring compliance with the U.S. Food and Drug Administration (FDA) and the EU Medical Device Regulation (MDR) is paramount for medical device manufacturers.
FDA Compliance
The FDA emphasizes cybersecurity in its pre-market and post-market guidance. Key elements include:
Developing a comprehensive Secure Product Development Framework (SPDF). SPDF calls for deliberate incorporation of security activities into the development lifecycle, encompassing:
Design Artifacts: Network diagrams, threat models, security architecture.
Process Integration: Mapping security measures to specific design phases, roles, and responsibilities.
Intentionality: Building security by design, not as an afterthought.
Ensuring robust Cybersecurity Risk Management (CRM) practices to prevent data breaches and system failures.
Incorporating Software Bill of Materials (SBOMs) in device submissions.
MDR Compliance
The EU’s MDR, which became applicable in 2021, adds further complexity with:
Strict clinical evaluation and safety requirements for connected devices.
Increased focus on post-market surveillance to address emerging risks.
Navigating the intersection of FDA and MDR requirements is challenging, but harmonized documentation and processes can streamline compliance and reduce redundancy.
4. ISA/IEC 62443 Certifications: Rising Demand for 2025
The ISA/IEC 62443-4-1 and 62443-4-2 standards are becoming a priority across the industrial sector. These certifications set a gold standard for cybersecurity in Industrial Automation and Control Systems (IACS).
Why ISA/IEC 62443 Matters
These standards:
Bridge the gap between Operational Technology (OT) and Information Technology (IT).
Provide best practices for securing interconnected systems.
Align process safety with robust cybersecurity protocols.
The push for ISA/IEC 62443 certification will only grow in 2025 as industries prioritize security across the product lifecycle.
Leveraging Compliance Gap Analysis for ISA/IEC 62443-4-1 Certification: Riello UPS
5. NIS2 Compliance for Manufacturing and Industrial Systems
By October 2024, EU member states had to transpose the updated Network and Information Security Directive (NIS2) into domestic law. This directive significantly raises the bar for cybersecurity across numerous sectors.
NIS2 Highlights
NIS2 extends its scope to cover:
New sectors such as manufacturing, chemicals, and food production.
Stricter cybersecurity standards with enhanced penalties for non-compliance.
Mandatory incident reporting and supply chain security measures.
Preparing for NIS2 Compliance
Companies must act now to:
Determine whether they fall under NIS2’s scope.
Evaluate and enhance existing security measures.
Implement new policies and protocols to ensure full compliance.
6. UK PSTI Act: A Game-Changer for Connected Products
The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, effective April 29, 2024, enforces baseline cybersecurity standards for all connected products sold in the UK.
PSTI Requirements
No default passwords: Eliminating vulnerabilities tied to pre-set credentials.
Vulnerability disclosure process: The manufacturer must implement a mechanism that allows external parties to report security issues.
Support period: Mandating manufacturers declare how long the product will receive security updates.
Non-compliance can result in steep penalties, including fines up to £10 million or 4% of global revenue. Businesses distributing connected products in the UK must publish a Statement of Compliance (SoC) to demonstrate adherence to PSTI requirements.
Product Cybersecurity Best Practices 2025
1. Threat Modeling: A Key to Secure Device Development
Threat modeling and risk assessment, often referred to collectively as “Threat modeling,” are essential for secure product development. By identifying and prioritizing potential threats early in the design process, threat modeling ensures that products are built to withstand real-world risks.
The Role of Threat Modeling
This methodology provides a structured approach to:
Identifying Security Gaps: Detect vulnerabilities before they become costly problems.
Tailoring Countermeasures: Address specific threats in the product’s intended use environment.
Optimizing Development: Avoid over-engineering security features while meeting requirements.
For 2025, threat modeling is poised to become a central focus for device manufacturers aiming to stay competitive and compliant.
2. Cybersecurity Risk Management (CRM) in Connected Devices
In the context of medical devices, the FDA’s Cybersecurity Risk Management (CRM) framework applies threat modeling and risk assessment, with a strong emphasis on risk evaluation.
Key CRM Objectives
CRM focuses on:
Identifying threats, vulnerabilities, and assets.
Estimating and evaluating security risks.
Implementing and monitoring risk controls.
CRM is the counterpart of SRM (Safety Risk Management): while SRM focuses on reducing clinical harms, CRM addresses security risks like data breaches, downtime, and reputational damage. Understanding and differentiating these two processes is critical for medical device manufacturers and others operating in high-stakes industries.
SBOM Management: Enhancing Transparency and Security
The Software Bill of Materials (SBOM) is becoming a critical component of global cybersecurity standards, providing detailed inventories of the software components within a device.
Key Drivers for SBOM Management
Regulatory mandates: Required by regulations/standards such as the FDA Pre-market submissions, the Cyber Resilience Act, ISA/IEC 62443, and RED DA.
Supply chain transparency: SBOMs enhance visibility, enabling manufacturers to identify vulnerabilities proactively.
Security assurance: A robust SBOM supports better risk management and customer confidence.
Organizations must develop efficient processes to manage the full lifecycle of SBOMs, ensuring accuracy and compliance with global standards.
Vulnerability Management: Mitigating Risks Across the Lifecycle
Vulnerability management is a cornerstone of robust cybersecurity practices, ensuring that risks are identified, assessed, and mitigated throughout a product’s lifecycle
Core Components of Vulnerability Management
Proactive identification: Continuous monitoring of vulnerabilities. Automate vulnerability identification and notification with tools such as the ARIANNA platform.
Patch management: Ensuring rapid and efficient deployment of security updates.
Incident response: Establishing protocols for managing and disclosing critical vulnerabilities, as required by laws like the Cyber Resilience Act (CRA).
With regulatory frameworks increasingly mandating formal vulnerability management processes, manufacturers must invest in tools, training, and systems to stay ahead of emerging threats.
Strengthening Vulnerability Management in Industrial Automation and Control Systems (IACS) : THYTRONIC
Conclusion: Meeting the Challenge of 2025
The road to 2025 is marked by pivotal deadlines and emerging trends that demand proactive engagement from businesses across industries. From aligning with RED DA and CRA to adopting FDA’s SPDF and ISA/IEC 62443 certifications, organizations must embrace these challenges as opportunities to strengthen their market position.
Incorporating threat modeling and risk assessment, SBOM, vulnerability management, and NIS2 compliance into business strategies is not just about avoiding penalties but building a resilient, future-ready organization.
The time to act is now. Businesses prioritizing cybersecurity compliance today will drive innovation and trust in tomorrow’s connected world.
Comentários