New cybersecurity standard for home gateways published

Without presumption of conformity

The good news is that we have a new standard for assessing cybersecurity requirements at our fingertips. But unfortunately, even this standard will not provide a presumption of conformity.

But first things first:
Currently, the most important standard for assessing the cybersecurity of IoT end-user devices ("Internet-of-Things") is ETSI EN 303 645 V2.1.1 (2020-06) (Basic Requirements). This standard was originally developed by ETSI and is now managed by ETSI, CEN and CENELEC under a joint agreement.

On March 22, 2022, a "vertical" and thus product-specific standard appeared – ETSI TS 103 848 V1.1.1 (2022-03) – which addresses the above-mentioned basic requirements and tailors them to home gateways.

Home gateways are found in almost all households with Internet access. This is the interface to the outside world to the Internet Service Provider (ISP) – i.e. the provider who provides the Internet access. On the inside, we see the WLAN or LAN interfaces to connect our end devices to the Internet.

The provisions listed in this document are supported by a preceding threat analysis according to ETSI TR 103 743, which addresses attacks from the outside (WAN, ISP) and from the inside (LAN). Deviating possibilities for compromise (e.g. within the supply chain) are not addressed here.

To put the news presented here in context, let's travel back in time a few months.

RED 2014/53/EU - Essential requirements of Article 3, paragraph 3(d), (e) and (f)

On January 12, 2022, additional essential requirements for radio products for activation were announced in the Official Journal of the European Union (L7:2022), to be mandatory from August 1, 2024.

In addition to the already known essential requirements on health and product safety in Article 3 (1) (a), electromagnetic compatibility in Article 3 (1) (b) and radio spectrum in Article 3 (2), three subparagraphs of Article 3 (3) are now activated.

The subparagraphs with the letters d, e and f define - in brief - the harmless use of the network (d), the protection of personal data as well as privacy (e) and the protection against fraud (f). In practice, the latter point can be seen, for example, in the secure transfer of money, monetary assets or virtual currencies.

Harmonized Standards and OJEU Listing

For market access in the European Union, harmonized European standards (hEN) are to be drawn up in preference, which develop their presumption of conformity through their naming in the OJEU. The application of a hEN gives presumption of conformity with an essential requirement of a directive (or regulation).

However, the ETSI standards presented at the beginning do not meet the requirements of a harmonized European standard (hEN) and will therefore not be cited in the OJEU.

We are currently in a preliminary phase of standards development. The challenge is to draft standards that can name objective requirements and prove them by functional tests. Any subjective (non-specific or non-verifiable) requirement in a standard will prevent its gazette citation.

The suitability of standards is evaluated by an appointed expert (HAS consultant). A checklist of six pages serves as the basis for this evaluation, although the described objectivity of requirements accounts for only one item (4.5) on the checklist.

It is by no means guaranteed that the required objective and testable requirements can be found in the near future. Moreover, there is currently no mandate from the EU to commission one of the standards organizations mentioned (ETSI, CEN or CENELEC) to develop such a standard.

Published on 21.04.2022
Category: Fokus Electrical and Wireless, Compliance

Breaking News in Standards and Product Compliance

The world of standards and market authorization requirements may turn slowly, but it does turn.  Regular updates, revisions and reforms prove it.  We'll keep you posted!

And in other news, here's the latest on Standards and Product Compliance
Donate instead of sending - also in 2021

Christmas tradition continues

Read more

GLOBALNORM supports vaccination campaign


Read more

New Release: Practical Guide Radio Equipment Directive 2014/53/EU

New specialized book by Dipl.-Ing. (FH) Michael Loerzer

Read more

EU: The backlog in the publication of harmonized standards continues

Background and current status

Read more

Final EMC standard for GNSS receivers published

(ETSI) EN 301 489-19

Read more

International standardization initiatives and the national delegation principle

China vs. EU

Read more

German Market Surveillance Conference 2022

Short summary

Read more

Testing of radio equipment in connection with the Radio Equipment Directive 2014/53/EU

What to consider

Read more

EU: The planned EU Machinery Regulation is coming

Read more


In accordance with the EU ePrivacy (Cookie) Directive (2009/136/EG), we would like to inform you that our website uses cookies. By using our website, you accept and agree to our Privacy policy. Please view our Privacy policy to find out what cookies we use and how to disable them.