SecurityWorldMarket

14/05/2025

Preparing for the new Radio Equipment Directive regulations

Redwood City, Ca

The Radio Equipment Directive (RED) has been a cornerstone of European radio equipment legislation for over a decade. It ensures products such as Wi-Fi routers and other connected devices meet stringent safety and electromagnetic compatibility (EMC) requirements in areas such as sensitive spectrum sharing. Recently, however, cyber security concerns have taken center stage, reflecting the reality that (almost) everything now connects to the internet.

Global Platform, formed over 20 years ago, is a community of security experts from diverse industries, working together to reduce the cost of security and certification to drive lower cost, secure products. For example, member companies can help evolve established standards, evaluate new technologies, define use cases, monitor trends, analyse cryptographic algorithms and define attack methodologies for use in assessing product security.

Carlos Serratos is the SESIP Ecosystem Adoption WG Chair at Global Platform. SESIP is the Security Evaluation Standard for IoT Platforms, a methodology that reduces the cost, complexity and effort of security evaluation and certification. It utilises the concepts of composition and reuse, so that previously certified components can be used to build a device with in-built security assurances, without having to repeat the same evaluations in every targeted market. The methodology maps to other standards and requirements from bodies including ETSI, ISO/IEC and NIST, which demonstrates a risk-based design approach and helps lower barriers to entry.

Here, Serratos is urging companies to be ready for the new Radio Equipment Directive rule, which will come into force in August this year. He explains the importance of these new regulations and some of the actions that companies can take to help simplify the route to compliance.

The European Union (EU) recognised the need to expand the scope of RED to address the growing risks posed by cyber attacks targeting connected devices, culminating in the activation of three RED Articles: protecting networks from cyber attacks (Article 3.3d); safeguarding user privacy (Article 3.3e); and mitigating financial fraud (Article 3.3f).

With the new RED rules being enforced from August 2025, OEMs of all types of connected devices—from smart TVs to industrial controllers—find themselves racing against the clock to show conformance with the expanding regulations. For OEMs lacking expertise in areas such as secure communication cryptography, this represents a significant challenge. What must they do to obtain the necessary conformance to market their products in Europe? And how do they ensure the components they use in their products are compliant?

A standards-based approach to compliance

To support OEMs on this journey, CENELEC, the European standardisation organisation, has developed the EN 18031 series of standards to demonstrate conformance with the Delegated Act. In January, the European Commission officially implemented EN 18031 as a harmonised framework. This enables products to be classed as compliant with the new RED cybersecurity requirements if they fully adhere to the EN 18031 standards.

These standards provide OEMs with a roadmap for meeting RED’s cyber security obligations, allowing them to comply with the regulation through self-declarations. However, in some cases, OEMs may still need assessments conducted by a third-party Notified Body (NB). Indeed, some may opt for this route to minimize risk and liability.

Streamlining the certification process using SESIP

Help is at hand to make this process easier. This is found in Annex D of EN 18031, which introduces a direct mapping to Global Platform’s SESIP framework. This means OEMs can now use SESIP as evidence of their conformance to RED’s cyber security requirements, streamlining the certification and self-assessment process. This marks a pivotal moment for SESIP as a trusted mechanism for demonstrating compliance with European cyber security regulations.

It means OEMs can now self-declare that their devices meet RED requirements by using SESIP-compliant components, saving significant time and effort. If they choose third-party assessment, certification bodies might simply verify that the device is built using SESIP-certified components and will not need to retest something already certified.

This approach extends to modularity as well. By integrating SESIP into the RED conformance process, a solid foundation is established for modular compliance. For example, consider a TV with SESIP-compliant modules. Just as an OEM can demonstrate RED compliance for similar TVs with different dimensions by proving that the TV’s module meets regulatory standards, SESIP’s modularity allows manufacturers to verify security compliance at the module and component level. Instead of testing what has already been tested, they can streamline the conformance process by relying on existing conformance evidence and on verification that such functionality is properly integrated in the end device.

Defining a conformance model for future cyber security rules

With the new RED directives set to come into force in just a few months, OEMs now have a faster and more efficient path to achieving the CE mark certification—a requirement for market access in the EU. By integrating SESIP into the RED conformance process, OEMs now have a clear pathway for meeting regulatory requirements and ensuring their devices can be safely sold within the EU and beyond.

Finally, Carlos Serratos stresses: "For OEMs navigating complex regulatory requirements, SESIP offers a reliable, efficient, and future-proof approach to cyber security compliance. Its inclusion in RED through EN 18031 also sets a precedent for upcoming regulations such as the Cyber Resilience Act (CRA), which takes effect in December 2027. As security standards evolve, SESIP enables manufacturers to stay ahead, ensuring their devices meet the highest levels of protection—both today and in the future."

