Secure Global Market Access with Cybersecurity Compliance

Protect your clients. Protect your business.

Enhancing Device and Application Security through Cybersecurity Testing

Granite River Labs (GRL) provides comprehensive cybersecurity testing and evaluation services, helping organizations meet and exceed evolving global security standards. Our expert assessments identify vulnerabilities, mitigate potential threats, and strengthen security measures to protect sensitive data and critical infrastructure.

As an independent, third-party security assessor, GRL delivers unbiased, ISO/IEC 17025-accredited evaluations, ensuring the highest quality and technical rigor. Our accreditations, including recognition by India’s NABL, provide global credibility and confidence in our assessments.

Why Choose GRL for Cybersecurity Testing?

  • Globally Recognized & Accredited – NABL accreditation ensures worldwide acceptance of test reports.
  • Industry-Leading Expertise – Specialists in IoT, telecom, and software security.
  • State-of-the-Art Security Labs – Advanced testing facilities for global compliance.
  • End-to-End Compliance Support – Tailored cybersecurity compliance for regulatory requirements across Europe (EU RED), India (NCCS, BIS), and other global markets.

EU Radio Equipment Directive (RED) Cybersecurity Compliance – EN 18031-1/2/3

The European Union’s Radio Equipment Directive (RED) has introduced new cybersecurity requirements to enhance the security, privacy, and fraud prevention capabilities of radio-connected devices in the EU market. The EN 18031 series of standards provides a harmonized framework for compliance, ensuring that manufacturers meet cybersecurity regulations before selling devices within the EU and remain compliant with CE marking requirements.

Reach out to kickstart your RED EN 18031 compliance journey.

Products that fall under the new RED requirements include:

  • Consumer Electronics: Smartphones, tablets, and wearables
  • IoT and Smart Devices: Connected home systems and industrial equipment
  • Financial & Payment Devices: Wireless payment systems
  • Digital & Connected Fire Equipment: IoT-enabled alarms and lighting
  • Entertainment & Educational Products: Gaming consoles and e-readers
  • Transportation & Safety Devices: Vehicle telematics and keyless entry systems
  • Communication & Networking Equipment: Wi-Fi routers and Bluetooth hubs
  • Certain Non-Internet Connected Radio Equipment: Wearables, toys, and childcare products processing personal data (e.g., voice or facial recognition)
 
Please refer to the table below for details on applicability.

| Device type | Internet connected Radio equipment or Radio equipment | EN 18031-1 (network functions) | EN 18031-2 (data protection) | EN 18031-3 (financial transactions) | Remarks |
|---|---|---|---|---|---|
| RED-Essential requirement reference | 2014/53 | Article 3.3 d | Article 3.3 e | Article 3.3 f | |
| Delegated act reference | 2022/30 | Article 1.1 | Article 1.2 | Article 1.3 | |
| Tablets/laptops | Internet connected | Yes | Yes | Yes* | Only if financial transactions are supported |
| Smart phones/home devices and Wireless IoT devices | Internet connected | Yes | Yes | Yes* | Only if financial transactions are supported |
| Toys and childcare | Internet connected | Yes | Yes | Yes* | Only if financial transactions are supported |
| Toys and childcare | Radio devices (no internet) | No | Yes | No | |
| Body worn/wearable devices | Internet connected | Yes | Yes | Yes* | Only if financial transactions are supported |
| Body worn/wearable devices | Radio devices (no internet) | No | Yes | No | |
| Automotive | Internet connected | Yes | No | No | |
| Aviation (Drones) | Internet connected | Yes | No | No | |
| Road toll systems | Internet connected | Yes | No | No | |
| Medical devices | Internet connected | No | No | No | |
| IVD medical devices | Internet connected | No | No | No | |

 

Mandatory Compliance Deadline – August 1, 2025

The European Commission has harmonized the EN 18031 series under the RED, making compliance mandatory for all new radio equipment placed on the EU market from August 1, 2025. Manufacturers must test and certify their devices before this deadline to ensure regulatory approval.

GRL supports manufacturers, telecom providers, and IoT developers in meeting EN 18031-1, EN 18031-2, and EN 18031-3 requirements.

  • Accredited Cybersecurity Testing
    GRL’s ISO/IEC 17025-certified labs provide third-party testing and evaluation for compliance with the EU RED cybersecurity directive.

  • Pre-Compliance Testing & Risk Assessments
    We help manufacturers identify vulnerabilities in their radio devices before official certification, ensuring a smoother approval process.

  • Security Testing for IoT & Wireless Devices
    Our expertise includes networked IoT devices, smart home equipment, wearables, automotive systems, and telecom infrastructure.

 

Breakdown of EN 18031 Standards

EN 18031-1 – Network Protection


Ensures devices do not compromise network integrity by preventing:
  • Unauthorized access & disruptions
  • Malware propagation through connected devices
  • Excessive bandwidth consumption affecting performance

EN 18031-2 – User Data & Privacy Protection

Focuses on securing personal data with:

  • Encryption for sensitive data (transmission & storage)
  • Protection against unauthorized tracking & privacy breaches
  • Secure authentication & access controls

EN 18031-3 – Fraud Prevention & Secure Transactions

Mandates anti-fraud security for radio-connected financial devices, ensuring:
  • Protection against unauthorized transactions & identity fraud
  • Secure wireless payment processing
  • Prevention of device cloning, tampering & cyber fraud

ETSI EN 303 645 Compliance

The European Telecommunications Standards Institute (ETSI) published the ETSI EN 303 645 standard in 2020 to address the growing concerns around the security of Internet of Things (IoT) devices. The standard outlines security requirements for the design, development, and lifecycle management of internet-connected consumer IoT devices. These include devices intended for personal and home use, such as smart home appliances, wearable technology, and home automation systems. 
Notably, ETSI EN 303 645 does not cover all IoT devices; it is specifically limited to consumer-grade products. IoT devices in fields including healthcare, manufacturing, or industrial settings are not subject to this standard, as these sectors often have unique security requirements and regulations that the ETSI standard does not address.

Granite River Labs (GRL) provides end-to-end security testing and compliance certification to help manufacturers, developers, and IoT vendors meet ETSI EN 303 645 requirements and ensure global market access.

Learn how you can become ETSI EN 303 645 compliant

What is ETSI EN 303 645?

The ETSI EN 303 645 is the European standard for consumer IoT cybersecurity, defining security best practices for connected devices. It is recognized by:
  • The EU Cyber Resilience Act
  • The UK PSTI (Product Security and Telecommunications Infrastructure) Act
  • Global regulatory frameworks for IoT security

GRL’s IoT Security Testing & ETSI EN 303 645 Compliance Services comprise:
  • Compliance & Certification Support
    • Pre-Compliance Assessment – Identify gaps in ETSI EN 303 645 compliance
    • Technical Documentation & Test Reports – Prepare for regulatory approval
    • Certification Assistance – Meet EU regulatory requirements efficiently

  • Penetration Testing & Risk Assessment
    • Resilience Testing – Evaluate IoT device security against cyber threats
    • Vulnerability Assessment – Identify weaknesses in firmware, APIs, and network protocols

  • Testing for a Wide Range of IoT Products
    • Smart Home & Consumer IoT – Cameras, doorbells, smart speakers, and wearables
    • Industrial & Enterprise IoT – Smart meters, factory automation, and connected healthcare devices
    • Networked Communication Devices – Routers, gateways, and smart hubs

EU Cyber Resilience Act (CRA)

The European Union's Cyber Resilience Act (CRA) establishes stringent cybersecurity requirements that manufacturers and retailers must adhere to before their hardware and software products can be authorized for sale within the EU market. This regulation, scheduled to be implemented in December 2027, aims to ensure that products with digital elements available to consumers meet current cybersecurity standards, thereby enhancing the overall security posture of the EU digital landscape.

CRA encompasses all products that have the capability to connect directly or indirectly to another device or network. This includes everything from daily consumer electronics to complex industrial systems. However, open-source software and services that are already covered by other existing regulations are excluded from the CRA's purview.

By mandating compliance with cybersecurity standards, the CRA aims to mitigate the risks associated with cyber threats, such as data breaches, malware infections, and unauthorized access. Products that successfully meet the CRA's requirements will be affixed with the CE marking, which signifies conformity with EU safety, health, and environmental protection standards. 

Obtain EU CRA marking for your products

What is the EU Cyber Resilience Act (CRA)?

The CRA applies to:

  • Consumer & Industrial Digital Products – Any device or software that connects to a network
    • IoT & Smart Devices – Wearables, smart home devices, and connected appliances
    • Enterprise & Critical Infrastructure Systems – Cloud software, industrial automation, and communication equipment
  • Excluded: Open-source software and products already regulated under existing EU cybersecurity laws.

GRL’s CRA Compliance & Cybersecurity Testing Services

  • Cybersecurity Risk & Vulnerability Assessment
    • Identify cyber threats, software vulnerabilities, and network risks
    • Secure data storage, transmission, and system integrity
  • Penetration Testing & Security Validation
    • Test resilience against cyberattacks, malware, and unauthorized access
    • Assess firmware, software, and API security
  • Compliance & CE Marking Readiness
    • Pre-certification assessments to identify gaps in CRA compliance
    • Technical documentation & test reports for regulatory submission
    • Support for CE marking approval
  • Secure Software Development & Lifecycle Management
    • Ensure regular software updates, security patches, and incident response plans
    • Implement strong authentication & access control mechanisms

UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTIA)

The PSTIA 2022 enhances UK consumer "smart" product security by mandating strong passwords and provision of security information to customers. While these requirements only apply to manufacturers at the time of writing, experts believe that they may extend to importers and distributors in the future. Supply chain stakeholders are advised to prioritize PSTIA compliance to avoid the high cost of non-compliance.

The UK’s consumer connectable product security regime has been in effect since 29 April 2024. Since inception, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 have required manufacturers of UK consumer connectable products (or ‘smart’ products) to comply with the relevant obligations set out in the Act, which include the following minimum security requirements.

  1. These Regulations may be cited as the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
  2. These Regulations come into force on 29th April 2024 and extend to England and Wales, Scotland and Northern Ireland.

Enforcement of these regulations falls under the capable oversight of the Office for Product Safety and Standards (OPSS), collaborating with DSIT under an MoU, guaranteeing strict adherence to the PSTI Act 2022 and the 2023 Regulations.

  • Who's in the spotlight? Manufacturers, importers, and distributors of relevant connectable products—our economic actors committed to ensuring your safety and security.
  • What exactly are "relevant connectable products"? These are the game-changers—internet-connectable or network-connectable products designed to enhance your life, excluding those deemed excepted products.

Schedule 1 to the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products.

  1. Passwords: Passwords must be unique per product or capable of being defined by the user of the product. They should comply with provision 5.1-1 of ETSI EN 303 645 and, where relevant, provision 5.1-2 of ETSI EN 303 645.
  2. Information on how to report security issues: The manufacturer must provide information on how to report security issues about their product to them. This should comply with provision 5.2-1 of ETSI EN 303 645.
  3. Information on minimum security update periods: Information on minimum security update periods must be published and made available to the consumer in a clear, accessible and transparent manner. This should comply with provision 5.3-13 of ETSI EN 303 645.

National Centre for Communication Security (NCCS)

The National Centre for Communication Security (NCCS), operating under the Department of Telecommunications (DoT), Government of India, is responsible for ensuring the cybersecurity of India's critical communication infrastructure through security certification and evaluation of telecom equipment.  

The NCCS has formulated the Indian Telecom Security Assurance Requirements (ITSAR), a set of security guidelines applicable to all telecom service providers and importers of telecom infrastructure in India. 

Falling under the Mandatory Testing and Certification of Telecommunication Equipment (MTCTE), the ITSAR covers areas such as network security, data privacy, and lawful interception. Compliance with ITSAR not only ensures the security of India's telecom infrastructure but also provides telecom equipment manufacturers with a competitive advantage when bidding for contracts with Indian public and private organizations.

As an NCCS-designated Telecom Security Testing Laboratory (TSTL), GRL provides cybersecurity testing in accordance with ITSARs and other national and international standards for the following equipment:

  • IP Routers (Standalone, Cloud Managed, Virtual Routers)
  • Wi-Fi Customer Premises Equipment (CPEs) 
  • Standalone or Cloud Managed Access Points (AP)
  • Optical Line Terminals (OLT) and Optical Network Terminals (ONT)
  • 5G/LTE Core & Radio Network Components

Obtaining NCCS certification is a prerequisite to achieving MTCTE certification for telecom devices, which in turn is a mandatory requirement for telecom devices to enter the Indian market. 

Kickstart your ITSAR compliance journey with GRL

Learn more about NCCS

BIS CCTV cybersecurity

The Ministry of Electronics & Information Technology (MeitY) has implemented a Compulsory Registration Scheme (CRS) that requires all consumer electronics manufacturers to register their products with the Bureau of Indian Standards (BIS). This registration can only be obtained after the products have undergone testing at BIS-recognized laboratories.

In addition to electrical safety standards, all CCTV cameras must also meet the cybersecurity requirements specified in Essential Requirements (ER01), effective from 9th April 2025.

Securing a CCTV camera is crucial to protect sensitive information and ensure the system operates effectively. Key areas of testing include exposed network services, device communication protocols, physical access to the device’s UART, JTAG, SWD, etc., the ability to extract memory and firmware, firmware update process security, and storage and encryption of data. OEMs should ensure that CCTV cameras meet minimum security requirements such as:

  • Access Control - Implement role-based authentication for administrators, operators, and users.
  • Network Security - Ensure end-to-end encryption for data storage and transmission to prevent eavesdropping or data breaches.
  • Software Security - Perform regular firmware & software updates to patch vulnerabilities. Disable unused features and restrict unnecessary network services. Enforce strong password policies, including multi-factor authentication (MFA).
  • Penetration Testing & Cyber Threat Resistance - Conduct regular penetration testing to identify and fix vulnerabilities. Ensure systems can withstand cyberattacks, malware, and unauthorized access attempts.

GRL India is authorized by BIS for cybersecurity testing of CCTV cameras under the Compulsory Registration Scheme (CRS), helping manufacturers before certification (pre-compliance) and testing the security parameters defined in the essential security requirements listed in ER01 under the following categories:

  1. Hardware Level Security Parameters
  2. Software/ Firmware
  3. Secure Process Conformance
  4. Secure Conformance at Product Development stage

Learn how you can make sure your CCTV cameras are BIS compliant.

Vulnerability Assessment & Penetration Testing (VAPT)


VAPT is crucial for identifying, analyzing, and mitigating security risks in connected devices, including telecom, IoT, and drones. The National Institute of Standards and Technology (NIST) SP 800-115 provides a structured methodology for security testing to ensure robust cyber resilience and regulatory compliance.

The services offered include:

  • Vulnerability Assessment (VA) – Identifying Security Gaps
    • Automated & manual scanning for vulnerabilities in hardware, firmware, and software.
    • Evaluate encryption, authentication, and access control mechanisms.
    • Risk assessment & prioritization based on severity impact.

  • Penetration Testing (PT) – Simulating Real-World Attacks
    • Black-box, grey-box, and white-box testing methodologies.
    • Simulated cyberattacks, malware injection, and unauthorized access attempts.
    • Test firmware integrity, API security, and network resilience.

Application Security Testing (AST)

Modern applications—whether running on web, mobile, IoT, telecom networks, or embedded devices—are a prime target for cyberattacks. Weak authentication, insecure APIs, and unpatched vulnerabilities can expose systems to breaches, data leaks, and service disruptions. Ensuring robust application security is essential to maintain user trust, regulatory compliance, and business continuity.

Testing Offerings

  • Web & Mobile Application Security Testing
  • IoT & Embedded System Application Security
  • API & Cloud Application Security Testing
  • Penetration Testing & Exploit Simulation
  • Secure Software Development & DevSecOps

Granite River Labs (GRL), as a NABL (ISO/IEC 17025) accredited lab, helps manufacturers, software developers, and service providers strengthen their applications through rigorous security testing based on OWASP Top 10 and CWE 25 frameworks. Our end-to-end security assessment ensures that applications are resilient against cyber threats at every stage, from development to deployment.

CIS Benchmark Compliance Testing

Network infrastructure is a critical target for cyber threats, making security hardening a top priority for routers, switches, firewalls, VPN gateways, and other network devices. The Center for Internet Security (CIS) Benchmarks provide industry-recognized security configurations to reduce vulnerabilities, prevent unauthorized access, and enhance system resilience.

GRL’s CIS Benchmark Compliance Testing Services:

  • Baseline Security Configuration Validation
  • Network Hardening & Secure Configuration Testing
  • Automated Compliance Auditing & Reporting
  • Penetration Testing & Vulnerability Assessments

Securing Your Market Position with the Right Partners

Transform compliance challenges into market opportunities with GRL compliance testing and market access expertise. Meet prevailing cybersecurity standards, and exceed customer expectations by hopping on board the fast track towards global market success. 

Go beyond compliance. Safeguard new markets, and your future, with GRL.