To help you better understand why we are hardly pushing this crucial initiative, I would like to quote a proverb from a famous Americain physician Dean Ornish which says “Fear leads to more fear, and trust leads to more trust Eventhough IoT is bringing a lot of benefits to businesses and consumers, THE FEAR IS THERE… cyber attacks on IoT devices are increasing and this problem isn’t one for the years to come. It’s a problem that needs to be solved today. Plus, the number of IoT devices keeps growing at an increasingly faster pace, and more of them are reaching the market. Thus the collective FEAR is growing… That's why we need to focus on addressing the security of IoT in all sectors. Yes the EU Cybersecurity Act is operational since September 2019 and is becoming a reality with the creation of the first EU certification schemes in 2021.Certification are intended to bring TRUST that will leads to more and more TRUST and security for the EU consumers and businesses. The Commission is convinced that security by design is a key and that certification of IoT devices must be a priority. The Council recognize also the importance of the certification and support the creation of the IoT Certification Scheme. Excellent News for all of us… but the less good part of it is that it looks like it is not for 2021… due to some lack of capacity… ! And let’s face it IoT is a huge complex ecosystem, although there are several initiatives on the market today we are going to face several challenges… In this presentation you'll find the top 6 of these challenges that I’ve often heard from different stakeholders while working with several organizations to create IoT certification schemes (from the IoTSF, to IoXT Alliance, GSMA, to Eurosmart,, ECSO, GP, CEN-CENELEC, ISO, etc.) Every challenge is affected to the steps impacted as defined by Article 54 of the CSA guiding us in creating the certification scheme.

1. © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
BRINGING TRUST
TO THE
INTERNET OF THINGS
A PROPOSAL FOR AN EU IOT CERTIFICATION SCHEME CANDIDATE
24th of March, 2021

2. 2
© 2020 RED ALERT LABS – ALL RIGHTS RESERVED
A PROPOSAL FOR AN EU IOT CERTIFICATION SCHEME CANDIDATE
WE ARE
REVOLUTIONIZING THE
WAY COMPANIES
SECURE BY DESIGN,
ASSESS AND CERTIFY
THEIR CONNECTED
SOLUTIONS BY
AUTOMATING APPLIED
PROCESSES AND BEST
PRACTICES.
#IoT
#Cybersecurity
#Chip-to-Cloud
#Certification
#Security-By-Design
#Regulations
https://www.iotstrust.com
#IoTsTrust

3. 3
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
“Fear leads to more fear,
and trust leads to more trust”
Dean Ornish

4. 4
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
IOT BRINGS A LOT OF BENEFITS … WITH HIGH
SECURITY RISK !
Fraud &
Misuse
Privacy Safety

5. 5
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
ITS GROWING…
15.41 17.68 20.35 23.14 26.66
30.73
35.82
42.62
51.11
62.12
75.44
0
10
20
30
40
50
60
70
80
2015 2016 2017 2108 2019 2020 2021 2022 2023 2024 2025
Evolution du nombre d’objets connectés en milliards
75 BILLION
of IOT DEVICES
in 2025

6. 6
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
Cybersecurity certification under the
European Union Cybersecurity Act
(CSA) is intended to increase trust and
security for European consumers and
businesses and help to achieve a
genuine digital single market.
GOOD NEWS

7. 7
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
“Building strong cybersecurity for the
EU’5 states that the Commission and
stakeholders should consider the
certification of these devices as
priority area. In particular, the
Communication refers to the use of
"security by design" methods in low-
cost, digital, interconnected mass
consumer devices, which make up the
Internet of Things”
URWP
The EU Commission
GOOD NEWS

8. 8
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
“We recognise the growing importance of
devices connected to the internet and
their security, including machines,
sensors and networks that make up the
Internet of Things and invite the
Commission and the ECCG to start
discussions on a candidate cybersecurity
certification scheme and support the
inclusion of an IoT scheme in the
URWP.”
The EU Council
URWP
GOOD NEWS

9. 9
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
1
TOP 6 CHALLENGES AHEAD
SCOPE
2
BASELINE
3
INTENDED USE
4
COMPOSITION
5
COST-EFFICENCY
6
VENDOR & CONSUMER FRIENDLY
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t

10. 10
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
1
SCOPE
SCOPE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
• Evaluation Methods
• Assurance Levels
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
IoT Application
IoT Core
(OS, Connectivity, Drivers, etc.)
IoT RoE/RoT
(Crypto, Bootloader, Secure storage, etc.)
IoT HW
(SoC, SE)
SENSOR
ACTUATOR
IOT DEVICE
“Trust is very hard if you don't know what you're trusting “
Marianne Williamson

11. 11
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
1
SCOPE
SCOPE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
• Evaluation Methods
• Assurance Levels
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
Consumer IoT devices are focused on individual users and typically include wearables,
smart home applications, and personalized healthcare devices, for example. Such
devices are likely to have a life measured in months or years, with new versions quickly
replacing older products. The lifetime may also be counted in years, but consumer IoT
tend to be replaced with the newest versions launched with the advent of new tech
generations.

12. 12
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
1
SCOPE
SCOPE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
• Evaluation Methods
• Assurance Levels
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
To solve the complexity arising from the multiple use of IoT, the URWP proposes to
develop a generic candidate scheme for IoT devices addressing all assurance levels
as provided for in the Cybersecurity Act.
➔ IoT devices designed for use in industrial automation will be dealt with under the
scheme on Industrial and Automation Control System
*Discussions are still ongoing in the Commission to provide a more precision on the scope

13. 13
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
BASELINE
2
BASELINE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
ETSI EN 303 645 is designed to prevent large-scale, prevalent attacks
against smart devices that cybersecurity experts see every day, by
establishing a security baseline for connected consumer products and
provides a basis for future IoT certification schemes. ETSI EN 303 645
supports a good security baseline for connected consumer products,
provisioning a set of 13 recommendations, with the top three being: no
default passwords, implement a vulnerability disclosure policy, and
keep software updated.
Alignment with
ISO/IEC 27402

14. 14
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
BASELINE
2
BASELINE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
The assessment specification ETSI TS 103701 specifies baseline
conformance assessments for assessing consumer IoT products
against the provisions of ETSI EN 303 645. It sets out mandatory
and recommended assessments, intended to be used by testing
labs and certifying bodies that provide assurance on the
security of relevant products, as well as manufacturers that
wish to carry out a self-assessment.
Alignment with
IEC 62443,
IACS, IoXT
Alliance, PSA,
SESIP and
Eurosmart
IoT,…

15. 15
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
INTENDED USE
3
INTENDED USE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
RISK-ASSESSMENT
OPERATIONAL ENVIRONEMENT
JTC 13 WG3 risk-based
assessment for
Certification Schemes
ISO/IEC 27005, STRIDE, EBIOS RM,
EUROSMART IoT, ISO/IEC 31010,
Retail
Speciality
Hospitality
Stores
Transportation
Transpor
t Systems
Vehicles
Non-
vehicular
Industrial
Smart
distribution
Resource
Automation
Predictive
Maintenance
Smart
Manufacturing
Health Care &
Life Science
Care
In
vivo/home
Lab
research
Consumer &
Home
Infrastructure
Convenience
Entertainment
Smart Energy
Supply &
Demand
Oil & Gas
Alternative
Energy
Smart
Buildings
Commercial
Institutional
Industrial
IT & networks
Public
Enterprise
Security &
Public Safety
Public
Infrastructure
Emergency
services
Surveillance
Tracking

16. 16
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
INTENDED USE
3
INTENDED USE
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
RISK-ASSESSMENT ASSURANCE LEVELS
JTC 13 WG3/ENISA risk-
assessment for
Certification Schemes
ISO/IEC 27005, STRIDE, EBIOS RM,
EUROSMART IoT, ISO/IEC 31010, …
• BASIC
• ➔ SELF-ASSESSMENT / ETSI TS 103
• SUBSTANTIAL
• ➔ Eurosmart IoT + JTC 13 WG3
SRAHG/ SESIP
• HIGH
• ➔ EUCC

17. 17
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
COMPOSITION
4
COMPOSITION
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
• Evaluation Methods
• Assurance Levels
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
IoT Application
IoT Core
(OS, Connectivity, Drivers, etc.)
IoT RoE/RoT
(Crypto, Bootloader, Secure storage, etc.)
IoT HoW
(SoC, SE)
ECSO Product Certification Composition
- Risk-Based composition
- Composition across EU Schemes (EU
Cloud, 5G, IoT)
- Composition across security
assurance levels

18. 18
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
COST-EFFICENCY
5
COST-EFFICENCY
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
• Evaluation Methods
• Assurance Levels
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
- Self-Assessment
- Time-constrained Evaluation Methodology
- Composition
- Risk-Based security profiles (focus evaluation effort
on security functionalities that matters the most)
- Automated platforms & tools
- Time to Market
- One shot
- Vulnerability
Management
- Delta certification

19. 19
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
VENDOR & CONSUMER FRIENDLY
6
VENDOR & CONSUMER FRIENDLY
Subject Matter & Scope
Article 54.1.a
Purpose of the scheme
Article 54.1.b
• Security Requirements
Standards
Standards supporting
Evaluation
Methodologies
Article 54.1.c
Assurance Levels
Article 54.1.d
Conformity Self-
Assessment Article
54.1.e
Specific Requirements
applicable to CABs
Article 54.1.f
Specific Evaluation
Criteria & Methods
Article 54.1.g
Necessary Information
for Certification Article
54.1.h
Marks & Labels Article
54.1.i
Rules for Monitoring
Compliance and Non-
Compliance Article
54.1.j/l
Managing Certificates
Article 54.1.k/p/r/s
Vulnerabilities
Handling Article 54.1.e
National &
International Schemes
Article 54.1.o
Mutual Recognition
Article 54.1.t
- Standards and Clear Metrics
- Natural Language
- Smart Labels
- Clear IoT device taxonomy
- Simplified Processes

20. 20
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
01 02 03
Evaluation
Impact
Activity (EIA)
SAR Evidence for
application
Observation
Report (OR)
Vendor
evidence
Evaluation
Outputs
Security
Profile Security
Requirements
(SFR)
Security
Assurance
Activities
(SAR)
00
Security
Maturity
Questionnaire
List of
Security goals
and risk
acceptance
Business Line
BOB
Consultant
CAB-CB
CAB-ITSEF
➔ PASS
➔ INCONCLUSIVE
➔ FAIL
VENDOR & CONSUMER FRIENDLY

21. 21
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
EU CYBERSECURITY ACT - ARTICLE 54 POTENTIAL COVERAGE*
(a) subject-matter and scope of the certification scheme, including the type or categories of ICT processes,
products and services
[ETSI EN 303 645], Chapter 1,
[TR-E-IOT-SCS-PART-1], Chapter 1 + Executive Summary,
(b) a clear description of the purpose of the scheme and how the selected standards, evaluation methods and
assurance levels correspond to the needs of the intended users of the scheme.
[TR-E-IOT-SCS-PART-1], Chapter 1 + Executive Summary
[EUCC], Chapter 2 (level High). [ETSI EN 303 645], Introduction,
(c) references to the international, European or national standards applied in the evaluation or, where such
standards are not available or appropriate, to technical specifications that meet the requirements set out
in Annex II of Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical
specifications or other cybersecurity requirements defined in the European cybersecurity certification
scheme;
[ETSI EN 303 645], [ETSI TS 103 701], [ISO /IEC 15408], [ISO/IEC
18045], [TR-E-IOT-SCS-PART-1], Section 1.3,
(d) where applicable, one or more assurance levels; [EUCC], Chapter 4 (level High).
[TR-E-IOT-SCS-PART-1], Section 1.1 (SUBSTANTIAL LEVEL)
[ETSI EN 303 645], Annex A,
(e) an indication of whether conformity self-assessment of conformity is permitted under the scheme; [ETSI TS 103 701], Chapter 1
(f) where applicable, specific or additional requirements to which conformity assessment bodies are subject
in order to guarantee their technical competence to evaluate the cybersecurity requirements;
[TR-E-IOT-SCS-PART-5]
[EUCC], Chapter 6,7 (level High).+ related guidelines (substantial)
(g) The specific evaluation criteria and methods to be used, including types of evaluation, in order to
demonstrate that the specific objectives referred to in Article 51 are achieved;
[TR-E-IOT-SCS-PART-3], [EUCC], Chapter 8 (level High).
[ETSI TS 103 701], [SESIP] Chapter 3
(h) where applicable, the information which is necessary for certification and which is to be supplied or
otherwise be made available to the conformity assessment bodies by an applicant;
[TR-E-IOT-SCS-PART-1], Section 4.1
[TR-E-IOT-SCS-PART-3] and [TR-E-IOT-SCS-PART-9]
[EUCC], Chapter 9 (level High).
(i) where the scheme provides for marks or labels, the conditions under which such marks or labels may be
used;
[TR-E-IOT-SCS-PART-7]
[EUCC], Chapter 10 (level High).
(j) rules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of
the European cybersecurity certificates or the EU statements of conformity, including mechanisms to
demonstrate continued compliance with the specified cybersecurity requirements;
[TR-E-IOT-SCS-PART-1], Section 4.2
and [TR-E-IOT-SCS-PART-6]
[EUCC], Chapter 11 .
* The coverage analysis is not exhaustive and must be considered

22. 22
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
EU CYBERSECURITY ACT - ARTICLE 54 POTENTIAL COVERAGE*
(k) where applicable, the conditions for issuing, maintaining, continuing and renewing the European
cybersecurity certificates, as well as the conditions for extending or reducing the scope of certification;
[TR-E-IOT-SCS-PART-1], Section 6,
[EUCC], Chapter 12 (level High).
(l) rules concerning the consequences for ICT products, ICT services and ICT processes that have been
certified or for which an EU statement of conformity has been issued, but which do not comply with
the requirements of the scheme;
[TR-E-IOT-SCS-PART-1], Section 6.1.4.4.
[EUCC], Chapter 13 (level High and Substantial).
(m) rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services
and ICT processes are to be reported and dealt with;
[TR-E-IOT-SCS-PART-1] Section 6.1, 6.1.4 and [TR-E-IOT-SCS-PART-6]
[EUCC], Chapter 14 (level High and Substantial) + Patch Management.
(n) where applicable, rules concerning the retention of records by conformity assessment bodies; [EUCC], Chapter 15 (level High).
(o) the identification of national or international cybersecurity certification schemes covering the same
type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation
criteria and methods, and assurance levels;
IoTSF/Code of Practice UK, Finnish Cybersecurity Label, IoT-SSF Japan,
CLS Singapore, + [EUCC], Chapter 16 (level High).
(p) the content and the format of the European cybersecurity certificates and the EU statements of
conformity to be issued;
[TR-E-IOT-SCS-PART-9]
[EUCC], Chapter 17
(q) the period of the availability of the EU statement of conformity, technical documentation, and all other
relevant information to be made available by the manufacturer or provider of ICT products, ICT
services or ICT processes;
[EUCC], Chapter 18
(r) maximum period of validity of European cybersecurity certificates issued under the scheme; [TR-E-IOT-SCS-PART-1], Section 6 (Substantial level) or [EUCC], Chapter
19 (level High).
(s) disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the
scheme;
[EUCC], Chapter 20.
(t) conditions for the mutual recognition of certification schemes with third countries; [EUCC], Chapter 21 (level High). TBD for other levels
(u) where applicable, rules concerning any peer assessment mechanism established by the scheme for the
authorities or bodies issuing European cybersecurity certificates for assurance level 'high' pursuant to
Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;
N/A – Not relevant to the Basic & Substantial level, [EUCC], Chapter 22
(level High).
(v) format and procedures to be followed by manufacturers or providers of ICT products, ICT services or
ICT processes in supplying and updating the supplementary cybersecurity information in accordance
with Article 55.
[EUCC], Chapter 23
* The coverage analysis is not exhaustive and must be considered as a
proof of concept

23. 23
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
The EU CSA is going to revolutionize the world of security by design and
certification.
ENISA, your organization and all relevant stakeholders have the experts…
the need is clear… this is a proposal addressing the main challenges… and
several initiatives are out there… and there is clear traction !
So if you want to be part of this revolution, if you want to help us eliminate
the FEAR by adding more TRUST, please join us in such effort either
through the future AdhocWGs via ENISA or through your individual
contributions and feel free to get in touch with us to discuss this further.
TAKEAWAYS

24. 24
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
THANK YOU FOR YOUR TRUST
Red Alert Labs
3, rue Parmentier | 94140 Alfortville, FRANCE
contact@redalertlabs.com
+33 9 53 55 54 11
www.redalertlabs.com
It's not up to you to decide if someone is
interested in stealing your data or
compromising your technology, but it is
up to you to decide how to protect it !

25. 25
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
01
AUTOMATISATION
& AGILE
METHODOLOGY
02
RECOGNIZE
EXISTING
EVALUATION
METHODOLOGY
03
REDUCE
COSTS
04
COMPARE IOT
DEVICES
05
REQUIREMENTS
TAILORED TO
THE INTENDED
USE
KEY GOALS

26. 26
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
06
COST-EFFICENT
CERTIFICATION
MAINTENANCE
07
CREATE
INCENTIVE FOR
VENDORS
08
INVOLVE IOT
SERVICE
PROVIDERS
09
SIMPLE
METRICS
10
MUTUAL
RECOGNITION
KEY GOALS

27. 27
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
EN 303 645
ISO 27402
Asia
• CH -Cybersecurity Law June, 2017
• IoT security Code of Practice Mar,
2020
• JP APPI & METI IoT Security 2020
Europe & UK
• GDPR May, 2018
• EU Cybersecurity Act Sept, 2019
• Proposed UK IoT Law Jan, 2020
• NIS 2.0
• RED Directive
• EU IoT Scheme ?
North America
• California IoT Security Law Jan
2020
• IoT Cybersecurity Improvement Act
of Dec 2020,
• CCPA Jan 2020
REGULATIONS

28. 28
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
HOW ABOUT A STORY?
HOW CAN I ASSESS THE RISKS ?
HOW CAN I INVOLVE BUSINESS LINE?
WHAT ARE MY SECURITY NEEDS ? …
WHAT IS MY LEVEL OF MATURITY ?
WHICH STANDARDS SHOULD WE APPLY ?
ARE WE GOING TO BE AUDITED ?
WHAT ABOUT TIME & BUDGET ?
HOW CAN I TRUST MY SUPPLIER ?
WHAT SECURITY REQUIREMENTS &
STANDARDS
SHOULD I APPLY ?
HOW CAN I ASSESS THE ROBUSTNESS
OF MY IMPLEMENTATION ?
WHAT EVIDENCE SHOULD I PREPARE ?
WHICH LAB SHOULD I CHOSE ?
HOW DO I GET CERTIFIED ?
HOW DO I DEAL WITH
VULNERABILITIES AND
MAINTAIN CERTIFICATES ?
END
USER/BUYER
VENDOR CAB
INDUSTRIAL SMART SENSORS CERTIFIER

29. 29
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
IoTsTrustTM
The World #1
IoT Security & Certification
“All-in-one” SaaS Platform
IoTsTrustTM platform is an indispensable tool
supporting you during the whole life-cycle process
of your IoT devices and solutions in order to set up
the adequate level of security by design and prove
trustworthiness through certifications
https://www.iotstrust.com/

30. 30
A PROPOSAL FOR AN EU IOT CERTIFICATION SHCEME CANDIDATE © 2021 RED ALERT LABS – ALL RIGHTS RESERVED
SOFTWARE AS A SERVICE (SaaS)
✓ Run risk assesment
✓ Chose secure products
✓ Certify products
✓ Generate security requirements
✓Assess IoT Security Maturity
✓ Chatbot & Live Support
AUTOMATION PROCESSES
✓ Select & Apply Standards
✓ Create evidence
✓ Run Self-Testing
✓ Maintain certificates
✓ Compare products
✓ Collaborate
USER-FRIENDLY INTERFACES
Certifier Consultant
Evaluator
Manufacturer/Developer
Business Line
Buyer/Owner