Red Alert Labs


Red Alert Labs' mission is to bring trust to the IoT by providing IoT cybersecurity assurance certification services designed to help manufacturers and customers take a more informed decision when buying or selling IoT products.

Lobbying Activity

Response to Amendment to the list of the state-of-the-art documents supporting the EUCC scheme

21 Aug 2025

Red Alert Labs welcomes the Commission's effort to clarify and modernise EUCC. We support the additions on assurance continuity, publication of Security Targets, updating State-of-the-Art (SotA) documents, and clearer documentation/reporting. We propose the following refinements:

1) Certificate Identifier & Transparency (Art. 11, Annex V). Keep the simplified unique identifier but add an ITSEF ID alongside the CB ID. This should appear on the ENISA landing page (QR code), not just inside reports. It ensures traceability when CBs use ITSEFs in other Member States.

2) Change Classification (Art. 13, Annex IV). We recommend introducing a NON-INTERFERING change tier below minor. These are updates with no security impact (e.g., UI, branding, performance optimisations). Minor changes would still cover limited security-related updates without requiring full reassessment. Major changes remain for crypto, security architecture, or accumulated minors. A non-binding decision tree with examples should be added to Annex IV to harmonise CB practice.

3) Product Series (Art. 5, Annex V). Certification of series is welcome but should require: (i) a variant matrix mapping hardware/firmware/software differences, (ii) a sampling rationale, and (iii) a clear list of covered/excluded variants, referenced in the public report.

4) Publication of STs & English Versions (Art. 42, Annex V). We support mandatory publication of Security Targets. Replace "without undue delay" with a firm timeline (10-20 working days). Add guidance for acceptable sanitisation to balance transparency with IP protection.

5) SotA Updates (Art. 48). We support applying new SotA documents to reassessments and re-evaluations. To avoid disruption, add a 6-month transition window for in-flight evaluations, with an emergency override for urgent security issues.

6) Reports & Metadata (Art. 11, Annex V). Reports should include optional CWE/CVE mappings and a small machine-readable metadata annex (product/version, AVA_VAN, CB ID, ITSEF ID, PP(s), dates, series membership). This will improve procurement comparability and transparency.

7) Protection Profiles (Annex III). We support the refreshed list. To ease deviation when no PP fits, introduce a one-page justification template rather than leaving the process open-ended.

Forward-Looking Recommendation (Art. 13, 19; Annex IV, V). We encourage the Commission to explore continuous assurance and partial compliance recognition. By introducing dynamic triggers (e.g., SBOM deltas, CVEs) and POA&M-style incremental security roadmaps, the scheme could evolve beyond a strict pass/fail model while keeping trust. This would reward proactive security improvements and keep products current with threats.

Closing. Our main asks are to surface the ITSEF ID, add a non-interfering change category, and strengthen transition and metadata requirements. These adjustments will increase the transparency, predictability, and usability of EUCC without compromising rigor. For more details, please refer to the document attached.

Response to The EU Cybersecurity Act

19 Jun 2025

Red Alert Labs welcomes the EC's initiative to revise the CSA and is pleased to contribute as a CAB/ITSEF actively engaged in cybersecurity certification across multiple regulatory domains. We support the goals of reinforcing ENISA's mandate, improving the ECCF, and streamlining cybersecurity legislation. In our response, we emphasize the need for greater agility and proportionality in certification processes, a clearly defined coordination role for ENISA, better regulatory coherence across instruments like CRA, RED, and NIS2, the inclusion of ICT services and supply chains in certification schemes using harmonised and transparent criteria, and stronger support for the CAB ecosystem and SMEs. We believe these measures are essential for a resilient, trusted, and innovation-driven cybersecurity landscape in Europe. More detailed observations and recommendations are attached to this submission.