CRA

【EU Cyber】The EU Cyber Resilience Act’s New Enforcement Phase.

/in ,

The ONE reminds all manufacturers and brands exporting to the EU market:

Do not focus solely on pre-market CRA compliance; more importantly, do not overlook the risks of post-market surveillance and random inspections.

The EU has recently completed a significant step in the CRA market surveillance cooperation mechanism, indicating that the Cyber Resilience Act (CRA) is progressing from a legal text toward practical enforcement and international coordination.

According to the latest official EU update, the CRA Administrative Cooperation Group (AdCo) has held its first meeting and elected its Chair and Vice-Chairs.
The EU clearly stated that this is a vital development in preparing for CRA enforcement.
The CRA adopts a post-market surveillance model, meaning that once a product enters the EU market, competent authorities can monitor the market, demand improvements, or even take restrictive measures.

For enterprises, this means the challenge is no longer just about “whether a product can be launched,” but rather: Whether you have established robust vulnerability management mechanisms, incident response processes, technical documentation maintenance, support period management, and the capability to handle post-market inspections.


The CRA’s requirements for reporting vulnerabilities and significant incidents will apply from September 11, 2026.
Enterprises will be required to submit an “early warning” within 24 hours of becoming aware of an issue, followed by a formal notification within 72 hours.

The ONE offers CRA consultancy services to help clients prepare in advance:
— From scope assessment and gap analysis,
— To technical documentation planning, vulnerability handling processes, incident reporting workflows, and post-market surveillance readiness.

We believe that the earlier you deploy, the better you can mitigate the risks of inspections, requests for supplementary documentation, or even impacts on your sales performance in the EU market.

If your company is preparing for CRA implementation, you are welcome to contact The ONE.
We can assist you in systematically meeting the latest CRA requirements, ensuring you are fully prepared for both product launch and post-market management.


Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-eu-market-surveillance-group-elects-new-chair-and-vice-chair


For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

VN QCVN

【ICT】Certification Information_Vietnam_Regulation updates

/in ,

Vietnam’s Ministry of Science and Technology has issued Circular 29/2025/TT-BKHCN, updating management rules for ICT and telecommunications products.

The regulation takes full effect on 31 December 2025, replacing Circular 02/2024/TT-BTTTT, and aims to simplify conformity procedures while aligning with international testing practices.
Main changes include allowing normal-condition testing for most ICT products from 1 July 2025, except for Wi-Fi transceivers, which must still undergo severe-condition testing.

The scope of regulated products is expanded to include industrial computers, and a phased rollout of the new SAR standard (QCVN 134:2024/BTTTT) begins in 2026 for mobile/5G devices and in 2027 for laptops, tablets, and DECT phones.


The circular also introduces mandatory compliance for Wi-Fi 6E and Wi-Fi 7 devices operating in the 6 GHz band and removes previous import quantity exemptions, requiring full compliance for all imported ICT and telecom products regardless of volume.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

UAE

【UAE】ECAS LVE new marking and labeling requirements.

/in ,

Regarding ECAS LVE new marking and labeling requirements.

1. If you have sold products in the UAE market and obtained the UAE ECAS certificate before September 15, 2025, you can still use the old logo and labels. However, if you obtain the UAE ECAS certificate or the product continues to be sold in the UAE market after September 15, 2025, you must replace it with a new logo and label.

2. Products that are about to enter the UAE market and have obtained certificates before March 15, 2025 can still use the old logo and labels. However, after March 15, 2025, all products entering the UAE market must use the new logo and labels.

Size: No size restrictions. The logo can be scaled proportionally but must remain clearly visible.

Color: The color must match the logo shown below

ECAS label requirement

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

CRA

【EU Cyber】EU Cyber Resilience Act Article 14 Takes Effect in 2026

/in ,

Mandatory Vulnerability Reporting Is Approaching — Are Manufacturers Ready?

As the European Union moves closer to full enforcement of the Cyber Resilience Act (CRA), manufacturers of digital products should be aware of a critical obligation that will take effect earlier than many expect.

Under Article 14 of the CRA, mandatory vulnerability and cybersecurity incident reporting obligations will enter into force on September 11, 2026, well ahead of the Act’s full applicability in 2027.

From that date onward, manufacturers placing products with digital elements on the EU market will be legally required to detect, assess, and report certain vulnerabilities and actively exploited cybersecurity incidents within strict and enforceable timelines.

What CRA Article 14 Requires

Once a manufacturer becomes aware of either:

  • an actively exploited vulnerability, or
  • a severe cybersecurity incident,

Article 14 triggers a staged reporting obligation:

  • Within 24 hours: submission of an early warning notification
  • Within 72 hours: submission of a formal vulnerability or incident notification
  • Within 14 or 30 days (depending on the case): submission of a final, comprehensive report, including:
    • impact assessment
    • mitigation measures taken or planned
    • follow-up risk control actions

These obligations apply regardless of product certification status or time on the market and are mandatory, not optional.

What Manufacturers Should Do Now

Although the reporting obligation begins in 2026, practical preparation must start well in advance. Manufacturers are strongly advised to:

  • Establish a vulnerability monitoring and intake process
  • Define clear internal criteria for determining reportable vulnerabilities
  • Set up incident response and escalation workflows
  • Prepare technical documentation and reporting templates
  • Identify responsible roles for communication with EU authorities

Without these elements in place, meeting the 24-hour and 72-hour reporting deadlines will be extremely difficult in real-world incident scenarios.

How We Support CRA Article 14 Compliance

To help manufacturers move from regulatory awareness to operational readiness, we provide dedicated CRA Article 14 support services, including:

  • Vulnerability reporting workflow and governance design
  • Incident response and escalation process consulting
  • CRA-aligned reporting documentation and templates
  • Ongoing advisory and notification support services

Our goal is to reduce compliance risk while enabling engineering and product teams to remain focused on development and innovation.

The CRA clock is already ticking.
Manufacturers that prepare early will avoid last-minute disruption and regulatory exposure when Article 14 reporting becomes mandatory in 2026.

For more information on CRA Article 14 readiness and support services, please contact:
📧 Charles.liao@theonelab.co

BIS

【India】BIS to Replace IS 13252-1 with IS/IEC 62368-1 Effective November 1, 2028

/in ,

The Ministry of Electronics and Information Technology (MeitY), Government of India, has officially announced the transition of Indian safety standards IS 13252 (Part 1): 2010 and IS 616:2017 to IS/IEC 62368 (Part 1), as published in the Gazette of India.

According to the notification, IS/IEC 62368-1 has been adopted as the primary safety standard for Audio/Video, Information and Communication Technology (AV/ICT) equipment under the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021.

To facilitate a smooth transition for the industry, the Government of India has permitted the concurrent applicability of IS 13252-1, IS 616, and IS/IEC 62368-1 until November 1, 2028. After this date, IS 13252 (Part 1): 2010 and IS 616:2017 will be formally withdrawn, and BIS CRS registrations must comply exclusively with IS/IEC 62368-1.

The transition also applies to newly regulated product categories, including Extended Reality (XR) products, such as Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR) devices.

IS/IEC 62368-1 is based on the Hazard-Based Safety Engineering (HBSE) approach and has become the globally recognized safety standard for AV and ICT equipment. This migration aligns India’s BIS certification framework more closely with international IEC standards and supports global manufacturers in harmonizing product safety compliance across markets.

Manufacturers and brand owners are advised to begin evaluating product designs, test reports, and BIS certification strategies well in advance to ensure compliance with the post-2028 regulatory requirements.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

FCC Reopens Application Window for Cyber Trust Mark Lead Administrator

/in ,

The Federal Communications Commission (FCC), through its Public Safety and Homeland Security Bureau (PSHSB), has announced the reopening of the application window for the Cyber Trust Mark Lead Administrator. The filing window will be open from January 7, 2026, through January 28, 2026, spanning 15 business days.

The U.S. Cyber Trust Mark Program, established by the FCC in March 2024, is a voluntary cybersecurity labeling initiative for consumer Internet of Things (IoT) devices. The program aims to help consumers easily identify products that meet baseline cybersecurity standards, while encouraging manufacturers to enhance security-by-design practices. Products approved under the program will display the Cyber Trust Mark along with a QR code linking to detailed cybersecurity information.

The Lead Administrator plays a central role in the program’s governance and execution, serving as the primary coordinator between the FCC and designated Cybersecurity Label Administrators (CLAs). Responsibilities include overseeing program operations, supporting the development and maintenance of technical standards and testing procedures, and facilitating consistent implementation across participating entities.

The Cyber Trust Mark Program was originally expected to begin accepting device applications in late 2025 or early 2026. However, progress was impacted following the withdrawal of the previously selected Lead Administrator in December 2025, as well as subsequent reviews and investigations related to program administration. To ensure the integrity and continuity of the program, the FCC has now reopened the Lead Administrator application process.

The FCC will announce the selected Lead Administrator after the close of the filing window.

About the U.S. Cyber Trust Mark Program
The U.S. Cyber Trust Mark is a voluntary FCC-led cybersecurity labeling program for wireless consumer IoT devices. By leveraging independent third-party testing and verification, the program seeks to enhance consumer confidence, improve transparency, and raise the overall cybersecurity posture of connected products in the U.S. market.

The ONE | Driving Global Awareness of Cybersecurity Testing at CES 2026

/in

We were honored to have our Global Strategic Partnerships Lead, Smiler Lu, and Technical Director, Jeans Koo, represent The One Testing Technology Co., Ltd. at CES 2026 powered by the Consumer Technology Association, connecting with industry leaders and innovators from across the globe.

Throughout the event, our team engaged in meaningful conversations with manufacturers, startups, and technology partners spanning IoT, smart devices, consumer electronics, and next-generation connected products. CES 2026 highlighted innovations like non-invasive glucose monitoring via breath analysis—showing how connected health and IoT are advancing, and why strong cybersecurity is essential for trust and safety.


A clear consensus emerged:

Cybersecurity testing is no longer just a compliance checkbox — it’s a strategic necessity for global market access and building lasting product trust.
As international regulations and security expectations evolve, cybersecurity has become a core element of product design and go-to-market strategies. At The ONE, we remain committed to delivering professional, globally aligned cybersecurity testing services that help manufacturers overcome regulatory challenges and create secure, reliable products.
We’re excited to turn the insights gained at CES 2026 into actionable testing and advisory solutions, collaborating with partners worldwide to strengthen a secure and resilient technology ecosystem.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

TEC

【India TEC】India NCCS Extends Pro-Tem Security Certification to a Two-Year Validity (Effective Jan 1, 2026)

/in ,

Key Update from DoT/NCCS: Scheme Extension and Certificate Validity Upgrade

Based on the latest official communications released by India’s Department of Telecommunications (DoT) and the National Centre for Communication Security (NCCS), the Pro-Tem Security Certification Scheme has been extended for an additional two (2) years effective from January 1, 2026. In parallel, the validity of individual Pro-Tem certificates has been increased from six (6) months to two (2) years. The policy is intended to provide the industry with greater operational certainty and sufficient transition time while formal security testing and certification activities continue under the national framework.

Scope: ITSAR-Mandated Products Remain In-Scope

The Pro-Tem certification continues to be closely aligned with the Indian Telecommunication Security Assurance Requirements (ITSAR). In practice, it primarily applies to regulated product categories such as IP Routers and Wi-Fi CPE (including routers, Wi-Fi access points/CPE devices, and related variants). Importantly, the extended validity should not be interpreted as an exemption from security compliance obligations. Instead, it is a mechanism to support market continuity while products undergo required testing and certification procedures.

Official Rationale: Business Continuity and Reduced Renewal Burden

NCCS has emphasized that the adjustment aims to: ensure continuity of business operations, reduce pressure caused by frequent renewals, and ease the transition toward full-scale mandatory security certification. For products already holding a Pro-Tem certificate, stakeholders are advised to track certificate status and any renewal/extension requirements through NCCS/MTCTE processes and subsequent notices, particularly where import clearance, delivery timelines, or customer commitments depend on valid certification status.

Ongoing Monitoring and Customer Advisory

Our team will continue to monitor further announcements and implementation guidance from DoT/NCCS, including any follow-up notifications, procedural clarifications, and updates related to the Pro-Tem pathway and subsequent standard/graded certification regimes. We will keep customers and partners informed as additional details become available.

TEC

【TEC-India-Ai Server】 The ONE Supports a Leading Taiwanese OEM in Securing India TEC Certification

/in ,

Enabling AI Server Market Entry and Reducing Customs Clearance Uncertainty in India

The ONE today announced that it has successfully supported a leading Taiwanese OEM in obtaining India’s TEC certification for its AI server products—accelerating market entry into India and strengthening compliance readiness for stable shipments and smoother customs clearance. As India’s demand for ICT infrastructure and data center deployment continues to grow, Taiwan’s AI server supply chain is expanding globally while facing increasingly complex market-access and import compliance requirements.

AI Server Architectures Involving Switch Systems Increase Import Scrutiny

In many cases, traditional server products may not be subject to mandatory certification. However, modern AI server architectures typically incorporate high-speed interconnect designs between CPUs and GPUs, often involving switch systems that enable switching functionality. During importation, such components may raise concerns at customs due to regulatory considerations around switch-related items, potentially leading to additional inspection, document requests, or clearance delays. To avoid delivery risks caused by differing interpretations, The ONE worked closely with the customer to implement a proactive compliance strategy—preparing the required technical documentation, aligning test and evaluation plans, and managing the overall TEC application process. As a result, the customer secured certification to help ensure more predictable clearance and delivery timelines.

Addressing Non-Scale Out System Challenges with Speed and Execution Discipline

This project also covered a new Non-Scale Out system, which introduced multiple practical challenges across test conditions and certification workflows compared with conventional approaches. The ONE collaborated with its India-based partners and engaged in intensive, ongoing communications with TEC to clarify applicability, evidence expectations, and documentation positioning. By maintaining a high-efficiency project cadence and clear milestone control, The ONE successfully met the strict timeline requirements expected by a world-class brand.

Continuing to Strengthen Cross-Border Compliance Services for Taiwan’s AI Supply Chain

The ONE will continue investing in international regulatory research and cross-border compliance enablement, helping more Taiwanese manufacturers enter overseas markets with greater speed and confidence—so Taiwan’s AI supply chain can scale globally with stronger trust, resilience, and execution capability.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

TEC

【India_TEC】 India NCCS Updates ITSAR: Wi-Fi CPE and IP Router V2.0.0 Released; Cloud-Implemented Exemption Extended to 31 Mar 2026

/in ,

Highlights

India’s National Centre for Communication Security (NCCS) has released ITSAR V2.0.0 for Wi-Fi CPEs and IP Routers (Release date: 01 Dec 2025). These updated requirements serve as a key reference for product security alignment, documentation preparation, and compliance planning for suppliers targeting the Indian market.

Key 2026 Milestone

In an official memorandum dated 07 Jul 2025, NCCS confirmed that the exemption from security testing/certification for cloud-implemented IP Routers and Wi-Fi CPEs has been extended until 31 March 2026. Stakeholders are advised to treat this date as a major planning checkpoint and to accelerate internal readiness activities to minimize schedule and supply-chain risks beyond the exemption window.

Recommended Actions

  • Confirm product classification (Wi-Fi CPE vs. IP Router) and deployment model (including cloud-implemented architectures).
  • Perform a gap assessment against ITSAR 2.0.0, updating security design, evidence packages, and test plans accordingly.
  • Build a 2026 execution roadmap aligned to the exemption end date (31 Mar 2026), including certification lead times and procurement commitments.

Sources (Official NCCS Documents)

https://nccs.gov.in/public/circulars_sc/ExtensionOfMandatoryDateForCloudRouterCPE.pdf

https://nccs.gov.in/public/latest_updates/ITSAR402122512.pdf

https://nccs.gov.in/public/latest_updates/ITSAR201012512.pdf