【India ITSAR】Streamlines Telecom Certification: New Flexibility for Software Changes to Speed Up Product Launches

/in , /by


The National Centre for Communication Security (NCCS) in India has issued a landmark circular (No. 1-11/2022-NCCS/ComSec/V-I) dated March 17, 2026, aimed at streamlining the testing process under the Communication Security (ComSec) Scheme.
The release of this document signifies a shift towards a more pragmatic and flexible approach in India’s telecom security auditing.

1. Core Change: Flexibility for Software Modifications during Testing

Previously, software versioning was strictly locked once the testing phase began. The National Centre for Communication Security (NCCS) has now officially permitted applicants to modify the software of a Device Under Testing (DUT) while it is still within the Telecom Security Testing Laboratory (TSTL) process.

2. Mandatory Documentation for Modifications

To leverage this new flexibility, manufacturers must categorize their changes into two compliance paths:

  1. Code-Level Modifications: Requires the submission of Annexure-I & II, including a comprehensive Impact Assessment to ensure that the integrity of prior testing remains intact.
  2. Clerical Corrections: Requires only Annexure-II to rectify typos or minor descriptive errors in the Bill of Materials (BOM).

3. Strategic Impact

  • Reduced Lead Time: Eliminates the need to restart the entire application process for minor software adjustments.
  • Cost Efficiency: Minimizes redundant testing fees and resource allocation.
  • Agile Compliance: Allows OEMs to fix security vulnerabilities or bugs discovered during the testing phase in real-time.

4. Applicability

This notification applies to all stakeholders involved in the Indian Communication Security Certification Scheme (ComSec Scheme), including:

  • Original Equipment Manufacturers (OEMs)
  • Dealers and Importers
  • Telecom Security Testing Laboratories (TSTLs)

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

CRA

【EU Cyber】Mandatory EU CRA Reporting for Digital Products Starts September 11, 2026.

/in , /by

New Reporting Obligations Under the EU Cyber Resilience Act (CRA)

The Cyber Resilience Act is no longer a distant concept—it is a fast-approaching reality. Manufacturers must act now to integrate robust reporting workflows and secure certification to ensure their products remain compliant and competitive in the European market by September 2026.

1. Mandatory Reporting Deadline Set for September 2026

Starting from September 11, 2026, manufacturers of “products with digital elements” will be legally required to report actively exploited vulnerabilities and severe security incidents. This marks a significant shift in the EU’s regulatory landscape, making cybersecurity certification a prerequisite for market access.

2. The “Early Warning” Mechanism: Strict 24/72-Hour Timelines

The CRA introduces a tiered reporting structure to ensure rapid response to cyber threats:

  • Within 24 Hours: An “early warning” must be submitted after becoming aware of an actively exploited vulnerability or a severe incident.
  • Within 72 Hours: A detailed “full notification” must follow the initial warning.
  • Final Report: Must be submitted within 14 days after a corrective measure is available (for vulnerabilities) or within one month (for severe incidents).

3. Launch of the Single Reporting Platform (SRP)

To streamline compliance, ENISA is developing a Single Reporting Platform (SRP).

  • Manufacturers only need to report once through this centralized portal.
  • The notification will be automatically shared with the relevant Computer Security Incident Response Teams (CSIRTs) and ENISA, reducing administrative burdens for companies operating across multiple EU member states.
  • ENISA will launch the CRA Single Reporting Platform (SRP) by September 11, 2026, following a pre-launch testing phase.

4. Focus on “Actively Exploited” Vulnerabilities

The regulation specifically targets vulnerabilities that are being exploited in the wild. By mandating the disclosure of these flaws, the CRA aims to prevent localized security breaches from escalating into EU-wide systemic crises through synchronized information sharing among CSIRTs.


Role of THE ONE

As the deadline approaches, cybersecurity certification companies play a vital role in helping manufacturers bridge the compliance gap:

  • Compliance Audits: Evaluating whether a product’s design and its manufacturer’s vulnerability management processes meet CRA standards.
  • Incident Response Readiness: Assisting firms in establishing the technical capabilities needed to detect and report incidents within the 24/72-hour windows.
  • Technical Documentation: Ensuring that the “Correction Measures” and final reports meet the legal requirements for transparency and safety.

Official update from the European Commission : https://digital-strategy.ec.europa.eu/en/policies/cra-reporting

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

CRA

【EU Cyber】The EU Cyber Resilience Act’s New Enforcement Phase.

/in , /by

The ONE reminds all manufacturers and brands exporting to the EU market:

Do not focus solely on pre-market CRA compliance; more importantly, do not overlook the risks of post-market surveillance and random inspections.

The EU has recently completed a significant step in the CRA market surveillance cooperation mechanism, indicating that the Cyber Resilience Act (CRA) is progressing from a legal text toward practical enforcement and international coordination.

According to the latest official EU update, the CRA Administrative Cooperation Group (AdCo) has held its first meeting and elected its Chair and Vice-Chairs.
The EU clearly stated that this is a vital development in preparing for CRA enforcement.
The CRA adopts a post-market surveillance model, meaning that once a product enters the EU market, competent authorities can monitor the market, demand improvements, or even take restrictive measures.

For enterprises, this means the challenge is no longer just about “whether a product can be launched,” but rather: Whether you have established robust vulnerability management mechanisms, incident response processes, technical documentation maintenance, support period management, and the capability to handle post-market inspections.


The CRA’s requirements for reporting vulnerabilities and significant incidents will apply from September 11, 2026.
Enterprises will be required to submit an “early warning” within 24 hours of becoming aware of an issue, followed by a formal notification within 72 hours.

The ONE offers CRA consultancy services to help clients prepare in advance:
— From scope assessment and gap analysis,
— To technical documentation planning, vulnerability handling processes, incident reporting workflows, and post-market surveillance readiness.

We believe that the earlier you deploy, the better you can mitigate the risks of inspections, requests for supplementary documentation, or even impacts on your sales performance in the EU market.

If your company is preparing for CRA implementation, you are welcome to contact The ONE.
We can assist you in systematically meeting the latest CRA requirements, ensuring you are fully prepared for both product launch and post-market management.


Official update from the European Commission: https://digital-strategy.ec.europa.eu/en/news/cyber-resilience-act-eu-market-surveillance-group-elects-new-chair-and-vice-chair


For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

VN QCVN

【ICT】Certification Information_Vietnam_Regulation updates

/in , /by

Vietnam’s Ministry of Science and Technology has issued Circular 29/2025/TT-BKHCN, updating management rules for ICT and telecommunications products.

The regulation takes full effect on 31 December 2025, replacing Circular 02/2024/TT-BTTTT, and aims to simplify conformity procedures while aligning with international testing practices.
Main changes include allowing normal-condition testing for most ICT products from 1 July 2025, except for Wi-Fi transceivers, which must still undergo severe-condition testing.

The scope of regulated products is expanded to include industrial computers, and a phased rollout of the new SAR standard (QCVN 134:2024/BTTTT) begins in 2026 for mobile/5G devices and in 2027 for laptops, tablets, and DECT phones.


The circular also introduces mandatory compliance for Wi-Fi 6E and Wi-Fi 7 devices operating in the 6 GHz band and removes previous import quantity exemptions, requiring full compliance for all imported ICT and telecom products regardless of volume.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

UAE

【UAE】ECAS LVE new marking and labeling requirements.

/in , /by

Regarding ECAS LVE new marking and labeling requirements.

1. If you have sold products in the UAE market and obtained the UAE ECAS certificate before September 15, 2025, you can still use the old logo and labels. However, if you obtain the UAE ECAS certificate or the product continues to be sold in the UAE market after September 15, 2025, you must replace it with a new logo and label.

2. Products that are about to enter the UAE market and have obtained certificates before March 15, 2025 can still use the old logo and labels. However, after March 15, 2025, all products entering the UAE market must use the new logo and labels.

Size: No size restrictions. The logo can be scaled proportionally but must remain clearly visible.

Color: The color must match the logo shown below

ECAS label requirement

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

CRA

【EU Cyber】EU Cyber Resilience Act Article 14 Takes Effect in 2026

/in , /by

Mandatory Vulnerability Reporting Is Approaching — Are Manufacturers Ready?

As the European Union moves closer to full enforcement of the Cyber Resilience Act (CRA), manufacturers of digital products should be aware of a critical obligation that will take effect earlier than many expect.

Under Article 14 of the CRA, mandatory vulnerability and cybersecurity incident reporting obligations will enter into force on September 11, 2026, well ahead of the Act’s full applicability in 2027.

From that date onward, manufacturers placing products with digital elements on the EU market will be legally required to detect, assess, and report certain vulnerabilities and actively exploited cybersecurity incidents within strict and enforceable timelines.

What CRA Article 14 Requires

Once a manufacturer becomes aware of either:

  • an actively exploited vulnerability, or
  • a severe cybersecurity incident,

Article 14 triggers a staged reporting obligation:

  • Within 24 hours: submission of an early warning notification
  • Within 72 hours: submission of a formal vulnerability or incident notification
  • Within 14 or 30 days (depending on the case): submission of a final, comprehensive report, including:
    • impact assessment
    • mitigation measures taken or planned
    • follow-up risk control actions

These obligations apply regardless of product certification status or time on the market and are mandatory, not optional.

What Manufacturers Should Do Now

Although the reporting obligation begins in 2026, practical preparation must start well in advance. Manufacturers are strongly advised to:

  • Establish a vulnerability monitoring and intake process
  • Define clear internal criteria for determining reportable vulnerabilities
  • Set up incident response and escalation workflows
  • Prepare technical documentation and reporting templates
  • Identify responsible roles for communication with EU authorities

Without these elements in place, meeting the 24-hour and 72-hour reporting deadlines will be extremely difficult in real-world incident scenarios.

How We Support CRA Article 14 Compliance

To help manufacturers move from regulatory awareness to operational readiness, we provide dedicated CRA Article 14 support services, including:

  • Vulnerability reporting workflow and governance design
  • Incident response and escalation process consulting
  • CRA-aligned reporting documentation and templates
  • Ongoing advisory and notification support services

Our goal is to reduce compliance risk while enabling engineering and product teams to remain focused on development and innovation.

The CRA clock is already ticking.
Manufacturers that prepare early will avoid last-minute disruption and regulatory exposure when Article 14 reporting becomes mandatory in 2026.

For more information on CRA Article 14 readiness and support services, please contact:
📧 Charles.liao@theonelab.co

BIS

【India】BIS to Replace IS 13252-1 with IS/IEC 62368-1 Effective November 1, 2028

/in , /by

The Ministry of Electronics and Information Technology (MeitY), Government of India, has officially announced the transition of Indian safety standards IS 13252 (Part 1): 2010 and IS 616:2017 to IS/IEC 62368 (Part 1), as published in the Gazette of India.

According to the notification, IS/IEC 62368-1 has been adopted as the primary safety standard for Audio/Video, Information and Communication Technology (AV/ICT) equipment under the Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021.

To facilitate a smooth transition for the industry, the Government of India has permitted the concurrent applicability of IS 13252-1, IS 616, and IS/IEC 62368-1 until November 1, 2028. After this date, IS 13252 (Part 1): 2010 and IS 616:2017 will be formally withdrawn, and BIS CRS registrations must comply exclusively with IS/IEC 62368-1.

The transition also applies to newly regulated product categories, including Extended Reality (XR) products, such as Augmented Reality (AR), Virtual Reality (VR), and Mixed Reality (MR) devices.

IS/IEC 62368-1 is based on the Hazard-Based Safety Engineering (HBSE) approach and has become the globally recognized safety standard for AV and ICT equipment. This migration aligns India’s BIS certification framework more closely with international IEC standards and supports global manufacturers in harmonizing product safety compliance across markets.

Manufacturers and brand owners are advised to begin evaluating product designs, test reports, and BIS certification strategies well in advance to ensure compliance with the post-2028 regulatory requirements.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

FCC Reopens Application Window for Cyber Trust Mark Lead Administrator

/in , /by

The Federal Communications Commission (FCC), through its Public Safety and Homeland Security Bureau (PSHSB), has announced the reopening of the application window for the Cyber Trust Mark Lead Administrator. The filing window will be open from January 7, 2026, through January 28, 2026, spanning 15 business days.

The U.S. Cyber Trust Mark Program, established by the FCC in March 2024, is a voluntary cybersecurity labeling initiative for consumer Internet of Things (IoT) devices. The program aims to help consumers easily identify products that meet baseline cybersecurity standards, while encouraging manufacturers to enhance security-by-design practices. Products approved under the program will display the Cyber Trust Mark along with a QR code linking to detailed cybersecurity information.

The Lead Administrator plays a central role in the program’s governance and execution, serving as the primary coordinator between the FCC and designated Cybersecurity Label Administrators (CLAs). Responsibilities include overseeing program operations, supporting the development and maintenance of technical standards and testing procedures, and facilitating consistent implementation across participating entities.

The Cyber Trust Mark Program was originally expected to begin accepting device applications in late 2025 or early 2026. However, progress was impacted following the withdrawal of the previously selected Lead Administrator in December 2025, as well as subsequent reviews and investigations related to program administration. To ensure the integrity and continuity of the program, the FCC has now reopened the Lead Administrator application process.

The FCC will announce the selected Lead Administrator after the close of the filing window.

About the U.S. Cyber Trust Mark Program
The U.S. Cyber Trust Mark is a voluntary FCC-led cybersecurity labeling program for wireless consumer IoT devices. By leveraging independent third-party testing and verification, the program seeks to enhance consumer confidence, improve transparency, and raise the overall cybersecurity posture of connected products in the U.S. market.

The ONE | Driving Global Awareness of Cybersecurity Testing at CES 2026

/in /by

We were honored to have our Global Strategic Partnerships Lead, Smiler Lu, and Technical Director, Jeans Koo, represent The One Testing Technology Co., Ltd. at CES 2026 powered by the Consumer Technology Association, connecting with industry leaders and innovators from across the globe.

Throughout the event, our team engaged in meaningful conversations with manufacturers, startups, and technology partners spanning IoT, smart devices, consumer electronics, and next-generation connected products. CES 2026 highlighted innovations like non-invasive glucose monitoring via breath analysis—showing how connected health and IoT are advancing, and why strong cybersecurity is essential for trust and safety.


A clear consensus emerged:

Cybersecurity testing is no longer just a compliance checkbox — it’s a strategic necessity for global market access and building lasting product trust.
As international regulations and security expectations evolve, cybersecurity has become a core element of product design and go-to-market strategies. At The ONE, we remain committed to delivering professional, globally aligned cybersecurity testing services that help manufacturers overcome regulatory challenges and create secure, reliable products.
We’re excited to turn the insights gained at CES 2026 into actionable testing and advisory solutions, collaborating with partners worldwide to strengthen a secure and resilient technology ecosystem.

For further inquiries, please contact:
Email:Charles.liao@theonelab.co
Phone:(02)8601-2828

TEC

【India TEC】India NCCS Extends Pro-Tem Security Certification to a Two-Year Validity (Effective Jan 1, 2026)

/in , /by

Key Update from DoT/NCCS: Scheme Extension and Certificate Validity Upgrade

Based on the latest official communications released by India’s Department of Telecommunications (DoT) and the National Centre for Communication Security (NCCS), the Pro-Tem Security Certification Scheme has been extended for an additional two (2) years effective from January 1, 2026. In parallel, the validity of individual Pro-Tem certificates has been increased from six (6) months to two (2) years. The policy is intended to provide the industry with greater operational certainty and sufficient transition time while formal security testing and certification activities continue under the national framework.

Scope: ITSAR-Mandated Products Remain In-Scope

The Pro-Tem certification continues to be closely aligned with the Indian Telecommunication Security Assurance Requirements (ITSAR). In practice, it primarily applies to regulated product categories such as IP Routers and Wi-Fi CPE (including routers, Wi-Fi access points/CPE devices, and related variants). Importantly, the extended validity should not be interpreted as an exemption from security compliance obligations. Instead, it is a mechanism to support market continuity while products undergo required testing and certification procedures.

Official Rationale: Business Continuity and Reduced Renewal Burden

NCCS has emphasized that the adjustment aims to: ensure continuity of business operations, reduce pressure caused by frequent renewals, and ease the transition toward full-scale mandatory security certification. For products already holding a Pro-Tem certificate, stakeholders are advised to track certificate status and any renewal/extension requirements through NCCS/MTCTE processes and subsequent notices, particularly where import clearance, delivery timelines, or customer commitments depend on valid certification status.

Ongoing Monitoring and Customer Advisory

Our team will continue to monitor further announcements and implementation guidance from DoT/NCCS, including any follow-up notifications, procedural clarifications, and updates related to the Pro-Tem pathway and subsequent standard/graded certification regimes. We will keep customers and partners informed as additional details become available.