2025-01-20 Testing + Certification

Information Security/Cyber Security – Testing and Certification at the VDE Institute

Information is highly valuable for companies, authorities and private persons and must therefore be reasonably protected. Handling this information in a trustworthy manner and protecting it are the fundamental goals of information security. The VDE Institute helps you achieve these goals.

Cybersecurity is a prerequisite for CE marking

2024-11-14 short info

The VDE Institute is developing certificates of compliance to cover the requirements of the CRA. This way, consumers will have an even better overview of the cybersecurity of a product. The VDE Institute has years of experience in testing cybersecurity and data security. Preliminary audits and workshops on the CRA are already available. In free online seminars, manufacturers and distributors can also keep up to date with the latest requirements.


Information security, IT security or cyber security?


Personal and sensitive data can be stored on paper, on computers or even in people's minds. Information security primarily deals with protecting and processing electronically stored information. Information security is also the state in which the confidentiality, integrity and availability of information and information technology are protected by reasonable measures.

The term information security is more comprehensive than IT security and is therefore seeing increased use. However, the term “IT Security” continues to be used in some publications like “IT Baseline Protection” (IT Sicherheit). Nevertheless, various texts and standardization work are increasingly tailored to examining information security. Cyber security, cybersecurity, IT safety and information security are terms that are also used very frequently, mainly when companies operate at an international level.

Protecting against cyber attacks with VDE certification

The expansion of digitization and the accompanying progress of intelligent networking, in the home as well as in industry, have increased the risk of data theft and manipulation. Many cases show how easy it is for hackers to penetrate smart homes and management systems.

Our tests for information security (including cyber security) are based on the following regulations and standards:

  1. VDE PB-0004 and -0005
  2. IEC 62443-4-1 and -4-2
  3. ETSI EN 303 645
  4. VDE-PB-0033
  5. EN 18031-1 / 18031-2 / 18031-3

The testing of information security is divided into the following areas:

  • Testing the devices (communication devices and gateways)
  • Testing the backend and cloud systems
  • Testing the apps for smartphones and tablets

During these processes, the security goals for cyber security in the product, system design and in the implementation undergo testing. User documentation and the technical aspects of privacy are part of the testing.


Security goals include the following:

  • Protecting communication from eavesdropping and manipulation
  • Protecting the systems from unauthorized infiltration, unauthorized use, manipulation and data loss
  • Protecting personal data
  • Protected security updates for the system

We protect your smart home products from cyber attacks by using ultra-modern technology


The information security test

1. Confirmation of the basic implementation of an IT security concept.
2. Confirmation of the effective implementation of IT security.
3. Confirmation of the completeness of IT security documentation.

Testing data protection

1. Identifying the importance of data protection
2. Testing data protection in accordance with European guidelines (GDPR, General Data Protection Regulation)


Cybersecurity in the Radio Equipment Directive

Delegated Regulation (EU) 2022/30, supplemented by (EU) 2023/2444, requires a mandatory cybersecurity assessment in accordance with Article 3(3)(d), (e) and (f) of the Radio Equipment Directive 2014/53/EU (RED) as of 08/01/2025. Accordingly, the requirements for radio equipment have been extended to include the areas of “network protection”, “personal data protection” and “fraud protection.” The harmonized cybersecurity standards cited in the Official Journal of the EU under the Radio Equipment Directive are EN 18031-1, EN 18031-2 and EN 18031-3. They specify the requirements of the Radio Equipment Directive with regard to cybersecurity.

Manufacturers of radio equipment must prove the conformity of their products with the new cybersecurity requirements as of 08/01/2025. The VDE Institute provides support with the internal test specification “VDE-PB-0033,” which is based on ETSI EN 303 645 and the EU mandate to the European standardization organizations. We also offer the new “cybersecurity tested” certification scheme. This scheme includes certification according to the EN 18031-1, -2 and/or -3 standards. In addition to the certificate, a label is issued which can be attached to the product for marketing purposes. This label is valid for one year. An EU type examination, on a voluntary basis or where a restriction of the presumption of conformity applies, is still possible at any time on the basis of EN 18031-X and is always recommended by us, as this provides a high level of security for the manufacturer during a market surveillance inspection. The Notified Body RED/EMV of VDE Prüf- und Zertifizierungsinstitutes GmbH will be happy to advise you on the possibilities and benefits of the EU type examination certificate.

Functional safety for the connected home

Are there further hazards due to the system’s additional communication capabilities?

Functional safety according to DIN EN 61508-4:2011 and functional safety in product standards (e.g. for household devices) provide information about this. We also help you with this challenge so that the security examination can be completed. Learn more about our services in functional safety.

What separates functional safety from information security?


Functional safety means using automated technology to ensure that no device or system poses a hazard to people or the environment. This type of safety is, so to speak, directed “from the device to the outside”.

Information security deals with fending off hazards that affect the system from the outside. It relates to matters such as malware or unauthorized system access. In both cases, system functionality may be affected, or the system can even be made to do nothing or to do something improperly.

As such, the connection between both topics has been established: If, for instance, the examined system is a safety-related control system or a field device in safety equipment, then anything that affects its functionality simultaneously affects its (functional) safety.

Protect your smart factory with VDE certification

In the office (IT) and operations (OT) areas, we test the interfaces between machines, management and office systems, and to the internet. It is irrelevant whether the network is operated only inside a factory or whether external communication partners such as branch offices are connected to it over the internet. Testing also includes assessing the risk analysis related to information security as per IEC 62443. After a successful test, the network operator receives the VDE Certificate for information security.

The tested network is classified using a four-level scale. According to the existing IEC 62443 outlines, this scale describes the use and the certainty with which an attack is expected; its levels are called security levels (SL).

  • Security Level 1: Protection against undesired, casual violation.
  • Security Level 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation.
  • Security Level 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation.
  • Security Level 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation.

IEC 62443-4-1 lists requirements for the information security of development processes. We are happy to support you in implementing the development processes to ensure you are optimally prepared for the requirements of the CRA (Cyber Resilience Act).

We offer the following VDE certificates in information security, among others:
