EU Cybersecurity Chat with Angelo D’Amato, Founder of Vulnir
Steve and Angelo eating Indian food in London, UK. Talking Cybersecurity of course.


By Steve Liu, President of RF Safety Laboratory®, LLC

Last week, I had the incredible opportunity to visit London alongside several cybersecurity businesses from Maryland. Exploring the UK’s cybersecurity and business landscape with the Maryland Department of Commerce was truly a blast. As exciting as the events were, it was the people I met in person who made the experience unforgettable because, ultimately, it’s human connections that have the greatest impact on everything we do.

Of course, no trip to London would be complete without sampling its legendary Indian food scene. Angelo D'Amato, thanks for being my food companion and joining me in my food survey almost every day! 

Meeting you in person and seeing your passion for advancing our industry’s mission to keep the digital world safe and secure was really encouraging. So I was really looking forward to meeting you this week.

So, I originally planned to share this as a YouTube video, but my hotel banned me from filming in their lounge… So, I’m sharing my reflections here in an article instead!

So I first met Angelo during a cybersecurity panel we were on at last spring’s 2025 TCB Workshop with Robert Paxman at Intel.

Angelo, thanks for joining us. For those who haven’t met you, can you share a bit about your background and what led you to found Vulnir?

Angelo D’Amato: Thank you, Steve. I’ve spent over 16 years in cybersecurity, with the last decade working in the Testing, Inspection, and Certification (TIC) industry. Three months ago, I launched Vulnir to help organizations navigate cybersecurity and regulatory compliance. 

We specialize in end-to-end assessments for certifications like UL 2900 and Common Criteria, and in helping companies meet new requirements such as the EU’s Cyber Resilience Act (CRA). I’m also actively involved with the European Standards Organizations CEN and CENELEC, serving as rapporteur for two of the three horizontal standards supporting the CRA.

The main reason that led me to found Vulnir was the opportunity to have a direct impact on the security of the European market through my role as rapporteur and my drive to bring together trust, quality and a higher level of protection for the industry. I love bringing the highest value possible to every assignment, and I look forward to engaging with customers that share the same values and want to go responsibly to market with a more secure product.

RED-DA and CRA

Steve: One of the biggest questions I hear from manufacturers is about the overlap between the RED Delegated Act (RED-DA) and the Cyber Resilience Act (CRA). With so much investment in RED-DA compliance, is there a risk of wasted effort if the CRA doesn’t align?

Angelo: That’s a real concern today. The European Commission recently proposed repealing Delegated Regulation (EU) 2022/30 [link to draft repeal], which has left many manufacturers worried about duplicative work and costs. Fortunately, the standardization request M/606 explicitly states that harmonized standards for the CRA should build on the work already done for the RED-DA. In practice, this means efforts like EN 18031 won’t be wasted; instead, they’ll serve as a foundation for CRA compliance.

As rapporteur, I’m committed to ensuring existing standards are reused and mapped effectively. For example with ETSI TS 104 120 [link], we’re aligning EN 18031 with ETSI EN 303 645, which sets cybersecurity requirements for consumer IoT devices. 

This approach allows manufacturers to pivot smoothly between RED and CRA requirements, minimizing redundant effort and expense.

Harmonized Standards and Notified Bodies: The Restrictions

Steve: EN 18031-1, EN 18031-2, and EN 18031-3 have been published as harmonized standards in the Official Journal, but with certain “restrictions”—like requirements for passwords, financial assets, and parental controls. If these standards don’t fully address a device’s features, where should manufacturers turn to ensure their Notified Body’s opinion is accepted?

Angelo: Great question. For context, a Notified Body (NB) is an organization designated by an EU country to assess the conformity of certain products before being placed on the market. The recent COMMISSION IMPLEMENTING DECISION (EU) 2025/138 [link] introduces restrictions that sometimes require third-party NB assessment, especially for devices handling financial or parental control functions.

Unfortunately, there’s no one-size-fits-all guidance; acceptance depends on the NB’s expertise and familiarity with your device type. My advice is to select a Notified Body with experience in your product category—especially if your device involves access controls, parental controls, or manages financial assets (e.g. PCI standards - link). 

The RED Compliance Association (REDCA) [link] is developing practical guidance, but I also recommend manufacturers get involved in the ongoing harmonized standard development [work programme link] for the CRA. Participating in these groups gives you a voice in shaping future requirements and ensures your products are ready for what’s next.

Defining the Scope & Bluetooth Only Devices

Steve: I get a lot of questions about “Bluetooth only” devices—those that can’t connect to the internet by themselves. Many manufacturers assume they’re out of scope for RED cybersecurity requirements. But recent EU regulator discussions suggest otherwise. What would bring a Bluetooth device into scope?

Angelo: This is a hotly debated topic. The EU Commission hasn’t issued a definitive written recommendation, which has led to different interpretations. Orgalim, representing many EU manufacturers, suggests that only “internet-ready” devices—those with direct internet connectivity—should be in scope [Position paper in Sept 2022 and REDCA presentation in May 2025; and TIC council position in October 2025]. For example, they say a ZigBee light bulb controlled by a smartphone would be out of scope.

However, the TIC Council, which I’ve contributed to, points out cases like the Tesla Model 3’s tire pressure monitoring system (TPMS) vulnerability [link]. Even though TPMS isn’t “internet-ready,” it still poses significant security risks.

The key takeaway is that manufacturers should always conduct a thorough risk assessment, considering the device’s intended use and context. It is time well spent. Don’t rely solely on whether a device is “internet-ready.”

A risk-based approach ensures you’re prepared for both RED and CRA requirements and demonstrates due diligence to regulators.

Wired Ports and Radio Devices

Steve: Here’s another common scenario: Many radio devices also have wired ports, like USB or RJ45. Do these need to be considered under RED, and if so, why?

Angelo: Absolutely. Under Directive 2014/53/EU, any device that communicates via radio waves falls within the scope of the RED. It says the regulation doesn’t distinguish between radio and non-radio functions. If a device includes a radio component, the entire device—including wired ports like USB or RJ45—must comply with the essential requirements, particularly for cybersecurity. This holistic approach ensures that vulnerabilities can’t be introduced through non-radio interfaces.

The EU CRA

Steve: For those new to EU cybersecurity from the radio equipment world, the RED focuses on radio or wireless devices. But the CRA is much broader. Can you outline what it covers?

Angelo: The new CRA [link] is a game-changer. It covers any “product with digital elements”—that is, almost any hardware OR software, including remote data processing solutions. Here’s a breakdown:

  • Default Category: Most products, subject to self-assessment.

  • Important “Class I”: Products like identity management systems; these must follow harmonized standards or undergo third-party assessment.

  • Important “Class II”: Sensitive products such as firewalls and microprocessors.

  • Critical Products: Require European cybersecurity certification, including hardware security modules and smart meters.

The EU Commission is still clarifying these classifications [link], with more detailed technical explanations expected 3Q 2025. For now, manufacturers should familiarize themselves with these classifications and monitor what would be considered critical.

Standardization: Who’s Shaping the Future?

Steve: How many standards organizations or groups are currently working on assessment methods for digital devices under the CRA?

Angelo: There’s a lot of collaboration underway. Both ETSI (European Telecommunications Standards Institute) and CEN/CENELEC (European Committee for Standardization and Electrotechnical Standardization) have accepted the standardization request M/606 [link]. They’ve established a work program with a huge list [link] covering both vertical (sector-specific) and horizontal (cross-sector) standards. Ben Kokx, who is the convener of WG9 and WG6, speaks succinctly and nicely about this effort [Youtube link].

I’m rapporteur for two of the three horizontal standards in the CEN/CLC/JTC 13/WG 9 working group for the CRA. Manufacturers can access detailed work items and even participate in shaping these standards. My suggestion to manufacturers is to engage today. It is the best way to ensure your products are getting prepared for what’s to come.

Software Apps

Steve: Let’s talk about software. If a manufacturer makes apps that aren’t installed on devices at market placement—say, apps available in app stores—are they still responsible for their security?

Angelo: Under EN 18031-X:2024, the focus is on the device itself, not associated services or aftermarket apps. However, manufacturers are still responsible for additional risks not covered by standards, as outlined in the European Commission Blue Guide [link]. If an app is installed after the device is sold, manufacturers are expected to not permit software with security vulnerabilities that can lead to security incidents. These apps will also fall under the future CRA, so it’s wise to consider security from the outset, even now.

Personal Data

Steve: For internet-connected devices like security cameras or voice assistants, is the data they collect—like video feeds or voice calls—considered “personal data” under EN 18031-2?

Angelo: Yes, absolutely. The European Commission’s definition of personal data [link], aligned with the General Data Protection Regulation (GDPR), includes any data that can identify a person directly or indirectly [See link to EU 2016/679]. Voice and video data can be used as biometric identifiers. For example, voice capturing can reveal identity, gender, mood, and more [see Guidelines 02/2021 link as an example from voice assistants]. Video footage is also considered personal data [see EDPS guideline link].

Manufacturers should minimize personal data capture and consult legal guidance, especially the European Data Protection Supervisor (EDPS) Guidelines on processing personal data through video devices and voice assistants. Taking privacy seriously is essential for user trust especially in a world where deepfakes are now a real security threat.

Final Practical Advice

Steve: Angelo, thanks for sharing your expertise and helping clarify these complex topics. Any final advice for manufacturers navigating these regulations?

Angelo: Stay proactive. Engage with standardization groups, conduct thorough risk assessments, and don’t wait for final clarifications before acting. Scope-related questions are always being asked and there are many grey areas, but a risk-based approach and early preparation will put you in the best position to comply and ultimately protect your own customers. Remember, compliance isn’t just about ticking boxes; it’s about building trust and resilience into your products by design. This is the ultimate goal for everyone in Europe.

Steve: To wrap up, can you tell our audience about some of the projects you’re working on and how they can follow your work or get involved?

Angelo: Absolutely. If you’re interested in following my work on the Cyber Resilience Act standards or even getting involved, the best way is to reach out to your National Standards Body (NSB). I’m leading two project teams—one on Generic Security Requirements and another on Vulnerability Handling Requirements—within the CEN/CLC/JTC 13 Working Group 9.

There’s also funding available through the CyberStand [link], which can support your participation with up to 20,000 euros! This is a fantastic opportunity to get involved in shaping standards without worrying about costs.

We have some exciting events coming up. On June 19th, there’s a hands-on workshop in Brussels, which you can also join online [link]. Later in the year, around September, there will be another workshop in Spain organized with the Spanish Association for Standardization [much similar to link from April’s event – final date was still not advertised and there will be more information in July]. These events are interactive and a great way to stay updated, share your expertise, and help shape the future of cybersecurity standards in Europe. Keep an eye on announcements from your national bodies and the Cyberstand platform—I hope to see you participating soon!

Steve: Alright, it was really awesome to finally meet you in person, and thank you again for your willingness to spend time on this interview with me and for sharing your valuable insights about cybersecurity with our industry!


Angelo D'Amato (Founder of www.vulnir.com) is a cybersecurity expert with over 15 years of experience across diverse sectors and international organizations. His expertise spans comprehensive end-to-end cybersecurity assessments, product certifications (including UL 2900, Common Criteria, and ETSI EN 303 645), and forward-looking regulatory compliance initiatives such as RED DA 2022/30 and the EU Cyber Resilience Act. With a strong foundation in the Testing, Inspection, and Certification (TIC) industry, advanced research projects, and global team collaboration, Angelo brings a strategic and informed perspective to the evolving cybersecurity landscape.

RF Safety Laboratory®, LLC (www.rfsafetylab.com) is an ISO/IEC 17025-accredited third-party regulatory compliance test laboratory based in the Baltimore, Maryland / Washington, DC area. The lab supports technology companies in navigating FCC (USA), ISED (Canada), and CE Mark (EU) regulatory requirements to bring wireless RF products to market. RFSL specializes in SAR testing, HAC testing, and cybersecurity compliance for wireless-enabled devices across medical, industrial, consumer, and critical infrastructure industries.

Beth Hehir, CSBC

Senior Business Consultant


Good job, a work-around when banned. You are doing really great things.

Love this, Steve, and you put together an excellent article from our interesting conversation on the future cybersecurity landscape between one Indian dish after another 🫣, particularly inspiring 🥳 next time we can do an on the road/in restaurant recording 🤭

Zhenya Price

Co-Founder & Commercial Director | RF & Electrical Compliance Solutions | Regulatory Consulting | Next Generation Compliance


Fantastic article Steve! I like the format of an interview :-)
