Skip to main content
  • Service

IEC 60335-1, Ed. 6, Annex U: Cybersecurity Requirements for Connected Appliances

Learn about the cybersecurity requirements introduced in IEC 60335-1, Ed. 6, Annex U, which require connected appliances to use cryptography to mitigate safety risks.

Over the shoulder view of young woman turning on the air-conditioner in her smart home with home automation mobile app on smartphone on her way home.

As the world becomes more interconnected, companies must address constantly changing global and local regulatory requirements while meeting market demands for faster innovation and increased safety, security and sustainability. As technology advances in household or similar appliances, related safety challenges increase.

Manufacturers aim to provide the safest possible products to the market, but what does safety mean today? In this context, safety refers to mitigating harm or other dangers. It can also refer to the control of recognized hazards as a way to achieve an acceptable level of risk.

Product safety addresses avoiding unacceptable risks to safety such as fire hazards, electrical shock and personal injury. Functional safety, on the other hand, acts as a subsystem of product safety. Usually, such a subsystem refers to integrated appliance control, and it is in charge of the correct execution of the specific functions that reduce the risks to an acceptable level identified in the end use of a product.

When we talk about connected systems, we refer to cybersecurity as a combination of policies, technologies and procedures to help enhance confidentiality, integrity, and availability. To be confident that appliances sold in the market are as safe as possible, we must consider product safety, functional safety and cybersecurity.

IEC 60335-1, Ed. 6 provides technical changes and new safety requirements in many of its sections. Among other measures, it extends the software safety requirements from Annex R of its edition 5 to deal with new safety risks related to unauthorized access and transmission failures that arise when household and similar appliances connect to public networks, and it demands the adoption of cryptographic techniques.

Scope of the Clause 22.62 and Annex U

Safety risks related to unauthorized access may appear very abstract to manufacturers and consumers, but when an IoT device is compromised, cybercriminals have access to a wide range of intellectual property that can include software and firmware that could give them control over a home's security systems as well as other electronic devices.

In Clause 22.62 and Annex U, IEC 60335-1, Ed. 6 adds requirements for household or similar appliances intended for remote communication through public networks.

It presents a set of cybersecurity requirements for software downloads and preventing unauthorized access from impairing product safety and functional safety compliance. These new additions help mitigate the effects of transmission failures of safety-related data via remote communication through public networks.

Clause 22.62 specifies which household and similar appliances the requirements of Annex U apply to.

Annex U applies to appliances that connect to public networks, either wired (such as a local area network [LAN]) or wireless (such as Wi-Fi or Bluetooth®), while remote communication via public networks applies in multiple scenarios, including downloading software or transmitting data associated with:

  • Software compliance in relation to Annex R, e.g., a new software version for self-cleaning ovens.
  • Compliance with Clauses 8 to 32 of IEC 60335-1, e.g., a change in washing machine cycle parameters.
  • Parts of the software that are not related to the preceding cases but are not partitioned/segregated from the specified software parts.

Annex U does not apply in two specific cases:

  • Evaluation of Clauses 8 to 32 of IEC 60335-1 reveals that compliance with the standard is software independent.
  • Remote communication through public networks is solely for transmitting data-driven messages or push remote monitoring.

In addition, Annex U does not cover aspects concerning the confidentiality of data and consumer privacy.

Directives and standards more relevant for this purpose for appliances and consumer products include Article 3.3 of the Radio Equipment Directive (RED) 2014/53/EU and ETSI 303 645.

Edition 6 of IEC 60335-1 is only to be used in conjunction with Parts 2 that have been established based on this new edition. However, manufacturers may still have to use older versions of the standard if the adoption process and publication of national standards is still ongoing, with no mandatory effective dates published yet.

Annex U requirements

After identifying that Annex U applies, software in household and similar appliances shall implement all the necessary measures to control fault/error conditions related to remote communication, including protection of safety-relevant data, integrity against corruption and wrong or incomplete communication. Annex U does not limit communication protocols/technologies used by appliances to establish remote communication. However, the selected security protocol implemented to fulfill Annex U requirements shall be verified and validated as required by IEC 60335-1.

Software modularity is required to keep the parts involved in the public network communication segregated from the rest of the software.

The safe operation of an appliance shall not depend on remote communication. Local user interface functions shall always take priority over remote communication. When remote communication is used, it shall include proper access control functions, such as:

  • Identification – A unique identifier shall be provided for users and/or devices.
  • Authentication – A process for verifying a user’s or device’s identity must be included.
  • Authorization – After completing identification and authentication, the user or device shall be authorized to enable remote communication.

Cryptographic techniques shall be used during authentication and after authorization to implement fundamental security properties.

Modern techniques are founded on protocols based on symmetric, asymmetric or hybrid keys. Currently, there is no list of acceptable cryptographic techniques in Annex U. There is a need to adopt a globally accepted cryptographic algorithm in which no hacking/vulnerabilities have yet been discovered.

How UL Solutions can help you

Navigating the regulatory landscape of global markets is complex as each country or region has its own rules and regulations that dictate not only what requirements may apply to specific products but also how product compliance must be demonstrated.

Our UL Solutions teams of cybersecurity, software and electrical safety experts can:

  • Walk you through the full list of directives and regulations.
  • Assess your readiness for compliance to IEC 60335-1, Ed. 6, Annex U, helping to evaluate Annex U gaps on specific product concepts or prototypes.
  • Address the necessary steps to achieve compliance and certification to the updated parts of IEC 60335-1, Ed. 6.

In the specific case of Annex U, we highly recommend that you involve UL Solutions experts in the early stages of the product development process. Postponing attention to safety and security requirements until the last stages (implementation) increases the risk of causing rework that can impact feasibility, costs, and time-to-market.

As a leading issuer of International Electrotechnical Commission for Electrical Equipment (IECEE) CB test certificates worldwide and a single-source provider for global market access, we offer services for safety testing, interoperability, energy efficiency, electromagnetic compatibility (EMC) testing, advisory and more.

We provide global compliance expertise in more than 150 countries. With accredited certification bodies and laboratories across North America, Latin America, Europe and Asia, we make it convenient for you to work with UL Solutions experts close to you:

  • Our recognized laboratories and regulatory expertise offer household appliances manufacturers a complete solution.
  • We have experts who can help you navigate the process for testing, certification and submission.
  • Online tools like our Global Market Access Configurator, Regulatory Intelligence online knowledge database and Global Compliance Management platform keep you updated and enable you to keep track of customized information.

The UL Solutions Design Partnership portfolio supports manufacturers during the design stages, helping them understand compliance requirements and deliver their products to market faster.

Contact us to learn how we can help you prepare for compliance today.

Appliances Global Market Access

Navigate different international rules and regulations and gain market access with our Global Market Access Solution. We’ll work with you to expand your selling opportunities and to keep updated on the latest regulatory changes.

Learn more
Key resources

AHC_Cryptography Sell Sheet

281.14 KB

GMA Brochure (English)

2.87 MB

Global Market Access - Passport for Appliances

1.45 MB

Get connected with our sales team

Thanks for your interest in our products and services. Let's collect some information so we can connect you with the right person.

Please wait…