The European Union Artificial Intelligence Act (EU AI Act) is set to be fully implemented in 2026, and the Cyber Resilience Act (CRA) is scheduled for 2027. Together with the Radio Equipment Directive Delegated Act (RED-DA), which already took effect on August 1, 2025, these three legislative measures collectively emphasize mandatory requirements for information security and cybersecurity.
These regulations strengthen the comprehensive lifecycle management mechanisms for critical applications, IT components and telecommunications, impacting corporate strategies for complying with international information security standards while providing new opportunities for next-generation technological innovation. As a globally leading standards testing and certification organization, TUV NORD combines multiple international standards to meet comprehensive regulatory requirements, helping global enterprises address major challenges in AI, cybersecurity, and information security regulations.
Eric Behrendt, Global Key Account Manager of TUV Informationstechnik GmbH (TUVIT), and Chia-Hung Lin, Director of the Information Security Business Division at TUV NORD Taiwan, were jointly interviewed. This interview coincided with the relocation of TUV NORD Taiwan's testing laboratory to its new address in Kaohsiung City. Taking advantage of the new facility's inauguration, and in addition to inviting industry customers to celebrate together, they introduced TUVIT's global organizational developments and its comprehensive assessment and verification services, helping Taiwan customers understand new information security standards and the laboratory's development to seize new market opportunities.
TUVIT is an independent subsidiary within the TUV NORD Group, dedicated to the Digital and Semiconductor Business Unit, focusing on information security and data infrastructure resilience technologies. Established in 1995, TUVIT provides cybersecurity verification, testing, and consulting services, specializing in establishing information and networking security technology, testing hardware, software and certifying information security management systems. With the global industry's growing emphasis on and attention to semiconductor chips and network equipment information security standards compliance, TUVIT has established a robust information security environment to advance technological progress and ensure digital security.
In partnership with TUV NORD Taiwan, TUVIT assists Asian semiconductor, electronics manufacturing, and OEM/ODM manufacturers in obtaining certifications for various international and national information security standards. This will include the IT Baseline Protection of Germany's Federal Office for Information Security (BSI), which enhances cybersecurity with a structured framework for organizations to protect their IT systems effectively.
TUV NORD Taiwan laboratory offers services for CC, FIPS 140, and FIDO
TUV NORD Taiwan, together with TUVIT, has helped 12 semiconductor customers in the Asia-Pacific region (across more than 20 factories) achieve the German BSI Common Criteria safety certification. TUV NORD Taiwan's Kaohsiung testing laboratory is the only laboratory in Taiwan equipped to certify three major international cybersecurity standards: Common Criteria (CC), the U.S. National Institute of Standards and Technology (NIST) FIPS 140-3 standard, and the Fast Identity Online (FIDO) standard.
TUV NORD Taiwan has further expanded its services to include financial and industrial PC sectors, in addition to its existing work in semiconductors and networking, to help Taiwanese electronics manufacturers meet global compliance requirements. This expansion offers a broader range of services like product safety, information technology, and vendor assessment audits to support companies in navigating complex global standards.
Meanwhile, TUVIT has also expanded more actively into emerging fields such as artificial intelligence and quantum computing certification services, which are key technologies poised to redefine problem-solving, innovation, and competitive landscapes. TUVIT supports companies in implementing these new requirements and contributes to the safety and reliability of emerging technologies in the post-quantum era.
As AI technologies become increasingly integrated into everyday business operations, ensuring ethical, transparent, and secure AI systems is very important. The AI Act is the first legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally. Since 2018, BSI has reacted quickly to the rapid development in the field of artificial intelligence and created a framework that keeps pace with technological developments. This also includes intensive testing and the implementation of countermeasures. TUVIT carried out these tests and began developing and applying initial testing methods for AI applications at an early stage, Behrendt highlighted. He proudly stated that TUVIT continues to work closely with BSI to ensure that compliance in AI devices keeps pace with rapid technological advancements.
NIST Post-Quantum Cryptography Standards play a key role in information security certification
Using Quantum Key Distribution (QKD) technology as an example, Behrendt noted that the threat of quantum computer attacks on classical cryptographic mechanisms must be considered to ensure future-proof protection of information. QKD offers a promising solution by harnessing the principles of quantum mechanics to establish secure keys. TUVIT assists enterprises in following NIST-adopted Post-Quantum Cryptography (PQC) standards, providing industry testing and certification services to ensure their systems can withstand future quantum computer attacks.
Of course, this also involves enterprises' information systems requiring continuous assessment and upgrades to adapt to the practical operational needs of new PQC algorithms. Current cutting-edge technological developments involving data transmission and remote data exchange all require secure certification mechanisms for assurance. TUVIT is working with global technical partners to develop testing technologies and equipment, enabling related certification work and standard development to proceed in parallel.
Beyond facing new challenges such as QKD technology, customers currently face multiple certification requirements including CRA and EU AI Act standards, which inevitably leaves them feeling overwhelmed. Behrendt has recently been participating in three or more technical consultation meetings with customers regarding CRA standards almost every week. He observes that many customers neglect preparations from the initial stages of product design planning. He especially reminds customers of the importance of a secure internal product development framework that considers information security planning.
Large and mid-scale manufacturers meet multiple product line launch requirements by leveraging a common product development or manufacturing platform that incorporates information security standards from the start. This enhances the security of specific environments and allows for the reuse of verification results when certifying products manufactured in those environments, thereby simplifying subsequent product certification processes and saving time and costs.
Furthermore, regarding CRA and the AI Act, he provides several strategic recommendations. First, priority attention should be given to CC for IT security evaluation and IEC 62443 for industrial automation system information security standards. Currently, these fundamental cybersecurity standards have become prerequisites for new products entering international markets. Furthermore, for consumer electronics product cybersecurity requirements, all security requirement items will need to follow the ETSI/EN 303 645 IoT network security standards as important cybersecurity requirement guidelines.
Since Taiwan's electronics industry consists of major OEM/ODM manufacturers for global brands, TUV NORD Taiwan supports Taiwan's electronics supply chain by providing premium testing, inspection, certification, and consulting services to meet the specifications requested by global brand customers. These services help ensure that products comply with safety, quality, and cybersecurity standards across various industries, and contribute to market access and customer confidence.
Behrendt sincerely advises Taiwan OEM/ODM customers that from the first day of designing products under CRA, they must consider security and information security design. If these requirements are not considered, they will ultimately still need to go back to resolve these compliance challenges. Once these basic requirements are overlooked, regulatory agencies for these new standards will impose high penalties, which will cause product brand value and enterprises to suffer significant losses. Therefore, he recommends that enterprises take this seriously, genuinely prepare response plans early, and avoid violations. Passing certification and presenting evidence of proven effectiveness is the best product compliance strategy.
FIPS 140-3 Cryptographic Module and Software Testing Compliance Guidelines
Government agencies in the United States and Canada require FIPS 140-series certification for cryptographic products, while Taiwan's requirements align with this international standard. This certification is mandatory for products used to protect sensitive information and ensures that cryptographic modules have been independently tested and validated for security.
Cryptographic applications involving information exchange and sharing are not limited to hardware or software; as long as they participate in encryption and decryption operations, they need to pass FIPS 140-3 certification. For example, operating system software, semiconductor chips, network routers, firewalls, and other hardware devices all require this certification.
TUV NORD Taiwan's cryptographic module testing laboratory in Kaohsiung is the only local laboratory specifically providing testing and consulting services for this standard. Teddy Tsui, Senior Manager and FIPS 140 Lab Director, explained that the TUV NORD Taiwan laboratory obtained FIPS laboratory certification in 2014. This laboratory is also the only one in Taiwan recognized by NIST, and has served Asian customers for over ten years with expertise in the cybersecurity field. Currently, the laboratory can perform FIPS 140-3 testing for three types of cryptographic validation: hardware cryptographic modules, software algorithms, and entropy sources. This lab also provides customer consulting and educational training.

Credit: TUV NORD
Tsui explained that the Cryptographic and Security Testing (CST) laboratory only conducts testing and issues test reports for a FIPS 140 standard certification, while NIST is the authority that issues the formal certification or validation. As for why hardware cryptographic modules take so long, the process requires checking design process documentation, functional testing, and even code inspection.
The average time for a FIPS 140-3 certification for hardware cryptographic modules is approximately 18 months to 2 years, largely due to a backlog caused by the transition from FIPS 140-3 and the high volume of requests, which contributes to the extended waiting period. Software algorithm testing is relatively faster: the laboratory uses software verification programs and expects to complete testing in two to three weeks. NIST released three PQC standards for algorithms that can resist quantum computer attacks in August 2024: FIPS 203 (for key encapsulation), FIPS 204 (for digital signatures), and FIPS 205 (for hash-based digital signatures). These algorithms are now available for certification testing.
NIST estimates that quantum computers could threaten current cryptography in the next 10 years, leading to risks for long-term sensitive data through the "harvest now, decrypt later" attack. This involves attackers collecting encrypted data today and decrypting it in the future when a powerful enough quantum computer becomes available.
Tsui also stated frankly that FIPS 140 software algorithm testing will require re-testing when PQC algorithms are updated. Customers will face challenges in migrating their systems. The main challenges include the complexity of inventorying all cryptographic systems, integrating the new algorithms into products, and the long timeline for the transition, which requires careful management and strategic planning.
TUV NORD Taiwan Leverages Localization Advantages with Rich Experience Serving Taiwanese Manufacturers
Furthermore, Chia-Hung Lin, Director of the Information Security Business Division at TUV NORD Taiwan, especially emphasized the importance of information products passing CC verification. The requirement covers the entire product development lifecycle to ensure that every stage of the manufacturing process receives complete cybersecurity protection.
The evaluation process of CC certification includes Site Certification of the location where product development or manufacturing occurs. This ensures that the physical and procedural environment where a product is developed or manufactured meets security standards, protecting design data and products throughout their lifecycle. These audits are crucial steps in the evaluation, as they validate the developer's claims about product security and confirm the integrity of the entire supply chain, not just the final product itself. Site Certification also saves the time and money of re-audits by allowing a single certification to cover multiple products developed or manufactured at that site. Currently, the major semiconductor fabs and OSAT vendors in Taiwan have obtained Site Certification with TUV NORD Taiwan's assistance.
Drawing on decades of experience serving Taiwanese customers, Lin pointed out one notable real case of customer support in Taiwan. The COVID-19 pandemic caused systemic disruptions for the auto industry through a semiconductor shortage in 2020. At that time, the Taiwan government had implemented strict border quarantine for all passengers. A Taiwanese semiconductor fab manufacturing automotive chips urgently needed certification, but the quarantine policy caused delays for TUVIT's German auditors and professionals. TUV NORD Taiwan's team overcame difficulties and communicated with the government, resulting in a breakthrough that allowed the German auditors to perform audits on time and certify this Taiwanese customer. This has become an important case in TUV NORD Taiwan's customer support history.
TUV NORD Taiwan maintains an important market reputation and actively maintains long-term relationships with customers. Combined with the unique and important value demonstrated by the localized laboratory (not just testing equipment, but also the extensive practical experience and know-how accumulated over the years), TUV NORD Taiwan's services have earned customer trust. As global information security product opportunities increase Asian manufacturing by helping companies diversify supply chains, TUV NORD Taiwan aims to partner with Taiwan clients to leverage new business opportunities that arise from information security standards. This partnership focuses on helping customers seize the critical business opportunities arising from the growing importance of cybersecurity by ensuring compliance with standards, protecting sensitive data, and maintaining business resilience.