EMC China Lab

A Detailed Introduction to the EU EN 18031 Standard

Update time : 2025-04-22

There are countless articles online about the EN 18031 standard, but most of them are repetitive, with one simply copying from another, lacking innovation and only stoking anxiety without adding value. The JJR Lab in China strives to present straightforward, honest information—things that customers want to know but are hard to find online. Let's get to the core of it.

 

We won’t repeat the details of the standard itself. To summarize: starting from August 1st of this year, the EU has a cybersecurity requirement for products entering the market, and products must comply with the applicable standards, the EN 18031 series. Now, let’s dive into the questions.

 



Question 1: Which products must comply with this standard?

In short: If your device can connect to the internet, handle personal data, or involve financial transactions, it likely needs to undergo EN 18031 certification.

 

1. Three Categories of Products that Must Comply with EN 18031

 1. Internet-connected electronic devices

 Examples:

 - Your home router that connects to WiFi and auto-updates the system → Must be certified (EN 18031-1).

 - A smart fridge that connects to the internet for recipe searches and software updates → Must be certified (EN 18031-1).

 - A children's watch with 4G/5G connectivity → Must be certified (EN 18031-1).

 Self-check question: Does the device connect to WiFi, Bluetooth, 4G/5G? Does it auto-update software?

 

 2. Devices that collect personal data

 Examples:

 - A smart watch that tracks heart rate or GPS data → Must be certified (EN 18031-2).

 - A baby monitor with camera and audio functions → Must be certified (EN 18031-2).

 - A Bluetooth headset that collects user voice data via an app → Must be certified (EN 18031-2).

 Self-check question: Does the device record user identity, location, or health data?

 

 3. Devices that involve payments or virtual currencies

 Examples:

 - A POS machine in a supermarket that processes credit card payments → Must be certified (EN 18031-3).

 - A hardware wallet for storing Bitcoin → Must be certified (EN 18031-3).

 - A phone supporting NFC payments (e.g., Apple Pay) → Must be certified (EN 18031-3).

 Self-check question: Does the device handle transfers, store money, or process virtual currencies?

 

2. Exceptions—Products That Don’t Need Certification

 - Medical Devices: For example, a connected pacemaker → No need for privacy or financial certification (EN 18031-2/3 doesn’t apply).

 - Automotive Devices: For example, a car’s navigation system → No need for privacy or anti-fraud measures (EN 18031-2/3 doesn’t apply).

 - Simple Toys: For example, a remote-controlled car that doesn't connect to the internet → No certification required.

 

3. Quick Self-Check

 In short: Any electronic device that connects to the internet, records personal data, or deals with money needs EN 18031 certification.

 

 Extreme example: If a smart toilet connects to WiFi to record user toilet times and even supports QR code payment for flushing, it would need to comply with all three standards!

 

Question 2: Self-declaration vs Third-party Certification—Which Should I Choose?

In short: Don't overthink it—opt for third-party certification! If you could do it yourself, you wouldn’t be searching for answers online. Let professionals handle it.

 

Instead, your main concern should be whether an NB certificate is necessary.

 

1. When Self-declaration is Allowed

 Manufacturers can self-declare compliance as long as the product meets all of the following conditions:

 

 1. No Default Password Vulnerabilities

 The device must require the user to set a password (or an alternative like biometric authentication) when first used, and "no password" mode is not allowed.

 Example: A smart router that requires users to change the default password when first connected → Self-declaration is possible.

 

 2. Not Involved in High-Risk Scenarios

 - Non-children's devices: The product doesn't collect children's personal data (e.g., a regular smart band that doesn't track children's GPS data).

 - Non-financial devices: The product doesn’t handle payments or virtual currency transactions (e.g., a regular Bluetooth speaker).

 

 3. Secure Update Mechanism

 Firmware updates must meet the standard’s multiple security requirements (e.g., digital signature + rollback prevention), and not rely on a single measure.

 Example: A smart camera that supports encrypted mandatory updates → Self-declaration is possible.
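An added Go example, not code from the standard or from JJR, of the combined update check this condition describes: the device accepts a firmware image only if the manifest carries a valid vendor signature, the version is strictly newer than the installed one (rollback prevention), and the image hashes to what the signed manifest commits to. Ed25519, the manifest layout and the sample image are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one firmware image. The layout is
// constructed for this example and is not any real product's format.
type Manifest struct {
	Version   uint32   // monotonically increasing; the anti-rollback counter
	ImageHash [32]byte // SHA-256 of the image bytes
}

// Encode gives the exact bytes the vendor signs and the device verifies.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Device holds the state an updater needs: the vendor public key provisioned
// at manufacture and the highest version ever installed.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("version not newer than installed; rollback refused")
	ErrImageHash    = errors.New("image does not match signed manifest")
)

// ApplyUpdate accepts an update only when all three independent checks pass:
// the manifest is signed by the vendor key, its version is strictly newer than
// what is installed, and the image hashes to the value the manifest commits to.
func (d *Device) ApplyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	d.InstalledVersion = m.Version
	return nil
}

// SignManifest is the vendor-side (build server) step, included so the
// exchange can be run end to end.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, InstalledVersion: 1}
	image := []byte("constructed firmware image, version 2")
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)
	fmt.Println("install v2:", dev.ApplyUpdate(m, sig, image))
	fmt.Println("replay v2: ", dev.ApplyUpdate(m, sig, image))
	fmt.Println("tampered:  ", dev.ApplyUpdate(Manifest{Version: 3, ImageHash: m.ImageHash}, sig, image))
}
```

A signed downgrade manifest is refused just like a forged one, which is the point of keeping the version check separate from the signature check.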

 

 Self-declaration can be done in two ways:

 - Option 1: DoC (Declaration of Conformity) – The CE Declaration of Conformity is a self-declaration document issued by the manufacturer itself, not by a third-party organization, so a company declaration in the EU format serves this purpose.

 - Option 2: CoC (Certificate of Compliance) – This certificate is issued by a third-party organization and must be accompanied by a test report and technical documentation, and the manufacturer must sign the declaration.

 

2. Situations That Require Third-Party Certification and an NB Certificate

 If the product involves any of the following, it must undergo certification by an EU Notified Body (NB):

 

 1. Allows User to Bypass Passwords

 Example: A phone that allows "password-free unlocking" → Needs third-party certification.

 

 2. Involves Sensitive or Children’s Privacy Data

 A children's toy, baby monitor, or wearable device that does not enforce parental control features.

 Example: A children's smart watch without the ability to remotely disable the camera → Needs third-party certification.

 

 3. Financial or Payment-related Devices

 A device that handles payments or stores virtual currency and relies on a single security measure alone.

 Example: A cryptocurrency hardware wallet that only uses a digital signature for key protection → Needs third-party certification.

 

In summary: The best approach is to find a third-party to test the product, prepare the report, and complete the Declaration of Conformity. If the product falls into one of the three special categories, it's important to choose a third-party organization that can issue an NB certificate.

 

 

Question 3: Do Products That Have Previously Obtained CE certification Need to Be Re-certified?

1. Core Judgment Criteria for Whether Re-certification Is Needed

 1. Scope of the Original Certification

 

 If a product has already passed CE-RED, CE-EMC, or CE-LVD certification and does not involve the new cybersecurity clauses introduced in 2025 (RED Article 3.3(d)(e)(f)), there is no need for re-certification.

 

 If the product falls under the scope of the RED directive and involves networking functions, personal data processing, or electronic payments (such as smart watches, POS machines, etc.), additional testing against the EN 18031 series standards will be required to comply with the new cybersecurity regulations.

 

 2. Updates to Certification Standards and Directives

 

 - CE-RED: From August 1, 2025, the cybersecurity clauses (EN 18031-1/2/3) will be mandatory. If the original certification does not cover this part, it will need to be re-evaluated.

 - CE-EMC/LVD: If no new directives or standards are issued, and the product design has not changed, re-certification is not needed.

 

2. Specific Scenarios and Response Strategies

 

 (1) Scenarios Where Re-certification Is Required

 

 - Product falls under the newly controlled scope of the RED directive

 For example, smart phones, smart home devices, and payment terminals need to meet the requirements for network protection (Article 3.3(d)), privacy protection (Article 3.3(e)), and anti-fraud (Article 3.3(f)), and must pass EN 18031 testing and update their CE-RED certification.

 

 - Original CE-RED certification does not cover cybersecurity clauses

 If the certificate does not include the additional RED-DA requirements introduced in 2022 (such as default password protection, financial transaction security mechanisms), additional testing is required.

 

 (2) Scenarios Where Re-certification Is Not Required

 

 - Product does not fall under the newly controlled scope of the RED directive

 For example, general electrical appliances that only need to meet EMC (Electromagnetic Compatibility) or LVD (Low Voltage Directive) requirements (such as fans and lamps): provided the standard has not been updated and there are no design changes, the original certificate remains valid.

 

 - Certification is still valid and no changes in the standards

 The default validity period of a CE certificate is 5 years. If the product design has not changed and the directive has not been updated, there is no need for re-certification.

 

3. Regulatory Exemptions and Transition Period

 - Exemption Scope: Medical devices, civil aviation equipment, automotive products, and other products regulated by specialized laws are exempt from the RED cybersecurity clauses (Article 3.3(e)/(f)).

 

 - Transition Period: Products that were placed on the EU market before August 1, 2025, can continue to be sold until the end of their lifecycle. However, new production or first-time market entry products must comply with the new regulations.

 

4. Suggestions for Companies

 1. Self-check Product Classification

 Confirm whether the product belongs to the newly added categories under the RED directive, such as networking devices, data-processing devices, or payment devices.

 

 2. Evaluate Certification Coverage

 Check whether the existing CE certificate includes the requirements of the EN 18031 standard.

 

 3. Update Technical Documentation

 If additional certification is required, submit updated technical documentation (including cybersecurity design specifications, vulnerability patch records, etc.).

 

Question 4: Can Your Product Family Be "Bundled" for Certification?

Some manufacturers have asked: "We have more than 20 categories of cameras, and each category has at least 5-6 models, with some having 20-30 models. That means we have over 300 products! If we need to certify each one, wouldn't all our workers in the factory just be working for the certification company?"

 

Alright, today I'll explain the most complex rules in the simplest way possible, so that even business staff can understand immediately!

 

1. Can it be done? Yes! But it must meet 3 "Golden Rules"

Series certification is like a "family bucket" – as long as the core recipe is the same, different versions can be certified together. However, it must meet the following conditions:

 

① The core safety design must be completely identical

- Hardware: All models use the same encryption chip (for example, NXP's SE050 security chip).

- Software: The main firmware version, encryption algorithm (like AES-256), and permission management logic must be exactly the same.

- Example: A smart lock in the same series, where the appearance color differs but the security module is the same, can be bundled for certification.

 

② Only non-security parameters can differ

- Allowed differences: Appearance, screen size, casing material, non-essential functions (like alarm reminders).

- Not allowed: Removing parental controls, lowering encryption levels, changing communication protocols (like switching from WiFi 6 to 4G).

 

③ Software upgrade strategy must be unified

- All models must have the same firmware update mechanism (e.g., digital signature verification) and vulnerability patch cycle.

 

2. Three Steps for Series Certification: Saving Time and Money

(Taking a smart watch series as an example)

 

Step 1: Choose a "Representative Product"

- Select the model with the highest hardware configuration and the most features (e.g., the flagship model) as the "main model."

- Why? High-end models cover the security requirements of lower-end models, but the reverse might not meet the standards.

 

Step 2: Prepare the "Family Bucket Materials"

- Technical Documentation: Provide a comparison table for all models, highlighting the differences (e.g., communication modules, functional scenarios).

- Test Samples:

  - Main model: 2 normal samples + 2 debug samples (with root access).

  - Other models: One normal sample per model (only for random checks on the differences).

 

Step 3: Submit the Application and Wait for "Bulk Price" Discounts

- Certification costs are 30%-50% lower than for single model certification (due to the reuse of test items).

- The certification period is shortened to 2-3 months (main model testing takes 2 months, other models' difference checks take 1-2 months).

 

3. Avoid These Pitfalls!

(3 Common Mistakes Made by Business Staff)

 

1. Choosing the Wrong "Representative Product"

- Example: A manufacturer chose a low-end fitness band as the main model, resulting in the entire series being rejected for "lack of secure boot."

- Solution: Prioritize the most complex and security-critical model.

 

2. Concealing Minor Modifications

- Example: A headphone series secretly changed the Bluetooth chip, leading to the entire series' certification being invalidated.

- Solution: Any hardware change (even just a different brand of sensor) must be reported to the certification body in advance.

 

3. Overlooking "Child Mode"

- Example: In a children's smartwatch series, some models removed the "parental remote lock" function, leading to the entire batch failing certification.

- Solution: When it comes to privacy or financial functions, all models in the series must have the same functionality.

 

4. One-Sentence Summary

Series certification = standardized core formula + transparent differences + main model!

As long as the core security is standardized like a chain store's "central kitchen," different products can be quickly replicated for certification like "branches." But remember: Any changes involving encryption, privacy, or payment functions must be certified separately!

 

(Need to evaluate whether your products are suitable for series certification? Feel free to contact the JJR expert team for a free solution.)

 

Three Major Fatal Misunderstandings for Manufacturers

 

Misunderstanding 1: "The law doesn't punish the majority, so if everyone does it, it's fine."

 

- Reality: Leading companies have already made moves! Brands like Samsung and Philips started EN 18031 certification in 2024, and by Q1 of 2025, over 60% of certified products will be from these brands. The “wait and see” approach of small and medium-sized manufacturers actually hands over the market to competitors.

 

- The Data Says Otherwise: According to a 2025 EU customs pilot inspection, only 32% of Chinese-exported radio equipment complies with the new regulations.

 

Misunderstanding 2: "They won't catch me, just make a superficial compliance report."

 

- Technical Evidence: The EU will use automated detection tools (such as Nmap port scans, Wireshark packet captures) to bulk-screen devices. For example:

- ✅ Detect if devices respond to Telnet/SSH ports → Exposure is a violation.

- ✅ Analyze data streams to check if TLS 1.3 is used → Unencrypted data will be rejected.

 

Misunderstanding 3: "I can fix it if I get caught."

 

- Time Trap: The full EN 18031 certification process takes 4-8 months:

1. Hardware Modification (e.g., adding a secure boot module) → 3-6 months.

2. Firmware Rewrite (e.g., enforcing password policies) → 2-4 months.

3. NB Certification (required for financial devices) → 1-2 months.

- Closing Window: From today (April 11), only 112 days left → There's no time to complete the full certification process!

 

How to Break the Deadlock: Three Steps to Minimize Losses

STEP 1: 72-Hour High-Risk Self-Inspection

 

- Key Items to Check:

- ✅ Force modification of default passwords upon first boot (e.g., admin/123456) → 20% of products still have this issue!

- ✅ Ensure data transmission uses TLS 1.3 or HTTPS (can be verified with a 10-minute Wireshark packet capture).

- ✅ Payment devices must support digital signatures + dynamic password two-factor authentication.

 

STEP 2: Prioritize "Veto Items"

 

- Lowest-Cost Compliance Path:

1. Reuse Existing Certifications: Use certified models to cover the product series (save 50% of costs).

2. Emergency Software Patches: Push password policies, close redundant ports via OTA updates (can be completed in 1 week).

3. Document Compliance Packaging: Add risk assessment reports, encryption protocol explanations (to avoid rejection due to incomplete documents).

 

STEP 3: Seize the Last Certification Window

 

- Green Channel: Cooperate with JJR for prioritized EN 18031 testing.

 

The Ultimate Choice for Manufacturers: Either Pay $20,000 for Certification Now, or Face a $100,000 Fine Later!

 

- Strategic Value: EN 18031 certification is the golden key to accessing the EU market and provides mutual recognition qualifications for more than 50 countries worldwide.

 

[Urgent Pitfall Avoidance]

EN 18031 Self-Declaration ≠ "Just a Quick Fix!" 90% of Manufacturers Fall into Deadly Compliance Traps

 

1. Self-Declaration ≠ No Barriers: Three Major Limiting Conditions That Expose "Sloppy Reports" Immediately

 

- Core Misunderstanding: Some manufacturers mistakenly believe that "harmonised standards allow self-declaration" means "no need for technical verification." In reality, EN 18031 compliance declarations have strict limitations, and acting blindly will directly trigger the EU’s “one-vote veto”:

 

1. Default Password “Death Trap”:

- If a device allows users to skip setting a password (e.g., default empty password or weak password like admin/123456), even if a declaration is submitted, it will be deemed non-compliant.

- The EU explicitly requires that the default password be forcibly changed upon first boot, and it must be validated with a high-strength algorithm (e.g., SHA-256 hash).

 

2. Mandatory NB Certification for Financial Devices:

- Devices handling virtual currencies or payments (e.g., POS machines, ATMs) must go through certification by an authorized body (NB). Self-declaration is invalid. For example, if security updates rely solely on a single digital signature without additional access control mechanisms, the product will be rejected.

 

3. Parental Control Red Line for Children’s Products:

- Toys or child care devices that don’t implement role-based access control (e.g., parental control isolation) will be regarded as "technical fraud," even if a declaration is issued.
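An added Go example, not code from the page or the standard, of the first-boot password rule in item 1 above together with the account-lockout behaviour that the brute-force check in the "Technical Evidence" section below looks for: the device refuses logins until the user has set a non-default password, stores it as a salted PBKDF2-HMAC-SHA256 hash (built on SHA-256, as the page mentions), and locks the account after repeated failures. The minimum length, iteration count, lockout time and deny-list are assumptions.

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Policy values are assumptions for this example, not figures from EN 18031.
const minLength, iterations, maxFailures = 12, 100000, 5
const lockoutTime = 15 * time.Minute

var (
	// Constructed deny-list of factory defaults that must never become the password.
	denyList         = map[string]bool{"": true, "admin": true, "123456": true, "password": true}
	ErrNoPasswordSet = errors.New("first-boot password not yet set; access refused")
	ErrWeakPassword  = errors.New("password is empty, a known default, or too short")
	ErrLocked        = errors.New("account temporarily locked after repeated failures")
	ErrBadPassword   = errors.New("wrong password")
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Account is the device's admin login; hash stays nil until the user sets a password at first boot.
type Account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// SetPassword enforces the first-boot rule: no empty, default or short value.
func (a *Account) SetPassword(pw string) error {
	if denyList[pw] || len(pw) < minLength {
		return ErrWeakPassword
	}
	a.salt = make([]byte, 16)
	rand.Read(a.salt) // fresh random salt per password
	a.hash = pbkdf2SHA256([]byte(pw), a.salt, iterations)
	return nil
}

// Login compares in constant time and locks the account for lockoutTime after maxFailures wrong guesses.
func (a *Account) Login(pw string, now time.Time) error {
	if a.hash == nil {
		return ErrNoPasswordSet
	}
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	if hmac.Equal(pbkdf2SHA256([]byte(pw), a.salt, iterations), a.hash) {
		a.failures = 0
		return nil
	}
	if a.failures++; a.failures >= maxFailures {
		a.lockedUntil, a.failures = now.Add(lockoutTime), 0
	}
	return ErrBadPassword
}
```

The lockout is what turns a scripted guessing run into a handful of attempts per quarter hour; without it a weak password is only a matter of time.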

 

Hard Lessons (Hypothetical Cases):

- A Bluetooth earphone manufacturer was fined 800,000 euros by the EU due to a "bypassable default password" vulnerability, even after submitting a self-declaration.

- A smartwatch manufacturer forged an encryption protocol report, but customs used Wireshark to capture 10 minutes of data in plain text, and the goods were destroyed.

 

2. Technical Evidence: Assuming Customs "Won't Understand" the Technology Only Lowers Your Own Standards

 

Misunderstanding Crusher:

1. Customs Inspections Use "Military-Grade Tools"

 - Automated Detection Technology:

 - ✅ Nmap Port Scan: Identifies within 3 seconds whether high-risk Telnet/SSH ports (e.g., ports 23 and 22) are open → Exposure is a violation.

 - ✅ Wireshark Packet Capture Analysis: Analyzes data streams in real-time; if TLS 1.3 or AES-256 encryption is not used, the product is rejected.

 - ✅ Hydra Brute Force Tool: Simulates 100,000 password attempts; if the device does not lock accounts → It’s considered a "default password vulnerability."

 

2. Document Review "Microscopic Error Checking"

 - Required Items for Reports:

 - ✅ Encryption algorithm implementation details: Must be precise to the code line (e.g., OpenSSL version, key length). Simply stating "complies with TLS protocol" is invalid.

 - ✅ Security Update Log: Must include automated update records for the past year (timestamp + hash value). Falsifying time sequences will trigger "historical data review."

 

3. EU Has Established a "Blacklist Linkage Mechanism"

 - Once a false declaration is found, the involved company and its affiliates (e.g., contractors, brand owners) will be added to the EU RAPEX early warning system, leading to stricter inspections for all products in the category.

 

3. Compliance Cost Comparison: Taking a Chance vs. Professional Certification — Which is More Cost-Effective?

 

Case Evidence (Hypothetical Cases):

- A router manufacturer expedited certification by reusing an existing hardware security module, completing EN 18031-1 certification in 7 days, saving 60% of costs.

- A smart home brand delayed certification and saw its inventory fail to sell after August 1. European distributors claimed over 5 million euros in damages.

 

4. Three Steps for Rapid Clearance: Seize the Last 90-Day Window

 

STEP 1: 48-Hour High-Risk Self-Inspection

 

- Self-Inspection Toolkit (to be launched soon, stay tuned):

- ✅ Nmap High-Risk Port Scan Script.

- ✅ Wireshark Packet Capture Compliance Template.

- ✅ Default Password Strength Validator.

 

STEP 2: Prioritize "Critical Items"

 

- Low-Cost Compliance Plan:

1. Emergency Software Patches: Close redundant ports and push password policies (can be completed in 3 days).

2. Reuse Certification: Share test reports for the same product series (save 70% of costs).

3. Document Packaging: Encryption protocol explanation + risk assessment report (to avoid document rejection).

 

STEP 3: Lock in the "Guaranteed Certification" Channel

 

- Green Channel: Partner with JJR to sign a “Late Penalty Agreement” (if delays are caused by scheduling issues, the testing party will bear the penalties).

- Technical Support: Provide pre-testing services to ensure a one-time pass (free re-test if not passed).

 

Summary

Whether you need to redo CE certification before August 1, 2025, depends on the product type and existing certification scope:

 

- RED Directive products involving networking, data, or payment → Must supplement EN 18031 testing and update certification.

- Products only requiring EMC/LVD certification → No need for re-certification if standards haven’t been updated.

 

It is recommended that manufacturers first check high-risk products to avoid market access issues caused by compliance problems.

 

