CE RED Certification and EN 18031 Security Standard

In the digital era, wireless devices have become an integral part of our daily lives. From smartphones to smart home systems, these high-tech products greatly enhance our living experiences but also introduce new challenges for cybersecurity and privacy protection.

To address these emerging issues, the European Union (EU) established the Radio Equipment Directive (RED), aiming to ensure the safety of all wireless devices on the market. This initiative not only helps protect consumer interests but also promotes the healthy development of the entire industry.

Background of the RED Directive

With the widespread adoption of wireless technologies such as Wi-Fi, NFC, and Bluetooth, the risks of cyberattacks and financial fraud have increased. To mitigate these risks, the European Commission adopted an enabling act for the Radio Equipment Directive (2014/53/EU) in October 2021, ensuring the safety of wireless devices in the markets of the EU’s 27 member states. These changes were published in the EU Official Journal (EUOJ) on January 12, 2022.

In May 2024, the EU officially released the final draft of the EN 18031 cybersecurity standards series, widely consulting member states for feedback. The standards will become mandatory starting August 1, 2025.

Under this regulation, all wireless devices sold in the EU market must meet requirements for cybersecurity, personal data privacy, and fraud prevention. Manufacturers must comply with these provisions and obtain CE-RED certification before the August 1, 2025, transition deadline. This implies that device manufacturers will need to implement enhanced measures for cybersecurity, personal data protection, and fraud risk reduction.

Cybersecurity Requirements of the RED Directive

The cybersecurity requirements in the RED Directive focus on three key areas:

1. Cybersecurity Protections: Wireless devices must not harm networks or their functionality, nor misuse network resources, leading to unacceptable service degradation.

2. Personal Data and Privacy Protection: Wireless devices must include safeguards to protect users' and subscribers' personal data and privacy.

3. Prevention of Financial Fraud: Wireless devices must support features to prevent financial fraud.

Affected Product Categories

These changes will impact all manufacturers declaring compliance under the Radio Equipment Directive. According to RED Article 3.3, the main product categories include:

- EN 18031-1: Common security requirements for wireless devices - Part 1: Internet-connected wireless devices.  

- EN 18031-2: Common security requirements for wireless devices - Part 2: Wireless devices that process data, including network-connected devices, children's devices, toys, and wearables.  

- EN 18031-3: Common security requirements for wireless devices - Part 3: Devices that process virtual currency or monetary value through internet connections.

Products Excluded from Scope:

- Medical devices classified under (EU) 2017/745 and (EU) 2017/746.

- Exemptions for parts of civil aviation, automotive, and road toll systems (3.3e and 3.3f requirements excluded).

Guidelines for Manufacturers

Manufacturers should begin preparations for the mandatory compliance deadline of August 2025. They must review existing products and evaluate new product designs to ensure compliance with the new cybersecurity requirements and secure the necessary certifications before the deadline. These efforts will minimize business risks and help maintain a competitive edge.

Failure to comply may result in severe consequences, including but not limited to product recalls, fines, market bans, and reputational damage.