EN 18031 RED Network Security Introduction

On January 12, 2022, the European Union Official Journal published the authorization regulation (EU) 2022/30, which enforces mandatory compliance with the RED Directive provisions 3.3(d), (e), and (f), effective from August 1, 2025. This regulation directly impacts radio equipment manufacturers, certification bodies, and compliance processes. Below are the key points for analysis.

Product Scope

- Laptops: Internet access via Wi-Fi for activities like web browsing.

- Smartphones: Internet access via mobile networks or Wi-Fi, capable of calls, web browsing, and using apps.

- Smart TVs: Streaming videos, browsing online content, with apps and smart features after connecting to the internet.

- Smart Cameras and Surveillance Systems: Used for home security monitoring and other related purposes.

- Wearable Devices: Such as smartwatches and fitness trackers, capable of transmitting health and fitness data.

- Smart Home Devices: Like smart lighting, sockets, and temperature control systems, which can be controlled remotely.

- Smart Refrigerators: Internet-connected to manage food inventory and view recipes.

- Smart Security Systems: Including smart locks and alarm systems, with remote monitoring and control features.

- Smart Kitchen Appliances: Such as smart coffee makers and ovens, which can be controlled remotely.

- Bluetooth Headphones: Support for accessing contact information or location data.

- POS Terminals: Support for payment functionalities.

Core Standards Requirements and Scope:

en 18031 is divided into three parts, each corresponding to different security objectives:

- EN 18031-1 (Network Protection)

Requires devices to prevent network harm and avoid resource misuse (e.g., DDoS attacks).

Evaluation Content: Access control, security updates, resilience mechanisms, network monitoring, etc.

- EN 18031-2 (Privacy Protection)

Protects user personal data, applicable to children's toys, wearables, and similar devices.

Evaluation Content: Data encryption, logging, user notification mechanisms, etc.

- EN 18031-3 (Fraud Prevention)

Prevents fraud in financial transactions.

Evaluation Content: Device boot integrity, secure financial transaction verification, etc.

Implementation Timeline:

In May 2024, the EU officially released the final draft of the EN 18031 cybersecurity standards and widely sought feedback from member states. The standards were officially approved on August 1, 2024. However, the EN 18031 series must still undergo final approval from the EU and be incorporated into the Official Journal of the European Union (OJ) to become the officially recognized harmonized standard for RED compliance.

Important Considerations

1. If the documentation and remediation period are extended, the certification cycle will be delayed. It is recommended to allocate sufficient time for remediation.

2. Over 80% of products currently on the market will require remediation. Therefore, it is advisable to reserve time for remediation during the certification cycle, with a suggested preliminary assessment 6 months to a year in advance.

3. Since different products may have varying testing requirements and designs, it is recommended to conduct preliminary testing for each product category. After understanding the detailed requirements, integrate them into the product development phase to avoid extensive remediation during certification.

Important Notes

Q: Which products need to comply?

A:

- Models that have not yet shipped, but are shipped after the mandatory enforcement date (August 1, 2025), must undergo testing and obtain certification according to the requirements.

- Products that have already shipped but are still shipping after the mandatory enforcement date must complete testing and obtain certification.

- Products already shipped and sold in the EU market but will not be shipped after the mandatory enforcement date do not need to undergo testing and certification as per the new requirements.

Q: If a product has already passed EN 303 645, does it still need to comply with RED 3.3d/e/f?

A:

- If a product has passed EN 303 645, additional testing for the differences with EN 18031 is required to obtain an NB certificate and meet compliance requirements.

Q: How to issue a RED 3.3d/e/f certificate?

A:

- After testing is completed, the test report is submitted to the NB body for certification. A RED 3.3d/e/f certificate can be issued separately or together with the original EMC/Safety/RF certificates.

As the network security requirements of RED will be enforced starting from August 1, 2025, all products entering the EU market must comply with these standards. Manufacturers should confirm the following three key actions in advance:

1. Confirm whether the product is subject to restrictive clauses.

2. Document additional security measures.

3. Choose the appropriate certification path.