EN 18031 Testing Services

The mandatory implementation date for the EU Radio Equipment Directive (RED) cybersecurity requirements under en 18031 is August 1, 2025. Although it has not yet been officially listed as a harmonized standard in the EU Official Journal (OJ), manufacturers are advised to prepare for compliance in advance.

Below is a comprehensive overview of the testing content for the EN 18031 series of standards, in line with the cybersecurity requirements of the EU Radio Equipment Directive (RED):

Standard Background and Scope

The EN 18031 series of standards was developed by the EU to implement the cybersecurity requirements under Article 3(3)(d), (e), and (f) of the RED Directive (2014/53/EU), specifically focused on securing networked radio equipment. This standard is divided into three parts, each addressing asset protection in different domains:

- EN 18031-1: Corresponding to Article 3(3)(d), focusing on cybersecurity assets (e.g., network infrastructure, communication protocols).

- EN 18031-2: Corresponding to Article 3(3)(e), focusing on privacy assets (e.g., personal identification information, health data).

- EN 18031-3: Corresponding to Article 3(3)(f), dedicated to the protection of financial assets (e.g., devices supporting cryptocurrency transactions or funds transfer).

Core Testing Content

1. General Security Mechanisms (Applicable to EN 18031-1/2/3):

 - Access Control Mechanism (ACM): Verifying the device’s ability to manage user permissions, preventing unauthorized operations.

 - Authentication Mechanism (AUM): Testing the reliability and anti-breach capabilities of multi-factor authentication (e.g., biometrics, dynamic passwords).

 - Secure Communication (SCM): Checking the encryption protocols for data transmission (e.g., TLS 1.3) and the ability to defend against man-in-the-middle attacks.

 - Secure Storage Mechanism (SSM): Evaluating encryption storage solutions for sensitive data (e.g., keys, transaction records), ensuring compliance with standards such as AES-256.

 - Secure Updates Mechanism (SUM): Verifying the integrity of firmware/software updates and anti-tampering mechanisms (e.g., digital signature verification).

2. Itemized Testing Focus:

 - EN 18031-3 (Financial Asset Protection):

 - Anti-fraud Functions: Testing the device's ability to identify and block abnormal transactions (e.g., phishing attacks, duplicate payments).

 - Key Management: Ensuring that pre-installed or generated encryption keys are ≥112 bits in length and verifying the security of the key lifecycle (generation, storage, destruction).

 - Log Mechanism (LGM): Ensuring the integrity, anti-tampering, and traceability of transaction logs.

 - EN 18031-2 (Privacy Protection):

 - Data Anonymization: Verifying the anonymization processes for personal privacy information (e.g., geolocation, payment records).

 - Compliance Auditing: Checking adherence to privacy regulations such as GDPR, ensuring data minimization principles.

 - EN 18031-1 (Cybersecurity):

 - Vulnerability Protection: Assessing the device’s attack resistance through penetration testing (e.g., SQL injection, DDoS attack simulation).

 - Network Segmentation: Verifying the device’s network segmentation and isolation mechanisms under abnormal traffic conditions.

Testing Process and Requirements

1. Document Preparation:

 - Submit an asset identification table that classifies security, network, privacy, and financial assets.

 - Provide technical documentation (design specifications, communication interface matrix, security policies).

2. Prototype Requirements:

 - Provide 4-6 prototypes (including 2-3 debug prototypes) with open debug interfaces (e.g., root access) to support in-depth testing.

3. Testing Timeline:

 - Documentation Submission: 4-12 weeks.

 - Functionality Testing: 8-12 weeks (including concept evaluation, functional verification, and fuzz testing).

Compliance Recommendations

- Plan Ahead: Due to the lengthy testing process, it is recommended to initiate the certification process at least 6 months before the mandatory implementation deadline.

- Collaborate with Certified Laboratories: Choose a third-party laboratory qualified under the RED directive for pre-testing to optimize design flaws.

- Ongoing Maintenance: Regularly update security patches and maintain records of updates to ensure compliance throughout the device's lifecycle.