EMC China Lab

Is EN 18031 Cybersecurity Compliance Mandatory?

Update time : 2025-04-22

With only 100 days left until the mandatory enforcement of EN 18031, many IoT device manufacturers have yet to initiate their certification processes. This wait-and-see attitude may stem from the "soft landing" precedent set by the UK's PSTI Act in 2022. Back then, many businesses successfully avoided risk by betting on policy delays or loosening. However, in Brussels, the dynamics surrounding cybersecurity certification have fundamentally shifted: according to Article 17 of the Cyber Resilience Act and ENISA's "2025 Cybersecurity Certification White Paper," EN 18031 has been established as a technical support standard for the Cyber Resilience Act, forming a "trinity" regulatory framework alongside the GDPR. This means that companies attempting to replicate the PSTI wait-and-see strategy are essentially betting on a losing game.

 



Historical Experience: The EU's Enforcement of Technical Regulations

While some manufacturers remain skeptical about the enforcement of EN 18031 (thinking it might be "all talk, no action" like some technical standards), the EU has historically had a strong enforcement record in areas related to national security, privacy protection, and public safety, with almost no "unfinished business" cases.

 

Counterexamples:

- RED Directive: In the past, some manufacturers attempted to bypass EMC or RF testing through loopholes, but this was limited to areas with lower technical risks (e.g., Bluetooth signal interference). However, once safety risks are involved (e.g., battery explosion hazards), the EU's enforcement is strict, even including product recalls. Similarly, cybersecurity testing will not be overlooked.

 

- GDPR (General Data Protection Regulation): When GDPR came into effect in 2018, there were concerns about its difficult enforcement. However, through hefty fines (e.g., Amazon €746 million, Meta €1.2 billion) and cross-border cooperation, the EU established its authority. GDPR has since become a global benchmark for privacy protection.

 

The Special Nature of Cybersecurity: The EU Has Elevated It to National Security Status

The core of EN 18031 is to prevent network attacks that could cripple critical infrastructure, leak private information, or trigger public safety incidents, which is fundamentally different from traditional safety and EMC testing:

 

- Extension of GDPR: Device vulnerabilities leading to data leaks can directly trigger GDPR fines (e.g., smart home cameras leaking user privacy).

 

- EU Cyber Resilience Act: The new regulation passed in 2024 explicitly requires connected devices to meet cybersecurity standards (such as vulnerability fixes, security updates), and EN 18031 will serve as its technical foundation.

 

- Geopolitical Drivers: After the Russia-Ukraine conflict, the EU has zero tolerance for network attacks in critical areas like energy, communication, and transportation. For example, a camera being hacked could serve as a gateway for attacking the power grid.

 

Signals of EN 18031's Mandatory Enforcement

- Clear timeline: EN 18031 will be enforced from August 1, 2025. Similar to GDPR, the EU will allow a transition period but will not delay its implementation.

 

- Leading companies have already acted: Major international and domestic companies, such as Samsung, Philips, Hikvision, and Dahua, began EN 18031 certification in 2024. By Q1 2025, over 60% of their certified products will be compliant. These leading manufacturers’ market insights are sharp and should not be ignored.

 

- High compliance costs for manufacturers: Devices that fail to comply with EN 18031 will not receive the CE mark, meaning they will be unable to enter the EU market. Manufacturers cannot afford to take this risk.

 

The Future of Cybersecurity

- Short-term (1-2 years): EN 18031 will continue as a supplementary provision to the RED Directive but will work in tandem with the Cyber Resilience Act, forming a "dual constraint."

 

- Long-term (3-5 years): Cybersecurity will likely become an independent, mandatory certification system, much like medical devices (MDR) or automobiles (E-mark). The driving factors include:

  - Technical complexity: Cybersecurity involves ongoing threats (like zero-day vulnerabilities) and requires dynamic assessment, which is incompatible with static RF/EMC testing modes.

  - Cross-industry demand: Smart cars, industrial IoT, and medical devices all require unified cybersecurity standards, making independent certification more efficient.

 

Conclusion

- No unfinished business: The EU has firmly positioned cybersecurity as a core aspect of "digital sovereignty," and EN 18031 serves as a technical implementation tool, working alongside GDPR and the Cyber Resilience Act to form a complete regulatory chain.

 

- Manufacturers have no choice: Compliance is the only path to entering the EU market. With leading companies already starting certification, the entire industry will be forced to follow suit.

 

- Trend towards independent certification: In the future, cybersecurity certification will likely be detached from the RED Directive, becoming an independent module, and may even require regular updates (e.g., annual vulnerability scans).

 

Recommendations for Manufacturers:

Start preparing for EN 18031 compliance immediately, focusing on the following cost items:

 

1. Security Development Lifecycle (SDLC) modifications;

2. Third-party vulnerability scanning and penetration testing;

3. Automated deployment of security update mechanisms.

 

The cost of delay is far higher than the cost of compliance.

