What is EN 18031 Compliance Certification?

Recently, the European Commission announced in its official journal, Office Journal (OJ), that the en 18031 series of standards have been incorporated into the Radio Equipment Directive (Directive 2014/53/EU) as harmonized standards. This decision aims to further regulate cybersecurity requirements for radio equipment, enhancing compliance and security for devices entering the EU market.

As the cybersecurity requirements outlined in the EN 18031 series will become mandatory from August 1, 2025, this represents a significant shift for wireless equipment manufacturers.

Background and Significance

The EN 18031 series of standards were developed jointly by the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), primarily focusing on cybersecurity requirements for radio equipment. The inclusion of this series marks a crucial step in the EU's efforts to enhance cybersecurity for radio equipment, providing manufacturers with a clear technical framework while simplifying the process of entering the EU market.

Composition of the EN 18031 Series

The EN 18031 series consists of three parts, each addressing different types of radio equipment and their security requirements. In 2022, the European Commission also introduced cybersecurity requirements under Article 3(3) of the directive.

EN 18031-1:2024

- Scope: Internet-connected radio equipment.

- Compliance Requirements: Must meet the basic requirements of Article 3(3)(d) of the Radio Equipment Directive, which introduces cybersecurity measures to "prevent network harm and service degradation."

EN 18031-2:2024

- Scope: Includes internet-connected devices, childcare equipment, toy devices, and wearable devices.

- Compliance Requirements: Must meet the basic requirements of Article 3(3)(e) of the Radio Equipment Directive, introducing cybersecurity measures to "protect personal data and user privacy."

EN 18031-3:2024

- Scope: Radio equipment handling virtual currency or monetary value.

- Compliance Requirements: Must meet the basic requirements of Article 3(3)(f) of the Radio Equipment Directive, introducing cybersecurity measures to "prevent fraud in wireless devices handling virtual currency."

Restrictions in the Harmonized EN 18031 Standards Listed in the OJ

EN 18031-1:2024

- If users are allowed to not set or use any passwords (Sections 6.2.5.1 and 6.2.5.2), the device does not meet the requirements of Article 3(3)(d) of the directive.

- The "rationale" and "guidance" sections of the standard do not provide a presumption of conformity with the basic requirements of Article 3(3)(d).

EN 18031-2:2024

- If users are allowed to not set or use any passwords (Sections 6.2.5.1 and 6.2.5.2), the device does not meet the requirements of Article 3(3)(e).

- For specific devices like children's equipment, if parental or guardian access control is not ensured (e.g., Section 6.1.3.4.2), the device does not comply with Article 3(3)(e).

- The "rationale" and "guidance" sections do not provide a presumption of conformity with Article 3(3)(e).

EN 18031-3:2024

- If users are allowed to not set or use any passwords (Sections 6.2.5.1 and 6.2.5.2), the device does not meet the requirements of Article 3(3)(f).

- Section 6.3.2.4 outlines assessment criteria for security updates, listing four different implementation categories, including digital signatures, secure communication mechanisms, and access control mechanisms. However, no single approach is sufficient for financial asset security assessment.

- Manufacturers of products covered by EN 18031-3:2024 cannot ensure compliance with Article 3(3)(f) solely based on the product’s design. Therefore, third-party conformity assessment is mandatory.

- The "rationale" and "guidance" sections do not provide a presumption of conformity with Article 3(3)(f).

These restrictions indicate that while the EN 18031 series provides a cybersecurity framework for radio equipment, some devices may still fail to fully meet the essential requirements of the Radio Equipment Directive in the following areas:

- User password setup and usage.

- Parental or guardian access control for children's devices.

- Security evaluation of devices handling virtual currency.

For radio equipment that is partially compliant, non-compliant, or lacks harmonized standards, the conformity assessment process must involve a Notified Body (NB) for evaluation.

Impact on Manufacturers

The implementation of the EN 18031 series will drive manufacturers to strengthen the cybersecurity of their devices while providing greater security assurance for users. These standards will also help regulate the EU radio equipment market and boost consumer confidence in wireless devices.

Since the RED cybersecurity requirements will be enforced from August 1, 2025, all products entering the EU market after this date must comply. Manufacturers must act quickly to ensure compliance with the new cybersecurity requirements.

Key Actions for Manufacturers:

1. Determine whether products fall under the restricted clauses.

2. Document additional security measures.

3. Select the appropriate certification pathway.

Cybersecurity Testing and Certification Services by JJR Laboratory

JJR Laboratory provides comprehensive testing and evaluation services to help manufacturers meet cybersecurity compliance requirements.