What is the EN 18031 Standard?

EU Cybersecurity Regulations

The European Union (EU) has taken steps to regulate cybersecurity, with the first mandatory implementation occurring in 2022. Cybersecurity requirements were incorporated into the EU’s Radio Equipment Directive (RED) as essential regulatory provisions. The cybersecurity-related clauses Article 3.3 (d), (e), and (f) of the RED will become mandatory from August 1, 2025.

From this date onward, products covered by the RED must comply with cybersecurity requirements in order to meet the CE marking criteria. The key requirements include:

- Article 3.1 (a) – Safety

- Article 3.1 (b) – Electromagnetic Compatibility (EMC)

- Article 3.2 – Radio communication

- Article 3.3 (d), (e), (f) – Cybersecurity requirements

- Article 3.4 – Common charging interface

Products Covered by the Regulation

The RED applies to radio equipment that communicates via the internet or other devices. Additionally, wireless devices that process sensitive personal data fall within its scope. Examples include:

- Mobile phones, tablets, and laptops

- Wireless toys and child safety devices (e.g., baby monitors)

- Wearable technology (e.g., smartwatches, fitness trackers)

- Smart cameras, smart TVs, smart speakers, and smart displays

- Smart home appliances (e.g., smoke detectors, smart locks, window sensors)

Harmonized Standard en 18031

The EN 18031 series is the EU’s harmonized standard for cybersecurity. Manufacturers can use the EN 18031 standards to demonstrate compliance with the new cybersecurity requirements. Different EN 18031 standards apply depending on the type of product:

- EN 18031-1 – Applies to Article 3.3(d): Devices connected to networks

- EN 18031-2 – Applies to Article 3.3(e): Wireless devices processing personal data

- EN 18031-3 – Applies to Article 3.3(f): Wireless devices involved in monetary transactions

OJ Listing and Application Restrictions

When the EU Official Journal (OJ) lists the EN 18031 standards under the RED Directive, it may impose specific limitations on their application. These restrictions must be carefully considered when implementing compliance strategies. Some key restrictions include:

- “Basic principles” and “guidelines” sections

- Use of passwords

- Parental or guardian access controls

- Monetary value transactions

When is a Notified Body (NB) Required?

A Notified Body (NB) assessment is required in certain cases:

- For products subject to OJ restrictions, specific limitations in EN 18031-1 and EN 18031-2 require NB evaluation.

- For products covered by Article 3.3(f) (i.e., using EN 18031-3), NB assessment is mandatory.

- Products integrating third-party systems or applications (e.g., Windows, third-party apps) must also be evaluated by an NB.

Recommendations for Manufacturers

The RED cybersecurity requirements will become mandatory on August 1, 2025. Manufacturers must act quickly to ensure their wireless products comply. Key steps include:

1. Review the RED scope – Determine if your product falls under the RED cybersecurity requirements. Testing labs, such as JJR Lab in China, can assist in assessing product relevance.

2. Examine the EN 18031 series – Understand how these standards apply to your product and identify relevant restrictions.

3. Conduct a compliance gap analysis – Evaluate your product’s current cybersecurity measures against EN 18031 requirements.

4. Prepare for the market – Implement necessary changes in product design, testing, and technical documentation to meet the 2025 regulatory deadline.

5. Obtain an NB certification – Getting a Notified Body conformity certificate is a reliable way to demonstrate compliance in the market.

Final Thoughts

The EN 18031 series, as an OJ-listed harmonized standard, provides wireless device manufacturers with clear guidance on meeting RED cybersecurity requirements. However, the OJ’s listed restrictions highlight the importance of careful assessment and expert guidance.

JJR Lab in China has cybersecurity laboratories, experienced cybersecurity experts, and certification auditors. We offer professional guidance to help manufacturers understand regulatory requirements and achieve compliance before the mandatory deadline. Our services include consultation, training, assessment, and cybersecurity certification for the EN 18031 series.