EN 18031 Certificate Validity 2026: How Long Does the Certification Last?

2026-07-06

Does an EN 18031 certificate expire? Sounds like a simple question, but the answer depends on which path you took and what kind of certificate you hold. A lot of companies assume that once the certificate is issued, they're set for years. Then one day they try to ship a new batch and customs blocks it because the compliance status went sideways. This article breaks down the validity rules for EN 18031 — what keeps a certificate alive, what can kill it, and how to handle the annual maintenance without surprises.

NB Certificates Have No Fixed Expiry Date — They Survive on CoP

Here's the first thing to get straight. Type-examination certificates issued by a Notified Body under EN 18031 do not come with a fixed expiry date. There's no "valid for three years" or "expires in five years" printed on the document. This is fundamentally different from certifications like FCC, Bluetooth BQB, China CCC, or automotive E-mark, where you get a clear renewal deadline.

And while we're clearing up confusion — the underlying CE-RED radio and EMC certificates also don't have a fixed three-year expiry. That's a common misconception from people who are used to the FCC or BQB renewal cycle. The RED system simply doesn't work that way.

What keeps an NB certificate alive is the annual Conformity of Production report, or CoP. Every year, the manufacturer has to submit production sampling records, a declaration that the security configuration remains consistent with the certified sample, and firmware version control logs. These go to the NB for archival.

Now, if you miss the CoP deadline, it's not an instant death sentence. Notified Bodies handle this in two stages. A short delay of one to three months gets you a formal reminder with a deadline to submit — the certificate stays active during this period. Only if you repeatedly ignore reminders or flat-out refuse to submit does the NB escalate to suspension. A lot of companies don't know about this buffer and panic the moment the deadline passes. The smart move is to submit as soon as possible — don't wait for the escalation.

  Self-Assessment Declarations Stay Valid — But Compliance Is on You

If you took the self-assessment route, there's no NB certificate to begin with. You signed a Declaration of Conformity yourself, and that declaration has no expiry date. It stays valid as long as the product remains in compliance.

The catch is that there's no external body checking on you. It's entirely up to the manufacturer to monitor product changes and determine when a re-test is needed. Swap out the communication module, restructure the security architecture, change the encryption implementation — any of these means the original declaration no longer covers the current product. If market surveillance catches a non-compliant product during a random check, you're looking at fines and a recall, and the fact that you self-declared makes the liability entirely yours.

On the cost side, there's a real advantage here that's often overlooked. A single-model product with stable hardware and no frequent revisions has no annual NB audit fee under self-assessment. The ongoing compliance cost is significantly lower than the NB path. But if you're running multiple models with frequent updates, the re-testing burden adds up fast. Don't assume self-assessment is always cheaper — it depends on your product lineup and how often you change things.

  Transition Period: Legacy RED Certificates and Stock Clearance

RED certificates obtained before August 1, 2025, are not automatically invalidated. The certificate itself remains on the books. What changed is that any new production batch shipped after that date must include an EN 18031 assessment in the technical file. Stock that was already manufactured before the deadline can be cleared through normal channels.

But there's a boundary that trips people up. EU member states set what they consider a reasonable stock digest  period — typically 12 to 24 months. If you're sitting on a warehouse of three-year-old inventory and trying to clear it as "pre-August 2025 stock," customs is going to take a hard look. Long-stored legacy inventory can still get intercepted.

And here's the operational detail: if customs inspects a shipment claimed as pre-deadline stock, you need to prove it. Production date records and shipping documents have to align. "We think it was made before August" doesn't cut it. The burden of proof is on the manufacturer or importer.

  Document Retention, Patch Support, and the EU Representative

Under the current RED directive, technical documentation must be retained for "a sufficient period" after the product is placed on the market. Member states interpret this differently — anywhere from 5 to 10 years. The CRA (Cyber Resilience Act, Regulation (EU) 2024/2847) does specify a clear 10-year retention obligation, but that regulation doesn't fully take effect until late 2027. As of 2026, you can't uniformly demand 10 years across all member states — the legal basis isn't there yet. But it's coming, so plan for it.

Post-market security patch support is another gray area. Current regulations don't specify a mandatory period for vulnerability patching after a product is discontinued. Industry best practice suggests maintaining 2 to 3 years of patch support. Once the CRA kicks in, that stretches to a 10-year statutory requirement. Don't conflate the current recommendation with future legal obligation, but also don't design products as if patching doesn't matter — it's going to matter a lot.

Your EU Authorized Representative agreement is typically renewed annually. If the agreement lapses and regulatory authorities can't reach the responsible party, customs and market surveillance can hold shipments and suspend the product's market access. However — and this is a subtle but important distinction — the NB certificate itself doesn't freeze or invalidate just because the rep agreement expired. Certificate status and market circulation rights are two separate legal concepts. But practically speaking, if you can't lawfully place the product on the market, the certificate's value is moot.

  Product Change Assessment: What Triggers a Re-Evaluation

Changing the security chip, swapping the communication module, or doing a major overhaul of the firmware's underlying security architecture doesn't automatically invalidate the original NB certificate. What it does is trigger a change assessment — you submit the modification details to the NB, and they evaluate whether the change affects EN 18031 compliance.

During the assessment period, the original certificate remains valid. You can continue shipping under the existing certification while the NB reviews the changes.

What counts as a major change? Only modifications to core security mechanisms require NB review: signature algorithms, key management schemes, secure boot implementations, encrypted communication channels, parental control features, and transaction traceability systems. If your OTA distribution strategy shifts from full rollout to staged gray release — but the firmware verification and signature security logic stays the same — that's not a major security change. You document it internally and move on. No NB submission needed.

This boundary matters because a lot of companies either over-report minor changes and waste time on unnecessary NB reviews, or under-report major changes and risk shipping non-compliant products. The rule of thumb: if the change touches how the device authenticates, encrypts, signs, or protects data, it needs review. If it's just a UI tweak or a non-security-related firmware adjustment, file it and forget it.

  Summary: Validity Rules at a Glance

NB type-examination certificates are valid indefinitely, maintained through annual CoP submissions. Self-assessment declarations are valid indefinitely, maintained through the manufacturer's own diligence on product consistency. Transition-period RED certificates issued before August 2025 remain valid for the certificate itself, but new production batches require EN 18031 assessment to be added to the technical file. Product changes trigger re-evaluation only when core security mechanisms are affected.

The bottom line: EN 18031 validity isn't about counting days on a calendar. It's about whether you're actively maintaining compliance throughout the product's market life. Skip the CoP, ignore change assessments, or let your EU representative agreement lapse — and you'll find out the hard way that "long-term valid" has conditions attached.


For EN 18031 certification validity consultation, contact BlueAsia Testing at 13534225140 (Benson).