What documents do you need for EN 18031 certification? I have lost count of how many times I have been asked. Too many clients get most of the way through lab testing before remembering to assemble documentation, only to have the NB send it back for revisions across multiple rounds. This article covers everything you need to prepare, broken down by self-assessment and NB paths, with attention to which materials cause the most trouble.
1. Security Architecture Description
You need to explain how the product's security protection is layered. Each security mechanism must map to the specific EN 18031 clause it addresses, how it is implemented, and what parameters are configured. For communication security, state the TLS version, CA certificate source, key length, and cipher suite whitelist. The worst case is documentation claiming TLS 1.3 while packet capture during testing shows TLS 1.1. This kind of basic contradiction gets rejected immediately. Companies with limited review experience trip over this the most.
2. Threat Model Analysis
Use STRIDE or attack tree methodology. All four major attack surfaces must be covered: wireless layer (Bluetooth hijacking, Wi-Fi man-in-the-middle), firmware layer (key extraction, rollback downgrade), physical layer (debug port exposure), and cloud API layer (unauthorized access). Each threat must be tied to a specific product interface and protocol stack. Writing "an attacker may compromise the device via network" is useless. The NB can tell. Templated copies are spotted instantly.
3. Penetration Test Report
This cannot be substituted with functional testing. It must be performed by a security engineer with offensive/defensive experience following the OWASP IoT Top 10. Each attack step requires operation records, vulnerability reproduction PoC screenshots, severity rating, remediation plan, and retest conclusion. Functional verification that confirms the network communicates is not a penetration test. They are two entirely different things.
4. EN 18031 Complete Test Records
Raw data and pass/fail conclusions from the lab's item-by-item testing per standard clauses. For multi-RF devices like Wi-Fi plus Bluetooth plus 4G, each wireless interface requires independent test records. The NB cross-references test data against the security architecture documentation. Missing records mean supplementary testing, which throws the schedule into chaos.
5. DPIA Data Privacy Assessment Report
Only applies to EN 18031-2 products. Per GDPR Article 35, list what sensitive data is collected, how it is minimized, encryption and storage schemes, cross-border transfer compliance measures, and how user access and deletion rights are implemented. Item by item. The common problem with templated DPIAs is that they disconnect from the product's actual data collection logic. Generic privacy statements do not meet the standard.
Self-Assessment Path: Additional Documents
The RED Directive Declaration of Conformity and Module A internal production control documents. The declaration must state the applicable harmonized standard number and version, testing laboratory ISO 17025 accreditation number, and product model range. Signing means the company assumes full responsibility.
Easily forgotten: the existing RED base documents. RF report, EMC report, safety report, risk assessment report. EN 18031 is an addition to this foundation, not a replacement.
NB Path: Additional Materials
The NB path requires significantly more documentation:
·Sample consistency declaration: committing that mass production hardware, firmware, and security configuration match the tested sample.
·Type examination application form and NB review person-day document package.
·Children's devices: supplementary complete parental control verification report.
·Payment devices: supplementary hardware SE security element certification and transaction log专项 explanation.
After the NB issues the certificate, annual production conformity reports must be submitted, with cooperation for unscheduled sampling.
Top Six Failure Points
1.Threat model granularity insufficient: rejected repeatedly because attack surfaces are described too vaguely.
2.Security architecture description mismatches firmware: documentation says one thing, testing reveals another.
3.Penetration test submitted as functional test: the NB spots this immediately.
4.DPIA template套用: privacy clauses are generic and disconnected from actual data collection.
5.EU representative information incomplete: authorization scope does not cover cybersecurity compliance.
6.Multi-RF device test records cover only one interface: NB cross-reference discovers the gap.
Document Retention Rules
All documents must be archived at the EU authorized representative's office for 10 years, counted from the last batch of product market placement. Electronic files must be encrypted and backed up to prevent tampering. Market surveillance authorities can request access at any time. Missing documentation means goods are detained and products recalled.
One practical tip that saves headaches later: maintain a living document register from day one of the project. Track which documents are in draft, under review, approved, or needing update. When the NB or market surveillance asks for a specific file, being able to produce it within 24 hours versus scrambling for two weeks makes a material difference in how smoothly the compliance relationship runs.
Another point worth noting: if your product is sold across multiple EU member states, the documentation language requirements may vary. Some authorities accept English-only technical files. Others may require the user-facing documents (declaration of conformity, user manual privacy notices) in the local language. Check the specific requirements of your primary market early in the project.
BlueAsia Testing is a Huawei HiCar authorized certification organization, recognized with the "Excellent Certification Organization" award in 2025. We help exporters prepare complete EN 18031 document packages and coordinate with EU notified bodies.
For EN 18031 document consultation, contact BlueAsia Testing: 13534225140
相关新闻