Getting EN 18031 certification wrong at any step means spending the rest of the project plugging holes. I have seen scope misjudgments that forced complete restarts, remediation done without internal regression testing followed by repeated lab failures, and NB review packages rejected four or five rounds running. The problem is not that the standard is impossibly hard. The problem is that too many people understand the process at too shallow a level, thinking it means sending samples and waiting for a report.
This article breaks the full six-step process down, covering who does what at each stage, where bottlenecks occur, and how to pass on the first attempt.
Step 1: Product Scope Determination
This is the first step of project initiation. Get it wrong and everything after is wasted effort.
First, clarify the wireless type. Wi-Fi, Bluetooth, 4G/5G, LoRa, NB-IoT. Any one of these that enables internet connectivity triggers EN 18031-1. One easily missed point: indirect connectivity counts. If the device itself does not access public networks but connects to a phone app via Bluetooth that then goes to the cloud, it is still in scope. Only pure local Bluetooth earbuds without OTA and data uploads are exempt.
After -1 determination, look at data collection. Does the product collect location, biometric, children's, or health data? If yes, EN 18031-2 stacks on top. Does it have payment functionality, NFC card reading, or virtual currency transactions? If yes, EN 18031-3 stacks on top.
The most common exemption trap: factory-installed OEM vehicle systems follow the UN R155 framework, not EN 18031. But aftermarket third-party 4G modules, head units, and wireless GPS assemblies are independent RED devices and cannot escape. Work with your lab's compliance advisor at this step.
Step 2: Pre-Gap Analysis
After scope determination, do not rush to send samples. First, have an NB-accredited lab perform a gap analysis, comparing the product's existing security design against the normative clauses of EN 18031 clause by clause. The Rationale and Guidance chapters in the standard are not compliance basis. Only normative clauses count.
The gap report outputs two things. Satisfied clauses need no work. Unsatisfied gaps split into two categories: software remediation and hardware security element augmentation. The cycle and cost implications are not in the same league.
Too many companies self-assess, glance at a few competitors' public materials, and miss three or four clauses. By the time they reach testing, they face two rounds of rework. Gap analysis costs little and saves a lot. This step cannot be skipped.
Step 3: Product Security Remediation
This is the phase with the most variability.
High-frequency remediation items: switching firmware upgrades from HTTP plaintext to HTTPS with digital signature verification. Adding TLS 1.2 or above to communication links with certificate validation to prevent man-in-the-middle and replay attacks. Establishing full lifecycle management for key generation, storage, rotation, and destruction. Completing logs to include failed operation records and anomaly attack logs. Secure boot verification confirming hardware supports firmware hash tamper protection.
Children's devices doing -2 need parental controls with remote viewing, data deletion, and feature limitation. This is a hard requirement, not just adding a toggle on the device. The app and server side must implement it. Payment devices doing -3 cannot bypass hardware SE (Secure Element) requirements.
The critical action after remediation is internal regression verification. Run all the lab's test cases in your own environment. Confirm everything passes before sending samples. Skip this and your schedule falls apart. I had a client who modified firmware on-site at the testing lab, triggering widespread regression. A four-week test stretched into nearly three months.
Step 4: Laboratory Testing
EN 18031-1's 14 mechanism categories are tested item by item per standard clauses. Multi-RF interfaces like Wi-Fi plus Bluetooth require separate communication link security test cases for each. Stacked -2 or -3 privacy and financial test cases run in parallel.
The most common mistake companies make at this stage: discovering a failure mid-test and trying to patch code on the fly. The correct rhythm is completing remediation, doing internal regression, confirming all items pass, and then entering the lab.
Testing is not just functional verification. Secure communication runs TLS protocol version verification, certificate validation, man-in-the-middle attack simulation, and replay attack testing. Firmware updates run signature verification, rollback protection, and plaintext channel blocking. Access control runs privilege grading, brute force rate limiting, and session management. Missing any item means the test has not passed.
Step 5: Compliance Assessment Path
The (EU) 2025/138 restriction clauses directly determine which path your product takes.
Self-Assessment
Applicable when: factory enforces password change, no blank password login, not a children's or payment device. The company compiles a Declaration of Conformity based on the test report and signs it, assuming full compliance responsibility. The product carries only the CE mark, no NB number. Annual obligation: maintain production consistency records for inspection. No mandatory audit.
NB Third-Party Assessment
Mandatory for: products allowing blank password login, children's monitoring and toy devices, all payment terminals. Full test reports and technical documentation are submitted to the NB. The NB independently reviews the attack surface and security implementation. Substandard materials are rejected outright. Upon passing, a type examination certificate is issued. The product carries CE mark plus NB number on both the device and packaging. NB certificates carry annual CoP obligations: submit annual reports and cooperate with unscheduled sampling.
Many companies reach this step only to discover their threat model does not cover all attack surfaces, or their DPIA lacks sufficient depth. The NB sends it back repeatedly. Secondary review after remediation adds extra person-day fees.
Step 6: Technical Documentation Archiving
The final step integrates all materials into the RED technical construction file. Security architecture description, threat model, EN 18031 test report, penetration test report, DPIA privacy assessment, firmware version control and change traceability records. All go to the EU authorized representative for retention of at least 10 years.
Sign the EU representative contract at project start, not at the end. Define the authorization scope clearly. If market surveillance authorities cannot reach the EU representative, the documentation is considered invalid.
Do not forget market-ready packaging: CE mark on product and packaging, NB number for NB-path products. Upload certificates to e-commerce platforms. Amazon EU and Temu enforce mandatory verification. Deliver compliance summaries to importers and offline distributors to mitigate supply chain joint liability.
If the product changes communication modules or undergoes major security hardware modifications, re-assessment and partial retesting are required.
BlueAsia Testing is a Huawei HiCar authorized certification organization, recognized with the "Excellent Certification Organization" award in 2025. We guide exporters through the full EN 18031 certification process from start to finish.
For EN 18031 process consultation, contact BlueAsia Testing:13534225140
相关新闻