EN 18031 EU Wireless Device Cybersecurity Certification: 2026 Beginner's Guide

2026-07-03

Starting August 1, 2025, every product with wireless communication capability heading to the EU market faces a new mandatory hurdle. It is called EN 18031, the EU's harmonized standard for wireless device cybersecurity, privacy protection, and fraud prevention. Fail this hurdle, and the CE mark cannot be applied. The product cannot enter the EU.

Many companies hear about EN 18031 for the first time and react with confusion. Is there not already CE-RED certification? Why another cybersecurity certification? The answer is that EN 18031 is not a standalone new certification. It is the technical implementation standard for three requirements under Article 3, paragraph 3, items (d), (e), and (f) of the RED Directive. Think of it as a security shell added on top of the existing RED framework.

How EN 18031 Came About

The parent legislation behind EN 18031 is the Delegated Regulation (EU) 2022/30, enacted under the RED Directive (2014/53/EU). It added three hard requirements: cybersecurity, privacy protection, and fraud prevention. Previously, RED certification meant RF compliance, electromagnetic compatibility, and electrical safety. Now there are three additional dimensions. The device must withstand network attacks, protect user privacy, and prevent financial fraud.

The standard was jointly developed by CEN and CENELEC. The final version was published in August 2024. On January 28, 2025, the EU Official Journal published Implementing Decision (EU) 2025/138, officially adding EN 18031 to the RED harmonized standards list. Full enforcement began August 1, 2025.

  Three Sub-Standards and Their Divisions

EN 18031 is split into three sub-standards, each corresponding to a RED clause. They cover different territory.

EN 18031-1: Network Security [Article 3(3)(d)]

All internet-capable wireless devices must comply. This is the broadest scope. Six core requirements: access control, encrypted communication, secure updates, traffic control, anomaly logging, and attack recovery. Simply put, the device must not let anyone connect freely, communication must go through encrypted channels, firmware updates must verify digital signatures, and the system must be able to return to a safe state after an attack. Smartphones, routers, cameras, smart locks, and industrial sensors all fall within this scope.

EN 18031-2: Data Privacy [Article 3(3)(e)]

Devices that process personal data face additional requirements. Data collection must be limited to the minimum necessary for functionality. Children's devices must have mandatory parental controls, restricting high-risk features like social networking with strangers. Data breaches must be reported to users within 72 hours, and EU member state market surveillance authorities must also be notified simultaneously. Notifying consumers alone is not sufficient. Children's watches, baby monitors, educational robots, and fitness bands fall into this category.

EN 18031-3: Financial Anti-Fraud [Article 3(3)(f)]

Only connected devices supporting monetary or virtual currency transactions need this. The scope is narrowest, but the requirements are the strictest. Transaction integrity protection, tamper-proof design, multi-factor authentication, and secure boot. Every transaction must record timestamp, amount, and device fingerprint, with at least 5 years of traceability. Logs must be stored locally with hardened storage plus cloud backup. Cloud-only storage does not satisfy the requirement. Boot-time firmware hash verification prevents malicious tampering. Wireless POS terminals, NFC payment devices, hardware crypto wallets, and payment-enabled charging stations must pass this.

  Who Needs EN 18031 and Who Does Not

Products with Wi-Fi, Bluetooth, 5G/4G, LoRa, or NB-IoT wireless capabilities that can connect directly or indirectly to the internet must do EN 18031-1. Those collecting location, health, biometric, or children's personal data must additionally comply with EN 18031-2. Those involving payment or virtual currency must additionally comply with EN 18031-3.

Exemptions:

·Medical devices fall under the MDR regulation, not EN 18031.

·Aviation equipment falls under EASA, exempt.

·Factory-installed OEM vehicle systems like T-Boxes, in-vehicle entertainment, and head units are governed by EU 2019/2144 plus UN R155 vehicle cybersecurity regulations. They are exempt at the whole-vehicle level.

However, aftermarket third-party vehicle wireless accessories do not enjoy this exemption. Standalone 4G modules, third-party head units, and wireless GPS terminals that fall under RED independently must do EN 18031.

Purely wired products without wireless capability are outside the RED scope and naturally not affected. Pure local Bluetooth audio earbuds without OTA upgrades, cloud connectivity, or personal data uploads are fully exempt. But if a Bluetooth earbud can upgrade firmware via an app, or continuously uploads call logs, location, or biometric sensor data, EN 18031-2 applies even without OTA.

  Two Compliance Paths

Self-assessment declaration or notified body third-party assessment. But not all products can choose self-assessment.

Products that allow blank password login out of the factory cannot take the self-assessment path. They must go through NB assessment. The trigger condition is specific: the device ships without mandatory authentication and allows blank password login without forcing a first-time password change. Devices that enforce a first-login password change and permanently disable blank passwords can take the normal self-assessment path. Do not misjudge this.

Children's care and toy devices that do not support parental control permissions also cannot self-assess. Financial devices where security updates alone are insufficient to mitigate risk must go through NB assessment.

  Relationship with Legacy RED

Companies that already hold CE-RED certificates need to supplement EN 18031 assessment and update technical documentation. Existing stock is treated in two parts: products manufactured before August 1, 2025, can continue to clear inventory. Batches produced and shipped after August 1 must supplement EN 18031 assessment and update technical files before applying the CE mark.

For new CE-RED applications, EN 18031 is already a mandatory test item, running alongside RF, EMC, and safety testing. Timeline-wise, products with solid security design fundamentals take 3 to 4 months. Those needing to add encrypted communication, secure updates, or access control take 6 months or more. Children's and payment devices requiring NB involvement add another 4 to 8 weeks.


BlueAsia Testing is a Huawei HiCar authorized certification organization, recognized with the "Excellent Certification Organization" award in 2025. We help exporters navigate EN 18031 compliance and prepare for CE-RED certification under the latest requirements.

For EN 18031 certification consultation, contact BlueAsia Testing: 13632500972 (Benson)