EN 18031 Product Scope: Which Wireless Devices Must Comply in 2026?

2026-07-06

Which products does EN 18031 actually cover? Most people's first instinct is "anything with wireless." That's not wrong, but the boundary details — where does aftermarket end and OEM begin, does indirect connectivity count, do locally-stored data points trigger privacy requirements — these distinctions trip up a lot of companies. If you're running a cross-border e-commerce business with hundreds of SKUs, misclassifying even a few products can mean unexpected compliance costs or customs holds. This article maps out the full product scope.

Coverage Principle and Exemption Boundary

Any product with Wi-Fi, Bluetooth, 4G/5G, LoRa, NB-IoT, NFC, Zigbee, or UWB radio capability that can connect to the internet — directly or indirectly — falls under EN 18031-1. Indirect connectivity means the device itself has no public network module, but it connects to a phone app via Bluetooth, and that app forwards data to the cloud. Same rule applies. If there's a path from the device to the internet, it's in scope.

The following categories are fully exempt — no EN 18031 required:

OEM automotive T-Boxes and infotainment systems fall under UN R155 and EU 2019/2144 at the vehicle level. MDR-regulated medical devices and EASA-regulated aviation equipment are exempt. Purely wired devices with no radio module at all are outside RED's scope entirely. And if a device has a wireless module but the radio is permanently locked at the factory with no connectivity or data collection capability, you can apply for a functional exemption by providing proof — no full test suite needed.

Pure local Bluetooth earbuds that only play audio, with no OTA updates and no cloud data interaction, are exempt. But here's a boundary that's easy to miss: even without cloud upload, if those earbuds collect heart rate or ear temperature biometric data, or if they continuously sync exercise or location records to the phone's local storage (readable by the app), they still trigger EN 18031-2 privacy requirements. The exemption test isn't just "does it go to the cloud" — it's also "does it collect sensitive data locally."

  Four Common Misjudgments in Layered Classification

-1 Plus -2: Does the Data Link to a Real Person?

Bluetooth beacons and Wi-Fi fingerprinting used for indoor positioning only trigger -2 if the location data is associated with a specific user through account binding. Anonymous retail foot traffic analytics beacons that don't bind to user identities don't need -2. But cameras, smartwatches, and body composition scales that collect health, location, or image data for long-term analysis and user profiling have a high probability of triggering -2. Children's smartwatches involve children's personal data, which means -1 plus -2 and mandatory NB assessment — self-assessment is not an option.

Print Cache and Screen Mirroring: Not Always -2

Print cache and screen mirroring content doesn't automatically trigger -2. Only if the cached or transmitted content contains personally identifiable information — faces, identity documents, biometric data, location — does -2 apply. Plain text office documents or non-personal screen mirroring content? EN 18031-1 alone is sufficient.

-1 Plus -3: It's Not About Whether Payment Exists

The -3 trigger isn't "does the product involve any payment." A smart door lock that processes a one-time QR code payment, or a device that handles a one-time cloud checkout without storing balance or transaction ledgers locally, only triggers -2 — not the full -3 financial security suite. EN 18031-3 applies only when the device itself stores fund balances, processes top-up and deduction transactions, or handles virtual currency settlement. Wireless POS terminals, hardware crypto wallets, and charging stations with built-in balance accounts — these need -3. The distinction matters enormously for hardware cost — don't classify a one-time payment device as a -3 product and start adding secure element chips you don't need.

Multi-Radio Devices: Test Scope, Not Sub-Standard Scope

For devices with multiple radio types (Wi-Fi plus Bluetooth plus 4G/5G), each communication link's security use cases are tested independently. But the sub-standard applicability (-1, -2, -3) doesn't change based on the number of radio types. Having both Wi-Fi and Bluetooth doesn't push you into an additional sub-standard — it just means more test cases within the same sub-standard.

  High-Frequency Misjudgment Scenarios

Aftermarket automotive. Aftermarket 4G GPS trackers, third-party head units, and 4G dashcams are independent RED products. They don't qualify for the OEM vehicle exemption. I had a client making aftermarket GPS trackers who assumed they'd be classified as "auto accessories" and exempt. They were not. Independent wireless devices with their own radio modules — full EN 18031 from -1 onward, and -2 if they collect location data.

B2B industrial equipment is not exempt. The RED directive doesn't distinguish between consumer and enterprise sales channels. Industrial wireless gateways, sensors, and edge computing terminals — if they have wireless capability and enter the EU market, they need EN 18031. Many B2B manufacturers misjudge this, assuming that "industrial" means "exempt." It doesn't.

CRA-compliant devices still need -2 and -3. Products that have completed full CRA compliance can reuse the general cybersecurity mechanism overlap with EN 18031-1. But -2 children's privacy and -3 financial payment specialized provisions have no CRA equivalent. They must still be tested separately. Don't assume a CRA certificate covers everything.

Transition period stock. Products manufactured before August 1, 2025, can be cleared through normal channels. Batches produced after that date must have EN 18031 assessment in the technical file. Don't mix old and new batch compliance calculations — the cutoff is clear.

  Quick-Reference Classification Guide

Mandatory -1: Any wirelessly connected product — smart home devices, industrial gateways, aftermarket 4G/5G automotive devices, Bluetooth fitness bands and earbuds with app sync or OTA, wireless routers, wireless printers, shared charging stations.

Additional -2: Products collecting data linkable to a natural person — location, camera, heart rate, children's data. Smartwatches, children's phone watches, cameras, body composition scales, home sensors with indoor positioning. (Wired printers and screen mirroring devices without personal data: -1 only.)

Additional -3: Devices that locally store funds or virtual currency — wireless POS, hardware crypto wallets, charging stations with built-in balance deduction. (One-time cloud payment door locks: -2 only, not -3.)

Fully exempt: OEM vehicle T-Boxes and infotainment, MDR medical devices, EASA aviation equipment, purely wired devices with no radio, purely local Bluetooth keyboard/mouse/audio without OTA and without sensitive data collection, devices with factory-locked radio modules and supporting documentation.

  The Bottom Line

Getting the product scope right at the beginning saves you from expensive surprises later. The four most common misjudgments — aftermarket automotive exemption assumptions, B2B exemption assumptions, -3 over-classification for one-time payment devices, and local-only data collection oversight — each can add weeks to your timeline and significant unnecessary costs. Classify carefully, document your reasoning, and when in doubt, ask a lab that has actual EN 18031 testing experience. Guessing is the most expensive option.


For EN 18031 product scope determination, contact BlueAsia Testing at 13534225140 (Benson).