Inquiries about EN 18031 have surged recently, especially from manufacturers exporting Bluetooth headsets, smartwatches and Wi-Fi modules to the EU. As the August 1, 2025 enforcement deadline draws near, many enterprises realize the old CE-RED model (only RF and EMC testing for shipment) is obsolete.
This article fully explains the definition of EN 18031-1:2024, its differences from legacy RED certification and required test items.
1. Background
The EU released the Radio Equipment Directive (RED) 2014/53/EU in 2014. Clause 3.3 mandates that wireless devices meet minimum standards for cybersecurity, personal data protection and anti-fraud controls, alongside traditional RF and EMC requirements.
For years, Clause 3.3 remained unenforced due to missing harmonized technical standards. In January 2022, the European Commission issued Implementing Regulation EU 2022/30, outlining a mandatory rollout roadmap and tasking CEN/CENELEC with developing supporting harmonized standards by 2024.
CENELEC published the full EN 18031 standard suite in mid-2024, which was listed as an official OJEU harmonized standard on January 30, 2025. Mandatory enforcement launched August 1, 2025; all new models placed on the EU market after this date must comply, with short grace periods for existing inventory set by individual member states.
2. Three Sub-Standards of EN 18031 and Respective Scopes
EN 18031 is a three-part suite with distinct regulatory alignment to RED Clause 3.3 subsections:
·EN 18031-1: Cybersecurity (RED 3.3(d), foundational requirement). Mandatory for all internet-connected wireless devices. Core obligations include network attack resistance, secure factory default configurations, encrypted firmware over-the-air (OTA) updates and end-to-end communication encryption. Example mandates: Wi-Fi smart plugs must disable weak encryption protocols, prohibit generic default credentials like admin/admin, and deploy encrypted OTA delivery channels.
·EN 18031-2: Personal Data & Privacy Protection (RED 3.3(e)). Only applicable to devices processing personal user data, with strict oversight for children-targeted products. Personal data processing scenarios include smartwatch heart rate tracking, wireless camera facial capture and smart speaker voice command recording. Children’s devices face rigorous hardware-enforced parental control rules; software-only control schemes are non-compliant.
·EN 18031-3: Financial Anti-Fraud Protection (RED 3.3(f)). Limited exclusively to payment hardware such as wireless POS terminals and NFC payment readers. Requirements include tamper-proof hardware, auditable transaction trails and data integrity validation, featuring the highest technical complexity of the three parts.
Quick compliance rule of thumb: All connected wireless devices need Part 1; add Part 2 if personal data is processed (critical for kids’ gear); add Part 3 for payment-enabled hardware.
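A pre-compliance check for the three Part 1 example mandates named above (no generic default credentials, no weak Wi-Fi encryption, encrypted OTA channel), as an added example that is not part of the original article or of the EN 18031 text. The config field names, the weak-mode and credential lists, and the shared-password check across a production batch are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

# Assumed policy values for this sketch; the article names only admin/admin.
GENERIC_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
WEAK_WIFI_MODES = {"open", "wep", "wpa-tkip"}
ENCRYPTED_OTA_SCHEMES = {"https"}


def audit_device(cfg, shared_passwords=frozenset()):
    """Return a sorted list of finding codes for one factory-default config."""
    findings = set()
    user = cfg.get("admin_user", "").lower()
    password = cfg.get("admin_password", "")
    # An empty password or a well-known pair is a generic default.
    if not password or (user, password.lower()) in GENERIC_CREDENTIALS:
        findings.add("generic-default-credentials")
    if password and password in shared_passwords:
        findings.add("password-shared-across-units")
    enabled = {m.lower() for m in cfg.get("wifi_modes", [])}
    if enabled & WEAK_WIFI_MODES:
        findings.add("weak-wifi-encryption-enabled")
    # Transport check only: the OTA URL must use an encrypted scheme.
    if urlparse(cfg.get("ota_url", "")).scheme.lower() not in ENCRYPTED_OTA_SCHEMES:
        findings.add("ota-channel-not-encrypted")
    return sorted(findings)


def audit_batch(configs):
    """Audit a production batch; a password seen on more than one unit is shared."""
    counts = Counter(c.get("admin_password", "") for c in configs.values())
    shared = frozenset(p for p, n in counts.items() if p and n > 1)
    return {serial: audit_device(cfg, shared) for serial, cfg in configs.items()}


# Constructed sample batch (hypothetical serials and values, not real devices).
SAMPLE_BATCH = {
    "PLUG-0001": {"admin_user": "admin", "admin_password": "admin",
                  "wifi_modes": ["WPA2-PSK", "WEP"], "ota_url": "http://ota.example.test/fw.bin"},
    "PLUG-0002": {"admin_user": "admin", "admin_password": "Kq7#vT2m",
                  "wifi_modes": ["WPA2-PSK", "WPA3-SAE"], "ota_url": "https://ota.example.test/fw.bin"},
    "PLUG-0003": {"admin_user": "setup", "admin_password": "Kq7#vT2m",
                  "wifi_modes": ["WPA3-SAE"], "ota_url": "https://ota.example.test/fw.bin"},
    "PLUG-0004": {"admin_user": "setup", "admin_password": "x9!Lw0pZr",
                  "wifi_modes": ["WPA3-SAE"], "ota_url": "https://ota.example.test/fw.bin"},
}

if __name__ == "__main__":
    for serial, findings in audit_batch(SAMPLE_BATCH).items():
        print(serial, "PASS" if not findings else "FAIL " + ", ".join(findings))
```

The batch-level pass catches a password that looks strong on one unit but is flashed identically onto every unit, which a per-device check against a known-credentials list would miss.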
3. Fundamental Differences vs Legacy CE-RED Certification
-Traditional CE-RED relied on three core assessments: RF performance, EMC and electrical safety. Manufacturers issued a Declaration of Conformity (DoC) post-testing to affix CE marks, a mature workflow used by factories for over a decade.
-EN 18031 introduces mandatory security testing and a two-tier certification split:
·Most standard consumer wireless hardware (Wi-Fi plugs, Bluetooth earbuds, fitness bands, regular cameras, automotive T-Boxes) may still follow manufacturer Self-Declaration (SDoC) upon passing EN 18031-1/-2 tests and submitting formal risk assessment reports.
·Three high-risk product categories require mandatory Notified Body (NB) certification: financial payment terminals, high-risk children’s smart devices, industrial/medical wireless units with remote critical control functionality. NB certification extends project timelines far beyond standard SDoC cycles, demands comprehensive technical documentation and risk analysis, and carries substantially higher fees (starting at thousands of euros for basic consumer models, with steep premiums for payment and complex industrial equipment).
-Penalties are significantly stricter than pre-EN 18031 rules: EN 18031-2 privacy breaches trigger GDPR fines up to €20 million or 4% of global annual turnover (whichever is higher). Cybersecurity and anti-fraud violations follow individual member state RED penalty frameworks (not universal GDPR caps) yet impose severe financial risks for small and mid-sized electronics exporters.
4. Mandatory Product Coverage for EN 18031
-Official scope: All radio devices with transmit/receive functionality connecting to public networks (direct or via relay), plus hardware handling sensitive personal data. Some member states apply lighter enforcement to isolated local-LAN-only wireless gear, though full standard compliance remains formally required EU-wide. In plain terms, nearly all wireless smart devices fall under enforcement.
-Covered product categories:
·Mobile electronics: Phones, tablets, laptops, smartwatches, fitness bands, Bluetooth headsets;
·Smart home: Speakers, smart locks, wireless cameras, smart lighting, Wi-Fi sockets;
·Automotive: T-Boxes, onboard communication modules;
·B2B IoT: Industrial sensors, wireless gateways, 5G CPE units. Industrial non-consumer hardware is not exempt for EU market entry.
-Limited exemption boundaries: Wireless medical devices are not fully exempt; RF and cybersecurity must meet EN 18031 per RED, while clinical performance and biocompatibility follow parallel MDR audits. Automotive UN R-series and aerospace RTCA equipment prioritize industry-specific regulations with partial RED/EN 18031 waivers subject to model and member state verification. Most consumer and industrial IoT manufacturers cannot avoid compliance entirely.
Key clarification: EN 18031 is a RED-specific harmonized cybersecurity standard enforced August 1, 2025. The Cyber Resilience Act (CRA, EU 2024/1387) is a cross-sector digital product resilience law phased in starting 2027. Wireless devices must first satisfy EN 18031, then upgrade to meet subsequent CRA obligations; the two frameworks operate in parallel with no substitution.
Procrastination carries severe risks: Non-compliant shipments risk customs seizure post-August 1, resulting in lost EU market access alongside financial losses beyond certification costs.