In 2025, the EU introduced new cybersecurity regulatory requirements for all radio equipment under the Radio Equipment Directive (RED).
At the heart of these new rules lies the EN 18031 series of cybersecurity standards, which define mandatory protection measures for connected devices.
This guide summarizes the core content, application scope, certification paths, and compliance strategies to help manufacturers prepare for the upcoming enforcement.
The EN 18031 series corresponds directly to Article 3(3)(d), (e), and (f) of the RED.
Each part focuses on securing a specific category of assets: network integrity, user privacy, and financial security.
| RED Clause | EN 18031 Standard | Focus Area | Key Limitation Conditions (Triggering NB Certification) |
|---|---|---|---|
| Article 3(3)(d) — Devices must not harm the network or degrade service. | EN 18031-1:2024 (General security requirements for connected radio equipment) | Network Protection — Prevent misuse, malware injection, or DDoS attacks. | If the device allows skipping password setup or uses default passwords (clauses 6.2.5.1, 6.2.5.2), NB certification is mandatory. |
| Article 3(3)(e) — Protection of user personal data and privacy. | EN 18031-2:2024 (Security for data-processing devices such as wearables, toys, or IoT cameras) | Privacy & Data Security — Protect user data, prevent unauthorized access. | If user passwords can be skipped, or if parental access control isn’t enforced (clause 6.1.3), NB certification is required. |
| Article 3(3)(f) — Fraud prevention for monetary or virtual value handling. | EN 18031-3:2024 (Security for financial and payment-related equipment) | Financial Security — Prevent fraud and tampering in transactions. | If relying solely on a single update method (e.g., only digital signatures), NB certification is mandatory. |
Starting August 1, 2025, all radio equipment entering the EU market must comply with the cybersecurity requirements outlined in EN 18031-1, EN 18031-2, or EN 18031-3, depending on product type.
- EN 18031-1: Networked devices (routers, gateways, IoT hubs, smart appliances).
- EN 18031-2: Devices processing personal data (smartwatches, security cameras, toys).
- EN 18031-3: Devices processing virtual or monetary data (POS terminals, payment readers, crypto wallets).

Certain categories are regulated separately and therefore exempt:
- Medical devices (under MDR)
- Aviation communication systems
- Automotive electronics (under UNECE R155/R156 cybersecurity regulations)

Identify which EN 18031 part applies to your product.
Check if it triggers any “limitation conditions” that require Notified Body (NB) involvement.
If yes, self-declaration (Module A) is not allowed.
Assess current designs and firmware against the EN 18031 standard requirements:
- Default Passwords: Must be disabled; users must change passwords at first use.
- Data Encryption: Use strong encryption (e.g., AES-256, TLS 1.2+).
- Secure Update Mechanism: Must support digital signature verification and anti-rollback protection.
- Special Controls:
  - For children’s devices: include parental control.
  - For payment terminals: include hardware tamper resistance.

Technical Documentation: Include risk assessments, schematics, encryption implementation details, and test reports.
Certification Path:
- Self-Declaration (Module A): Only for low-risk devices fully aligned with harmonized EN 18031 standards.
- NB Certification: Mandatory if limitation conditions are triggered or for financial devices (EN 18031-3).

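The secure update item in the checklist above pairs digital signature verification with anti-rollback protection. The following Go sketch is an added example, not text from EN 18031 or code from any vendor: the `Manifest` layout, the function names and the choice of Ed25519 are assumptions made for illustration. It shows why the version number must sit inside the signed data, and why a correctly signed but older image is still refused.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update header; the field layout is an assumption.
type Manifest struct {
	Version uint32 // monotonically increasing security version
	Image   []byte // firmware payload
}

// signedBytes binds the version to the image so neither can be swapped alone.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+len(m.Image))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.Image...)
}

var (
	ErrBadSignature = errors.New("update rejected: signature invalid")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// VerifyUpdate checks the vendor signature first, then the anti-rollback rule.
// installed is the version held in tamper-resistant storage on the device.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.signedBytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo key and images; a real device ships only the public key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	newer := Manifest{Version: 8, Image: []byte("fw-v8")}
	older := Manifest{Version: 6, Image: []byte("fw-v6")}
	fmt.Println(VerifyUpdate(pub, newer, ed25519.Sign(priv, newer.signedBytes()), 7))
	fmt.Println(VerifyUpdate(pub, older, ed25519.Sign(priv, older.signedBytes()), 7))
}
```

On a device, the stored version would be advanced only after the new image has been written and verified, so an interrupted update cannot lock out the currently installed firmware.
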
From August 2025, non-compliant products may face:
- Market ban or customs rejection in the EU
- Product recalls and penalties
- Fines up to 4% of annual global turnover

| Product Type | Examples | Estimated Cost (EUR) |
|---|---|---|
| Basic Device | Bluetooth headset, smart plug | €5,000 – €8,000 |
| Medium-Risk Device | Smartwatch, IoT camera | €8,000 – €15,000 |
| Financial Device | POS terminal, crypto wallet | €20,000 – €30,000+ |
Tip: Early technical planning and cybersecurity integration can help reduce retesting costs by 20–30%.
Blue Asia Technology helps global brands navigate EN 18031 compliance efficiently — from gap assessment to test submission and NB coordination.
Q1. Is EN 18031 certification mandatory for all radio equipment?
Yes. From August 1, 2025, all radio products sold in the EU must comply with the EN 18031 cybersecurity requirements.
Q2. Can I use existing CE/FCC certifications?
No. EN 18031 adds cybersecurity-specific requirements not covered by CE or FCC. You must update technical documentation and testing.
Q3. What if my product is for children or handles payment data?
It automatically triggers NB certification under EN 18031-2 or EN 18031-3.
Q4. How long does the EN 18031 certification take?
Typically 3–6 months, depending on device complexity and test results.
Q5. How can I minimize costs?
Integrate EN 18031 requirements early in your product design to reduce rework. Using pre-certified modules also helps lower total costs.