From August 1, 2025, the EU will enforce the EN 18031 series of cybersecurity standards, and non-compliant radio equipment will face market access restrictions! This standard was developed by the European Committee for Standardization (CEN) and the European Electrotechnical Commission (CENELEC). It has been included in the coordinated standards of the Radio Equipment Directive (Directive 2014/53/EU), marking that the EU has erected a new "security barrier" in the field of radio equipment cybersecurity.
Comparison of the core contents of the EN 18031 series of standards
Ø EN 18031-1 standard
Scope of application: all networked radio devices (such as smart homes, routers);
Core requirements: anti-network attack, traffic control, elastic recovery mechanism;
Typical products: such as smart cameras, in-car entertainment systems, etc.
Ø EN 18031-2 standard
Scope of application: equipment that processes personal data (children's toys, wearable devices);
Core requirements: children's privacy protection, data deletion, user notification mechanism;
Typical products: such as smart watches, baby monitors, etc.
Ø EN 18031-3 standard
Scope of application: financial transaction equipment (POS machines, cryptocurrency wallets);
Core requirements: secure boot, tamper-proof design, multi-factor authentication;
Typical products: such as wallets, mobile payment terminals, etc.
Scope of products covered by the EN 18031 series of standards and exemption list
Ø Covered product scope
◆ Consumer electronics: such as smartphones, smart speakers, wireless headphones, etc.
◆ Internet of Things devices: such as smart door locks, cameras, industrial sensors, etc.
◆ Financial terminals: such as POS machines, ATM machines, cryptocurrency hardware wallets, etc.
◆ Children's products: such as smart watches, educational robots, toys, etc.
Ø Exemption list
Complete exemption clause: The requirements in 3.3(d), (e), and (f) of Article 3 of the RED Directive do not apply to medical devices governed by the EU Medical Device Regulation (MDR). For example: implantable pacemakers, medical monitors, etc.
Partial exemption clause: 3.3(d), (e), and (f) of Article 3 of the RED Directive do not apply to aviation or road traffic related equipment covered by three regulations, including Regulation (EU) 2018/1139 (aviation safety), Regulation (EU) 2019/2144 (vehicle safety), and Directive (EU) 2019/520 (road traffic safety). For example: aircraft communication systems, vehicle navigation equipment, etc.
FAQs about EN 18031 series standards
Ø Which products need EU cybersecurity certification?
1. Direct or indirect connection to the Internet: that is, products that can directly/indirectly connect to the Internet must be certified (indirect connection to the Internet definition: access the Internet through an intermediate device or network. Disconnect the connection medium of the intermediate device. If the IOT device can be controlled, the device must be certified). For example: products with WI-FI and 5G functional modules.
2. Connect to the Internet and have data processing functions: that is, products with data processing functions must be certified. For example: smart bracelets will record sports data and need to be certified. For massagers connected to Bluetooth, because the massager is just an execution device and does not collect data, it does not need to be certified.
3. Products that are connected to the Internet and have financial attributes such as payment functions must be certified.
Ø Under what circumstances can this standard be certified in series
In principle, series applications can be made for the same MCU&OS version&Firmware. If the firmware version is inconsistent, adding a new firmware will increase the workload by 50%, and series applications cannot be made.
◆ About Firmware version
Firmware is a software embedded in a hardware device that is used to control and manage the basic functions and operations of the hardware. The firmware version is an identifier for different iterations and updates of this software. For example: routers, printers and other devices have their own firmware, and by updating the firmware, vulnerabilities can be fixed, performance can be improved or new features can be added.
◆ About Hardware version
Hardware version refers to different versions of hardware devices in terms of design, manufacturing and functional characteristics. It involves changes in the physical components, circuit design, appearance, interface type and other aspects of the hardware. For example, different generations of mobile phones will have upgrades in hardware configuration, such as processor performance improvement, camera pixel increase, battery capacity change, etc., which are all hardware version updates.
Ø Is EU cybersecurity certification an access qualification to enter the EU market?
Yes, the EU has incorporated cybersecurity requirements into the compliance framework of the Radio Equipment Directive (RED) through Delegated Regulation (EU) 2022/30, and issued the supporting standard EN 18031 series. The regulation requires that from August 1, 2025, all radio equipment exported to the EU must pass EN18031 certification, otherwise it is prohibited from entering the EU market.
Ø Does cybersecurity have to be done together with CE-RED? It is still possible to issue a separate certificate and report
It is recommended to do CE-RED + cybersecurity together, but you can also find a laboratory with cybersecurity technology testing capabilities to do a separate test and report.
Ø What is the impact of entering the EU market if cybersecurity certification is not done?
◆ Market entry ban: After August 2025, uncertified products will be intercepted by EU customs and prohibited from entering the market for sale. Uncertified products that have been launched may face mandatory recalls.
◆ Brand trust crisis: Data leakage incidents may lead to a decline in consumer trust and affect corporate reputation and market position. Moreover, once a data leak occurs, the company will not only lose existing customers, but may also face legal proceedings and compensation liability.
◆ Peer complaint risk: Uncertified products may be complained by peer competitors, resulting in missed market opportunities. This will not only affect the company's market competitiveness, but may also damage the company's reputation in the global market.
Ø How to do this certification if you have entered the EU market and have done CE, and you will enter the EU market in the future
Find a laboratory with technical capabilities and qualifications to make up the cybersecurity report.
Ø Do module products need to do cybersecurity certification?
Module products do not need this certification.
Ø How long is the cybersecurity certification cycle?
From the receipt of the product, the certification report will be issued in about one month.
Ø The mandatory time of the EN 18031 series of standards is August 1, 2025. Is there a switching cycle?
Currently there is no switching cycle.
Ø Are there any successful cybersecurity certification cases?
There are cybersecurity certification cases for WI-FI smart light strips and network cameras.
Corporate Compliance Action Guide
1. Immediate self-inspection: confirm which category of EN 18031-1/2/3 the product belongs to, and clarify the specific requirements that need to be met.
2. Technical rectification: Strengthen the cybersecurity mechanism of the software to ensure that the product meets the requirements of the EN 18031 series of cybersecurity standards.
3. Document upgrade: Update technical documents, privacy policies, parental controls and other OJ mandatory requirements to meet the mandatory requirements of the EU Official Gazette.
4. Choose an authoritative certification body: Contact the EU authorized notified body (such as ZRLK testing) to obtain customized solutions to ensure a smooth and efficient certification process.
Warm Tips
The mandatory implementation of the EN 18031 series of standards is an important step in the EU's cybersecurity regulation and a threshold that companies must cross to enter the EU market. Seize the opportunity, take positive action, and complete relevant testing and certification to ensure that wireless products meet cybersecurity requirements. Our company has a professional technical team and rich product testing experience, and can provide companies with one-stop services from standard interpretation, technical rectification to NB certification. If you need it, please feel free to contact us, our engineers will serve you as soon as possible!
