The European Union is raising the bar on cybersecurity for wireless devices. A new series of standards – EN 18031 Parts 1, 2, and 3, titled “Common Security Requirements for Radio Equipment” – has been introduced to help manufacturers meet the Radio Equipment Directive’s latest security requirements. These standards are directly linked to the EU Radio Equipment Directive (RED) 2014/53/EU, which makes certain cybersecurity provisions mandatory for radio devices.
We’ll break down who must comply with EN 18031, key dates and milestones, how they relate to the RED Directive and Delegated Regulation 2022/30, and what the standards cover. We’ll also explain the certification and conformity process for manufacturers to help you prepare. Our goal is to demystify this complex topic in an expert yet approachable way – and show how Digital Cubes can support you in achieving compliance.
Who Needs to Comply?
Manufacturers of radio-enabled products are the primary group that must ensure compliance of their products with EN 18031. If you produce any device that falls under the Radio Equipment Directive and can connect to a network, these standards likely apply to you. The requirements target a broad range of modern devices, including but not limited to:
- Consumer IoT and smart home devices: Any radio-equipped gadget that connects to the internet, from smart speakers and security cameras to Wi-Fi lightbulbs…
- Wearables and health trackers: Smart watches, fitness bands, GPS trackers, and other wearables with wireless connectivity are in scope…
- Smart toys and childcare devices: This includes internet-connected toys, learning gadgets, and baby monitors with radio links…
- Payment terminals and digital wallets: Any radio equipment used to transfer money or virtual currency…
- Smartphones, tablets, and computers with cellular/Wi-Fi: Traditional consumer electronics that include radios (Wi-Fi, Bluetooth, LTE, etc.) and connect to the internet are subject to the RED and thus to these new security requirements.
The EN 18031 Certification Process
For manufacturers, knowing the standards is half the battle – the other half is navigating the conformity assessment process to actually certify and declare your product compliant.
Achieving compliance with the EN 18031 series and the RED Directive’s security requirements is certainly a challenge, but it’s also an opportunity. By investing in cybersecurity compliance, you not only meet legal obligations but also significantly enhance your product’s quality and trustworthiness.
That said, navigating the regulatory landscape can be complex. This is where Digital Cubes can assist. We are an expert consultancy specializing in guiding clients through compliance with technical standards and directives. For EN 18031 and the Radio Equipment Directive, Digital Cubes can help you:
- Assess Your Readiness: We perform gap analyses against EN 18031 to see where your product stands and what needs improvement.
- Technical Documentation & Risk Management: Our team can take the lead in preparing the required technical documentation, writing the security risk assessment, and navigating through the decision trees.
- Notified Body Liaisons: We liaise with Notified Bodies, making the process smoother. We’ll present your technical documentation in a clear, organized manner and address any questions the Notified Body (NB) may have about your cybersecurity measures. Think of us as translators between your development team and the regulatory evaluators.
EN 18031 and Radio Equipment Directive
To fully appreciate EN 18031, it helps to understand the legal context. The Radio Equipment Directive (2014/53/EU) is the main law that governs all wireless communications devices in the EU. Specifically, Delegated Regulation (EU) 2022/30 was enacted to “supplement” the RED with regard to Article 3(3) points (d), (e) and (f). These three points are defined in the directive as follows:
- Article 3(3)(d): Radio equipment must not harm communication networks or their functioning, nor misuse network resources in a way that causes unacceptable degradation of service.
- Article 3(3)(e): Radio equipment must have safeguards to ensure the protection of personal data and privacy.
- Article 3(3)(f): Radio equipment must support features to ensure protection from fraud.
So, how does EN 18031 fit in? EN 18031 is the practical tool to comply with those legal requirements. Each part of EN 18031 (1, 2, 3) implements these legal requirements in a technical way:
- Part 1 (Internet-connected equipment): Contains all the baseline requirements applicable to any connected device.
- Part 2 (Data-processing, toys, wearables): This part adds enhanced requirements for privacy and safety.
- Part 3 (Financial transactions): Similarly, Part 3 would include extra requirements aimed at preventing fraud and ensuring financial-grade security.
Key Milestones for EN 18031 Compliance
Regulators have laid out a phased timeline to roll out these requirements. Below are the key milestones and dates to mark on your compliance calendar:
- January 2022 – Delegated Regulation Published: On January 12, 2022, the Delegated Regulation 2022/30 was published in the EU Official Journal. This made it official that radio equipment must soon comply with Article 3(3)(d), (e), (f) of the RED – which cover network protection, user privacy, and fraud prevention.
- August 2022 – Standards Development Kick-off: To support the new law, the EU issued a standardization request to the European standards organizations (CEN/CENELEC). This tasked experts with developing harmonized standards (what became the EN 18031 series) that manufacturers could use to meet the RED’s cybersecurity requirements.
- Mid 2024 – EN 18031 Standards Finalized: The three parts of EN 18031 were completed and published by CENELEC. Each part addresses one slice of the new requirements (general, data/child, and financial security).
- August 2025 – New Requirements Become Mandatory: This is the enforcement deadline. In practical terms, any relevant radio product placed on the EU market on or after that date must meet the Article 3(3)(d), (e), (f) requirements (following EN 18031). Manufacturers should target this date to update their product designs and documentation.