On August 1, 2025, the EU RED Cybersecurity Delegated Act (EU 2022/30) became legally enforceable.
Many enterprises reverse the correct documentation order: they write the documents first, then check for gaps against the standard, and supplement security functions last. The resulting documents often do not match the actual product.
Correct Sequence:
Step 1: Inventory Existing Product Security Functions
List the security features already implemented before writing any documents: access control, encryption methods, security update mechanisms, logging functions, etc.
Step 2: Identify Gaps Against EN 18031
Compare the implemented functions against the EN 18031 clauses to distinguish fulfilled from unmet requirements. Some functions may already exist but lack documentation; others require actual implementation.
Step 3: Supplement Required Security Functions
Address the gaps, distinguishing product-level implementations from configuration/documentation solutions. Major, time-consuming function changes must be started early.
Step 4: Draft Documentation Based on Actual Implementation
Write the technical files only after the functions are complete, so that documents and product align and "documented functions not present in the product" is avoided.
II. Formal Requirements for EN 18031 Documentation
Beyond content, format matters:
1. Language: Technical files may be written in the manufacturer's national language (English is not mandatory). English is recommended for NB (notified body) pathways because of potential language barriers. User manuals must use EU official languages (English is universally accepted).
2. Format: A clear structure with a table of contents, chapter numbering, and version control, for audit efficiency.
3. Version Control: Version numbers, dates, and change records to track the correspondence between product and documents across iterations.
4. Test Report Alignment: The security mechanisms described in the documents must match the test items in the reports. Auditors cross-verify them; mismatches require supplementary testing or revisions.
III. Validity & Ongoing Obligations of EN 18031 Compliance
EN 18031 compliance is not permanent; enterprises must understand validity and continuous obligations.
1. Compliance Validity: Validity holds as long as the product, the standard, and the regulation remain unchanged. Major design or software changes require a reassessment of their cybersecurity impact.
2. NB Audit Cycles: NB-issued certificates may set 3–5 year review cycles as internal body requirements; these are not statutory RED "validity periods". Surveillance audits cover technical file updates, change management, and sustained compliance.
3. Technical Document Retention: RED mandates 10-year retention after market launch, even after product discontinuation, for regulatory inspections.
IV. EN 18031 Continuous Compliance Obligations
1. Technical Document Retention: 10 years after market launch
2. Change Management: Assess the cybersecurity impact of design/software changes; retest if necessary
3. Vulnerability Response: Establish vulnerability response mechanisms for timely remediation
4. Regulatory Cooperation: Cooperate with market surveillance inspections
Document retention is a statutory obligation spanning the product lifecycle; the frameworks for vulnerability response and change management must be established during certification.
Technical documentation is core to EN 18031 compliance.
Contact BLUEASIA Testing & Certification Consultant: +86 13534225140