After seeing the news that “CRA will replace EN 18031 in 2027”, many people naturally ask: is there little point in obtaining EN 18031 certification now, since it will become obsolete in two years?
This reading is wrong, and it may lead enterprises to make wrong decisions over the next two years.
1. The repeal effective date of EU 2022/30 (RED Cybersecurity Delegated Act) is December 11, 2027, and the European Commission formally adopted this repeal decision in February 2026. Before this date, EU 2022/30 and the EN 18031 series are fully valid as a statutory compliance pathway, with continuous market surveillance. Repeal does not mean “no longer in force now”; the framework will only switch on that exact date.
2. Compliance work for EN 18031 serves as the foundation for CRA compliance and will not be in vain. A key horizontal requirement standard (work item WI=JT013091) under development by European standardization bodies for CRA is formulated directly based on the EN 18031 series. In other words, the technical documentation, security design, and vulnerability management processes accumulated through EN 18031 today will retain corresponding value under the CRA framework, rather than requiring a complete overhaul.
3. The EN 40000-1-X series will succeed EN 18031 under the CRA framework, with EN 40000-1-1 and EN 40000-1-2 already in the drafting phase in 2025. Pursuant to standardization mandate M/606, all CRA-related standards are scheduled for completion by November 30, 2027. Note this timeline: it provides a roughly one-month window before December 11, 2027, for harmonized standards to be published in the EU Official Journal.
For enterprises, the real decision to make is: obtain EN 18031 certification now, while starting to understand the CRA requirement system, identify the risk category of your products under the CRA framework, and plan your 2027 compliance pathway in advance. This is a task for now, not something to delay until late 2026.
II. Two Key Milestones to Watch in 2026
From an enterprise operational perspective, two events in 2026 should be put on the calendar.
1. June 11, 2026: Provisions on Notified Body qualifications and notification obligations under CRA take formal effect. This date is not directly related to the compliance of existing products, but if your enterprise is planning a CRA certification pathway for 2027, you must confirm now: does your current laboratory or certification body have plans to obtain qualifications under the CRA framework? The CRA Notified Body system is new; existing RED Notified Bodies will not be automatically converted and must reapply for qualifications. By 2027, when you need CRA certification, if your partner lacks CRA accreditation, you will be left with two reactive choices: switch bodies or wait.
2. September 11, 2026: CRA security incident reporting obligations come into force. Under Article 71 of CRA, starting on this date, manufacturers must report actively exploited vulnerabilities and major security incidents in products to ENISA (European Union Agency for Cybersecurity). This obligation applies based on thresholds and severity levels (not all minor issues require reporting), but it imposes specific internal management requirements: you must be able to identify “major security incidents” and establish internal processes for incident identification and escalation.
Many enterprises currently have no such internal mechanisms in place. Waiting until one month before September 11 to build these processes will leave very limited time. Furthermore, these processes are linked to vulnerability management mechanisms and must be planned together, not built in isolation.
A Commonly Overlooked Product Category
Online discussions about CE RED cybersecurity certification mostly focus on smart home devices, TWS earbuds, and wireless cameras. However, one category is frequently omitted: Bluetooth and Wi-Fi modules.
Module manufacturers sometimes assume: “We only sell modules; downstream customers handle certification for finished devices, so this does not concern us.” This mindset requires re-evaluation after August 2025.
When downstream finished device manufacturers conduct EN 18031 certification, they will require module-level security function descriptions, test data, and sometimes independent assessment evidence for the modules. If your module has design flaws — such as open debug ports by default or security vulnerabilities in communication protocols — these issues will carry over to finished device certification and ultimately require resolution from your side.
Proactively preparing module-level security documentation and clear security function descriptions provides a competitive differentiator for module manufacturers and avoids repeated requests for supplementary materials from customers.
Design Review and Technical Documentation Preparation Before EN 18031 Testing
With thorough preparation in these two areas, overall testing cycles and costs can be significantly reduced. The CRA transition in December 2027 is real but represents a clear transition, not an abrupt change.
Contact BLUEASIA Testing & Certification Consultant: +86 13534225140