On May 15, 2025, the European Commission published Implementing Decision (EU) 2025/893, updating several core EMC standards, including the EN 301 489 series, and setting clear expiry dates for some current versions. Earlier, on January 28, 2025, via Decision (EU) 2025/138, the EU formally incorporated the EN 18031 cybersecurity standard series into the harmonized standards under the Radio Equipment Directive (RED).
These seemingly separate regulatory actions point to a clear trend: simple Electromagnetic Interference (EMI) and Immunity (EMS) testing is no longer sufficient for EU market access. EMC certification is now deeply intertwined with cybersecurity and radio performance requirements, forming a more complex and stringent product compliance framework.
The EU compliance landscape is undergoing a quiet but profound transformation. The network of technical directives behind the CE mark is becoming more interconnected. While the EMC Directive was often assessed independently, it now increasingly intersects with the RED.
This trend became particularly evident in 2025, driven by two legally binding EC Decisions:
1.Cybersecurity as a Mandatory Requirement for Wireless Devices: Per (EU) 2025/138, the EN 18031-1, -2, -3 series are now harmonized standards under RED. This means that from August 1, 2025, all devices with wireless functions (e.g., Wi-Fi, Bluetooth, cellular) applying for CE certification must meet the corresponding cybersecurity, personal data protection, and anti-fraud requirements of EN 18031.
2.Consolidated Update of Core EMC Testing Standards: The May 2025 (EU) 2025/893 decision revised a large batch of harmonized standards. Changes to the EN 301 489 series (EMC standard for radio equipment) are particularly noteworthy. This decision not only set expiry dates for many current versions but also added over ten new standards to the Official Journal (OJEU), granting them harmonized status.
II. Detailed Breakdown of 2025 Core New Rules
The impact of the new rules is specific and can be summarized in three core changes defining current compliance priorities.
Change 1: Mandatory Cybersecurity under RED
This is 2025's most disruptive update. EN 18031 is divided into three parts:
-EN 18031-1: Ensures devices do not harm networks (e.g., DDoS protection). Applies to all internet-connected devices.
-EN 18031-2: Focuses on personal data & privacy protection (e.g., data encryption). Impacts wearables, smart home devices, children's toys.
-EN 18031-3: Targets devices with financial transaction functions (e.g., payment terminals), requiring anti-fraud measures.
Change 2: New Harmonized Standards & Old Version Expiry
Per (EU) 2025/893, manufacturers must immediately check the status of standards referenced by their products.
-Example: Key standard EN 301 893 for 5GHz devices (Wi-Fi 5/6) is updated to V2.2.1. Its old version V2.1.1 expires on May 15, 2028, providing a long transition.
-Example:EN 301 489-52 (for cellular devices) has a newer version whose old version expires on November 15, 2026, requiring more urgent planning.
Change 3: Refined Test Scope & Requirements
The new rules provide clearer test boundaries. For instance, notes for standards like EN 301 489-12 now explicitly state they do not apply to assessing disturbances below 9kHz. Also, devices using Ultra-Wideband (UWB) technology now require additional radiated emission tests in the 6.5–8.5 GHz band.
III. Impact on Businesses & Compliance Pathways
The new rules increase not only testing but also fundamentally alter compliance strategy and cost structure.
1.Increased Complexity & Cost: Cybersecurity assessment for wireless products is now mandatory, often requiring new tests (code audit, vulnerability scans) from specialized labs, adding significant time and cost. EMC testing itself may also introduce new/stringer requirements due to standard updates.
2.Unprecedentedly Strict Technical Documentation: The Declaration of Conformity can no longer rely solely on EMC/RF reports. Manufacturers must prepare detailed docs proving how their product meets EN 18031 clauses in hardware/software.
3.Higher Threshold for "Self-Declaration" Path: While EN 18031 is a harmonized standard (theoretically allowing self-declaration), (EU) 2025/138 attaches strict conditions. For example, if a device allows no password or lacks effective parental controls, it must undergo mandatory third-party certification by an EU Notified Body, barring the self-declaration route.
IV. Phased Response Strategy & Actionable Advice
Businesses need a systematic response plan:
1. Impact Analysis & Gap Assessment (1-2 weeks): Classify your product (wireless? handles data/payments?). Cross-reference all currently used EN standards/versions against the (EU) 2025/893 update list.
2.Design Modification & Pre-compliance Testing (4-8 weeks): Integrate security mechanisms (secure boot, encryption) into software architecture. Conduct pre-compliance EMC testing if standard updates might affect results.
3.Formal Certification & Documentation Prep (3-5 weeks): Select the appropriate certification body (Notified Body if required). Compile the expanded Technical File, including cybersecurity assessment and updated EMC reports.
4.Ongoing Compliance & Market Surveillance: Establish a mechanism to monitor future OJEU updates. Re-assess any design changes affecting EMC/cybersecurity characteristics.
The path for a Chinese smart device to reach European consumers is now encrypted with layers of updated Brussels regulations. The EU market door remains open, but the entry "security check" has upgraded from a simple "electromagnetic luggage scan" to a "full-body scan" covering hardware emissions, software vulnerabilities, and data flows.
BLUEASIA Tech: +86 13534225140 provides professional certification consulting services.
Related News
