If you are planning to enter the EU market with smart hardware products, cybersecurity is no longer an optional add-on. Since 1 August 2025, Commission Delegated Regulation (EU) 2022/30 has activated the cybersecurity-related essential requirements of the Radio Equipment Directive (RED, 2014/53/EU), making them a condition of market access for internet-connected radio equipment. The "EN 1803 certification" commonly referenced in the market is a widespread typo or abbreviation for the EN 18031 series of standards, which is the core of current EU cybersecurity compliance for radio equipment.
EN 18031 is more than an isolated test item. It is the harmonized-standard "answer sheet" for the RED's cybersecurity requirements: the most direct and widely used technical route by which a manufacturer can demonstrate that a product complies, although not the only one.
First, a key point: under the EU regulatory framework, EN 18031 itself is not a mandatory "certification".
1.Mandatory Law: The RED Directive: The EU requires that all radio equipment (from mobile phones and Wi-Fi routers to smart home devices and in-vehicle wireless modules) bears the CE mark before being placed on the market. Article 3(3) of the RED contains three essential requirements relevant here: (d) protection of the network and no misuse of network resources, (e) protection of personal data and privacy, and (f) protection from fraud. Delegated Regulation (EU) 2022/30 switched these three requirements on for internet-connected radio equipment.
2.EN 18031 as a "Harmonized Standard": To solve the problem of proving compliance with these legal requirements, CEN and CENELEC (not ETSI) developed the EN 18031 series: EN 18031-1 for Article 3(3)(d), EN 18031-2 for 3(3)(e) and EN 18031-3 for 3(3)(f). The three parts were cited in the Official Journal of the EU in January 2025, with restrictions. When a product is designed and assessed fully in accordance with the cited parts, it is legally "presumed to conform" with the corresponding essential requirements of the RED. Where a restriction applies (notably where the product lets the user operate it without setting a password or equivalent credential), the presumption of conformity does not cover that part and a Notified Body must be involved. Within its limits, the presumption is a legally recognised compliance shortcut and the "golden key" to the EU market.
II. Core Requirements of the EU EN 1803 Standard (EN 18031)
EN 18031's requirements extend far beyond "setting a password". The three parts of the series map onto three pillars, each with considerable depth and breadth:
Pillar 1: Network Resilience (EN 18031-1, Article 3(3)(d))
Ensuring the device does not become a vector or victim of attacks on the network or on other equipment. Requirements include:
1.Secure Access: No generic default passwords shared across devices; users must set strong, unique credentials or the device must use an equivalent secure authentication mechanism, and access to security-relevant functions must be controlled.
2.Secure Communication: Sensitive data transmitted by the device (management commands as well as user data) must be protected with best-practice cryptography, for example TLS 1.2 or higher; the standard requires a secure communication mechanism rather than naming one protocol.
3.Secure Maintenance: The device must have a reliable software update mechanism to patch discovered vulnerabilities, and the updates themselves must be authenticated and integrity-checked so that a tampered image is rejected before installation.
4.Attack Resistance: Design and testing must show resilience against common attacks, such as denial-of-service (DoS) and unauthorised access, including the ability to recover and to limit the traffic the device generates.
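The "secure maintenance" requirement above is the one most often implemented incorrectly in practice (an update channel that checks a hash but not a signature protects against corruption, not against an attacker). The following is an added example, not code from the standard or from any vendor, showing the device-side check as a practitioner would write it: the manufacturer signs (version || image) with an Ed25519 key kept off the device, the device pins the matching public key, and any package whose image or version was altered after signing, or that was signed with a different key, is rejected before anything is written to flash. The update container format, the field names and the anti-rollback version check are assumptions for illustration; EN 18031 does not prescribe a format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical update container: a
// version number, the firmware image, and an Ed25519 signature over
// both. It is not a format defined by EN 18031.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedPayload binds the version to the image so that neither can be
// swapped independently without invalidating the signature.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// SignUpdate runs in the manufacturer's build pipeline; the private key
// never lives on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedPayload(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// VerifyUpdate is the device-side check against the pinned vendor key.
// The signature is verified first, so an attacker cannot even reach the
// version comparison with unauthenticated data. The version check is an
// added anti-rollback guard (common practice, not quoted from the standard).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, signedPayload(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo exercises the four cases a test lab would probe: a genuine update,
// a tampered image, an image signed with the wrong key, and a downgrade.
// All inputs are constructed in-process; nothing touches real hardware.
func Demo() (okErr, tamperErr, wrongKeyErr, rollbackErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")

	// 1. Genuine update from installed version 1 to version 2.
	good := SignUpdate(vendorPriv, 2, image)
	okErr = VerifyUpdate(vendorPub, 1, good)

	// 2. Same package with one byte of the image flipped after signing.
	tampered := good
	tampered.Image = append([]byte{}, good.Image...)
	tampered.Image[0] ^= 0x01
	tamperErr = VerifyUpdate(vendorPub, 1, tampered)

	// 3. Image signed by a key the device does not trust.
	forged := SignUpdate(attackerPriv, 2, image)
	wrongKeyErr = VerifyUpdate(vendorPub, 1, forged)

	// 4. Correctly signed, but not newer than what is installed.
	old := SignUpdate(vendorPriv, 1, image)
	rollbackErr = VerifyUpdate(vendorPub, 1, old)
	return
}

func main() {
	ok, tamper, wrongKey, rollback := Demo()
	fmt.Println("genuine update:", ok)
	fmt.Println("tampered image:", tamper)
	fmt.Println("wrong key:     ", wrongKey)
	fmt.Println("rollback:      ", rollback)
}
```

The same structure applies to any asymmetric scheme; the point for an EN 18031 assessment is that the device holds only a public key, that the check happens before installation, and that the test evidence shows the negative cases being rejected, not only the positive case succeeding.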
Pillar 2: Personal Data Protection (EN 18031-2, Article 3(3)(e))
Ensuring user privacy is technically safeguarded at the device level. Requirements include:
1.Encryption at Rest and in Transit: Personal data must be stored and transmitted using secure storage and secure communication mechanisms; the standard calls for best-practice cryptography for both, not specifically for end-to-end encryption.
2.User Control: Providing clear mechanisms so that users can access, delete or otherwise manage their personal data, and so that data is not collected beyond what the function needs.
3.Privacy by Design: Building privacy considerations into product design and default settings, with additional attention to children's toys, childcare equipment and wearables, which 3(3)(e) covers even when they do not process personal data in the usual sense.
Pillar 3: Fraud Prevention and Integrity (EN 18031-3, Article 3(3)(f))
Preventing device functions from being abused for fraud. This part applies to radio equipment that handles money or monetary value (payments, virtual currency, transactions). Requirements include:
·Stronger access control and authentication for the functions that move or store value, secure storage of the assets and credentials involved, and logging so that security-relevant events can be traced afterwards.
·Ensuring critical software and configuration of the device are protected against tampering, so that a compromised device cannot silently alter what it reports or executes.
III. Scope of Products Subject to EU EN 1803 (EN 18031)
EN 18031 assessment is relevant to radio equipment (cellular, Wi-Fi, Bluetooth, LoRa, etc.) placed on the EU market that can connect to the internet, either directly or through other equipment. Part 1 applies to all such equipment; Part 2 additionally applies where personal data is processed (and to toys, childcare products and wearables); Part 3 applies where money or monetary value is handled. Typical products include:
1.Consumer Electronics: Smartphones, tablets, smartwatches, wireless headphones.
2.Smart Home & IoT: Smart speakers, security cameras, smart lighting, sensors, routers.
3.In-Vehicle Devices: Infotainment systems, Telematics Control Units (TCUs).
4.Industrial Equipment: Wireless industrial routers, gateways, controllers.
Note on Exemptions: Delegated Regulation (EU) 2022/30 does not apply the three cybersecurity requirements to radio equipment already covered by sector-specific EU rules with their own cybersecurity provisions: medical devices under the MDR (2017/745) and IVDR (2017/746), civil-aviation equipment, motor vehicles type-approved under Regulation (EU) 2019/2144, and electronic road toll systems. Such products still fall under the rest of the RED for their wireless functions, but their cybersecurity compliance path is set by the sector rules rather than by EN 18031.
IV. EU EN 1803 (EN 18031) Compliance Path and Practice
For most radio equipment, the compliance path under EN 18031 is clear:
1.Technical Documentation: The core deliverable is technical documentation that explains, requirement by requirement, how the product design meets EN 18031 and records the assessment evidence (test results, design rationale, and the justification for any requirement treated as not applicable). Many manufacturers prepare this with a test laboratory or consultant, but the manufacturer remains responsible for its content.
2.Conformity Assessment: Where the cited harmonized standards are applied in full, the manufacturer may follow internal production control (Module A): perform or commission the tests, compile the technical file, and issue an EU Declaration of Conformity (DoC). This is the most common route and does not require certification by a third party.
3.Affix the CE Mark: Once the DoC is issued, the CE mark can be affixed, indicating compliance with the RED, including its cybersecurity requirements.
4.Notified Body Involvement: An EU-designated Notified Body becomes mandatory when the harmonized standards are not applied, are applied only in part, or where the restrictions attached to their citation in the Official Journal apply (for example, a product that allows operation without a password). In those cases the manufacturer uses EU-type examination (Module B, followed by Module C) or full quality assurance (Module H) instead of Module A.
When faced with questions about "EN 1803 certification", focus on the EN 18031 standard series and on the underlying Article 3(3)(d), (e) and (f) requirements of the RED. Together they mark the EU market's elevation of product cybersecurity from a best practice to a legal condition of entry. For professional certification consulting services, contact BLUEASIA at +86 13534225140.