CE RED Cybersecurity Certification Standards & Test Items

2026-04-13

On August 1, 2025, the EU RED Cybersecurity Delegated Act (EU 2022/30) became legally enforceable.

I. Correct Reference for EN 18031 Standard Series

EN 18031 is a multi-part series, not a single standard:

· EN 18031-1: Applies to internet-connected radio equipment (Wi-Fi/network-enabled products)

· EN 18031-2: Applies to devices processing personal, traffic, or location data (smart watches, trackers, automotive devices)

· EN 18031-3: Applies to financial data processing devices (POS terminals, payment devices)

Key Point: A product may fall under several parts at the same time. A smart watch with network connectivity, payment, and positioning functions may need to comply with EN 18031-1/-2/-3. Test reports must list the full standard numbers and versions, not a generic “EN 18031”.

II. EN 18031 Standard Versioning

Standards have valid versions. The EN 18031 series was officially published in August 2024, with potential future revisions. Test reports must cite the latest valid versions.

Common Issues:

· Use of draft (prEN 18031) versions after official publication

· Continued use of superseded old versions

· Incomplete standard references lacking year/version

Solution:

Confirm use of latest official versions (EN 18031-1:2024, EN 18031-2:2024, EN 18031-3:2024) with full standard numbering on reports.

III. Precise Mapping of EN 18031 Test Items

EN 18031 testing is product-specific, not one-size-fits-all. Reports must list test items with corresponding standard clauses.

Common Test Items:

1. Access Control Testing: Validates password policies, login lockout, and session timeout (only for products with a user interface)

2. Encryption Mechanism Testing: Verifies that algorithms are current, that keys are stored securely, and that keys can be updated

3. Security Update Testing: Checks signed updates, anti-tampering, and rollback mechanisms

4. Logging Testing: Ensures complete, tamper-proof security event logging

5. Communication Security Testing: Validates secure protocols, certificate verification, and MITM protection

Key Point: Test items must match product functionality. A pure Bluetooth speaker without Wi-Fi/APP/login does not require access control or communication security testing, but the report must explicitly state that these items are not applicable and give the justification.

IV. Defining EN 18031 Testing Scope

Unclear scope is a leading cause of report rejection.

1. Product Boundary: Explicit model, firmware version, and coverage of multi-model configurations

2. Functional Boundary: Clarify APP/cloud inclusion (EN 18031 focuses on devices; APP/cloud scope must be stated if tested)

3. Interface Boundary: List tested communication interfaces (Bluetooth, Wi-Fi, NFC, USB) to avoid partial testing

V. EN 18031 Testing Method Selection

Multiple methods are allowed, but must be documented:

1. Document Review: Baseline for all products, verifying design compliance

2. Functional Testing: Validates operational security functions

3. Penetration Testing: Simulated attacks to identify vulnerabilities

4. Code Review: Source code verification for high-security products (not universal)

Key Point: Reports must specify methods per test item; justify absence of penetration testing where applicable.

VI. Formal Requirements for EN 18031 Test Reports

1. Laboratory Accreditation: ISO/IEC 17025 accreditation preferred for EU recognition

2. Report Content: Product info, standards, items, methods, results, conclusions

3. Signature & Date: Authorized signatory validation

4. Annexes: Complete technical files, test data, and screenshots for inspection


Test reports are core to EN 18031 compliance.