Details of EU EN 18031 Certification

2025-10-28

In 2025, the EU introduced new cybersecurity regulatory requirements for radio equipment, the core of which is the EN 18031 series of standards. Below, we outline the key points of this new regulation to help you quickly grasp compliance directions.

EN 18031 Certification New Regulation Core Points Overview:

| RED Directive Clause | Corresponding EN 18031 Standard | Standard Core Focus | Key "Limitation Conditions" (Triggering NB Certification) |
| --- | --- | --- | --- |
| Article 3(3)(d): Equipment must not harm the network or cause service degradation | EN 18031-1:2024 (Common security requirements for networked radio equipment) | Protecting Network Assets, e.g., preventing misuse, DDoS attacks. | If the device allows the user not to set or use a password (violating clauses 6.2.5.1 & 6.2.5.2), certification by a Notified Body (NB) is mandatory. |
| Article 3(3)(e): Protection of personal data and privacy | EN 18031-2:2024 (Security requirements for data processing equipment, e.g., networked devices, child care devices, toys, wearables) | | 1. Allows the user not to set a password (as above). 2. For child care devices, etc., if parent or guardian access control is not ensured (violating clause 6.1.3, etc.), NB certification is also required. |
| Article 3(3)(f): Ensuring fraud prevention | EN 18031-3:2024 (Security requirements for equipment processing virtual currency or monetary value) | Protecting Financial Assets, e.g., tamper resistance, fraud prevention. | 1. Allows the user not to set a password (as above). 2. For security updates, if relying solely on a single method (e.g., only digital signature or only access control) is insufficient for financial security needs, NB certification is mandatory. |

Important Timelines and Scope of Application:

1.EN 18031 Mandatory Enforcement Timeline:

·From August 1, 2025, all radio equipment placed on the EU market must comply with the cybersecurity requirements of points (d), (e), and (f) of Article 3(3) of the RED Directive.

2.Applicable Product Scope:

·EN 18031-1: Applies to all networked radio equipment, e.g., routers, smart home appliances, industrial IoT devices.

·EN 18031-2: Applies to devices processing personal data, e.g., smartwatches, security cameras, baby monitors, toys.

·EN 18031-3: Applies to devices processing virtual currency or monetary value, e.g., POS terminals, payment terminals, crypto wallets.

·Exempt Products: Some product categories governed by other specific regulations are generally exempt, e.g., medical devices (under MDR), aviation equipment, and automotive electronics.

EN 18031 Certification New Regulation Enterprise Compliance Action Guide:

1.Confirm Applicable Standards & Limitation Clauses: First, determine which part (EN 18031-1, -2, or -3) your product falls under based on its functionality. Then, carefully check the "Limitation Conditions" in the table above. Triggering any one condition means you must undergo third-party certification via a Notified Body (NB) and cannot use self-declaration.

2.Conduct Compliance Gap Analysis: Audit existing product designs against the core standard requirements. Focus on:

·Default Passwords: Are they mandatorily disabled? Must the user change the password upon first use?

·Data Encryption: Is locally stored and transmitted data encrypted using strong algorithms like **AES-256**?

·Security Update Mechanism: Do firmware updates support digital signature verification and include an anti-rollback design?

·Special Functions: For children's devices, is there hardware-level parental control? For payment terminals, is there a hardware tamper-resistance design?

3.Prepare Technical Documentation & Choose Certification Path:

·Technical Documentation: Prepare detailed technical documentation, including risk assessment reports, technical specifications, test reports, etc.

·Certification Path:

Self-Declaration (Module A): Only applicable to low-risk devices that fully comply with the harmonized standards and do not trigger any limitation conditions.

Notified Body (NB) Certification: If the product triggers limitation conditions, certification by a designated NB is mandatory. For financial devices under EN 18031-3, due to the standard's strict requirements regarding financial asset security updates, NB conformity assessment is typically mandatory.

EN 18031 Certification Non-Compliance Consequences & Cost Reference:

1.Non-Compliance Consequences: Products that fail to meet the new requirements after August 1, 2025 face risks including being banned from the EU market, recall of products already sold, and high fines (up to 4% of annual turnover).

2.Cost Reference: Certification costs vary by product complexity and risk. Below is a rough reference range:

·Basic Device (e.g., Bluetooth headset): approx. €5,000–€8,000

·Medium-Risk Device (e.g., Smartwatch): approx. €8,000–€15,000

·Financial Payment Terminal: approx. €20,000–€30,000 or more

We hope this information helps you gain a preliminary understanding of EU EN 18031 certification. If you share the specific product type you are responsible for, BLUEASIA Technology (13534225140) will provide professional certification consulting services to help ensure your products pass certification smoothly and enter the EU market on time.