As of 2025, the EU EN 18031 series standards are now fully harmonized under the Radio Equipment Directive (RED). This means that to sell wireless or IoT devices in the EU, manufacturers must prepare complete and compliant documentation proving their cybersecurity and data protection measures.
This guide outlines the core documentation requirements, key limitation clauses, and validity rules for EN 18031 certification — helping you streamline your product’s compliance journey.
To process EN 18031 certification efficiently, manufacturers must compile a complete technical documentation file demonstrating product compliance.
Below is the core documentation checklist recommended by professional EU certification bodies:
| Documentation Type | Description & Examples | Notes |
|---|---|---|
| Product Basic Information | Product description, functional specifications, user manual, etc. | Clarify if the product falls within the EN 18031 scope. |
| Technical Design Documents | Circuit schematics, PCB layout, BOM, antenna report, etc. | Demonstrates how the device implements cybersecurity features at the hardware level. |
| Software/Firmware Information | Software architecture, key source code sections, version numbers, security update mechanism. | Must meet strict software integrity and update control requirements. |
| Risk Assessment Report | Threat modeling, vulnerability analysis, mitigation plan. | Shows proactive identification and control of cybersecurity risks. |
| Test Reports | Cybersecurity test results (e.g., encryption, authentication, secure storage). | Proves that the device meets EN 18031-1, -2, and/or -3 security objectives. |
| Declaration of Conformity (DoC) | Signed by the manufacturer, declaring conformity with the RED Directive and EN 18031 standards. | Mandatory for market entry under RED. |
Tip: All documentation should be compiled in English and retained for at least 10 years for audit and market surveillance purposes.
If your product falls under any of the following special conditions, you must apply for certification through an EU Notified Body (NB) — self-declaration (SDoC) is not allowed.
- Password Requirement (Clause 6.2.5): Devices must enforce password creation and cannot allow users to skip or retain default passwords.
- Parental Control Requirement (Clause 6.1.3): For child care devices and smart toys, parent or guardian access control must be secure and non-bypassable.
- Security Update Mechanism: For devices handling financial transactions or virtual currencies, update mechanisms relying solely on one method (e.g., digital signatures) are insufficient; NB review is mandatory.
These conditions directly impact whether your product qualifies for self-declaration or requires third-party evaluation by a Notified Body.
Unlike other certification systems, EN 18031 does not define a universal certificate validity period. However, there are several key principles manufacturers must follow:
The validity of an EN 18031 certification depends on the product’s design stability and the certification body’s policies.
Manufacturers must retain all technical documentation for 10 years after the product is placed on the market.
EN 18031 certificates or self-declarations can become invalid under the following circumstances:
- Product Changes: Any hardware, firmware, or software modification that affects cybersecurity or data protection functions requires partial or full re-testing.
- Regulatory Updates: If the EU updates the RED Directive or publishes a new EN 18031 version, existing certifications may lose validity unless re-assessed within the transition period.
- NB Certificate Expiration: Notified Body certificates typically carry a defined validity (e.g., 3 or 5 years). Renewal or re-assessment is required upon expiry.
Manufacturers are obligated to:
- Keep technical files and DoC for 10 years
- Provide them to market surveillance authorities upon request
- Ensure all supporting documents are up-to-date with product versions
✅ Start Early: Early preparation of cybersecurity documentation avoids costly delays.
✅ Perform Internal Gap Analysis: Identify missing controls before submitting to the Notified Body.
✅ Maintain Change Control Logs: Keep detailed version control and security update records.
✅ Plan for Re-certification: Build a 3–5-year maintenance cycle into your compliance plan.
Blue Asia Technology provides end-to-end support for EN 18031 documentation preparation and certification consulting:
- Gap analysis & pre-certification assessment
- Technical documentation review (hardware & software)
- Coordination with EU Notified Bodies
- Fast-track certification solutions for RED compliance
Email: king.guo@cblueasia.com
Phone: +86 135 3422 5140
Website: www.blueasialabs.com
Q1: What is the minimum documentation I must submit for EN 18031?
A1: You must include design files, risk assessment reports, cybersecurity test reports, and the Declaration of Conformity.
Q2: Can I keep documents in Chinese or another language?
A2: No. The EU requires all documentation to be in English for RED market surveillance and audits.
Q3: How long is my EN 18031 certificate valid?
A3: Typically 3–5 years if issued by a Notified Body, but the technical documentation must be retained for 10 years.
Q4: What happens if I update my firmware after certification?
A4: If the change affects cybersecurity functions, you must perform partial or full re-assessment.
Q5: Can Blue Asia assist with document preparation and review?
A5: Yes, our experts help compile complete technical files and liaise with EU Notified Bodies to ensure compliance.