In 2025, the EN 18031 certification process became a key requirement for manufacturers aiming to sell wireless and IoT products in the EU market under the Radio Equipment Directive (RED).
Understanding the step-by-step process will help ensure a smoother certification journey and faster time-to-market.
This foundational phase usually takes 1–2 months, and it lays the groundwork for the entire certification process.
During this phase, you need to:
Standard Mapping:
Identify which sub-standards apply based on your product’s features.
For instance:
A router may only require EN 18031-1.
A smartwatch with payment functions may need EN 18031-1, -2, and -3 simultaneously.
Technical Remediation:
Conduct a gap analysis and fix non-compliance points. Typical actions include:
1. Disabling default passwords and forcing a password change upon first use.
2. Upgrading encryption (e.g., TLS 1.2+, AES-256).
3. Implementing secure firmware update mechanisms with anti-rollback protection.
Documentation Preparation:
Start preparing essential documents such as:
Technical specifications
Circuit diagrams
Risk assessment reports
Cybersecurity design justifications
Once the preparatory work is complete, you’ll submit your application to the chosen certification body (or Notified Body).
This phase typically takes 1–2 weeks and includes:
Submitting application forms, product specifications, and technical files
Reviewing documentation completeness
Confirming scope, fees, and test schedule
Choosing the right path depends on your product’s risk level and data sensitivity.
Self-Declaration (SDoC):
Suitable for low-risk devices, such as smart home products with standard security controls and no personal data involvement.
Third-Party Certification (NB Assessment):
Required for high-risk devices, such as:
Industrial IoT sensors lacking authentication
Wearables processing children’s data
Payment terminals or crypto devices
This route involves laboratory testing and Notified Body review to ensure full EN 18031 compliance.
This is the core phase of EN 18031 certification, lasting 2–12 weeks depending on device complexity.
Laboratory Testing:
The certification body evaluates product samples through:
Cybersecurity tests (encryption validation, DDoS protection)
Privacy protection tests (secure storage, access control)
Note: The initial failure rate for first-time EN 18031 certifications can reach 40%–60%, so allow time for remediation and retesting.
Factory Audit:
For high-risk devices, a factory security audit may be required, typically adding 1–4 weeks.
Auditors inspect production process controls, firmware management, and traceability systems.
Once your product passes all evaluations, the certification body issues the EN 18031 Certificate.
However, certification is not permanent:
Valid for 3–5 years, with annual surveillance audits
If the EN 18031 standard is updated, manufacturers have 12 months to complete a re-assessment
Failure to update may result in certificate invalidation
| Product Type | Estimated Timeline | Key Factors Influencing Duration |
|---|---|---|
| Basic Device (e.g., Bluetooth Headset) | 3–4 months | Simple function, only EN 18031-1 testing |
| Medium/High-Risk Device (e.g., Smartwatch, POS) | 4–6 months or longer | Multiple standards, complex testing, 40%–60% initial failure rate |
| Expedited Projects | 6–12 weeks (cost +30%–50%) | Fast-track service available from some certification bodies |
Early preparation shortens total certification time
Secure-by-design principles reduce testing failures
EN 18031 compliance is mandatory for all RED products starting in 2025
Partnering with an experienced lab ensures smooth document handling and faster certification turnaround
Blue Asia Technology offers one-stop EN 18031 certification consulting services:
Gap analysis & technical guidance
EN 18031-1, -2, -3 compliance evaluation
Document review and risk assessment support
Liaison with EU Notified Bodies for faster certification
Email: king.guo@cblueasia.com
Phone: +86 135 3422 5140
Website: www.blueasialabs.com
Q1: How long does EN 18031 certification take?
A1: Typically 3–6 months depending on complexity, testing needs, and factory audit requirements.
Q2: Can I use SDoC instead of Notified Body certification?
A2: Only for low-risk devices that meet all password, encryption, and privacy protection requirements.
Q3: How often must the certificate be renewed?
A3: Every 3–5 years, with mandatory annual audits to maintain validity.
Q4: What if my product fails the initial test?
A4: You’ll receive a detailed corrective action report and can reapply after remediation—Blue Asia can help close gaps efficiently.
Q5: How can Blue Asia accelerate my EN 18031 project?
A5: We provide pre-test evaluations, fast document review, and work directly with accredited EU partners to cut processing time.
Related News
