Enforcement Status 8 Months After Mandate & CRA Transition (April 2026)
Again, there is no official “EN 18031 certification”. EN 18031 is a RED harmonised standard. Compliance is demonstrated via EU Declaration of Conformity and CE marking. The accurate term is RED cybersecurity compliance under EN 18031.
·30 Jan 2025: EN 18031 added to OJ, presumption applies
·1 Aug 2025: RED 3.3(d)(e)(f) mandatory
2. Actual Enforcement Situation
·Customs: Increased inspections since late 2025; goods missing cybersecurity documentation face detention risks.
·E‑commerce Platforms: Amazon, eBay, Temu strengthen CE document reviews; missing EN 18031 coverage may lead to delisting.
·Market Surveillance: France, Germany, Netherlands apply strictest oversight.
·Penalties: Include fines, recalls, sales bans, and Safety Gate notifications.
3. Abolition of (EU) 2022/30
On 10 December 2025, the Commission launched public consultation on repealing (EU) 2022/30. In February 2026, it adopted a draft repeal, planned to take effect 11 December 2027. Until then, (EU) 2022/30 and EN 18031 remain fully valid.
4. CRA Timeline (Regulation (EU) 2024/2847)
·11 June 2026: Chapter 4 (notification of conformity bodies) applies
·11 September 2026: Vulnerability and incident reporting mandatory
·11 December 2027: CRA full application; RED cybersecurity requirements replaced
5. CRA Standards System
·Horizontal standards: EN 40000 series (CEN/CENELEC JTC13 WG9)
·Vertical standards: ETSI EN 304 617 to 636 seriesNew requirements: SBOM and CVD (coordinated vulnerability disclosure).
6. Recommended Actions
·Complete EN 18031 compliance immediately for EU‑bound products.
·Prepare SBOM and vulnerability response for CRA.
·Monitor repeal progress and EN 40000 development.
·Require cybersecurity documentation from module suppliers.
For latest EN 18031 updates, contact BLUEASIA: +86 13534225140
Related News
