Over two years providing EN 18031 consultation at BlueAsia Testing, the most frequent question received is “Do I really need to apply Part 1 for my product?”. Inquiries come from manufacturers across all sectors: Bluetooth speaker makers, Wi-Fi module suppliers, smart socket factories, automotive T-Box developers, pet tracker producers. I always advise clients to cross-check line by line against official regulatory text to get a definitive answer quickly.
EN 18031-1:2024 aligns with RED Directive Clause 3.3(d), outlining universal cybersecurity requirements for radio equipment capable of internet communication.
Simplified rule: If your product transmits radio frequency signals and connects to the internet via any method, EN 18031-1 compliance is mandatory.
The critical threshold hinges on internet connectivity, with two distinct connection models defined formally in regulation texts:
- Direct internet connection: Devices access cloud servers independently via Wi-Fi, cellular 4G/5G or Ethernet IP stacks. Examples include Wi-Fi routers, 5G communication modules, cellular-enabled tablets, internal Wi-Fi chips inside smart TVs – all unequivocally subject to compliance.
- Indirect internet connection: No native IP stack on the device itself, yet data transmits to the internet via intermediate hardware. The assessment core evaluates inherent design capabilities for cloud data upload, remote interaction and OTA firmware updates.
· Basic Bluetooth speakers solely streaming audio from mobile phone cloud platforms, with no proprietary user accounts, zero data uploads and no remote control logic: Most Notified Bodies and industry frameworks adopt lenient evaluation, deeming Part 1 non-mandatory.
· Speakers equipped with native cloud accounts, voice data upload pipelines or remote firmware upgrade functions: Internet communication is facilitated through a secondary mobile device, triggering full Clause 3.3(d) obligations. Identical logic applies to Zigbee gateways, Thread border routers and Bluetooth-gateway-linked IoT sensors whose data ultimately routes to public internet infrastructure.
Conversely, purely local-operation hardware escapes this clause entirely: Analog walkie-talkies with no network stack, receive-only radios with no transmission or networking functions, passive NFC tags lacking RF transmit hosts and IP stacks, Bluetooth keyboards limited to local HID input with zero network interaction – none require EN 18031-1.
A vital edge case assessment: Accidental indirect connectivity via third-party gateways does not automatically enforce compliance. Industry and NB consensus evaluates native hardware architecture first. If a Bluetooth device’s protocol stack and application layer only support peer-to-peer local communication with no self-initiated gateway internet access capability, Clause 3.3(d) does not apply. If factory design integrates cloud API calls, OTA firmware channels or remote control interfaces, inherent internet connectivity capability activates mandatory Part 1 testing.
2. Four High-Risk Product Categories Almost Always Mandated
Based on two years of consultation data, certain product lines universally fall under enforcement, while others consistently qualify for exemption:
- Wi-Fi and communication modules: Regardless of end-product integration, modules with native IP stack functionality require compliance. Module-level EN 18031-1 testing delivers superior cost efficiency versus whole-device certification. Valid test results from certified modules can be largely reused for end products providing security hardware, firmware and RF architecture remain unmodified. Supplementary integration audits are required if end-product revisions alter antenna layouts, cloud OTA service frameworks or power safety circuitry; full result reuse is not permitted.
- Wireless routers, cellular CPE and Mesh networking hardware: Mandatory compliance, with far larger attack surfaces than standard terminal devices. Common audit failure points include factory-enabled Telnet ports, unencrypted HTTP web management dashboards and hardcoded default login credentials embedded within firmware – top non-compliance issues during EN 18031-1 assessments.
- Smart speakers and Wi-Fi-enabled home appliances: Full Part 1 enforcement applies. Voice assistant speakers additionally trigger Part 2 privacy evaluations, yet Part 1 network defense forms an unskippable foundational requirement. Wi-Fi-connected air conditioners, washing machines and refrigerators all fall within scope.
- Automotive-grade communication hardware: Onboard T-Boxes, vehicle communication modules and cellular OBD devices are fully mandated. A widespread misconception persists: Even for automotive wireless components regulated under Regulation (EU) 2018/858 for vehicle type approval, EN 18031-1 cybersecurity rules remain compulsory. No automatic exemptions exist for EN 18031-2 or EN 18031-3; limited cross-standard test data reuse may be approved via formal evaluation workflows. Automotive equipment cannot bypass EN 18031-1 certification.
- Bluetooth devices require case-by-case evaluation:
· Basic Bluetooth earbuds with pure audio transmission, no App account binding, cloud linkage or data processing: Exempt from Part 1.
· Units featuring cloud voice assistants, biometric health tracking sensors or registered App user accounts: Mandatory compliance applies. Models equivalent to AirPods with iCloud account synchronization trigger Part 2 privacy obligations alongside foundational Part 1 cybersecurity testing. Budget Bluetooth earphones (QCY, Edifier) limited to audio transmission with no cloud accounts or OTA updates qualify for industry-standard exemption.
3. Explicitly Exempt Product Lines
Regulatory frameworks outline clear exclusion pathways:
· Radio hardware with zero internet connectivity: Standalone walkie-talkies, broadcast radios, infrared remotes, passive NFC tags and local-only HID Bluetooth keyboards lack internet communication capacity, so Clause 3.3(d) does not apply.
· Wired-only network devices: Hardware with Ethernet ports restricted to closed local LANs, no RF transmission capability, sits outside RED Directive jurisdiction entirely – EN 18031-1 has no applicability whatsoever, as RED exclusively governs radio-emitting equipment. Critical hybrid hardware caveat: Dual wired + wireless interface devices remain under RED oversight due to RF transmit functionality; local LAN wiring status does not change overall regulatory classification.
· Medical device special provisions: Connected wireless medical hardware regulated under MDR (2017/745) or IVDR (2017/746) faces zero EN 18031-1 exemptions; cybersecurity compliance remains fully mandatory.
4. Rapid Self-Assessment Two-Question Framework
A streamlined two-step check delivers instant eligibility results for nearly all consumer wireless hardware:
Question 1: Does your product feature radio frequency transmission capability? If no – fully exempt. If yes, proceed to Question 2.
Question 2: Can it connect to the internet (direct or indirect)? If no – EN 18031-1 not required. If yes – compliance mandatory.
This framework covers most mainstream consumer wireless goods, with narrow niche exceptions needing individual review: Aviation and railway dedicated wireless modules governed by exclusive UNECE industry regulations qualify for simplified evaluation tracks and cannot be judged solely by the two-question test.
BlueAsia has delivered hundreds of completed EN 18031-1 test projects, including Wi-Fi modules, Bluetooth gateways, automotive T-Boxes and smart speakers. Instead of parsing dense regulation text independently, submit your product specification datasheets for tailored compliance reviews. Consultant of BlueAsia Testing & Certification: +86 13534225140 (Benson)