RED Cybersecurity Compliance Based on EN 18031 – Standard Nature, Scope and Industry Impact
This article focuses on the EN 18031 series of standards. Before diving into technical details, one critical concept must be clarified: there is no official certification type called “EN 18031 Cybersecurity Certification”. EN 18031 is a harmonised standard under the Radio Equipment Directive (RED, Directive 2014/53/EU). Once testing and the technical documentation are complete, compliance takes the form of the EU Declaration of Conformity and CE marking. The legally accurate term for “EN 18031 certification” is RED cybersecurity compliance based on EN 18031.
This wording distinction is not trivial; misunderstanding it leads to practical misconceptions. Many businesses assume they will receive an “EN 18031 certificate” to attach to products, but in reality, they obtain a CE Declaration of Conformity and technical documentation under the RED framework. Clarifying this basic positioning will help you better understand certification routes and regulatory logic.
One of the most frequently asked questions in the industry is whether EN 18031 and UNECE R155 are equivalent standards.
They are not. The two regimes differ completely in regulatory scope, legal frameworks and compliance pathways.
·UNECE R155 is a regulation issued by WP.29 (UN World Forum for Harmonization of Vehicle Regulations). It governs cybersecurity for complete motor vehicles, including passenger cars (M categories), commercial vehicles (N categories), trailers (O categories) and motorcycles (R categories). Manufacturers must first establish and certify a Cybersecurity Management System (CSMS), then obtain Vehicle Type Approval (VTA) before placing vehicles on the EU market. R155 requires manufacturers to follow cybersecurity engineering processes equivalent to ISO/SAE 21434.
·EN 18031 governs cybersecurity for radio equipment under the RED Directive, enforced by the European Commission and national market surveillance authorities.
When do both standards apply?
Mainly at the automotive component supply chain level. A connected vehicle must comply with R155 and Regulation (EU) 2019/2144 on general safety. However, components such as T‑Box modules and Bluetooth accessories placed separately on the EU market (not only supplied as part of a vehicle) must comply with EN 18031. Components supplied exclusively to vehicle manufacturers without separate marketing are covered by the vehicle type approval and do not require standalone RED + EN 18031 compliance.
Complete vehicles are exempt from the RED Article 3.3(d)(e)(f) cybersecurity requirements because they are already governed by R155 and Regulation (EU) 2019/2144. EN 18031 does not exclude vehicles; RED simply does not duplicate coverage.
2. What Exactly Does the EN 18031 Series Cover?
The full English title of EN 18031 is Common Security Requirements for Radio Equipment. Developed jointly by CEN and CENELEC, it was officially published in August 2024. On 30 January 2025, the European Commission added EN 18031‑1, ‑2 and ‑3 to the RED harmonised standards list via Implementing Regulation (EU) 2025/138, published in the Official Journal (OJ). Compliance with EN 18031 grants a presumption of conformity with RED Article 3.3(d)(e)(f).
The RED Directive was introduced in 2014, originally covering only spectrum, power and EMC. As IoT security incidents escalated, the Commission added three cybersecurity essential requirements in January 2022 via Delegated Regulation (EU) 2022/30:
·(d) No harm to networks or misuse of resources
·(e) Protection of personal data and privacy
·(f) Prevention of fraud involving monetary value
EN 18031 defines exactly how to meet these abstract requirements.
Key Enforcement Dates
·30 January 2025: EN 18031 enters the OJ, granting presumption of conformity.
·1 August 2025: RED Article 3.3(d)(e)(f) becomes mandatory, regardless of whether harmonised standards are used.
1 August 2025 has now passed. Manufacturers of any wireless product sold in the EU without RED cybersecurity compliance must act quickly.
3. The Three Parts of EN 18031
·EN 18031‑1: Cybersecurity. Covers RED 3.3(d). Applies to radio equipment with direct or indirect internet connectivity. Requires resistance to common attacks, strong encryption (minimum TLS 1.2), secure update mechanisms with signature verification and anti‑rollback, and secure key management.
·EN 18031‑2: Data Privacy Protection. Covers RED 3.3(e). Applies to devices processing personal data. Requires data minimisation, extra strict rules for children’s devices (parental controls, consent management, encrypted storage), and alignment with GDPR.
·EN 18031‑3: Anti‑Financial Fraud. Covers RED 3.3(f). Applies to devices handling monetary or virtual currency transactions, such as wireless POS terminals, NFC payment devices and hardware wallets. Requires transaction logging, audit trails, integrity verification and fraud detection.
Simple Scope Rule
·Internet‑connected wireless devices: at least EN 18031‑1
·Collect personal data: add EN 18031‑2
·Handle payments: all three parts apply
4. EN 18031 Compliance Routes
EN 18031 does not define conformity assessment modules; these come from RED.
·Module A (Self‑Declaration): Allowed if the product fully meets EN 18031 and does not trigger restriction clauses.
·Notified Body (NB) Route: Required if restrictions apply or full presumption is unavailable.
5. Key Restriction Clauses (EU 2025/138)
·Rationale and guidance sections do not grant presumption.
·Products allowing password‑free access lose presumption.
·Children’s/wearable devices without parental controls lose presumption.
·Certain update clauses in EN 18031‑3 do not grant presumption.
6. EN 18031 Process and Timeline
·Gap analysis: 2–6 weeks
·Design adjustment: 3–8 weeks
·Laboratory testing: 6–12 weeks
·NB review (if applicable): 4–10 weeks
·Declaration and marking: 1–3 weeks
Typical timelines:
·Low‑risk sensors: 3–4 months
·Medium‑risk devices: 4–6 months
·Children’s wearables: 5–7 months
·Payment terminals: 6–9 months
7. Exempt Products
·Medical devices: covered by MDR (EU) 2017/745
·Aviation equipment: covered by EU 2018/1139
·Complete vehicles: covered by R155 and EU 2019/2144
Payment terminals must comply with both PSD2 and EN 18031‑3.
For EN 18031 cybersecurity compliance, contact BLUEASIA certification consultant at: +86 13534225140