    February 2, 2025

    Cybersecurity in Europe - EN 18031 is now a harmonized standard

    On January 30, 2025, the European Commission officially listed the EN 18031 series in the Official Journal (OJ) of the European Union under the Radio Equipment Directive (RED). This marks a significant development for manufacturers of radio equipment, as these standards address cybersecurity requirements that will become mandatory from August 1, 2025.


    Background on EN 18031 and the RED Cybersecurity Requirements

    The Radio Equipment Directive requires that radio equipment sold within the EU meet essential requirements related to safety, electromagnetic compatibility, and efficient spectrum use. In 2022, the Commission also introduced cybersecurity requirements under Article 3(3):

    • Article 3(3)(d): Protection against network harm and service degradation
    • Article 3(3)(e): Safeguards for personal data and user privacy
    • Article 3(3)(f): Measures to prevent fraud in radio equipment handling virtual currency
    The EN 18031 series was developed to provide harmonized standards that help manufacturers demonstrate compliance with these new cybersecurity requirements.

    OJ Listing and Its Restrictions

    With the listing of EN 18031 in the OJ, manufacturers can now use these standards to claim presumption of conformity with RED’s cybersecurity requirements. However, this listing comes with certain restrictions, which must be carefully considered when implementing compliance strategies. These restrictions relate to:

    • The sections “rationale” and “guidance”
    • Use of passwords
    • Parental or guardian access control
    • Transfer of monetary value

    Implications for Manufacturers

    As the cybersecurity requirements of the RED are mandatory from August 1, 2025, manufacturers must act promptly to align their products with the new requirements. Key steps include:

    1. Review the RED scope: Does your product fall within the scope of the cybersecurity requirements of RED? A Notified Body like Nemko may assist in determining the relevance for your product.
    2. Review the EN 18031 Series: Understand how these standards apply to your products and any restrictions affecting their use.
    3. Conduct a Compliance Gap Analysis: Assess your current cybersecurity measures against EN 18031 requirements.
    4. Engage with a Notified Body: Because EN 18031 is a new standard (published only in August 2024) and because of the restrictions on its use, consulting with a Notified Body remains important to ensure full compliance, and it is a requirement if you use solutions that are alternative to the letter of the standard.
    5. Prepare for Market Readiness: Implement necessary changes in design, testing, and documentation to meet the August 2025 deadline. A RED Notified Body certificate will be a good way to demonstrate compliance in the market. 

    Conclusion

    The listing of the EN 18031 series in the Official Journal provides much-needed clarity for manufacturers navigating RED’s cybersecurity requirements. However, the accompanying restrictions highlight the need for careful evaluation and expert guidance. As a Notified Body, we are here to support manufacturers in interpreting these requirements, conducting assessments, and ensuring their products meet all regulatory obligations before the compliance deadline.

    For further guidance or to discuss your product’s certification process, contact us today.

    Book a free online meeting with a member of our cybersecurity team.

     


    If you want to read more about what Nemko does to secure your everyday cyber life, see our cyber security pages.

    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...
