Cybersecurity standards EN 18031 are now harmonized
- Arianna Gringiani
- Feb 6
- 3 min read
Published on: February 6, 2025

The cybersecurity requirements of the Radio Equipment Directive (RED) Delegated Act will enter into force on August 1, 2025 (See also The Ultimate Guide to RED’s Newest Cybersecurity Requirements). The EN 18031 standard series was developed to help manufacturers implement these requirements (See also New RED Standards Published: Is Your Business Ready for Compliance?).
Now, the process is (almost) complete: on January 28, 2025, these standards were officially ‘harmonized with restrictions’ by the European Commission. Let’s look at what this means and why it’s an important step forward.
Harmonization: What does this mean?
A harmonized standard is a European standard that manufacturers, economic operators, and conformity assessment bodies can use to demonstrate compliance with relevant EU legislation. References to harmonized standards must be published in the Official Journal of the European Union (OJEU).
In simple terms, if a product complies with a harmonized standard, it is presumed to comply with the corresponding legislation - a concept known as “presumption of conformity.”
Harmonization: Why is it important?
Harmonization significantly impacts the process of demonstrating compliance with the RED Delegated Act.
When conducting conformity assessments before placing products on the EU market, manufacturers now have two options:
- Third-party assessment: certification by a Notified Body.
- Self-assessment: if the product is designed according to a harmonized standard, the manufacturer can perform the assessment internally.
Before harmonization, manufacturers were required to involve a Notified Body. Now, thanks to EN 18031, they can opt for self-assessment, following the standard’s requirements and providing the necessary documentation. This simplifies the compliance process significantly.
Harmonization with restriction: What does this mean?
Although EN 18031-1, -2, and -3 are now harmonized, they include specific restrictions that may invalidate presumption of conformity for certain products. If your product falls under these restrictions, you must involve a Notified Body.
These restrictions are corrections to the standard’s text. It is possible that future revisions of EN 18031 will address the European Commission’s concerns.
Beware of guidance sections
The standards include ‘rationale’ and ‘guidance’ sections providing justifications and implementation examples.
Restriction: These examples are not exhaustive. Implementing one of the suggested solutions does not automatically mean compliance; a thorough assessment is still required.
Do not skip password setup
EN 18031-1, -2, -3 (Clauses 6.2.5.1 and 6.2.5.2) state that if a product requires users to set a password, it must enforce a password change upon first use. The standard originally included an additional note allowing users to skip setting such passwords altogether.
Restriction: The option to skip setting a password has been removed.
Parental Control for toys
EN 18031-2:2024 (Clauses 6.1.3 to 6.1.6) defines access control mechanisms, allowing different methods to be chosen.
Restriction: For toy radio devices and childcare radio devices, parental control must be included as part of the access control mechanism.
Protect financial transactions
EN 18031-3:2024 (Clause 6.3.2.4) defines methods for secure updates in devices handling financial transactions.
Restriction: None of the methods in this clause alone is sufficient to ensure secure updates for financial transaction devices.
Practical steps to ensure compliance with RED DA
Before placing your product on the market:
- Identify applicable EN 18031 standards: perform threat modeling to determine whether your product falls under EN 18031-1, -2, and/or -3. The threat model should answer at least these questions:
  - Does the product connect to the internet, either directly or via other equipment?
  - Does the product process personal data?
  - Does the product handle monetary transactions?
- Check for restrictions: if your device violates any restriction (e.g., allowing users to skip password setup), a Notified Body assessment may be required. Otherwise, you can proceed with self-assessment. Even when a Notified Body assessment is not required, a company can always choose one voluntarily instead of self-assessment.
- Self-assessment: follow the standard’s guidance to prepare the required documentation and assess whether the requirements are met based on the collected information.
- Perform functional testing: conduct the necessary tests to verify compliance with the cybersecurity requirements and compile a test report showing that the test results align with the documentation.
If everything is in order, your product will be RED DA-compliant and can be placed on the market after August 2025.
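As an added illustration (not code from the post, the standard, or Security Pattern), the model below captures the first-use password rule from clauses 6.2.5.1/6.2.5.2 as this post summarizes it, the "skip" note that the harmonization restriction removed, and the kind of check a functional test report for that requirement would record. The device class, the factory default "admin", the check identifiers and the gating of operations are constructed assumptions for the example; the standard's actual test procedures are not reproduced here.

```python
# Added example: first-use password change as summarized on this page, with the
# pre-restriction "skip" path beside the harmonized flow, plus a small functional
# test that yields a pass/fail record per check. All names and values are constructed.
import inspect
from dataclasses import dataclass

FACTORY_DEFAULT = "admin"  # constructed placeholder for a factory default credential


class PolicyViolation(Exception):
    """Raised when an onboarding step would leave the device non-compliant."""


@dataclass
class Device:
    password: str = FACTORY_DEFAULT
    first_use_complete: bool = False  # True once a user-chosen password is in place


def _set_user_password(device: Device, new_password: str) -> Device:
    """Shared validation: a non-empty password that differs from the factory default."""
    if not new_password:
        raise PolicyViolation("a password must be set on first use")
    if new_password == FACTORY_DEFAULT:
        raise PolicyViolation("the factory default may not be kept as the user password")
    device.password = new_password
    device.first_use_complete = True
    return device


def first_use_setup_original(device: Device, new_password: str = "", skip: bool = False) -> Device:
    """Behaviour under the standard's original note: the user may skip password setup.
    The device then stays on the factory default yet is treated as fully set up."""
    if skip:
        device.first_use_complete = True
        return device
    return _set_user_password(device, new_password)


def first_use_setup_harmonized(device: Device, new_password: str) -> Device:
    """Behaviour after the restriction: no skip path exists, a password must be set."""
    return _set_user_password(device, new_password)


def perform_operation(device: Device, operation: str) -> str:
    """Normal functions are gated until the first-use password change is complete
    (a constructed design choice for this model)."""
    if not device.first_use_complete:
        raise PolicyViolation(f"{operation!r} refused: first-use password change pending")
    return f"{operation} ok"


def _raises_policy_violation(func, *args, **kwargs) -> bool:
    try:
        func(*args, **kwargs)
    except PolicyViolation:
        return True
    return False


def functional_test_report() -> dict:
    """Checks a test report for the password requirement might record (constructed IDs).
    Each value is True when the harmonized flow behaves as the requirement demands."""
    report = {}
    # PW-01: the harmonized flow exposes no skip option at all.
    params = inspect.signature(first_use_setup_harmonized).parameters
    report["PW-01 no skip option"] = "skip" not in params
    # PW-02: normal operation is blocked before the first-use change.
    report["PW-02 blocked before setup"] = _raises_policy_violation(
        perform_operation, Device(), "read-config")
    # PW-03: keeping the factory default is rejected.
    report["PW-03 default rejected"] = _raises_policy_violation(
        first_use_setup_harmonized, Device(), FACTORY_DEFAULT)
    # PW-04: an empty password is rejected.
    report["PW-04 empty rejected"] = _raises_policy_violation(
        first_use_setup_harmonized, Device(), "")
    # PW-05: after a valid change, operations work and the default no longer applies.
    dev = first_use_setup_harmonized(Device(), "user-chosen-secret")
    report["PW-05 setup completes"] = (
        perform_operation(dev, "read-config") == "read-config ok"
        and dev.password != FACTORY_DEFAULT)
    return report


def skip_left_default_in_place() -> bool:
    """Evidence for why the restriction mattered: under the original note, skipping
    setup left the factory default active on a device considered ready for use."""
    dev = first_use_setup_original(Device(), skip=True)
    return dev.password == FACTORY_DEFAULT and dev.first_use_complete


if __name__ == "__main__":
    for check, passed in functional_test_report().items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}")
    print("original skip path kept factory default:", skip_left_default_in_place())
```

The check identifiers (PW-01 to PW-05) stand in for whatever numbering your own test plan uses; the point is that each requirement in the documentation maps to a recorded, repeatable test result rather than to an implementation example from the standard's guidance section.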
How Security Pattern can help
We offer various consultancy services and training modules to support your organization with cybersecurity challenges.
Compliance GAP analysis
Discover our Compliance Gap Analysis for EN 18031.
Threat Modeling and Risk Assessment
Threat modeling and risk assessment are critical activities in cybersecurity, aimed at identifying, evaluating, and prioritizing potential threats to assets.
Penetration Testing
We can perform the functional EN 18031 tests as well as other types of tests such as penetration and fuzz testing.
Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.