
Professional Analysis | New Trends in EU RED Cybersecurity: Revealing the Core Points of the EN 18031 Standard

2024 Global Market Access Regulatory Updates


In January 2025, the EN 18031 series of standards was published in the Official Journal of the European Union (OJ) with some restrictions, which means they have become harmonised standards that fulfil the RED cybersecurity requirements (Art. 3.3(d)/(e)/(f)).

PART 1 RED Cybersecurity Requirements

The EU issued the RED delegated acts (EU) 2022/30 and (EU) 2023/2444 in 2022 and 2023, respectively, stipulating that manufacturers must address the three cybersecurity requirements of the RED during design and production. These requirements will take effect on August 1, 2025.

Article 3.3(d):

Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;

Article 3.3(e):

Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;

Article 3.3(f):

Radio equipment supports certain features ensuring protection from fraud.

Part 2 Coverage and Exemptions

#1 Coverage

Article 3.3(d) applies to:

Any radio device capable of communicating via the Internet, whether directly or through another networked radio device.

Article 3.3(e) applies to:

Radio devices that process personal data, traffic data, or location data—including connected radio devices—as well as those used in child care, most radio toys (as defined under Directive 2009/48/EC), and wearable radio devices (even when not connected to the Internet).

Article 3.3(f) applies to:

Networked radio devices that enable the user or holder to transfer funds, financial value, or virtual currency.

#2 Exemptions

Articles 3.3(d), (e), and (f) do not apply to medical devices regulated under Regulations (EU) 2017/745 and (EU) 2017/746.

Articles 3.3(e) and (f) do not apply to remotely piloted unmanned aircraft systems regulated under Regulation (EU) 2018/1139, as well as specific non-airborne radio equipment that may be installed on aircraft; motor vehicles and related systems and components regulated under Regulation (EU) 2019/2144; and road toll systems regulated under Directive (EU) 2019/1520.

PART 3 EN 18031-1,-2,-3:2024

  1. EN 18031-1:2024 corresponds to Article 3.3(d) cybersecurity requirements, applicable to internet-connected radio equipment. It primarily focuses on fundamental cybersecurity requirements for radio devices. The standard mandates comprehensive assessments of security and network assets/risks, while addressing critical evaluation components such as resilience mechanisms, network monitoring mechanisms, and authentication mechanisms. These provisions establish foundational safeguards for device cybersecurity.
  2. EN 18031-2:2024 aligns with Article 3.3(e) cybersecurity requirements, covering radio equipment that processes personal data. This includes both internet-connected devices and some non-connected devices, such as childcare products and wearable radio devices. The standard emphasizes data processing security through privacy risk assessments, access control mechanisms, logging mechanisms, data erasure protocols, and user notification systems, ensuring robust protection of personal data.
  3. EN 18031-3:2024 implements Article 3.3(f) cybersecurity requirements for radio equipment handling virtual currencies or financial data. Targeting internet-connected devices processing cryptocurrency or monetary value, it specifically addresses security/financial asset evaluations, risk assessments, incident tracing mechanisms, and software trustworthiness verification. These measures effectively ensure the security of financial transaction-related devices.

The EN 18031 standards divide assessment content into four types of assets: security assets, network assets, privacy assets, and financial assets. Security assets are required in all three standards, while the remaining three are distributed respectively across EN 18031-1/2/3, each with a different focus based on the asset type. In terms of assessment methods, EN 18031 adopts the concept of mechanisms to guide the application of specific security measures and evaluates these mechanisms to address issues of applicability and appropriateness.

Essential requirement   EN 18031-1 for 3.3(d)   EN 18031-2 for 3.3(e)   EN 18031-3 for 3.3(f)
Security asset          applies                 applies                 applies
Network asset           applies                 -                       -
Privacy asset           -                       applies                 -
Financial asset         -                       -                       applies

#2 What changes are there compared to ETSI EN 303 645?

Based on the assessment content and mechanisms outlined above, EN 18031 differs significantly from ETSI EN 303 645. A more in-depth analysis of these differences, along with detailed interpretations of the EN 18031 series standards, will be provided.

PART 4 Manufacturer Response Measures

If a product does not fall under the restrictions, manufacturers may perform a self-assessment against the standard or opt for evaluation by an independent third party. If a product does fall under the restrictions, manufacturers must engage a Notified Body to obtain the certificate.

About the restrictions:

[all] If the manufacturer leaves open the possibility, under clauses 6.2.5.1 and 6.2.5.2, of allowing a user not to set any password -> a Notified Body needs to be involved.

[3.3.e & toy/childcare] If the manufacturer leaves open the possibility, under clauses 6.1.3, 6.1.4 and 6.1.5, of not implementing parental or guardian control -> a Notified Body needs to be involved.

[3.3.f] A manufacturer of products covered by harmonised standard EN 18031-3:2024 to which clause 6.3.2.4 applies does not benefit from the presumption of conformity, regardless of the design of the product -> a Notified Body needs to be involved.

PART 5 How can we help you?

TÜV SÜD successfully expanded its notified body qualifications under the EU RED Directive for cybersecurity requirements specified in RED Article 3(3)(d)/(e)/(f) in 2023. Our in-depth understanding of the standards and strong expertise in cybersecurity enable us to provide RED network security testing and evaluation services for manufacturers in alignment with the EN 18031 series standards.

Additionally, for products that have already passed TÜV SÜD's ETSI EN 303 645 certification testing, we offer differential testing and certification update services based on the variances between standards. This helps manufacturers efficiently address compliance challenges across multiple standards and markets.
