03 Feb. 2025

On Jan 30th 2025, the EN 18031 series of standards, intended for use to show compliance with the cyber security requirements in the EU Radio Equipment Directive, was published in the EU Official Journal. However, as these standards were harmonised with notices, compliance with the requirements is still not as clear-cut as it could have been.

The RED delegated act on cyber security came into force on February 1, 2022. Setting out cyber security requirements for all devices connected to the internet, this piece of legislation will be mandatory from August 1, 2025.

After nearly a year of delays, the EN 18031 series of cyber security standards, intended for use to show compliance with the cyber security requirements stipulated in this act, was published by CEN-CENELEC on August 14, 2024. On Jan 30, 2025, this series of standards was finally published in the EU Official Journal, a great step forward for cyber security conformity assessment in the EU.

Accordingly, the following standards have been harmonised with Article 3(3) of Directive 2014/53/EU:

EN 18031-1:2024 Common security requirements for radio equipment – Part 1: internet connected radio equipment, published in support of Article 3(3) (d) in Directive 2014/53/EU, “radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service”.

EN 18031-2:2024 Common security requirements for radio equipment – Part 2: radio equipment processing data, namely internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment, published in support of Article 3(3) (e), “radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected”. 

EN 18031-3:2024 Common security requirements for radio equipment – Part 3: internet connected radio equipment processing virtual money or monetary value, published in support of Article 3(3) (f), “radio equipment supports certain features ensuring protection from fraud”. 

It is, however, important to note that the EN 18031 series has been published in the Official Journal with notices, which means that there are certain limitations / restrictions that need to be considered when evaluating the cyber security requirements set out in RED Article 3(3) (d), (e) and (f).

These limitations are as follows: 

EN 18031-1:2024  

Notice 1: The sections named “rationale” and “guidance” in this harmonised standard do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first sub-paragraph, point (d), of Directive 2014/53/EU. 

Notice 2: This harmonised standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first sub-paragraph, point (d), of Directive 2014/53/EU if, when applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password. 

 
EN 18031-2:2024  

Notice 1: The sections named “rationale” and “guidance”, in this harmonised standard, do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU. 

Notice 2: This harmonised standard does not confer a presumption of conformity with Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU if, by applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password. 

Notice 3: For the classes or categories of radio equipment covered by clause 6.1.3, 6.1.4, 6.1.5 or 6.1.6 of this harmonised standard, this harmonised standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU if, by applying its clauses 6.1.3.4.2, 6.1.4.4.2, 6.1.5.4.2 and 6.1.6.4.2, parental or guardian access control is not ensured.

 
EN 18031-3:2024  

Notice 1: The sections named “rationale” and “guidance”, in this harmonised standard, do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU. 

Notice 2: This harmonised standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU if, when applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password. 

Notice 3: As regards the assessment criteria set out in clause 6.3.2.4 of this harmonised standard, this harmonised standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.

Notified body involvement no longer required (in certain cases)

Normally, when a harmonised standard is published in the OJ, it confers a presumption of conformity with the directive it is harmonised against. However, in this particular case, the EN 18031 series has been published with notices, which means that self-assessment is only allowed if the relevant harmonised standards of the EN 18031:2024 family are applied to the product and are not affected by the restrictions described above.

Reference document:
COMMISSION IMPLEMENTING DECISION (EU) 2025/138

Fredrik Wennersten

Electrical Product Certification Manager at Intertek Semko AB

Fredrik Wennersten is Electrical Product Certification Manager at Intertek SEMKO AB, with more than 25 years within the Conformity Assessment industry. He is active globally within the IECEE CB scheme as both Convener of CMC Working Group 29 and Co-Chair of the Policy and strategy committee, as well as Vice President-elect of the European Certification organization ETICS.