The European Union has formally harmonized the EN 18031 cybersecurity standard series under the Radio Equipment Directive (RED) 2014/53/EU, providing manufacturers with a clear compliance pathway for newly enforced cybersecurity requirements applicable to radio-enabled products placed on the EU market.
This development marks a critical milestone ahead of the mandatory RED cybersecurity enforcement date of 1 August 2025.
What Is EN 18031?
EN 18031 is a European standard developed to support the cybersecurity-related essential requirements of the Radio Equipment Directive, specifically Articles 3(3)(d), 3(3)(e), and 3(3)(f). The standard is divided into three parts:
- EN 18031-1 – Cybersecurity requirements for internet-connected radio equipment (network protection and resilience)
- EN 18031-2 – Protection of personal data, privacy, and safeguards for devices such as children’s products and wearables
- EN 18031-3 – Cybersecurity requirements for radio equipment handling virtual money or monetary value (fraud protection)
These standards apply to a wide range of products, including connected IoT devices, wireless consumer electronics, wearables, and other internet-connected equipment.
What “Harmonized” Means
By being referenced in the Official Journal of the European Union (OJEU), the EN 18031 series is now considered a harmonized standard under RED. Manufacturers that fully implement the applicable parts of EN 18031 may claim presumption of conformity with the RED cybersecurity requirements covered by the standard.
This allows manufacturers, in many cases, to follow a self-declaration conformity route rather than requiring a full Notified Body cybersecurity assessment, provided all applicable clauses are met without deviation.
Important Compliance Considerations
While harmonization provides a streamlined compliance path, it is not unconditional:
- If a product does not fully meet certain EN 18031 requirements (e.g. update mechanisms, credential handling, parental controls, or security architecture limitations), presumption of conformity may not apply.
- In such cases, involvement of a RED Notified Body may still be required.
- EN 18031 applies only to products in scope of the Radio Equipment Directive and does not replace other EU cybersecurity legislation (such as the Cyber Resilience Act).
Manufacturers should carefully assess which parts of EN 18031 apply to their product and document how each applicable requirement is met.
Regulatory Timeline
- 1 August 2025 – RED cybersecurity requirements become mandatory across the EU
- EN 18031 is now the primary harmonized technical reference supporting compliance with those requirements
Products placed on the EU market after this date must comply with the RED cybersecurity obligations, either via EN 18031 or an alternative conformity assessment route.
Official EU Source
The harmonization of EN 18031 was published in the Official Journal of the European Union, formally recognizing the EN 18031-1, EN 18031-2, and EN 18031-3 standards as supporting the RED cybersecurity requirements.
- Official Journal of the European Union – Harmonized Standards under RED:
https://eur-lex.europa.eu
(Search: EN 18031 Radio Equipment Directive cybersecurity)
Questions or Product Impact Review
If you have questions about this standard or about determining whether EN 18031 applies to your product, contact Nexus for more details.