EN 18031 published: the RED 3.3 path opens
News · Harmonised standards
In August 2024, CEN-CENELEC published the three standards EN 18031-1, EN 18031-2 and EN 18031-3. This was the missing piece, since the adoption of Delegated Regulation (EU) 2022/30 in 2021, the RED article 3.3 cybersecurity obligations existed without any documented path to demonstrate compliance. Their citation in the Official Journal of the European Union followed on 30 January 2025 with Implementing Decision (EU) 2025/138, which removed that obstacle and made possible the effective activation of article 3.3 on 1 August 2025.
What was published
Section titled “What was published”The three harmonised standards were drafted by the joint CEN-CENELEC technical committees under standardisation mandate M/585, issued by the European Commission in August 2022. The mandate explicitly requested standards covering the three activated paragraphs of the Delegated Regulation:
- EN 18031-1, common security requirements for radio equipment (article 3.3(d), network protection).
- EN 18031-2, requirements for radio equipment processing personal data (article 3.3(e)).
- EN 18031-3, requirements for radio equipment performing monetary transactions (article 3.3(f)).
The three texts were published in August 2024, roughly two years after the mandate was issued, a relatively short delay for harmonised standard production, driven directly by the pressure of an activation originally scheduled for the same date. Their citation in the OJEU followed on 30 January 2025, through Implementing Decision (EU) 2025/138, with restrictions (notably on the clauses allowing a user to set no password). OJEU citation is the legally structuring event: it confers the presumption of conformity on manufacturers who apply the standards.
Legal status of harmonised standards
Section titled “Legal status of harmonised standards”A harmonised standard is not a regulation: it remains voluntary in application. But it enjoys a particular status, if a manufacturer applies it in full, they are presumed to conform to the corresponding essential requirement of the directive. Any other approach remains possible, provided technical equivalence is demonstrated, which substantially increases the burden of proof. In practice, in about 95 % of cases, manufacturers follow the harmonised standard.
The three documents in detail
Section titled “The three documents in detail”EN 18031-1, network protection
Section titled “EN 18031-1, network protection”The text covers article 3.3(d) of the directive: preventing a compromised radio device from becoming an entry point into the networks it connects to. The controls assessed cover device authentication, restriction of unsolicited outbound connections, signed and verifiable software updates, default-off non-essential services, and logging of significant security events.
Quick reference: EN 18031-1.
EN 18031-2, personal data protection
Section titled “EN 18031-2, personal data protection”The text covers article 3.3(e). It applies to any radio equipment capable of collecting, transmitting or storing personal data, which in practice covers nearly every connected device. Controls focus on communication encryption (TLS 1.2 or higher), encrypted storage of secrets, password management (no shared factory default), secure erasure at end of life, and transparent documentation of collected data.
The scope partly overlaps with GDPR but operates at a different level: product compliance, not processing compliance.
Quick reference: EN 18031-2.
EN 18031-3, monetary transactions
Section titled “EN 18031-3, monetary transactions”The text covers article 3.3(f), much more narrowly scoped: it applies to equipment that performs or facilitates financial transactions, payment terminals, card readers, connected devices capable of in-app purchases validated on the product. Controls cover strong authentication of operations, integrity and non-repudiation of transactions, replay protection, and audit trail.
Quick reference: EN 18031-3.
Decision trees and pass/fail assessments, not assurance levels
Section titled “Decision trees and pass/fail assessments, not assurance levels”A common misconception attributes basic, substantial and high assurance levels to EN 18031. Those tiers belong to the Cybersecurity Act (Regulation (EU) 2019/881) certification framework, not to these standards. EN 18031 works differently:
| Mechanism | What it does |
|---|---|
| Risk assessment | The manufacturer identifies which parts apply: EN 18031-1 for 3.3(d), EN 18031-2 for 3.3(e), EN 18031-3 for 3.3(f) |
| Decision trees | Each requirement includes decision trees that determine whether it applies to the product |
| Per-mechanism assessment | Each applicable security mechanism receives a conceptual assessment (documented justification) plus functional completeness and functional sufficiency assessments |
Every assessment concludes pass or fail, there is no graduated level. The route to conformity depends on how the standards are applied: applied in full with none of the OJEU-citation restrictions of Implementing Decision (EU) 2025/138 triggered (no-password clauses 6.2.5.1/6.2.5.2 in all three parts, parental access controls for toys and childcare equipment in EN 18031-2, secure updates for financial assets in EN 18031-3), the manufacturer may self-assess under module A. Self-assessment does not mean "no work", it requires a formal risk analysis, an inventory of controls, and documented design choices, but it keeps the cost manageable. A triggered restriction or a partially applied standard imposes a Notified Body (EU-type examination, module B + C).
What the publication unlocks in practice
Section titled “What the publication unlocks in practice”Before August 2024, the situation was deadlocked: the Delegated Regulation set obligations, but no standard cited in the OJEU allowed compliance to be demonstrated in a recognised way. Laboratories hesitated to invest in EN 18031 accreditation scopes while the standards remained drafts. Manufacturers postponed RED 3.3 projects for lack of a clear method.
Publication, followed by the OJEU citation of January 2025, unlocked several things at once:
- Documented compliance path for manufacturers, the standard to apply exists, the methodology is fixed.
- Laboratory accreditation possible, accreditation bodies (COFRAC in France, DAkkS in Germany, UKAS in the UK) can now extend EN 18031 scopes.
- Effective activation of the Delegated Regulation on 1 August 2025, without published standards, activation would have been deferred again.
- Stabilisation of the assessment services market, evaluator training, standardised deliverables, report comparability across labs.
For the detail of the required assessments, see RED tests required.
What is covered and what is not
Section titled “What is covered and what is not”EN 18031 standards are focused on technical controls observable at finished product level. They do not cover several important cybersecurity topics addressed elsewhere in the European regulatory landscape:
- Software supply chain security (SBOM, inherited vulnerabilities): covered by the Cyber Resilience Act (CRA).
- Operator network infrastructure security, covered by NIS2.
- Manufacturer cybersecurity governance and organisation, partly covered by the CRA.
- Post-market vulnerability notification, framed by the CRA, not by EN 18031.
- Personal data protection in the processing sense: GDPR.
EN 18031 is therefore one piece of the puzzle, not the complete solution. A rigorous manufacturer must map obligations across the applicable regimes.
Relation to CRA, NIS2 and GDPR
Section titled “Relation to CRA, NIS2 and GDPR”The Cyber Resilience Act (Regulation (EU) 2024/2847, adopted October 2024) creates a horizontal product cybersecurity framework that will eventually cover all products with digital elements, not just radio equipment. CRA obligations enter full force in December 2027. In the meantime, EN 18031 remains the reference for radio products.
The Commission has explicitly indicated that EN 18031 technical controls will be recognised within the CRA framework for products in scope, there will be no double assessment for the common requirements. The CRA will essentially add supply chain and vulnerability notification obligations.
NIS2 (Directive (EU) 2022/2555) concerns critical infrastructure operators, not product manufacturers, the link is indirect. GDPR continues to apply independently to data processing, as a complement.
To anticipate regulatory evolution beyond the EU, see the EU-US dual certification guide, which compares RED 3.3 to the US FCC/CISA approach.
Key takeaways
Section titled “Key takeaways”- The three standards EN 18031-1, -2 and -3 were published in August 2024 and have been cited in the OJEU since 30 January 2025 (Implementing Decision (EU) 2025/138, with restrictions); they confer the presumption of conformity with RED articles 3.3(d), (e), (f).
- They were drafted by CEN-CENELEC under Mandate M/585 issued in 2022.
- No assurance levels: assessment relies on decision trees and pass/fail conceptual and functional evaluations; self-assessment (module A) is possible when the standards are fully applied and no OJEU restriction is triggered, otherwise a Notified Body is required.
- Publication, then OJEU citation, made possible the effective activation of RED 3.3 on 1 August 2025.
- The standards cover product-level technical controls only, supply chain and cybersecurity governance fall under the Cyber Resilience Act.
Further reading
Section titled “Further reading”- RED harmonised standards: full table
- RED tests required: detail of essays per articles 3.1 to 3.3
- EU-US dual certification: comparison of cybersecurity approaches
Sources & references
- EN 18031-1: Common security requirements for radio equipment , CENELEC www.cenelec.eu/
- EN 18031-2: Common security requirements for radio equipment processing personal data , CENELEC www.cenelec.eu/
- EN 18031-3: Common security requirements for radio equipment for monetary transactions , CENELEC www.cenelec.eu/
- Mandate M/585: Commission standardisation request , European Commission eur-lex.europa.eu/
- Implementing Decision (EU) 2025/138: citation of EN 18031-1/-2/-3 in the OJEU , European Commission eur-lex.europa.eu/eli/dec_impl/2025/138/oj