
EN 18031 published in the OJEU: RED 3.3 compliance path opens

News · Harmonised standards

In August 2024, the European Commission cited the three harmonised standards EN 18031-1, EN 18031-2 and EN 18031-3 in the Official Journal of the European Union. This was the missing piece: since the adoption of Delegated Regulation (EU) 2022/30 in 2021, the RED article 3.3 cybersecurity obligations had existed without any documented path to demonstrate compliance. The publication of the three standards removed that obstacle and made possible the effective activation of article 3.3 on 1 August 2025.

The three harmonised standards were drafted by the joint CEN-CENELEC technical committees under standardisation mandate M/585, issued by the European Commission in August 2022. The mandate explicitly requested standards covering the three activated paragraphs of the Delegated Regulation:

  • EN 18031-1, common security requirements for radio equipment (article 3.3(d), network protection).
  • EN 18031-2, requirements for radio equipment processing personal data (article 3.3(e)).
  • EN 18031-3, requirements for radio equipment performing monetary transactions (article 3.3(f)).

The three texts were cited in the OJEU in August 2024, roughly two years after the mandate was issued: a relatively short delay for harmonised standard production, driven directly by the pressure of an activation originally scheduled for the same date. OJEU citation is the legally decisive event, because it is what confers the presumption of conformity on manufacturers who apply the standards.

A harmonised standard is not a regulation: it remains voluntary in application. But it enjoys a particular status: if a manufacturer applies it in full, they are presumed to conform to the corresponding essential requirement of the directive. Any other approach remains possible, provided technical equivalence is demonstrated, which substantially increases the burden of proof. In practice, in about 95 % of cases, manufacturers follow the harmonised standard.

EN 18031-1 covers article 3.3(d) of the directive: preventing a compromised radio device from becoming an entry point into the networks it connects to. The controls assessed cover device authentication, restriction of unsolicited outbound connections, signed and verifiable software updates, non-essential services disabled by default, and logging of significant security events.

Quick reference: EN 18031-1.

EN 18031-2 covers article 3.3(e). It applies to any radio equipment capable of collecting, transmitting or storing personal data, which in practice covers nearly every connected device. Controls focus on communication encryption (TLS 1.2 or higher), encrypted storage of secrets, password management (no shared factory default), secure erasure at end of life, and transparent documentation of the data collected.

The scope partly overlaps with GDPR but operates at a different level: product compliance, not processing compliance.

Quick reference: EN 18031-2.

EN 18031-3 covers article 3.3(f) and is much more narrowly scoped: it applies to equipment that performs or facilitates financial transactions, such as payment terminals, card readers, and connected devices capable of in-app purchases validated on the product. Controls cover strong authentication of operations, integrity and non-repudiation of transactions, replay protection, and an audit trail.

Quick reference: EN 18031-3.

Basic, substantial and high assurance levels


The three standards introduce an assessment-level logic, inspired by Common Criteria but substantially simplified:

| Level       | Who assesses                               | When to apply                              |
|-------------|--------------------------------------------|--------------------------------------------|
| Basic       | Manufacturer self-assessment, documented   | Low-risk consumer IoT products             |
| Substantial | Accredited independent third party         | Sensitive data, industrial use             |
| High        | Third party + penetration testing          | Critical products, payment, infrastructure |

The level is chosen based on a risk analysis conducted and documented by the manufacturer in the technical file. The basic level does not mean "no work": it still requires a formal risk analysis, an inventory of controls, and documented design choices. But the assessment remains internal, which keeps the cost manageable.

Before August 2024, the situation was deadlocked: the Delegated Regulation set obligations, but no standard cited in the OJEU allowed compliance to be demonstrated in a recognised way. Laboratories hesitated to invest in EN 18031 accreditation scopes while the standards remained drafts. Manufacturers postponed RED 3.3 projects for lack of a clear method.

OJEU publication unlocks several things at once:

  1. A documented compliance path for manufacturers: the standard to apply exists and the methodology is fixed.
  2. Laboratory accreditation becomes possible: accreditation bodies (COFRAC in France, DAkkS in Germany, UKAS in the UK) can now extend their scopes to EN 18031.
  3. Effective activation of the Delegated Regulation on 1 August 2025: without published standards, activation would have been deferred again.
  4. Stabilisation of the assessment services market: evaluator training, standardised deliverables, and comparability of reports across labs.

For the detail of tests required at each level, see RED tests required.

EN 18031 standards are focused on technical controls observable at finished product level. They do not cover several important cybersecurity topics addressed elsewhere in the European regulatory landscape:

  • Software supply chain security (SBOM, inherited vulnerabilities): covered by the Cyber Resilience Act (CRA).
  • Operator network infrastructure security: covered by NIS2.
  • Manufacturer cybersecurity governance and organisation: partly covered by the CRA.
  • Post-market vulnerability notification: framed by the CRA, not by EN 18031.
  • Personal data protection in the processing sense: GDPR.

EN 18031 is therefore one piece of the puzzle, not the complete solution. A rigorous manufacturer must map obligations across the applicable regimes.

The Cyber Resilience Act (Regulation (EU) 2024/2847, adopted October 2024) creates a horizontal product cybersecurity framework that will eventually cover all products with digital elements, not just radio equipment. CRA obligations enter full force in December 2027. In the meantime, EN 18031 remains the reference for radio products.

The Commission has explicitly indicated that EN 18031 technical controls will be recognised within the CRA framework for products in scope: there will be no double assessment for the common requirements. The CRA will essentially add supply chain and vulnerability notification obligations.

NIS2 (Directive (EU) 2022/2555) concerns critical infrastructure operators, not product manufacturers; the link is indirect. GDPR continues to apply independently to data processing, as a complement.

To anticipate regulatory evolution beyond the EU, see the EU-US dual certification guide, which compares RED 3.3 to the US FCC/CISA approach.

  • The three standards EN 18031-1, -2 and -3 have been cited in the OJEU since August 2024 and confer the presumption of conformity with RED articles 3.3(d), (e), (f).
  • They were drafted by CEN-CENELEC under Mandate M/585 issued in 2022.
  • Three assurance levels (basic, substantial, high): the choice depends on the manufacturer's risk analysis.
  • Publication made possible the effective activation of RED 3.3 on 1 August 2025.
  • The standards cover product-level technical controls only; supply chain and cybersecurity governance fall under the Cyber Resilience Act.

Sources & references

  1. EN 18031-1: Common security requirements for radio equipment, CENELEC, www.cenelec.eu/
  2. EN 18031-2: Common security requirements for radio equipment processing personal data, CENELEC, www.cenelec.eu/
  3. EN 18031-3: Common security requirements for radio equipment for monetary transactions, CENELEC, www.cenelec.eu/
  4. Mandate M/585: Commission standardisation request, European Commission, eur-lex.europa.eu/