Interpretation of the EU Cybersecurity Law and its Harmonised Standard EN 18031

Author: Super Administrator  Published: 2025-07-02 17:45:54

On January 30, 2025, the European Commission officially listed the EN 18031 series in the Official Journal of the European Union (OJ) as harmonised standards under the Radio Equipment Directive (RED), making the series an important basis for the cybersecurity compliance of radio equipment within the EU. The new regulations will be enforced from August 1, 2025, so manufacturers need to take immediate action.

1、 Content of the new regulations

The EN 18031 series is divided into three parts, EN 18031-1, EN 18031-2, and EN 18031-3, which correspond to the requirements of Article 3(3)(d), (e), and (f) of the RED, respectively, and cover a variety of wireless devices:

1. EN 18031-1: Security Cornerstone for Internet-Connected Devices

Applies to radio equipment that connects to the Internet, including smartphones, tablet computers, smart home devices, and other devices that can communicate over the Internet independently, as well as products that connect indirectly through a gateway, mobile phone, or other intermediary device. This standard mainly governs security assets and network assets. It aims to ensure that equipment connected to the Internet does not damage the network or its functions and does not misuse network resources in a way that degrades service quality.

2. EN 18031-2: Privacy Fortress for Data Processing Devices

Applies to radio equipment that processes data, such as Internet-connected devices, childcare devices, toys, and wearable devices. This standard focuses on privacy protection and requires devices to implement privacy protection mechanisms such as access control and data encryption to secure users' personal data, traffic data, and location data.

3. EN 18031-3: Security Shield for Financial Transaction Equipment

Applies to Internet-connected radio equipment that processes virtual currency or monetary value, such as payment terminals supporting virtual currency transactions and cryptocurrency hardware wallets. This standard requires devices to have anti-fraud functions, using logging, software integrity verification, and other means to ensure the security of financial transactions.

Exemption scope:

1. Medical devices and equipment not covered by MDR regulations.

2. Not applicable to equipment under Regulation (EU) 2018/1139 and Regulation (EU) 2019/2144.

3. Not applicable to equipment related to aviation or road traffic within the scope of Directive (EU) 2019/520.

2、 Does a product that already has CE certification need to be recertified?

1. Situations requiring recertification

The product falls within the newly added control scope of the RED directive

For example, smartphones, smart home devices, payment terminals, etc. must meet the requirements for network protection (3.3d), privacy protection (3.3e), and anti-fraud (3.3f), and must pass EN 18031 testing and update the CE-RED certificate.

The original CE-RED certification did not cover the cybersecurity provisions

If the certificate does not include the RED-DA requirements supplemented in 2022 (such as device default password protection and financial transaction security mechanisms), additional testing is required.

2. Situations not requiring recertification

The product does not fall within the newly added scope of the RED directive

For example, ordinary electrical appliances (such as electric fans and lamps) only need to comply with EMC (electromagnetic compatibility) or the LVD (Low Voltage Directive). If the standards have not been updated and the design has not changed, the original certificate continues to be valid.

The certification is still valid and the standards have not changed

The default validity period of the CE certificate is 5 years. If the product has not been modified and the directive has not been updated, there is no need for repeated certification.

3、 Situations where third-party certification and a Notified Body (NB) certificate are required:

1. The device allows users not to set a password

Example: A phone offers an "unlock without password" function → requires third-party certification.

2. Children's or privacy-sensitive devices

The product is a children's toy, baby monitor, or wearable device, and it has no mandatory parental control permission.

Example: A children's smartwatch has no built-in function to remotely disable the camera → requires third-party certification.

3. Financial transaction-related equipment

The product handles payments or virtual currency storage (such as POS machines and hardware wallets) and relies solely on a single security measure.

Example: A cryptocurrency hardware wallet uses only digital signatures to protect keys → requires third-party certification.