Martin Walian
Martin Walian, MBA & Certified Export Control Manager (CECM)
EN 18031 Explained:
What It Means for Your IoT Product
EN 18031 is the harmonized European standard for cybersecurity in connected devices under the Radio Equipment Directive (RED). If your product has wireless connectivity and is sold in the EU, this standard defines the tests your product must pass. This guide explains what EN 18031 covers, who it applies to, and how to prepare.
We Prepare An Effective Strategy For Companies
EN 18031 is a family of three standards (EN 18031-1, EN 18031-2, and EN 18031-3) developed by CEN/CENELEC to support the Radio Equipment Directive (RED) delegated acts for cybersecurity. These standards were published in the EU Official Journal and provide a presumption of conformity with RED Articles 3.3(d), 3.3(e), and 3.3(f).
In practical terms, EN 18031 defines the security requirements your connected device must meet to be sold in the EU. It covers network protection, privacy safeguards, and fraud prevention for any product that communicates wirelessly.
The standard became mandatory on August 1, 2025. Products placed on the EU market after this date must demonstrate compliance.
2. The Three Parts of EN 18031
EN 18031 is divided into three parts, each mapping to a specific RED delegated act requirement:
Understanding which parts apply to your product:
-
EN 18031-1: Network Security (RED Art. 3.3(d)) Protects network infrastructure from harm. Applies to any device connecting to the internet. Covers access control, secure communications, software update mechanisms, and resilience against attacks. -
EN 18031-2: Privacy Protection (RED Art. 3.3(e)) Safeguards personal data and user privacy. Applies to devices that process personal information — wearables, cameras, voice assistants, health monitors. Covers data minimization, encryption, consent mechanisms, and secure storage.
-
EN 18031-3: Fraud Prevention (RED Art. 3.3(f)) Prevents unauthorized financial transactions. Applies to devices involved in monetary exchanges — payment terminals, connected vending machines, smart meters with billing. Covers transaction integrity and authentication.
-
Most IoT devices need Part 1 at minimum If your device connects to any network, EN 18031-1 applies. Most consumer IoT products also trigger Part 2 due to personal data processing.
-
Multiple parts can apply simultaneously A smart payment terminal would need all three parts. A connected thermostat that collects user data needs Parts 1 and 2. Identify your product's functions to determine scope.
3. Key Security Requirements
EN 18031 defines specific security requirements that your product must implement. These are testable, concrete requirements — not vague guidelines. Your product must demonstrate compliance through testing and documentation.
The core requirements span access control (unique credentials, no default passwords), secure communications (encrypted data in transit), software updates (signed firmware, secure update delivery), data protection (encryption at rest, deletion capabilities), and resilience (graceful degradation, recovery mechanisms).
4. Which Products Are Affected?
Compliance with EN 18031 requires a structured assessment process. This typically involves gap analysis, penetration testing, and documentation review. Here is what the assessment covers:
selling directly on Amazon EU marketplaces. You likely already have CE marking and a technical file from your manufacturing process. GPSR now additionally requires a named representative on your listing.
Since Brexit, the UK is a non-EU country. If you previously sold into the EU without a separate representative, that arrangement is no longer compliant. You need a dedicated EU Authorised Representative.
If you’re expanding from domestic sales to European Amazon marketplaces, retailers, or your own EU-facing Shopify store, you need a named representative before your first EU sale.
If your product falls under the Radio Equipment Directive, you likely already have an EAR through your CE marking process. However, the new RED cybersecurity requirements (EN 18031) may require updated documentation and Notified Body involvement.
Note: Self-assessment is permitted for most products under EN 18031. However, critical products (Class I and II under the CRA) may require third-party assessment by a notified body.
5. What Happens If You Don't Comply?
Many manufacturers encounter recurring challenges when preparing for EN 18031. Understanding these early can save significant time and cost:
Amazon has been enforcing GPSR compliance across all EU marketplaces since December 2024. Sellers without a named representative in their listing are being delisted. eBay, Etsy, and other platforms are following.
Distributors, retailers, and fulfilment partners in the EU may refuse to work with you without a compliant representative in place.
EU market surveillance authorities can order product recalls, impose market bans, or issue fines.
6. How to Prepare Your Product
Preparing for EN 18031 compliance requires both technical and administrative work. Start early — retrofitting security into a finished product is significantly more expensive than designing it in from the start.
Recommended preparation steps:
-
Determine which parts of EN 18031 apply Map your product's functions to the three parts. Does it connect to a network? Process personal data? Handle financial transactions? This determines your compliance scope.
-
Conduct an internal security review Before engaging an external assessor, review your product against the standard's requirements. Check authentication, encryption, update mechanisms, and data handling. Identify obvious gaps early.
-
Engage a qualified assessment provider Work with a team that has hands-on experience with EN 18031 testing. They should be able to perform gap analysis, penetration testing, and help you build the required technical documentation.
-
Build your technical file Compile your threat model, risk assessment, test reports, security architecture documentation, and Declaration of Conformity. This file must be maintained and available for market surveillance authorities for 10 years.
7. EN 18031 vs ETSI EN 303 645
EN 18031 and ETSI EN 303 645 both address IoT security, but they serve different purposes. ETSI EN 303 645 is a consumer IoT security baseline with 13 provisions. EN 18031 is a harmonized standard providing presumption of conformity under RED.
If you already comply with ETSI EN 303 645, you have a head start — many requirements overlap. However, EN 18031 is more detailed in several areas, particularly around formal testing methodology, documentation requirements, and specific technical controls. You cannot simply claim EN 18031 compliance based on ETSI EN 303 645 certification alone.
8. Key Dates and Timeline
The RED delegated acts and EN 18031 follow a defined timeline. Here are the critical dates:
-
January 2022: RED Delegated Acts Published The European Commission published delegated regulations activating Articles 3.3(d), 3.3(e), and 3.3(f) of the Radio Equipment Directive for cybersecurity, privacy, and fraud prevention.
-
February 2025: EN 18031 Published in Official Journal The harmonized standard EN 18031 (Parts 1-3) was formally cited in the Official Journal of the EU, providing a presumption of conformity pathway.
-
August 1, 2025: Compliance Becomes Mandatory All new radio equipment placed on the EU market must comply with the cybersecurity requirements. Products already on the market before this date are not affected.
-
December 2027: Cyber Resilience Act Applies The CRA introduces additional cybersecurity requirements that build on RED. Products already compliant with EN 18031 will have a significant head start on CRA compliance.
-
Ongoing: Market Surveillance EU market surveillance authorities can request technical documentation and test products at any time. Non-compliant products face recall, fines, and market withdrawal.
9. Frequently Asked Questions
-
Can I self-certify compliance with EN 18031? For most products, yes. The manufacturer performs an internal production control assessment (Module A) and issues a Declaration of Conformity. However, some higher-risk product categories may require third-party involvement under the Cyber Resilience Act.
-
Does EN 18031 apply to Bluetooth-only devices? Yes. EN 18031 applies to all radio equipment within scope of the RED delegated acts. Bluetooth devices that connect to networks or process personal data are covered.
-
What if my product is already ETSI EN 303 645 certified? You have a good foundation but will need a specific EN 18031 gap analysis. The standards overlap significantly but EN 18031 has additional and more specific requirements in several areas.
-
How long does EN 18031 assessment take? A typical assessment takes 4-8 weeks depending on product complexity and current security maturity. Products with significant gaps may need additional time for remediation and retesting.
-
Do I need to test every product variant? Not necessarily. If product variants share the same hardware platform, firmware, and communication stack, a single assessment may cover the product family. Differences in security-relevant features would require additional assessment.
-
What documentation do I need to maintain? You must maintain a complete technical file including: risk assessment, security architecture documentation, test reports, Declaration of Conformity, and user instructions regarding security features. This documentation must be available for 10 years after the last product is placed on the market.