The European Commission passed Delegated Regulation (EU) 2022/30 in 2022, which explicitly requires radio equipment to meet network security, privacy protection and anti-fraud requirements.
• August 2024: The supporting EN 18031 standards are released to refine the cybersecurity clauses of the RED Directive;
• January 30, 2025: EN 18031 is officially included in the list of harmonised standards for the RED Directive (Official Journal of the EU, OJ);
• From August 1, 2025: All radio equipment exported to the EU must comply with the cybersecurity requirements of Article 3(3)(d)(e)(f) of the RED Directive; otherwise it is barred from entering the market.
Regulatory upgrade: from legislation to standards, forming a complete compliance framework;
Key date: August 2025 is the mandatory enforcement deadline;
Market access conditions: meet three core requirements: network security (resistance to attack), privacy protection (data encryption), and anti-fraud (dual-factor verification).

The EN 18031 series standards are divided into three parts, which directly correspond to the three key requirements of Article 3(3) of the RED Directive:


EN 18031-1: For Internet-connected radio equipment. The evaluation focuses on the security of network assets: resisting network attacks and preventing abuse of network resources and service interruption.
Applicable products:
• Mobile phones, tablets;
• Wi-Fi routers, gateways, connected air conditioners, refrigerators and other household appliances;
• Smart TVs, TV boxes and 3G/4G/5G equipment;
• All devices with Wi-Fi communication capabilities;
• Connected-vehicle components; power converters in energy systems.
EN 18031-2: For radio equipment that processes personal data. The focus is on privacy protection: the equipment must provide access control, data encryption and privacy protection mechanisms.
Applicable products:
• Bluetooth devices (TWS headphones, audio), wearable devices (smart watches);
• Baby monitors, smart sensors, on-board GPS;
• Air purifiers, vacuum cleaners and other household equipment.
EN 18031-3: For devices that handle virtual currency or monetary value. The equipment must have fraud-prevention functions such as logging and software integrity verification.
Applicable products:
• POS machines, ATMs;
• Any device that supports virtual currency or transfer functions.
Equipment covered by other EU legislation:
• Medical devices: governed by the MDR regulations
• Aviation equipment: subject to Regulation (EU) 2018/1139
• Vehicle emergency systems: subject to Regulation (EU) 2019/2144
• Payment terminals: subject to Directive (EU) 2019/520

Match standard categories according to device functions:
• Networking function → EN 18031-1
• Processing personal data → EN 18031-2
• Related to financial transactions → EN 18031-3
Determine whether the device is subject to the new regulations.
• Forced password setup (EN 18031-1): users must set a password on first use, and the default password is disabled
• Parental control (EN 18031-2): hardware-level implementation of guardian rights (such as physical buttons + biometrics)
• Multiple security update mechanisms (EN 18031-3): digital signature + access control must be used at the same time (example: signed firmware + dynamic password)
Key verification:
• Is the default password forcibly disabled?
• Does data encryption meet the AES-256 standard?
• Do security updates use a two-factor verification mechanism?
1. Self-declaration: available when the device fully complies with the harmonised standards (technical documentation must be kept for 10 years)
2. Notified Body (NB) certification is mandatory if any of the following applies:
• Users are allowed to skip password setup
• An autonomous access control mode is used
• Only a single security update method is used