Cybersecurity for radio equipment - everything about the new EN 18031


Learn everything about EN 18031, the new EU standard for cybersecurity in radio equipment. Requirements, tests and current developments.

Structure of EN 18031

Directive 2014/53/EU (see https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32014L0053), known as the Radio Equipment Directive (RED), previously focused mainly on safety aspects and electromagnetic compatibility. Delegated Regulation 2022/30 (see https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=CELEX%3A32022R0030) activated additional requirements under Article 3(3), introducing cybersecurity requirements for internet-capable radio equipment.

The newly developed EN 18031 series is intended to give manufacturers uniform test procedures to demonstrate their products' conformity with these new cybersecurity requirements. From 1 August 2025, affected devices must comply with these provisions.

EN 18031 specifies the Radio Equipment Directive requirements with regard to cybersecurity. It consists of three parts:

EN 18031-1 - Radio equipment with internet connection

This standard defines test procedures and conditions to verify the conformity of internet-capable radio equipment with Article 3(3)(d) of the RED. That article requires that radio equipment must not have harmful effects on networks or their operation.

EN 18031-2 - Radio equipment that processes data

Part 2 covers radio equipment that processes data, such as internet-capable devices, childcare radio equipment, radio toys and wearable radio equipment. It verifies compliance with Article 3(3)(e) of the RED on the protection of personal data.

EN 18031-3 - Internet-capable radio equipment that processes virtual currency or monetary value

The third part deals with radio equipment that processes virtual currencies or monetary value. It defines test procedures for Article 3(3)(f) of the RED, which requires functions to protect against fraud.

Concepts of EN 18031

EN 18031 provides a comprehensive and flexible framework for the security of radio equipment. It takes into account the complexity and variety of modern devices and offers manufacturers clear guidelines for implementing robust security measures.

EN 18031 describes several concepts:

Security by design

The standard emphasizes the importance of integrating security into the development process from the start, rather than adding it later. Although EN 18031 itself does not prescribe detailed development processes, it refers to established methods and standards for secure product design.

Structured threat analysis

EN 18031 recommends using the STRIDE model. This model helps manufacturers systematically consider potential threats by looking at six main threat categories: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.

Categorization of security measures

The standard divides security requirements into five main categories:

  • Identify: detecting security risks
  • Protect: preventing or limiting security incidents
  • Detect: discovering security incidents
  • Respond: acting appropriately when incidents are detected
  • Recover: restoring after a security incident

Assets

The standard introduces the term “assets” to define the main targets of security measures. These include network assets, security assets, privacy assets and financial assets. This approach helps manufacturers develop targeted protections for the most important parts of their product.

Mechanisms

The standard uses “mechanisms” to address specific security requirements. This approach allows requirements to be applied flexibly to different device types and use scenarios.

Practical assessment methods

The standard provides concrete tools for assessing conformity:

  • Decision trees help determine whether certain requirements are applicable
  • Requirements for technical documentation show what information manufacturers must provide
  • Guidelines for security tests indicate how the implementation of requirements can be verified

Overall, EN 18031 aims to offer a balanced and practical approach to improving the security of radio equipment. The standard acknowledges that there is no one-size-fits-all solution and instead provides a framework in which manufacturers can develop appropriate security measures for their specific products.

Requirements of EN 18031

The requirements of EN 18031 are carefully structured and cover a wide range of security aspects, from basic network security to the protection of personal data and fraud prevention. They are based on the principle of security by design to enable a flexible yet robust security approach.

Below is a brief summary of the requirements by category:

Access control mechanism (ACM)

These requirements demand appropriate access control mechanisms to prevent unauthorized access to security and network resources. Mechanisms must be adapted to the respective resources and the intended usage environment.

Authentication mechanism (AUM)

This category defines requirements for authenticating entities that want to access network and user interfaces. At least one factor must be used for authentication. Authenticators must be validated and changeable. There are also provisions for passwords and protection against brute-force attacks.

Secure update mechanism (SUM)

The device must provide a software update mechanism that ensures the integrity and authenticity of updates. Updates must be automated or at least possible with minimal user interaction.
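As an added illustration of the SUM integrity and authenticity requirement (example code written for this page, not part of the standard or of any manufacturer's implementation), the following Go program signs a constructed update manifest with Ed25519 on the manufacturer side and verifies it on the device side. The manifest layout, the key pair and the image bytes are constructed for the example, and the anti-rollback version check goes beyond the page's wording as a common supporting measure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor; EN 18031 prescribes no package format.
type Manifest struct {
	Version    uint32   // firmware version carried by the package
	PayloadSHA [32]byte // SHA-256 of the firmware image the manifest vouches for
}
// signedBytes is the exact byte string the manufacturer signs and the device verifies.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.PayloadSHA[:]...)
}
var ErrSignature = errors.New("manifest signature invalid: update is not authentic")
var ErrDigest = errors.New("image digest mismatch: update integrity check failed")
var ErrRollback = errors.New("version not newer than installed: rollback refused")
// VerifyUpdate is the device side: authenticity of the manifest first, then integrity
// of the image, then the anti-rollback rule (an addition beyond the page's wording).
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.signedBytes(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.PayloadSHA {
		return ErrDigest
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}
// SignUpdate is the manufacturer side: hash the image and sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, PayloadSHA: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.signedBytes())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	image := []byte("constructed firmware image, version 2")
	m, sig := SignUpdate(priv, 2, image)
	fmt.Println("genuine update accepted:", VerifyUpdate(pub, m, sig, image, 1) == nil)
}
```

Because the image digest is inside the signed manifest, altering either the image or the manifest (for example bumping the version to defeat the rollback rule) is caught by the signature or digest check.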

Secure storage mechanism (SSM)

Persistent security and network resources must be protected by appropriate mechanisms for integrity and confidentiality. Devices must employ secure storage mechanisms to ensure that stored security and privacy resources are protected against unauthorized access. This includes encryption and other forms of data protection.

Secure communication mechanism (SCM)

Security and network resources communicated over network interfaces must be protected in terms of integrity, authenticity, confidentiality and replay protection according to best practices. In practice this means secure communication protocols that provide these properties during transmission, including protection against replay attacks.

Logging mechanism (LGM)

Devices should be able to log relevant internal activities to support privacy and security. Logs must be stored persistently and should be timestamped to assist investigations.

Deletion mechanism (DLM)

Mechanisms for secure deletion of data must allow users or authorized entities to delete personal and private data, which is important for secure disposal or replacement of devices.

User notification mechanism (UNM)

Devices should provide notification mechanisms to inform the user about changes that may affect the protection or privacy of personal information.

Resilience mechanism (RLM)

The device must have mechanisms to mitigate and recover from the effects of denial-of-service attacks on network interfaces.

Network monitoring mechanism (NMM)

Network devices must have mechanisms to detect signs of denial-of-service attacks in the processed network traffic.

Traffic control mechanism (TCM)

Devices that connect other devices to public networks must provide mechanisms to control and filter network traffic.

Confidential cryptographic keys (CCK)

These requirements address appropriate strength, generation and prevention of static default values for confidential cryptographic keys.

General equipment capabilities (GEC)

This includes requirements to eliminate known vulnerabilities, limit exposed services, document interfaces and services, remove unnecessary interfaces and validate inputs.

Cryptography (CRY)

The cryptographic methods used must follow best practices.

Because the requirements target different protection goals, not all requirements are included in every part of the standard.

Requirement                                EN 18031-1   EN 18031-2   EN 18031-3
Access control mechanism (ACM)                 x            x            x
Authentication mechanism (AUM)                 x            x            x
Secure update mechanism (SUM)                  x            x            x
Secure storage mechanism (SSM)                 x            x            x
Secure communication mechanism (SCM)           x            x            x
Logging mechanism (LGM)                                     x            x
Deletion mechanism (DLM)                                    x
User notification mechanism (UNM)                           x
Resilience mechanism (RLM)                     x
Network monitoring mechanism (NMM)             x
Traffic control mechanism (TCM)                x
Confidential cryptographic keys (CCK)          x            x            x
General equipment capabilities (GEC)           x            x            x
Cryptography (CRY)                             x            x            x

Testing and assessment

EN 18031 introduces a system of mechanisms to comprehensively assess and improve the cybersecurity of radio equipment. These mechanisms form the backbone of the standard and are carefully structured to address both applicability and suitability of security measures.

Mechanisms

Each mechanism begins with a test of applicability. This determines whether a particular security measure is relevant for the device or a specific component. This is an important first step because not every security measure makes sense or is necessary for every device. The applicability test prevents manufacturers from investing resources in irrelevant security features.

If a mechanism is deemed applicable, its suitability is then assessed. This step checks whether the implemented security measure meets the standard's requirements and whether it is effective enough to address the identified risks. This is critical because a poorly implemented security measure may provide insufficient protection or even create new vulnerabilities.

In addition to these main aspects, there are often supporting requirements. These serve to specify particular aspects of the main requirements further or to cover additional security aspects that are important for full implementation of the mechanism.

Assessment

To verify compliance with these mechanisms, EN 18031 defines three main types of assessments: the conceptual assessment, the assessment of functional completeness and the assessment of functional suitability.

The conceptual assessment focuses on reviewing documentation. It aims to understand how the manufacturer interprets the security requirements and plans to implement them. This is particularly important to ensure that the manufacturer has a comprehensive understanding of the security requirements.

The assessment of functional completeness checks whether all relevant aspects of the device and its security functions have been appropriately documented and considered. This can include using network scanners, for example, to ensure that all external interfaces have been correctly identified.

The assessment of functional suitability goes a step further and examines the actual implementation of the security measures. Practical tests are often used here, such as fuzzing tests to check the robustness of network interfaces.

To structure and guide these assessments, the standard uses decision trees. These help assessors navigate the evaluation process systematically and ensure that all relevant aspects are considered.

Overall, this approach provides a thorough and flexible method for evaluating the cybersecurity of radio equipment. It takes into account both theoretical and practical aspects of security implementation and ensures that security measures are not only present but also effective and appropriate.

Current status of EN 18031

On 30 January 2025, EN 18031 was officially recognized as a harmonized standard for the Radio Equipment Directive (RED). The Commission Implementing Decision (EU) 2025/138 (see https://eur-lex.europa.eu/eli/dec_impl/2025/138/oj) lists the EN 18031 series as a means to fulfil the requirements pursuant to Article 3(3)(d), (e) and (f) of the Radio Equipment Directive.

However, there are significant limitations to the presumption of conformity:

  • Password use: If a device allows the option of not setting or using a password (clauses 6.2.5.1 and 6.2.5.2 of EN 18031), the presumption of conformity does not apply.
  • Sections “Rationale” and “Guidance”: These sections in the standards are only supportive and do not give rise to a presumption of conformity.
  • Child’s toy (EN 18031-2): For products classified as children’s toys, the presumption of conformity does not apply if the intended access control methods (RBAC, DAC, MAC) do not ensure that only parents or guardians exercise access control.
  • Secure updates (EN 18031-3): The test criteria for secure updates (SUM-2, clause 6.3.2.4) do not automatically lead to a presumption of conformity under Article 3(3)(f) of the Radio Equipment Directive.

If the presumption of conformity is lost, a notified body must be involved.

Despite these limitations, the harmonization of EN 18031 represents a significant step forward, as it gives companies a standardized basis for meeting the RED's cybersecurity requirements. Manufacturers must, however, carefully check whether their products fully meet the requirements or whether an additional assessment by a notified body is necessary.

Support for implementing EN 18031

EN 18031 specifies the cybersecurity requirements for products with radio technologies under the Radio Equipment Directive (RED). For many manufacturers, implementation involves considerable effort - whether in technical hardening, internal process adjustments or evidence for authorities and testing bodies.

Secuvi supports companies in classifying and implementing the requirements of EN 18031 systematically and comprehensibly. Whether initial orientation, concrete implementation steps or preparation for a conformity assessment - we help find practical solutions that comply with regulatory requirements and align with existing development processes.

If you are wondering how to efficiently meet EN 18031, we offer technical and regulatory expertise to assist you.

More on this at: secuvi.com