EN 18031 & RED Cybersecurity: Key Steps for 2025 Compliance

Cyber threats targeting connected devices have become a stark reality for every industry, and the radio equipment sector is no exception. With more products incorporating wireless capabilities — whether a smart toy, a wearable, or a payment terminal — manufacturers are under increasing pressure to prove their devices are cyber-secure before placing them on the European market.

To address these concerns, the European Commission published Delegated Regulation 2022/30/EU under the Radio Equipment Directive (RED), setting forth specific cybersecurity requirements for radio devices. Come August 1, 2025, these new requirements will be in full force. Thus, if you produce or sell radio-enabled equipment in the EU, you must ensure your devices are protected against cyber risks, ranging from network threats to privacy violations and even monetary fraud.

In this article, we will explain the essentials of EN 18031, what the new harmonization means, and how penetration testing can help ensure your product meets these mandatory requirements. We’ll also highlight key steps to ease your path to compliance, drawing on a real-world experience guiding radio equipment manufacturers through the EU’s evolving regulatory landscape. Let’s dive in.

Understanding EN 18031

What Is EN 18031?

EN 18031 is a newly published series of European cybersecurity standards designed to address the Radio Equipment Directive’s (RED) cybersecurity requirements. Its main goal is to ensure that radio devices — ranging from consumer gadgets to industrial systems — are designed with security measures that are strong enough to defend against known and emerging cyber threats.

• Core Objective: Strengthen device security by protecting network resources, user privacy, and monetary transactions — three critical areas where vulnerabilities can cause severe real-world harm.
• Key Stakeholders: Manufacturers, integrators, retailers, and compliance teams all have a vested interest in adopting EN 18031. Failing to align with these standards can lead to regulatory hurdles and broader reputational risks if security incidents occur.

Main Features & Significance of EN 18031

On January 28, 2025, EN 18031 references were published in the Official Journal of the European Union (OJEU). This formally “harmonized” EN 18031 — with restrictions — under the RED, meaning manufacturers who implement it fully are presumed to meet the new cybersecurity obligations. However, if a product triggers any restricted clause (e.g., allowing users to skip setting a password), it won’t gain an automatic presumption of conformity, requiring Notified Body involvement instead.

Cybersecurity at Its Core

EN 18031 is tailored to help products comply with the RED’s cybersecurity provisions, focusing on:

• Network Protection (avoiding negative impacts on wireless networks or misuse of resources),
• Privacy Protection (guarding personal data and user confidentiality), and
• Monetary Fraud Prevention (addressing secure transactions and payment flows).

Implications for the Industry

By following EN 18031’s guidelines, manufacturers can:

• Demonstrate Compliance: Avoid lengthy third-party certification if no restricted clause is triggered.
• Establish Trust: Show regulators and consumers that products are designed with security in mind.
• Reduce Fraud & Risk: Standardized controls, such as strong password enforcement or secure update mechanisms, mitigate potential cyberattacks that lead to data breaches or financial loss.

Ultimately, EN 18031 is more than a checkbox exercise. Implemented correctly, it pushes organizations to design, test, and maintain safer radio-equipped devices, benefiting not just compliance efforts but also long-term security and brand reputation.

Key Components and Structure of EN 18031

The EN 18031 series comprises three standards aligned with the RED’s essential cybersecurity requirements. Each part targets different risk categories:

• EN 18031-1: Network Protection: 

Focuses on ensuring radio equipment does not harm network infrastructure or misuse resources. This includes measures like secure boot, encryption of communications, and robust access controls. Significantly, Clauses 6.2.5.1 and 6.2.5.2 detail password requirements: if a device permits skipping a password, manufacturers lose the presumption of conformity and must involve a Notified Body.

• EN 18031-2: Privacy Protection:

Addresses the secure processing of personal data, especially for IoT toys, wearables, and smart home devices. Key provisions guide manufacturers toward privacy-by-design principles—limiting data exposure, controlling third-party access, and managing parental or guardian controls where children’s data is involved. Failure to implement required parental control mechanisms (Clauses 6.1.3–6.1.6) triggers the restrictions and mandates Notified Body assessment.

• EN 18031-3: Monetary Fraud Prevention

Dedicated to devices that process monetary value or virtual payments, such as connected point-of-sale terminals or e-wallet wearables. Clause 6.3.2.4 stipulates secure update mechanisms but warns that no single solution (e.g., just a digital signature) is sufficient on its own for protecting financial assets. If a manufacturer cannot demonstrate stronger-than-baseline security, the presumption of conformity does not apply.

Applicability and Decision Trees

Each EN 18031 standard includes decision trees or guidelines to clarify whether a requirement is relevant to your product. This structure helps manufacturers:

1. Determine Applicability: Identify which elements of EN 18031-1, -2, and -3 apply to your device based on how it connects, what data it processes, and whether it handles financial transactions.
2. Confirm Implementation Suitability: Assess if your chosen security measures (e.g., firmware encryption, multi-factor authentication) effectively meet the required security outcome.
3. Pass/Fail Criteria: Understand whether design decisions comply fully with the standard or if they trigger any restrictions, particularly around passwords, parental controls, or secure updates.

By laying out specific technical and procedural requirements, EN 18031 provides a road map to building more robust products while ensuring manufacturers can demonstrate compliance under the RED cybersecurity mandate. However, if you fail to meet any restricted clause (e.g., allowing password bypass), the self-assessment route is closed, and you must engage a Notified Body for certification. 

The Role of Pen Testing in Achieving EN 18031 Compliance

Under EN 18031, radio devices must meet specific security benchmarks — from password enforcement and network protection to privacy safeguards and fraud prevention. Penetration testing (pen testing) is an effective way to:

1. Expose Vulnerabilities Early: Rather than wait for attackers to uncover weak points, proactive testing reveals software or firmware flaws, insecure communications, and exploitable loopholes before a product hits the market.
2. Validate Compliance Requirements: Pen tests map vulnerabilities directly against EN 18031-1, -2, and -3 requirements, verifying whether the chosen countermeasures — like secure boot or encryption — are implemented correctly.
3. Demonstrate Due Diligence: A comprehensive test report offers tangible proof to both internal stakeholders and regulators that rigorous security assessments have been performed, supporting the presumption of conformity when no restricted clauses apply.

Methodology of a Pen Test for EN 18031

1. Scope Definition: Identify which parts of the device fall under EN 18031’s umbrella — network interfaces, mobile apps, firmware, backend APIs — and ensure all relevant attack surfaces are included.

2. Threat Modeling: Work with development teams to map possible attack vectors (e.g., brute-force password attempts, privacy data leaks, interception of payment transactions). This step highlights the specific threats the pen test must explore.

3. Test Execution:

• Network/Infrastructure Testing: Check for open ports, insecure protocols, or unpatched vulnerabilities in wireless and wired communication layers.
• Application-Level Testing: Analyze mobile/desktop apps controlling the radio device, looking for insecure logins or data exposures.
• Firmware & Hardware Analysis: Reverse-engineer or probe firmware for backdoors, unsecured debug modes, or cryptographic weaknesses.

4. Reporting & Remediation: Compile a findings report that correlates each vulnerability to the relevant EN 18031 clause (e.g., insufficient password enforcement under EN 18031-1). Provide prioritized remediation guidance, such as password policy improvements or additional cryptographic layers, to address gaps quickly.

Ongoing Security Validation

Cyber threats evolve constantly, which is why one-off tests only give a snapshot of your security status. Ongoing validation through regular pen tests or integration with your Secure Development Lifecycle (SDLC) helps:

• Maintain Compliance Over Time: Stay on top of new threats that might undermine EN 18031 requirements.
• Simplify Future Updates: When firmware or functionality changes, re-test selectively to ensure new features don’t violate password rules, parental control mechanisms, or financial transaction safeguards.
• Build Trust with Stakeholders: Continuous testing demonstrates a commitment to safeguarding users, networks, and monetary transactions — strengthening relationships with regulators, partners, and end-users alike.

The Path to EN 18031 Compliance

Gap Analysis

The first step is to evaluate your current security posture against EN 18031 requirements:

1. Initial Assessment: Evaluate existing device designs, firmware security, and authentication against EN 18031.
2. Documentation Review: Inspect policies, processes, and code repositories for nonconformities.
3. Restrictions Check: Identify any restricted clauses (e.g., password skipping). If triggered, a Notified Body becomes mandatory.

Implementation and Development

Once you’ve identified gaps, it’s time to integrate security controls throughout the product lifecycle:

1. Technical Controls: Enforce strong cryptography, mandatory passwords, secure boot, and encrypted updates.
2. Policies and Processes: Enhance your secure SDLC, patch management, and incident response procedures.
3. Team Collaboration: Engage engineering, product, and compliance functions early, especially if your device handles financial data or requires parental controls.

Validation and Testing

After implementing the necessary controls, verify their effectiveness through targeted testing and compliance checks:

1. Penetration Testing: Confirm real-world resilience, mapping vulnerabilities to relevant EN 18031 clauses.
2. Functional Testing: Ensure new security measures don’t break user flows or device performance.
3. Compliance Checks:
   • Self-Assessment: If no restricted clauses apply, sign a Declaration of Conformity.
   • Notified Body: If restricted clauses are triggered, involve a Notified Body for a formal conformity assessment.

Harmonization Implications and the 2025 Deadline

By publishing EN 18031 in the Official Journal on January 28, 2025, the EU granted it “harmonized” status, meaning products fully implementing its clauses are presumed compliant with the RED’s cybersecurity requirements. It can spare you the Notified Body route, provided none of the restricted clauses apply.

The Deadline: August 1, 2025

From this date onward, all radio devices placed on the EU market must meet the new cybersecurity obligations. Even long-standing product lines need updating if they’re sold beyond August 2025. If you haven’t addressed EN 18031 or the restricted clauses, such as password skipping, missing parental controls, and inadequate update mechanisms, you risk noncompliance or may be forced to involve a Notified Body at the last minute.

Practical Impact

1. Plan Early: Start mapping out your technical file and compliance documentation now.
2. Assess Restrictions: Immediately determine whether any restricted clause applies and factor in Notified Body timelines if needed.
3. Optimize Resources: When feasible, self-assessment can reduce costs and speed time to market – an advantage only available if EN 18031 is applied in full.

How Our Cybersecurity Services Help

At Iterasec, our goal is to make EN 18031 compliance smoother, faster, and more cost-effective:

1. Advisory & Consultancy

• We perform compliance gap analyses to map your security posture to EN 18031.
• Our experts recommend customized remediation strategies aligned with network protection, privacy safeguards, and fraud prevention.

2. Penetration Testing

• We conduct comprehensive tests on firmware, apps, and backend systems, pinpointing vulnerabilities that could undermine EN 18031 compliance.
• Our reports clearly map every finding to the relevant clause, simplifying your internal reviews and documentation.

3. Remediation & Implementation Support

• If restricted clauses (like password skipping) affect your product, we guide you in redesigning key features and implementing robust controls.
• From cryptographic updates to parental control integration, our team ensures your defenses meet EN 18031 standards.

4. Notified Body Collaboration

• Should a Notified Body be required, we help streamline communication and evidence gathering, reducing certification delays and last-minute surprises.

Conclusion

With EN 18031 now harmonized (albeit with restrictions) and set against the August 1, 2025 compliance deadline, radio equipment manufacturers face a critical juncture. Implementing these standards in full enables a faster, more cost-effective self-assessment route; however, restricted clauses will require a Notified Body’s involvement.

Pen testing remains essential, mapping real-world attack scenarios to each requirement and pinpointing places where additional safeguards are needed. By adopting best practices early through technical controls, strong processes, and continuous security validation, organizations can achieve EN 18031 compliance, safeguard end-users, and gain a competitive advantage.

At Iterasec, we stand ready to support you from initial gap analysis through testing and certification, helping you create secure, market-ready devices that meet Europe’s evolving cybersecurity mandates. Reach out today to ensure your devices are secure and compliant, well in advance of the August 2025 deadline.