What is EN 18031?
EN 18031 is a family of harmonised European standards linked to the cybersecurity requirements under the Radio Equipment Directive (RED). In January 2022, Commission Delegated Regulation (EU) 2022/30 activated RED Article 3(3)(d), (e), and (f) for certain categories of radio equipment. In January 2025, the European Commission published the references of EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024 in the Official Journal, giving manufacturers a harmonised standards route to support conformity with those requirements. The delegated regulation has applied since 1 August 2025.
The EN 18031 family includes three parts:
EN 18031-1, common security requirements for internet-connected radio equipment
EN 18031-2, common security requirements for radio equipment that processes personal, traffic, or location data
EN 18031-3, common security requirements for radio equipment that processes virtual money or monetary value

Who Does EN 18031 Apply To?
EN 18031 matters to manufacturers of radio equipment that falls within the scope of the RED cybersecurity requirements. This can include internet-connected consumer devices, products that process personal or location data, and products where fraud protection is relevant.
For product teams, this matters because scope decisions affect technical documentation, launch readiness, and the evidence needed before placing products on the market.
How Does EN 18031 Relate to RED Cybersecurity Requirements?
RED is the legal framework. EN 18031 is part of the standards layer manufacturers can use to support conformity with the cybersecurity-related requirements activated under Article 3(3)(d), (e), and (f). In practice:
RED sets the legal requirements
EN 18031 helps structure how those requirements can be addressed
technical documentation and evidence show how the product meets the relevant requirements
If you need the broader regulatory context first, see RED cybersecurity requirements and Radio Equipment Directive overview.
EN 18031 Scope Assessment for Radio Equipment
Scoping is one of the most important parts of EN 18031. For many connected products, the relevant scope goes beyond the physical device.
A realistic EN 18031 scope assessment for radio equipment may include:
the device itself
companion apps
cloud or backend services
account and access-control flows
update mechanisms
data processing and storage
vulnerability handling processes
That is why a device-only review is often not enough. For many connected products, the compliance picture extends across device, app, and backend.
For a deeper walkthrough, see EN 18031 scope and applicability.
EN 18031 Requirements, What They Mean in Practice
The exact requirements depend on the relevant part of the standard and the product category, but teams usually need to work through themes like:
Access control
Who can access the product, service, or administrative functions, and how that access is controlled.
Secure configuration
Whether the product starts from a secure state and reduces avoidable exposure.
Updates and change management
How firmware, software, and configuration changes are managed, verified, and documented.
Data protection and privacy
How personal, traffic, and location data are protected where relevant.
Fraud protection
How the product reduces risks tied to misuse, unauthorized actions, or monetary abuse where applicable.
Vulnerability handling
How vulnerabilities are identified, assessed, documented, and addressed over time.
EN 18031 Evidence Checklist
Manufacturers usually need more than a general statement that security was considered. They need structured evidence that supports the technical file and the conformity process. Typical evidence may include:
product scope and architecture definition
mapping of device, app, and backend boundaries
requirement-to-control mapping
security decisions and justifications
authentication and access-control documentation
update and patching approach
vulnerability handling process
data flow and data protection documentation
review, validation, or testing records where relevant
technical file support materials
Common Gaps Teams Run Into
Teams struggle because the work is fragmented across teams and tools. Common gaps include:
unclear product scope
missing links between device, app, and backend
generic controls with no product-specific justification
evidence scattered across documents and owners
weak mapping between requirements and documentation
poor visibility into what still needs to be prepared before launch
These gaps slow internal review and make readiness harder to manage.
How to Prepare Evidence for EN 18031 Compliance
For most teams, the next steps are:
confirm whether the product falls within scope
identify which part of EN 18031 is relevant
define scope across device, app, and backend
map requirements to the product architecture
prepare the evidence needed for the technical file
identify gaps before launch or assessment
This is usually the point where teams need a clearer workflow, not more fragmented documents.
How Cyberexpert Helps
Cyberexpert helps teams move from uncertainty to a more structured readiness workflow.
With Cyberexpert, teams can:
assess whether EN 18031 is relevant to the product
define scope across device, app, and backend
generate a product-specific requirements map
build an evidence checklist tied to the product architecture
document justifications and supporting materials in a clearer structure
prepare for expert review and next-step compliance work
The goal is not to replace legal review or testing. The goal is to make scoping, documentation, and readiness work faster and more manageable.
