EN 18031 explained: the EU's cybersecurity rules for connected devices

INTECH

If you sell a wireless, internet-connected product in the EU, the rules changed on 1 August 2025. From that date, the cybersecurity requirements of the Radio Equipment Directive (RED) became mandatory — and the practical way to meet them is the EN 18031 family of standards. Miss them, and your product can lose its presumption of conformity, and with it the right to carry CE marking.

This is the short, practical version of what EN 18031 is and what it asks of you.

What actually changed, and when

The legal basis is Commission Delegated Regulation (EU) 2022/30, which activated three cybersecurity-related essential requirements already present in Article 3(3) of the RED. It entered into force in January 2022. The original date of application — 1 August 2024 — was pushed back twelve months by Delegated Regulation (EU) 2023/2444, landing on 1 August 2025.

To give manufacturers a concrete way to comply, the EN 18031 series was developed and its references were published in the Official Journal of the EU on 28 January 2025 — harmonising the standards under the RED, though with restrictions (more on that below).

The three requirements

The RED cybersecurity obligations sit in Article 3(3):

  • 3(3)(d) — the device must not harm the network or misuse network resources.
  • 3(3)(e) — the device must protect users’ personal data and privacy.
  • 3(3)(f) — the device must include safeguards against fraud where it handles money or virtual currency.

The three parts of EN 18031

EN 18031 mirrors those three requirements. Which parts apply depends on what your product does:

Part              Covers (RED article)                 Applies to
EN 18031-1:2024   Network protection — 3(3)(d)         All internet-connected radio equipment
EN 18031-2:2024   Privacy & personal data — 3(3)(e)    Devices processing personal data: connected devices, childcare equipment, toys, wearables
EN 18031-3:2024   Fraud prevention — 3(3)(f)           Devices handling money or virtual currency

The three parts overlap heavily — a large share of the requirement codes are common to all three, with wording tuned per context (the word “network” in part 1 becomes “privacy” in part 2 and “financial” in part 3). In practice, most connected products fall squarely under -1, many also under -2, and only payment-capable devices touch -3.

The catch: “presumption of conformity — with restrictions”

Fully implementing the applicable EN 18031 parts gives you a presumption of conformity: authorities accept that you meet the RED cybersecurity essential requirements, and you can self-declare.

But the harmonisation came with restrictions. Certain design choices trip a restricted clause and break that automatic presumption. The classic example: letting a user skip setting a password. Trigger a restricted clause and you can no longer self-declare against that requirement — you need a Notified Body to assess it.

This is why “we’ll just follow the standard” is not a plan. The details — password policy, access control, secure defaults — decide whether you stay on the cheap, fast self-assessment path or get pulled into Notified Body territory.

How you demonstrate conformity

For the cybersecurity requirements, the self-assessment route is Module A — no external test lab is mandatory. The manufacturer evaluates the product against EN 18031, produces the technical documentation, and takes responsibility for the declaration. That is genuinely lighter than a lab-tested route — provided you keep your presumption of conformity intact.

If a restricted clause applies, or you can’t fully meet a requirement through the standard, a Notified Body has to be involved for that part.

What to do now

  1. Scope it. Determine which of -1 / -2 / -3 apply to your product.
  2. Gap-analyse. Assess the current design against the applicable requirements.
  3. Watch the restrictions. Identify anything that would forfeit presumption of conformity — these are the expensive surprises.
  4. Document. Assemble the security-relevant evidence and rationale.

Done early, this is an engineering task measured in weeks, not a crisis. Done at the last minute, it stalls shipping.


This is general information, not legal advice. If you want a straight answer on where your product stands, our EN 18031 work starts with a gap analysis — engineers who understand both the standard and the firmware underneath it.

Sources: Commission Delegated Regulation (EU) 2022/30 and 2023/2444; EN 18031-1/-2/-3:2024; Official Journal of the EU, 28 January 2025.