EN 18031 Explained: EU IoT Security Standard for RED

EN 18031 Explained: Meeting EU Security Standards for IoT Devices

Wireless products that connect to the internet, handle personal data, or handle monetary value must meet the RED cybersecurity requirements. This comes from Delegated Regulation (EU) 2022/30 and its amendment that moved the due date to 1 August 2025.

The EN 18031 series is the main harmonized standard set for these security rules. The EU published EN 18031-1, -2, and -3 in the Official Journal on 30 January 2025, with restrictions.

What EN 18031 Covers

EN 18031 supports RED Article 3.3 points d, e, and f.

Part 1 covers protection of networks from harm or misuse.

Part 2 covers privacy and the protection of personal, traffic, and location data.

Part 3 covers protection against fraud for devices that process virtual money or monetary value.

Scope

You are covered if the device can connect to networks, processes personal data, or handles monetary value. These areas map to RED Article 3.3 d, e, and f and apply from 1 August 2025.

How EN 18031 is Treated by Authorities

Only the normative clauses carry legal effect. The rationale and guidance sections do not.

The Official Journal notice adds conditions. If the device lets users skip passwords, none of the parts gives this legal effect. For toy and childcare equipment, you must ensure parental or guardian control. For devices that handle monetary value, the secure update methods listed in clause 6.3.2.4 are not sufficient on their own. Read the notice and plan accordingly.

Practical Workflow

1. Confirm which of Article 3.3 d, e, and f apply.
2. Run a gap analysis against EN 18031 parts 1, 2, and 3 as relevant.
3. Implement missing controls in firmware and system design.
4. Do pre-compliance checks and targeted security testing.
5. Keep design decisions, test results, and risk records in the technical file.
6. Choose the route. If the relevant harmonized standards apply in full and you follow them, you may self-assess and issue the EU Declaration of Conformity. If coverage is partial or you do not apply them, involve a Notified Body. Test labs can support, but their role is optional.


Key Technical Controls to Plan

Secure boot with verified integrity.

Signed updates with authentication and rollback protection.

Encryption in transit and at rest.

Unique device credentials.

Strong pairing and access control.

Guards against misuse of network resources.

Event logs that support security investigations.

Relation to CE Marking

EN 18031 covers the RED cybersecurity part only. Full CE marking also needs the other RED essential requirements and any other EU laws that apply, such as safety, EMC, and radio spectrum use.

Need support with EN 18031 and RED Security Work?

Oxeltech helps with gap analysis, firmware hardening, test planning, documentation, and the conformity route.

Contact: info@oxeltech.de

Please include your product type, radio interfaces, and timelines.

FAQs

What is EN 18031?

A set of harmonized standards that support the RED cybersecurity requirements in Article 3.3 d, e, and f. The EU listed the three parts in January 2025, with restrictions.

Which devices are covered?

Devices that connect to networks, process personal data, or handle monetary value. This is set by Article 3.3 d, e, and f and applies from 1 August 2025.

Do I need to consult a Notified Body?

Not if the relevant harmonized standards apply in full and you use them. If they do not cover your case, or you choose a different route, you need a Notified Body. Labs are optional.

Do guidance sections in EN 18031 have the same legal effect as clauses?

No. Only the normative clauses have this effect. The Official Journal notice also lists extra limits, including password and parental-control conditions, and limits for secure updates in monetary devices.

Can I place the CE mark after only meeting EN 18031?

No. You must also meet the other RED essential requirements and any other applicable EU laws.
