EN 18031 Cybersecurity Testing for CE Radio Equipment under RED

From Directive to Implementation

The Radio Equipment Directive (RED) 2014/53/EU establishes essential requirements for all internet-connected, radio-enabled devices placed on the EU market.
Since August 2025, cybersecurity has become a mandatory part of CE marking through Articles 3(3)(d), 3(3)(e), and 3(3)(f), which address network protection, user privacy, and fraud prevention.

The new EN 18031 series of standards is the first harmonized, testable framework enabling manufacturers to demonstrate conformity with these cybersecurity clauses. Compliance with EN 18031 is therefore equivalent to compliance with RED cybersecurity; without the applicable RED Articles 3(3)(d), 3(3)(e), and 3(3)(f), your CE marking is incomplete.


How do EN 18031-x tests and assessments work?

EN 18031 defines both security requirements and test methods for internet-connected radio products.
It provides a measurable, repeatable evaluation framework across several technical pillars:

1.1    Start by defining your assets:

  • Security Assets
  • Network Assets
  • Privacy Assets
  • Financial Assets

1.2    Evaluate the standards' chapters:

The standards are divided into 14 chapters, covering the security requirements for internet-connected radio equipment.

  • ACM – Access Control Mechanism
  • AUM – Authentication Mechanism
  • SUM – Secure Update Mechanism
  • SSM – Secure Storage Mechanism
  • SCM – Secure Communication Mechanism
  • RLM – Resilience Mechanism
  • LGM – Logging Mechanism (only for EN 18031-2)
  • NMM – Network Monitoring Mechanism
  • DLM – Deletion Mechanism (only for EN 18031-2)
  • TCM – Traffic Control Mechanism
  • UNM – User Notification Mechanism (only for EN 18031-2)
  • CCK – Confidential Cryptographic Keys
  • GEC – General Equipment Capabilities
  • CRY – Cryptography

1.3    Assessment and tests chapter by chapter per the applicable assets:

  • Authentication Mechanisms
      • Verification of robust user and device authentication protocols.
      • Testing ensures that only legitimate users, authorized devices and authorized network entities can access critical functionalities, preventing unauthorized control or data exfiltration.
      • Assessment of default credentials.
  • Software and Firmware Integrity & Update Security
      • Verification of secure boot and digital signature validation.
      • Validation of mechanisms for secure and authenticated software updates. This ensures that only authorized, cryptographically signed firmware can be installed, mitigating risks from malicious injections or downgrade attacks.
      • Evaluation of rollback and update channel encryption.
      • Testing for protection against unauthorized access and firmware tampering.
  • Protection of Network Interfaces
      • Examination of wireless connectivity and device connectors for unauthorized access points and unprotected services.
      • Penetration testing of Bluetooth, Wi-Fi, Zigbee, and proprietary RF stacks for protocol-level vulnerabilities.
  • Network Resilience and Robustness
      • Evaluation of the device's network resilience against various attack vectors. This includes penetration testing and vulnerability assessments to ensure the device operates securely even when subjected to adversarial network conditions.
      • Assessment of brute-force resistance and key-exchange mechanisms.
  • Data and Privacy Protection
      • Review and testing of secure data handling and privacy safeguards. This covers data in transit and at rest, ensuring encryption, access control, and adherence to privacy-by-design principles.
      • Review of access control enforcement and of the logging, deletion, and notification mechanisms for privacy policy alignment.
  • Cryptographic & Key Management
      • Assessment of cryptographic key management practices. This includes the secure generation, storage, usage, and revocation of cryptographic keys, which are fundamental to establishing secure communication and verifying identity.
      • Evaluation of whether best-practice mechanisms are in use (i.e. TLS 1.3, AES-256).

1.4    Report issue:

At the end of the process, the manufacturer needs to hold a detailed report with evidence on every chapter, and a rationale where a chapter is not applicable.
