New standards, but no presumption of conformity for cybersecurity of wireless products

The EN 18031 series for RED 2014/53/EU + (EU) 2022/30


Positive voting

From August 1, 2025, the cybersecurity requirements for radio products will apply. Manufacturers expect the three standards EN 18031-1, -2 and -3 to be listed in the EU Official Journal in order to make use of the presumption of conformity and not necessarily have every product assessed by the Notified Body.

If the listing of the technical standards EN 18031-1, EN 18031-2 and EN 18031-3 does not appear in the Official Journal of the EU until after August 1, 2025 - or not at all - the conformity assessment must be carried out with a notified body (EU type examination) until the standards are listed in the Official Journal.



These three standards are being developed in the work program of the CEN/CLC/JTC 13 technical committee and the final drafts were recently approved by the EU member states:
 

  • EN 18031-1:2024 - Common security requirements for radio equipment - Part 1: Internet connected radio equipment
     
  • EN 18031-2:2024 - Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
     
  • EN 18031-3:2024 - Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value

     

We have been working with the final drafts of the standards in regular practice since May 2024, e.g. FprEN 18031-1:2024. Previously, we tended to use the standards of the standardization organizations ETSI, ISO and IEC. Examples: 
 

  • ETSI EN 303 645 V2.1.1 (2020) - Cyber Security for Consumer Internet of Things: Baseline Requirements
     
  • ISO/IEC 27400:2022 - Cybersecurity - IoT security and privacy - Guidelines
     
  • ISO/IEC 27402:2023 - Cybersecurity - IoT security and privacy - Device baseline requirements
     
  • EN IEC 62443-4-2:2019 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

 

We feel that working with the EN 18031 series is a benefit. The threat modeling projects we have carried out have benefited from the EN 18031 series.

Decision trees are used in each of the three standards; they guide you through the assessment section by section. The useful annexes, which were not included in the previous drafts, also deserve positive mention.

Annex A guides the conformity assessment through threat modeling and risk assessment.

Annexes B and C align the previously frequently used standards EN IEC 62443-4-2 and ETSI EN 303 645 with the new catalog of requirements. This allows the first step to focus on cybersecurity aspects that were not previously considered.

 

HAS assessment

A HAS consultant assesses the suitability of the standard to be listed in the Official Journal.

The HAS assessment form defines the requirements for the standard. Accordingly, "no unspecific or unverifiable requirements" may be included in the standard. In the annex, the standards directly admit the non-quantifiability and non-measurability of the suitability of most security measures ("A.2.8.3 Security testing"). It also describes that the result depends on the competence of the person performing the assessment and their experience in the threat landscape. 

Cybersecurity testing tools often rely on negative tests to show that certain vulnerabilities are not evidently present. However, because these tools are continuously updated, a later run with updated information may uncover new issues. This approach therefore does not produce reproducible test results either.

The HAS evaluation sheet we are familiar with also stipulates that it must not be left to the manufacturer to decide on the application of provisions.

The approach chosen in the EN 18031 series improves the evaluation result, but cannot solve the problem that the evaluations are dependent on information provided by the manufacturer.

We are therefore not surprised that the latest HAS report certifies a lack of compliance with the quality requirements for a harmonized standard with presumption of conformity in the Official Journal.

We are of the opinion that the current rules and the existing HAS assessment form cannot lead to a positive assessment. If the rules for the HAS assessment of cybersecurity standards do not change, we do not see how this series of standards can make it into the Official Journal.


Please do not hesitate to contact us for further assistance or questions.

 

Author

Benjamin Kerger (B. Eng.)
Product Compliance Consultant

Published on 26.08.2024
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Focus Medical Devices, Compliance
