EN 18031 Becomes the RED 3.3d/e/f Harmonized Standard

On January 30, 2025, the European Commission published Decision (EU) 2025/138 in the Official Journal of the European Union (OJEU), officially listing the en 18031 series of standards as harmonized standards under RED Article 3.3 d/e/f. However, the listing of EN 18031 includes certain limitations, which must be carefully considered when implementing compliance strategies. These limitations include:

Limitation 1:

The sections titled "Rationale" and "Guidance" in EN 18031 do not imply compliance with the requirements outlined in Article 3.3 d/e/f of the EU Directive 2014/53/EU.

Applicable standards:

EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024

Reason for the limitation:

The "Rationale" section provides reasons for the necessity of addressing certain risks, while the "Guidance" section offers examples and considerations for implementing certain mitigation measures. However, neither section establishes detailed specifications.

Q: Does the manufacturer need to conduct a third-party compliance assessment for this limitation?

A: No, this limitation is meant to clarify that the "Rationale" and "Guidance" are for informational purposes only and are not related to the determination of compliance.

Limitation 2:

If the standard's Sections 6.2.5.1 and 6.2.5.2 allow users not to set or use any passwords, this does not imply compliance with the requirements outlined in Article 3.3 d/e/f of EU Directive 2014/53/EU.

Applicable standards:

EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024

Reason for the limitation:

Sections 6.2.5.1 and 6.2.5.2 of the above standards involve default passwords and provide the option for manufacturers to allow users not to set or use any passwords. Implementing this option may fail to address identity authentication risks appropriately, thus not ensuring compliance with the Radio Equipment Directive (RED) 3.3d/e/f requirements.

Q: Does the manufacturer need to conduct a third-party compliance assessment for this limitation?

A: No, unless the manufacturer ignores the provisions in Sections 6.2.5.1 and 6.2.5.2 that allow users not to set any passwords.

Limitation 3:

For categories or types of radio equipment covered in Sections 6.1.3, 6.1.4, 6.1.5, or 6.1.6 of the harmonized standard EN 18031-2:2024, if, under the application of Sections 6.1.3.4.2, 6.1.4.4.2, 6.1.5.4.2, and 6.1.6.4.2, access control by parents or guardians is not ensured, this harmonized standard does not imply compliance with the essential requirements under RED Article 3.3(e) of the EU Directive 2014/53/EU.

Applicable standard:

EN 18031-2:2024

Reason for the limitation:

Sections 6.1.3, 6.1.4, 6.1.5, and 6.1.6 in EN 18031-2:2024 include requirements for access control mechanisms for radio toys and radio children’s care. The subsections in the “Evaluation Standards” describe categories such as role-based access control, autonomous access control, mandatory access control, or other access control mechanisms. Some of these categories may be incompatible with parental or guardian control mechanisms. If such controls are not implemented, it is considered that the related authentication risks are not adequately addressed, and compliance with RED 3.3(e) is not ensured.

Q: Does the manufacturer need to conduct a third-party compliance assessment for this limitation?

A: No, unless the manufacturer chooses to ignore the provisions regarding the non-implementation of parental or guardian controls in Sections 6.1.3, 6.1.4, and 6.1.5.

Limitation 4:

Section 6.3.2.4 of the harmonized standard EN 18031-3:2024 does not automatically imply compliance with the RED 3.3(f) essential requirements.

Applicable standard:

EN 18031-3:2024

Reason for the limitation:

Section 6.3.2.4 of EN 18031-3:2024 includes standards for assessing security updates. It describes four different implementation mechanisms: digital signatures, secure communication mechanisms, access control mechanisms, or other methods. Using only one of these methods may be insufficient to ensure the security of financial assets. As the evaluation standard is considered inadequate in addressing related authentication risks, it does not ensure compliance with the essential requirements of RED 3.3(f).

Q: Does the manufacturer need to conduct a third-party compliance assessment for this limitation?

A: Yes. Products covered by Section 6.3.2.4 of EN 18031-3:2024 require third-party assessment regardless of how the product is designed.

General Questions and Answers:

Q1: Is self-assessment (Module A) allowed to demonstrate compliance with the essential requirements of 3.3d/e/f (Commission Delegated Regulation 2022/30)?

A: Self-assessment (Module A) is only allowed when the relevant harmonized standards of the EN 18031:2024 series apply to the product and are not affected by the above limitations.

Q2: Can manufacturers voluntarily conduct a third-party compliance assessment?

A: Yes. The conformity assessment procedures for demonstrating compliance with the essential requirements of the Radio Equipment Directive (RED) are outlined in Article 17 of RED (for more details, see section 2.6.b of the Radio Equipment Directive Guide).

Q3: What notified bodies are available for selection?

A: The notified bodies under the Radio Equipment Directive (RED) are listed on the NANDO website. Only notified bodies with specialized cybersecurity capabilities under RED are authorized to issue EU type examination certificates according to the conformity procedure of RED (Commission Delegated Regulation 2022/30).

Q4: Does the Commission provide advice on the applicability of harmonized standards for specific products?

A: No. It is the manufacturer’s responsibility to assess applicability.

As the cybersecurity requirements under RED will become mandatory on August 1 of this year, manufacturers need to act swiftly to ensure their wireless products comply with cybersecurity regulations. As a renowned notified body in the EU, China's JJR Laboratory is committed to providing comprehensive RED directive cybersecurity compliance assessment services, assisting enterprises in meeting product cybersecurity regulatory compliance needs with professional and independent third-party evaluations.