EN 18031 European Union Cybersecurity Certification

EU RED Cybersecurity Certification, en 18031 Testing, uk psti, Applicable to Consumer IoT Devices, Routers, Optical Modems, Switches, etc.

With the explosive growth of Internet of Things (IoT) devices, security risks in areas such as smart homes, medical devices, and smart cities have risen sharply. To address this challenge, the European Union and the United Kingdom have successively introduced mandatory cybersecurity regulations, requiring manufacturers, importers, and distributors of consumer IoT devices to ensure their products comply with strict security standards. Otherwise, they will face market entry bans, hefty fines, and even legal liabilities.

EU Cybersecurity Certification Services

JJR LAB quickly responds to the market access certification requirements for IoT device cybersecurity: providing manufacturers and brands of consumer IoT devices with consultation on new EU and UK cybersecurity market access certification regulations, and offering one-stop certification services applicable to consumer IoT devices, routers, optical modems, switches, and more.

Regulatory Basis

The EU strengthens the supervision of IoT devices through the Cybersecurity Act and the Radio Equipment Directive (RED).

The UK introduced the Product Security and Telecommunications Infrastructure Act (psti Act), explicitly requiring IoT devices to meet minimum security requirements.

European Union (EU)

• Regulations & Standards: red directive 2014/53/EU Article 3.3(d)/(e)/(f). For Consumer IoT Devices: EN 18031-1/2/3:2024.

• Mandatory Implementation Date: August 1, 2025

United Kingdom (UK)

• Regulations & Standards: PSTI Act:

1. The UK Product Security and Telecommunications Infrastructure (Product Security) regime.

2. Product Security and Telecommunications Infrastructure Act 2022 – Part 1.

3. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
   For Consumer IoT Devices: ETSI EN 303 645.

• Mandatory Implementation Date: April 29, 2024

Product Control Scope for Consumer IoT Devices

European Union

Focuses on high-level security and data protection requirements for consumer IoT devices connected to network infrastructure (such as IoT or home networks) and their interaction with related services. Consumer IoT devices include, but are not limited to, the following devices:

• Connected children's toys and baby monitors

• Connected smoke detectors

• Door locks and window sensors

• IoT gateways, base stations, and hubs connecting multiple devices

• Smart cameras

• Televisions and speakers

• Wearable health trackers

• Connected home automation and alarm systems, especially their gateways and hubs

• Connected appliances, such as washing machines and refrigerators, and smart home assistants

United Kingdom

Connectable products refer to products that can connect to the internet or a network. The control scope includes:

• Children's toys and baby monitors

• Security products (smoke detectors, door locks, alarms, etc.)

• Cameras, televisions, and speakers

• IoT gateways, base stations, and hubs connecting multiple devices

• Home automation systems

• Medical devices equipped with software

• Wearable health trackers

• Base stations and hubs

• Tablets and laptops designed specifically for children under 14 years old

• Tablets with cellular connectivity capabilities

• Outdoor leisure products

• Connected appliances, such as washing machines and refrigerators, and smart home assistants

Cybersecurity Assessment Content and Process for Consumer IoT Devices

1. Main Requirements of Cybersecurity Standard EN 18031:

(Based on 2014/53/EU Article 3.3(d)/(e)/(f) / EN 18031-1 / EN 18031-2 / EN 18031-3)

Article 3: Section 3.3(d): en 18031-1:2024

• Requirements: Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service.

• Controlled Product Examples: General internet-connected radio devices, such as routers, televisions, smart speakers, and smart home appliances.

Article 3: Section 3.3(e): EN 18031-2:2024

• Requirements: Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.

• Controlled Product Examples: Data processing equipment, wireless childcare devices, and wearable devices.

Article 3: Section 3.3(f): EN 18031-3:2024

• Requirements: Radio equipment supports certain features ensuring protection from fraud.

• Controlled Product Examples: Network virtual currency payment devices, such as POS machines and cash register equipment.

Significance of Cybersecurity Assessment for IoT Devices

• The significance of cybersecurity assessment for IoT devices lies in safeguarding the security of IoT devices and networks, preventing malicious attacks and data breaches, and ensuring the information security of users and enterprises.

• By evaluating the cybersecurity of IoT device hardware and related services, potential security vulnerabilities and risks are discovered, allowing for timely measures to strengthen security protections and improve the system's safety and stability.

• It helps enterprises and users understand the security performance of IoT device hardware and related services, enabling them to select safer and more reliable devices, mitigate security risks, and protect personal privacy and corporate confidential information.