How to get EN 18031 Certification for Wireless Products?

With the explosive growth of Internet of Things (IoT) devices, cybersecurity issues have become increasingly severe. The European Commission has officially issued the delegated regulation (EU) 2022/30, introducing mandatory cybersecurity requirements (Annex III, Part 3.3, points d, e, f) under the Radio Equipment Directive (RED). This means that starting from August 1, 2025, the vast majority of wireless products exported to the EU must not only pass traditional radio frequency (RF), electromagnetic compatibility (EMC) and safety tests, but also comply with the en 18031 series of standards to demonstrate sufficient cybersecurity defense capabilities; otherwise, they will not be allowed to clear customs and be sold.

What is en 18031 certification?

EN 18031 is a harmonized cybersecurity standard formulated to align with the new red directive requirements. It aims to ensure that wireless devices, when connected to the Internet, do not pose risks to the network and can effectively protect users' privacy data. It mainly corresponds to the following three clauses of the RED directive:

①　Art 3.3 (d) Network Protection: Devices shall not abuse network resources, leading to degradation or disruption of network services (preventing utilization for DDoS attacks).

②　Art 3.3 (e) Privacy Protection: Devices must incorporate mechanisms to protect users' personal data and privacy.

③　Art 3.3 (f) Anti-fraud: Devices must support functions designed to minimize the risk of fraud (primarily applicable to devices involved in electronic payments).

Which Products Fall Under the Mandatory Regulation Scope?

The new regulation has an extensive coverage, encompassing almost all wireless devices that can connect to the Internet either directly or indirectly. Key regulated products include but are not limited to:

①　Smart Home Category: Wi-Fi routers, smart cameras, smart door locks, smart sockets, robotic vacuum cleaners.

②　Wearable Device Category: Smart watches, Bluetooth headsets (some with app functions), health monitoring bracelets.

③　Children's Toy Category: Smart toys with wireless functions, baby monitors.

④　Security and Surveillance Category: Network cameras (IPC), alarm control panels.

Note: Even if a product itself does not have a direct Wi-Fi/4G interface, if it connects to a mobile app via Bluetooth and then accesses the Internet for data transmission, it still falls within the regulated scope.

Core Technical Requirements for Certification

The en 18031 standard specifies detailed technical requirements for product hardware and software design, which poses a significant challenge for many manufacturers accustomed to "only conducting hardware tests". Key testing areas include:

①　Default Password Management: The use of generic default passwords (e.g., "admin/123456") is strictly prohibited. Each device must have a unique factory-set password, or users must be forced to change the password upon initial use.

②　Vulnerability Management: Manufacturers must establish a vulnerability disclosure policy and be able to push security patches in a timely manner (ensuring the security of the OTA upgrade mechanism).

③　Communication Security: Communication between the device, cloud server and app must be encrypted (e.g., using the TLS protocol) to prevent data from being intercepted or tampered with during transmission.

④　Data Storage Security: Sensitive data (e.g., Wi-Fi passwords, user privacy) must be encrypted when stored locally on the device.

Arrange Testing as Soon as Possible to Avoid Disrupting Product Shipments

The mandatory enforcement date is August 2025, and the regulation is currently in force. Do not wait until your goods are held up at customs before taking action!

1. Long Rectification Cycle: Unlike EMC rectification, cybersecurity certification often involves chip selection, underlying firmware rewriting, app architecture adjustment, and even server-side configuration modification, with the rectification cycle usually measured in months.

1. Shortage of Testing Resources: As the deadline approaches, testing laboratories worldwide with EN 18031 qualification will face severe backlogs.

2. Advanced Requirements from Buyers: To ensure supply chain security, many major European purchasers and brand owners have already started requiring suppliers to provide evaluation reports demonstrating compliance with cybersecurity standards in advance.