EMC China Lab

RED DA (EN 18031) Certification Requirements

Update time : 2025-08-19

The EU Radio Equipment Directive (RED 2014/53/EU) is designed to ensure that all radio equipment placed on the EU market complies with essential requirements regarding safety, health, electromagnetic compatibility, and spectrum efficiency. As the directive continues to evolve, the EU has introduced a Delegated Act (DA), namely EN 18031, which adds new cybersecurity compliance requirements for radio equipment.

 

For manufacturers, system integrators, and developers, it is critical to understand and implement these new requirements to maintain market access. This document provides a clear assessment framework to help businesses evaluate their current compliance status and identify key steps for certification.

 



What is RED DA?

RED DA (EN 18031) is an extension of the EU RED directive, introducing mandatory cybersecurity requirements for wireless-connected products sold in the EU.

 

Manufacturers whose products already comply with RED must reassess their products by August 1, 2025, to ensure compliance with RED DA.

 

RED DA Cybersecurity Requirements

According to Article 3(3) of RED DA, three categories of cybersecurity requirements are introduced:

 

- Article 3(3)(d): Network Protection

Products must ensure secure network connectivity, strong authentication mechanisms, and prevention of unauthorized access.

 

- Article 3(3)(e): Personal Data & Privacy Protection

Products must implement data encryption, secure storage, and user authorization mechanisms to protect personal data and privacy.

 

- Article 3(3)(f): Fraud Prevention

Products must provide secure payment interfaces and transaction verification mechanisms to prevent financial fraud.

 

EN 18031 as a Harmonised Standard

To simplify compliance, the EU has published Harmonised Standards that translate legal requirements into technical implementation guidelines. When manufacturers follow these standards, they benefit from the “presumption of conformity”, meaning authorities will automatically consider the product compliant.

 

On January 28, 2025, the EU Commission published the references of the EN 18031 series in the Official Journal of the EU:

 

- EN 18031-1:2024 – Security requirements for connected radio equipment

- EN 18031-2:2024 – Requirements for devices handling personal data

- EN 18031-3:2024 – Requirements for devices with financial transaction capabilities

 

What Does This Mean for Manufacturers?

If you plan to sell wireless-enabled products in the EU, RED DA compliance is mandatory in the following cases:

 

- New product launches after August 1, 2025

- Security-relevant updates to existing products

- Even when using pre-certified wireless modules, the final product must be fully compliant

 

Compliance obligations depend on the product’s status at the date of enforcement:

 

- Products not yet on the market before August 1, 2025 must comply with RED DA

- Products already shipped or publicly sold before that date are considered placed on the market and are exempt

- However, security-relevant updates after August 1, 2025 may trigger re-evaluation as a “new product”

 

EN 18031: Module vs. Final Product

EN 18031 applies to complete radio equipment with network connectivity, not just individual modules.

 

While modules may be certified independently, module certification alone does not ensure final product compliance. The final product manufacturer holds the compliance responsibility.

 

In short: secure modules support compliance but do not replace full product certification.

 

RED DA Compliance Pathways

Manufacturers may choose between two approaches:

 

1. Self-Assessment

- Advantages:

  - Lower cost (no third-party fees)

  - Saves time (avoids lengthy external reviews)

  - Greater control over compliance process

- Requirements:

  - Fully implement relevant EN 18031 requirements

  - Prepare comprehensive technical documentation

  - Sign a Declaration of Conformity (DoC)

  - Provide documentation upon request by authorities

 

2. Notified Body (NB) Assessment

If the product does not fully comply with EN 18031 standards, a Notified Body must be involved.

 

- Examples requiring NB involvement:

  - User can bypass password requirements (contradicting EN 18031-1/2/3 password management provisions)

  - Non-compliance with child access control requirements in EN 18031-2 (6.1.3–6.1.6)

  - Inability to meet EN 18031-3 update mechanism requirements for financial authentication

- NB Responsibilities:

  - Review technical documentation

  - Assess RED DA compliance

  - Perform additional testing if required

  - Issue a conformity assessment certificate

 

Required Documentation

To comply with RED DA, manufacturers must prepare and retain:

 

- Product technical specifications

- Risk assessment and mitigation plan

- List of applied EN 18031 standards

- Declaration of Conformity (DoC)

  - Self-assessment: signed by manufacturer

  - NB assessment: issued by NB with supporting documents

 

Manufacturer Obligations

Manufacturers must:

- Prepare all compliance documentation before placing the product on the market

- Retain documentation for at least 10 years after market placement

- Ensure manufacturing processes remain compliant

- Affix the CE marking to compliant products

 

Authorities may request compliance documentation at any time after market entry. Failure to provide it may result in re-certification, fines, or product recall.

 

Frequently Asked Questions (FAQ)

Does EN 18031 apply to modules or final products?

A: EN 18031 applies to complete connected radio equipment. Module use does not shift compliance responsibility away from the final product manufacturer.

 

What if the product developer lacks cybersecurity expertise?

A: Use the published security guidelines and consider engaging external consultants or accredited labs.

 

Is third-party certification always required?

A: No. Most cases allow self-assessment. Third-party (NB) involvement is required only in specific exceptions.

 

What happens if self-assessment documentation is incomplete?

A: Authorities may request corrections. Serious issues can result in fines or mandatory re-certification.

 

Who can request compliance documents?

A: Market surveillance authorities, certification bodies, and distributors.

 

In a dual-chip design (MCU + wireless module), who is responsible for RED DA compliance?

A: The final product manufacturer is responsible for ensuring full system compliance, including interactions between the MCU and wireless module.

