EMC China Lab

Smart Locks and EN 18031 Certification

Views :
Update time : 2025-08-19

en 18031 Overview

As the EU’s mandatory cybersecurity standard for radio equipment, EN 18031will take effect on August 1, 2025, becoming the “entry threshold” for smart locks entering the EU market.

 

Rather than a single specification, EN 18031 is composed of three sub-standards:

- EN 18031-1: Focuses on network protection, covering defenses against DDoS attacks, encrypted communication, and other connectivity-related security needs.

- EN 18031-2: Specializes in personal data protection, including the secure handling of biometric data and unlocking records.

- EN 18031-3: Targets financial transaction security. Since smart locks typically do not involve payment functions, this standard is rarely applicable.

 

The key to determining whether a smart lock requires certification lies in two questions:

1. Does the product include a wireless communication module (i.e., is it considered radio equipment)?

2. Does the product involve network connectivity or the processing of personal data?

 

Purely wired devices or mechanical-electronic locks without communication modules fall outside the red directive’s scope and do not require en 18031 certification.

 

Smart Locks and EN 18031 Certification(图1)


Certification Requirements for Six Types of Smart Locks

Type 1: Standard Lock (No Communication Module)

- Supports only local unlocking methods (PIN, fingerprint, face recognition).

- No Bluetooth/WiFi modules → No EN 18031 certification required.

- If biometric data is stored, it is recommended to follow EN 18031-2 encryption requirements (e.g., AES-256) for enhanced data security.

 

Type 2: Bluetooth Locks

- Mobile App Control

- Connects via smartphone Bluetooth.

- App processes accounts, unlock records, and data transfers.

- Requires EN 18031-1(network security) and EN 18031-2(privacy protection).

- Testing focus: Bluetooth encryption (TLS 1.3), app permission control, biometric local storage compliance.

- Bluetooth Remote Control

- Operated by standalone remote, no app, no network.

- No EN 18031-1 required.

- If biometric unlocking is supported → EN 18031-2required.

 

Type 3: WiFi Locks & Type 4: 4G/5G Locks

- Support remote control, temporary password sharing, video monitoring.

- Store biometric data.

- Must pass both EN 18031-1 and -2.

- High-risk test areas:

- Communication security (TLS 1.3 to prevent MITM attacks).

- Data storage (biometric data must remain local and encrypted; cloud upload prohibited).

- Firmware updates (security patches required within 90 daysof vulnerability discovery).

 

Type 5: Wired Locks (Ethernet Connection)

- Connect to LAN/Internet via Ethernet cable.

- No wireless modules → outside RED scope → No EN 18031 required.

- Still recommended to implement equivalent protections (e.g., brute-force resistance, encrypted storage).

 

Type 6: Zigbee Locks (Gateway-Dependent)

- Relies on Zigbee gateway for connectivity.

- Lock body and gateway may be sold separately.

- Best practice: certify lock + gateway as one systemunder EN 18031-1 and -2.

- If lock body alone is tested with gateway, the report only certifies the lock, leaving hidden risks.

- Strongly recommended: joint certificationof gateway + lock.

 

High-Risk Vulnerabilities and EN 18031 Protection Value

Smart locks face three primary threats, which EN 18031 directly addresses:

- Weak password brute-force attacks

- 61% of users set simple passwords (e.g., birthdays).

- Such passwords can be cracked in ~4 minutes.

- EN 18031 requires: ≥8-character alphanumeric passwords and a 5-attempt lockout mechanism.

- Biometric data leakage

- Some products upload unencrypted fingerprint templates to the cloud.

- Risk of identity spoofing.

- EN 18031 requires AES-256 local storage only, cloud upload prohibited.

- Communication hijacking

- Unencrypted Bluetooth commands may be intercepted.

- Full takeover possible in ~7 minutes.

- EN 18031 mandates TLS 1.3encryption to prevent MITM attacks.

 

Non-certified products face dual risks:

- Legal: After August 2025, uncertified products are banned from EU markets; sold units may be recalled and fined up to 4% of annual revenue.

- Security: 97% of uncertified locks have high-risk vulnerabilities; some can be hacked in 3 secondsdue to missing electromagnetic shielding.

 

Implementation Recommendations for Manufacturers

1. Accurate Classification to Avoid Over-Certification

 - Standard/wired locks → no EN 18031.

 - Bluetooth remote locks → only EN 18031-2.

 - All other connected locks → EN 18031-1 & -2.

 

2. Zigbee Compliance Strategy

 - Prioritize joint certification of lock body + gateway.

 - Strengthen supply chain management (require pre-certification reports from gateway suppliers).

 

3. Technical Remediation Priorities

 - Address critical risks first (e.g., disable remote unlocking unless NB-certified, deploy dynamic passwords).

 - Cost optimization: use pre-certified secure chips (e.g., NXP SE050) to cut ~30% of test items.

 

With just one month left before August 2025 enforcement, manufacturers must immediately initiate vulnerability scans and documentation reviewsto ensure certification readiness and avoid market entry barriers.


Email:hello@jjrlab.com


Leave Your Message


Write your message here and send it to us


Related News
Read More >>
Amazon Toys TIC DV Validation Amazon Toys TIC DV Validation
07 .06.2026
Need Amazon Toys TIC DV Validation? JJR LAB offers direct reporting, ensuring laser, jewelry & s...
Austrian Amazon EPR Mandatory Compliance Austrian Amazon EPR Mandatory Compliance
07 .06.2026
Austrian Amazon EPR is mandatory for packaging, WEEE & batteries. Ensure products meet testing s...
The Differences Between CTA Network Access Certifi The Differences Between CTA Network Access Certifi
07 .06.2026
CTA regulates network access, while SRRC governs RF emissions in China. Complying with MIIT testing ...
Where to Get German LFGB Testing Done? Where to Get German LFGB Testing Done?
07 .05.2026
Need German LFGB testing? JJR LAB verifies food contact materials to strict LFGB Sec 30 & 31 sta...
966 Fully Anechoic Chamber 966 Fully Anechoic Chamber
07 .04.2026
At JJR LAB, our 966 Fully Anechoic Chamber provides expert EMC testing to EN55032 and IEC 61000 stan...
Power Adapter UL1310 Certification Power Adapter UL1310 Certification
07 .03.2026
JJR LAB provides professional UL1310 testing standard certification for Class 2 power adapters and c...
Standard for Air Conditioners and Dehumidifiers: I Standard for Air Conditioners and Dehumidifiers: I
07 .03.2026
JJR LAB provides expert testing for the new IEC 60335-2-40:2024 standard. Ed 8 updates safety rules ...
Guide to Children's Product Safety and Compliance Guide to Children's Product Safety and Compliance
07 .01.2026
Ensure children‘s product safety and compliance for toys and apparel by meeting strict testing stand...

Leave Your Message