Over the past two years, cybersecurity compliance for digital products in the European Union has gone through a structural change: the existing cybersecurity rules for wireless devices under the Radio Equipment Directive (RED) continue to be strictly enforced, while the new Cyber Resilience Act (CRA) is being phased in. Running two regimes in parallel leaves most IoT, smart-hardware and software companies entering the EU market with the same question:
If we already comply with EN 18031, do we still need to comply with the CRA?
The CRA (Regulation (EU) 2024/2847, the Cyber Resilience Act) is horizontal EU legislation and will become the single cybersecurity baseline for all products with digital elements placed on the EU market.
Its scope covers hardware and software products with digital elements that have a direct or indirect data connection to a device or network. It is not limited to wireless devices: wired devices, complete computer systems, standalone application software, smart components and similar products are all covered, which makes it a genuinely comprehensive act. Only product categories already governed by sector-specific EU rules with their own cybersecurity requirements (for example medical devices and motor vehicles) are excluded.
The CRA is applied in phases. Four dates determine the compliance timeline for manufacturers:
✅ December 10, 2024: The CRA entered into force and became part of the EU legal order.
✅ June 11, 2026: The provisions on conformity assessment bodies (Chapter IV) apply, so notified bodies (NBs) can be designated and the CRA certification system starts operating.
✅ September 11, 2026 (core mandatory date): The manufacturer reporting obligations in Article 14 apply. Actively exploited vulnerabilities and severe incidents affecting the security of a product with digital elements must be reported through the single reporting platform to the designated CSIRT coordinator and ENISA: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (vulnerabilities) or one month after the notification (incidents).
✅ December 11, 2027 (end of the transition period): The CRA applies in full, the RED cybersecurity delegated regulation (EU) 2022/30 is repealed, and the RED cybersecurity regime ends.
Penalties (high risk): Non-compliance with the essential cybersecurity requirements or the core manufacturer obligations can be fined up to €15 million or 2.5% of total worldwide annual turnover in the preceding financial year, whichever is higher; lower caps apply to other obligations and to supplying incorrect information.
Unlike product standards that only test the product itself, the CRA requires manufacturers to run a full-lifecycle security process: secure-by-design development before placing the product on the market, vulnerability handling after it, security updates for the declared support period, and disclosure and reporting management.
The core misconception that traps many enterprises: believing that passing EN 18031 is equivalent to CRA compliance.
The position is clear: the two differ in legal status, scope and obligations. They run in parallel during the transition period, and from December 11, 2027 the RED cybersecurity requirements that EN 18031 implements are superseded by the CRA. They are not equivalent.
EN 18031: Merely a Technical Standard
It is a harmonised standard under the Radio Equipment Directive (RED) and covers only radio equipment (Wi-Fi, Bluetooth, cellular and other RF products) within the scope of RED Articles 3(3)(d), (e) and (f), which Delegated Regulation (EU) 2022/30 activated. Those requirements became mandatory for CE marking of such equipment on August 1, 2025.
It addresses only the technical security of the device itself: EN 18031-1 covers network protection (Article 3(3)(d)), EN 18031-2 covers privacy and personal-data protection (Article 3(3)(e)), and EN 18031-3 covers protection against fraud for equipment handling monetary value (Article 3(3)(f)), with requirements such as access control, authentication, secure updates, secure storage, secure communication and cryptography. It imposes no management system, no lifecycle obligations and no reporting duties.
CRA: An Official EU Law
It covers wireless, wired and software products alike. It regulates not only the technical security of the product but also the manufacturer's processes and lifecycle responsibilities, and it places obligations on importers and distributors as well.
Based on CRA Article 2(4), which allows the application of the CRA to be limited or excluded where other Union rules already address the same risks to the same level, the practical position is:
✅ Reusable: For technical requirements that overlap between EN 18031 and CRA Annex I Part I (for example access control, secure update, secure storage and secure communication), test reports and technical documentation produced for EN 18031 can be reused as evidence in the CRA technical file instead of repeating the tests. Reuse is evidence, not conformity: the manufacturer must still map each CRA essential requirement to that evidence and close any gaps.
❌ Not reusable (CRA-only mandatory requirements):
Producing and maintaining a Software Bill of Materials (SBOM) in a commonly used machine-readable format, covering at least the top-level dependencies of the product.
Providing security updates for a support period of at least five years (unless the product is expected to be in use for a shorter time) and stating that period publicly in the user information.
Publishing a Coordinated Vulnerability Disclosure (CVD) policy with a contact address for reports, and operating the vulnerability-handling process behind it.
Reporting actively exploited vulnerabilities and severe incidents through the single reporting platform to the CSIRT coordinator and ENISA, with the early warning due within 24 hours, plus due diligence on integrated third-party components and the corresponding obligations on importers and distributors.
In one sentence: technical test evidence can be reused, but the legal obligations cannot be avoided.
Wireless (radio) products: run dual compliance during the transition. First pass EN 18031 so the product can carry the CE mark under RED; in parallel, build the four CRA process requirements above, so that vulnerability reporting, SBOM generation and firmware lifecycle management are in place before the CRA deadlines.
Wired products and standalone software: EN 18031 does not apply. Prepare directly against the CRA essential requirements.
All manufacturers: the vulnerability-reporting and incident-response process must be operational by September 11, 2026; from that date a missed early warning is a CRA violation, even though the rest of the Regulation does not yet apply.
EN 18031 is a near-term, technical entry threshold specifically for radio equipment; the CRA is a long-term, horizontal law for all products with digital elements that governs both processes and technology. With the two regimes running in parallel from 2025 to 2027, complying with EN 18031 alone does not satisfy the CRA. Planning for both now is a prerequisite for keeping access to the EU market.