EN 18031 Standards: Newly Harmonised for the Radio Equipment Directive (But There’s a Catch!)


The European Commission has referenced the EN 18031 series in the Official Journal (OJ), harmonising these standards under the Radio Equipment Directive (RED) for cybersecurity requirements. This gives manufacturers a potential fast-track to compliance—but there’s a catch: if certain restrictions apply to your product, you’ll need to involve a Notified Body regardless. Read more here if you are wondering whether your device needs to comply with the new regulations.


Why Harmonisation Is a Big Deal

Unlocking Presumption of Conformity

Harmonised standards grant Presumption of Conformity with specific legal requirements. If your product fully meets a harmonised standard, you can typically follow Internal Production Control (IPC, Module A) without consulting a Notified Body. This route is faster, cheaper, and more straightforward.

A Breakthrough for RED Article 3(3)

Before EN 18031, no harmonised standards existed for the Article 3(3)(d), (e), (f) cybersecurity obligations—forcing nearly all manufacturers to plan for Notified Body involvement. Now there’s an official route to compliance that could save significant time and resources.


The ‘Catch’: Restrictions That Trigger Notified Body Involvement

Despite their new harmonised status, EN 18031-1, -2, and -3 each come with clauses that can invalidate Presumption of Conformity for certain products. If your device falls under these restrictions, you must involve a Notified Body, even if you apply most parts of the standard.

Password Oversight (EN 18031-1, -2, & -3)

All three standards include clauses about password protections (e.g., 6.2.5.1 & 6.2.5.2) that require users to set and use strong credentials.

  • If your product allows bypassing or skipping passwords, the standard isn’t considered “fully applied,” forcing a Notified Body route.

Parental/Guardian Controls (EN 18031-2)

For devices that process personal data, clauses 6.1.3–6.1.6 address parental or guardian access control.

  • If your product is supposed to implement these controls but doesn’t, you can’t rely on EN 18031-2 alone and need external certification.

Secure Updates (EN 18031-3)

For equipment handling financial transactions, clause 6.3.2.4 outlines secure update mechanisms.

  • If your product requires more robust security measures than what the standard provides, or if you can’t meet it fully, Notified Body involvement is mandatory.

Conformity Assessment: How Harmonisation Helps (Unless It Doesn’t)

Internal Production Control (IPC)

  • Ideal Scenario: You fully comply with EN 18031 (no restricted clauses apply).
  • Outcome: You can use IPC—compile your technical file, sign a Declaration of Conformity (DoC), and place your product on the market.

Notified Body Pathways

  • EU-Type Examination: Present evidence to a Notified Body, receive a Type Examination Certificate, and ensure final products match the approved design.
  • Full Quality Assurance: A more complex approach requiring comprehensive quality checks. Rarely chosen, but an option if you don’t or can’t apply a harmonised standard in full.

Practical Steps for Manufacturers

  1. Review the Standard’s Clauses
    • Identify any that might disqualify you. For example, do you allow user password skipping? Do you lack parental controls for a child-oriented device?
  2. Conduct a Detailed Risk Assessment
    • Document all cyber risks, even those not explicitly covered by EN 18031.
    • Prove you’ve addressed each threat adequately.
  3. Confirm Your Conformity Route
    • If no restricted clause applies: You can typically follow IPC.
    • If any restriction applies: Prepare to involve a Notified Body early to avoid delays.
  4. Prepare Complete Technical Documentation
    • Keep records of test reports, design details, and risk assessments.
    • Cite the specific EN 18031 standard used and explain how each clause is fulfilled or deemed not applicable.
  5. Plan Ahead for August 1, 2025
    • The new cybersecurity requirements impact every product placed on the market after this date—even long-standing models you’ve sold for years.

Frequently Asked Questions

Q: If my product meets 90% of EN 18031, do I still get Presumption of Conformity?
A: No. Partial use of a harmonised standard doesn’t grant Presumption of Conformity. If you can’t fully comply, a Notified Body must verify your approach.

Q: Are these restrictions permanent?
A: The Official Journal listing may evolve. However, as it stands, any restriction relevant to your device triggers mandatory Notified Body involvement.

Q: What if I don’t address the restricted clauses and skip the Notified Body?
A: Non-compliance risks legal consequences—including product recalls, fines, or denial of market access. More about this in our market surveillance blog.


Key Takeaways

  • Yes, They’re Now Harmonised: The publication of EN 18031 in the OJ is a breakthrough for demonstrating compliance with the RED’s cybersecurity requirements.
  • But There’s a Catch: If your product hits any restricted clauses—like allowing users to skip passwords—you lose the straightforward Internal Production Control option and must involve a Notified Body.
  • Act Early: With August 1, 2025, on the horizon, it’s crucial to evaluate your product design and documentation now. Even products you’ve sold for a decade need to align with these requirements moving forward.

Final Thoughts

The harmonisation of EN 18031 standards under the Radio Equipment Directive marks a significant development for manufacturers aiming to meet the upcoming cybersecurity obligations. But don’t assume a free pass—review all restricted clauses carefully. If you can fully implement each standard’s requirements, you’ll enjoy a simpler compliance path. If not, plan for Notified Body involvement to ensure your product remains on the EU market without interruption.


Need Guidance?

If you’re unsure about applying EN 18031 or dealing with restricted clauses, consult IoT Consulting Partners. Early support helps you pinpoint compliance gaps and avoid last-minute barriers, letting you move forward confidently before the August 2025 deadline.
