Before you read a NOTE: For more detailed information on the new cybersecurity regulations and how they might impact your devices, check out also our comprehensive guides:
– Understanding the 2025 Cybersecurity regulations for IOT compliance.
– Does you IoT Equipment need to comply with the New EU cybersecurity regulations.
As the August 2025 deadline approaches, IoT developers and economic operators must align their products with the latest EU cybersecurity regulations. Staying ahead of these changes is critical to avoiding compliance issues and ensuring product success. Here’s what you need to know.
Key Changes in EU Cybersecurity Standards
1. Transition to EN 18031 Standards
Previously, ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) was neither applicable nor intended for presumption of conformity under EU directive 2014/53/EU. However, in 2024, the EN 18031 series—comprising EN 18031-1, EN 18031-2, and EN 18031-3—was finalized. This new series replaces ETSI EN 303 645 as the benchmark for cybersecurity compliance and is intended for presumption of conformity under the directive.
2. Using EN 18031 for Compliance
While the finalized EN 18031 standards are available, they are not yet harmonized in the EU Official Journal (OJ). Until then, businesses can still use these standards for compliance, but must follow a different Conformity Assessment route. This involves using ANNEX III (Modules B and C), requiring a Notified Body. Once harmonized, the process will shift to ANNEX II (Module A), which allows for self-certification without a Notified Body.
Compliance Requirements
1. Current Compliance Process
Until EN 18031 is harmonized, compliance must follow ANNEX III, requiring:
- Module B: Type Examination
- Module C: Conformity to Type
This requires working with a Notified Body to verify compliance.
2. After Harmonization
Once the standards are harmonized and listed in the EU OJ, businesses will be able to self-certify under ANNEX II (Module A), eliminating the need for a Notified Body. However, full compliance with EN 18031 remains necessary, and an EU Declaration of Conformity must still be provided.
Understanding the EN 18031 Series
The EN 18031 standards are divided into three parts, each targeting specific security requirements for different IoT devices:
- EN 18031-1: Common security requirements for internet-connected radio equipment. (Corresponding with Essential requirement 3.3.(d) of directive 2014/53/EU).
- EN 18031-2: Focuses on radio equipment processing data, including childcare devices, toys, wearables, and other internet-connected devices. (Corresponding with Essential requirement 3.3.(e) of directive 2014/53/EU).
- EN 18031-3: Addresses internet-connected radio equipment handling virtual money or monetary value, ensuring secure transactions. (Corresponding with Essential requirement 3.3.(f) of directive 2014/53/EU).
Devices must meet the applicable parts of the EN 18031 series based on their functionality.
How IoT Consulting Partners Can Help
At IoT Consulting Partners, we provide expert guidance to ensure your products are compliant with the latest cybersecurity standards:
- Regulatory Guidance: Stay updated on EN 18031 and understand how it impacts your products.
- Compliance Testing: Ensure your products meet current and upcoming requirements with our comprehensive testing services.
- Strategic Support: We help you develop a long-term compliance plan to align with evolving EU regulations.
Get Ready for August 2025
Start preparing now to avoid last-minute compliance issues. For more information or assistance, reach out to IoT Consulting Partners.
Stay Updated: Want to receive more insights on IoT compliance?