EU Cybersecurity Standards Update for Radio Equipment
On January 30, 2025, the European Commission published IMPLEMENTING DECISION (EU) 2025/138. This update revises the list of harmonized standards for radio equipment, focusing on cybersecurity compliance under Delegated Regulation 2022/30.
Focus on Cybersecurity
The updated standards emphasize network protection, data privacy, and fraud protection, aligning with Articles 3(3)(d), (e), and (f) of the Radio Equipment Directive (RED). These requirements will take effect on August 1, 2025.
Presumption of Conformity with Harmonized Standards
Manufacturers who follow these standards can presume their products meet RED’s essential requirements. A conformity assessment is needed to confirm compliance based on operating conditions and foreseeable use. If manufacturers don’t apply the harmonized standards fully, they must use alternative assessments like EU-type examination or full quality assurance.
New Standards: EN 18031-x
In 2024, the EN 18031-x series was introduced to address cybersecurity under RED. These standards now support network protection, data privacy, and fraud prevention.
- EN 18031-1:2024: Addresses security for internet-connected radio equipment (Article 3(3)(d)).
- EN 18031-2:2024: Focuses on security for internet-connected, childcare, toy, and wearable radio equipment (Article 3(3)(e)).
- EN 18031-3:2024: Targets security for internet-connected equipment dealing with virtual money (Article 3(3)(f)).
Restrictions on Presumption of Conformity
Certain restrictions limit the presumption of conformity:
- General Restrictions: “Rationale” and “guidance” sections are informative and don’t confer conformity.
- Specific Restrictions:
  - Password Risk: If users can bypass setting passwords, the presumption is invalid due to authentication risks.
  - Parental Controls: For specific devices, lack of parental access control disqualifies the presumption.
  - Secure Updates: If updates use specific clauses, they don’t meet conformity due to insufficient authentication handling.
Impact of Restrictions
Manufacturers impacted by these restrictions can’t rely solely on the harmonized standards for conformity. They must engage a Notified Body for third-party assessments. If the standards aren’t fully applied, they must demonstrate compliance through alternative methods, such as EU-type examination or quality assurance.
Conclusion
The EN 18031-x standards offer a framework to comply with cybersecurity requirements under the RED. However, the restrictions mean manufacturers might need third-party assessments to prove compliance fully.
Impact on Type Approval and Market Access Requirements? – Yes
Impact on Imports, Customs, Trade, or Market Surveillance? – No
Impact on Spectrum Management? – No
Impact on Technical Standards? – Yes