July 10, 2025

Cybersecurity Testing According to EN 18031

The Radio Equipment Directive (RED, Directive 2014/53/EU) provides the regulatory framework for placing radio equipment on the market within the European Union (EU). Since 13 June 2017, all radio equipment falling under the scope of this directive must comply with its requirements.

To strengthen the cybersecurity of specific categories of radio products, the European Commission adopted Delegated Regulation (EU) 2022/30 under the RED. This regulation introduces additional obligations and will enter into force on 1 August 2025.

This Delegated Act enforces the following essential requirements from Article 3 of the RED:

• 3.3(d): Ensure network protection – radio equipment must not harm the network or its functioning nor misuse network resources.

• 3.3(e): Incorporate safeguards to ensure the personal data and privacy of the user and subscriber are protected.

• 3.3(f): Include features to protect against fraud.

🧩 What Is EN 18031?

EN 18031 is a multipart European standard that provides a structured framework for evaluating the security properties of IT products and systems, including:

  • Operating systems
  • Firewalls and network appliances
  • Cryptographic modules
  • Secure elements (e.g., smart cards, TPMs)
  • Identity and access management components

EN 18031 is harmonized across Europe and aligned with ISO/IEC 15408, making it internationally recognized under the Common Criteria Recognition Arrangement (CCRA).

🔍 Key Components of EN 18031

EN 18031 is made up of several parts, including:

EN 18031-1: Network Protection: Ensures devices prevent harm to network infrastructure, avoid disruptions, and mitigate resource misuse, including resilience against denial-of-service attacks and unauthorized access.

EN 18031-2: Data Protection: Focuses on safeguarding personal data and user privacy through encryption, robust authentication, and controls against unauthorized access or interception.

EN 18031-3: Fraud Prevention: Addresses risks of unauthorized monetary transactions with secure transaction protocols, fraud detection mechanisms, and protection against payment system breaches.

🛡️ Will I need a Notified Body for Certification?

The EN 18031 standards have been harmonized. When these standards are applied in full, they provide automatic presumption of conformity with the relevant essential requirements, meaning the involvement of a Notified Body is not required.

The requirements become mandatory on 1 August 2025. Manufacturers should act now to prepare their products for compliance.