The European Commission adopted Supplementary Delegated Regulation (EU) 2022/30 in 2022, explicitly requiring radio equipment to comply with cybersecurity, privacy protection, and anti-fraud requirements.
▍Regulatory Timeline
- August 2024: Publication of supporting standard EN 18031, detailing cybersecurity provisions under the RED Directive;
- 30 January 2025: Formal inclusion of EN 18031 in the RED Directive's Harmonized Standards List (EU Official Journal, OJ);
- 1 August 2025 onward: All radio equipment exported to the EU must comply with the cybersecurity requirements under Article 3(3)(d)(e)(f) of the RED Directive, with market access prohibited for non-compliant products.
▍Key Requirements
Regulatory Upgrade: Complete compliance framework established from regulation to standard;
Critical Deadline: 1 August 2025 as enforcement cut-off date;
Market Access Prerequisites: Must satisfy three core requirements:
- Cybersecurity (Attack Prevention)
- Privacy Protection (Data Encryption)
- Anti-fraud Measures (Two-factor Authentication)
Ⅰ Core Standard Analysis: Three Clauses Precisely Mapped
The EN 18031 series of standards consists of three parts, which directly correspond to the three key requirements outlined in Article 3(3) of the RED Directive:
Ⅱ Comprehensive List of Applicability Scope (with Exemptions)
1. EN 18031-1 (Functional Safety Requirements for Internet Connectivity)
Applies to internet-connected radio equipment, focusing on cybersecurity assessments for network assets, including defenses against cyberattacks, prevention of network resource abuse, and service disruption mitigation.
Applicable Products:
- Mobile phones, tablets;
- Wi-Fi routers, gateways; internet-connected air conditioners, refrigerators, and other household appliances;
- Smart TVs/streaming devices and 3G/4G/5G equipment;
- All devices with Wi-Fi communication capabilities;
- Vehicle-mounted connectivity components; power converters in energy systems.
2. EN 18031-2 (Data Security Requirements)
Applies to radio equipment processing personal data, emphasizing privacy protection through access control, data encryption, and privacy-preserving mechanisms.
Applicable Products:
- Bluetooth devices (TWS earphones, speakers), wearables (smartwatches);
- Baby monitors, smart sensors, vehicle-mounted GPS;
- Air purifiers, robotic vacuum cleaners, and similar home appliances.
3. EN 18031-3 (Financial Function Safety Requirements)
Applies to devices handling virtual currencies or monetary value, requiring anti-fraud features such as transaction logging, software integrity verification, and tamper resistance.
Applicable Products:
- POS terminals, ATM machines;
- Any devices supporting virtual currencies or fund transfer functionalities.
⚠️ Exemption Scope:
- Medical devices: Governed by MDR (Medical Device Regulation).
- Aviation equipment: Subject to Regulation (EU) 2018/1139.
- Vehicle emergency systems: Covered by Regulation (EU) 2019/2144.
- Payment terminals: Compliant with Directive (EU) 2019/520.
Ⅲ Manufacturer’s Emergency Action Four-Step Protocol
Step 1: Product Classification Screening
Match device functionality to standard categories:
- Network connectivity → EN 18031-1
- Personal data processing → EN 18031-2
- Financial transactions → EN 18031-3
Determine whether the product is subject to the new regulations.
Step 2: In-Depth Technical Clause Analysis
- Mandatory password setup (EN 18031-1): Users must set a password upon first use; default passwords are prohibited.
- Parental controls (EN 18031-2): Hardware-level implementation of guardian permissions required (e.g., physical button + biometric authentication).
- Multi-layered security updates (EN 18031-3): Dual mechanisms mandatory: digital signature + access control (e.g., signed firmware + one-time password).
Step 3: Compliance Gap Assessment
Key checks:
- Are default passwords fully disabled?
- Does data encryption meet AES-256 standards?
- Are security updates using dual verification mechanisms?
Step 4: Certification Pathway Selection
- Self-Declaration: Applicable if fully compliant with harmonized standards (must retain technical documentation for 10 years).
- Notified Body (NB) Certification: Mandatory if:
  - Users can bypass password setup
  - Proprietary access control modes are used
  - Only a single security update method is implemented
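The "signed firmware + one-time password" pairing from Step 2, which Step 3 asks manufacturers to check for, can be sketched as a fail-closed update gate. This is an added example, not text from EN 18031 or code from Anbotek; the choice of Ed25519 signatures and RFC 6238 TOTP, the function names, and the sample key, image and secret are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits).
func totp(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// AcceptUpdate (hypothetical name) fails closed: both checks must pass.
func AcceptUpdate(vendorKey ed25519.PublicKey, image, sig, otpSecret []byte, otp string, now int64) error {
	if !ed25519.Verify(vendorKey, image, sig) {
		return fmt.Errorf("rejected: firmware signature invalid")
	}
	// Allow one step of clock drift either side; compare in constant time.
	for _, t := range []int64{now - 30, now, now + 30} {
		if subtle.ConstantTimeCompare([]byte(totp(otpSecret, t)), []byte(otp)) == 1 {
			return nil
		}
	}
	return fmt.Errorf("rejected: one-time password invalid")
}

func main() {
	// Constructed sample data: throwaway key pair, image and OTP secret.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("firmware-v2.bin contents (constructed)")
	sig := ed25519.Sign(priv, image)
	secret := []byte("12345678901234567890")
	now := int64(59)
	fmt.Println(AcceptUpdate(pub, image, sig, secret, totp(secret, now), now))
	fmt.Println(AcceptUpdate(pub, append(image, 0), sig, secret, totp(secret, now), now))
	fmt.Println(AcceptUpdate(pub, image, sig, secret, "000000", now))
}
```

A device that accepts an update when only one of the two checks passes falls under the "only a single security update method" case listed in Step 4.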
Anbotek Compliance Laboratory Ltd. (referred to as “Anbotek”), headquartered in Shenzhen, has established six large-scale comprehensive testing laboratory bases across China, with a total laboratory area exceeding 20,000 square meters.
With two decades of expertise in testing and certification, Anbotek has become a leading innovator in China’s third-party inspection, verification, testing, and certification services. The company has been honored with prestigious recognitions including:
- “Service-Oriented Manufacturing Demonstration Platform for Energy Storage Systems”
- “Guangdong Provincial New Energy Engineering Technology Research Center”
- “Shenzhen Renowned Brand”
Post time: Apr-18-2025