EN 18031: The stepping stone for product security standardization

Mar 18, 2025

The EN 18031 series of standards has been published in the Official Journal of the European Union as harmonized standards for the cybersecurity extension of the Radio Equipment Directive RED. This is the first pointer to the eagerly awaited harmonized standards for the Cyber Resilience Act.

But first things first.

Quick recap: Harmonized standards (hEN) are European standards (EN) that are published in the Official Journal of the EU as harmonized standards for a specific EU law. These standards then provide a presumption of conformity — this means that if the harmonized standards are met, the user can assume that the requirements described in the law are fulfilled. Harmonized standards therefore provide clarity and a certain degree of legal certainty.

Harmonized standards are often very specific. For the EU Machinery Directive, for example, there are over 800 harmonized standards for different types of machinery. In the area of cybersecurity, there have not yet been any harmonized standards at all — because all EU harmonization regulations concerning the cybersecurity of products are still quite recent: The Delegated Act on the Radio Equipment Directive (RED-DA) was adopted in 2022, the new Machinery Regulation including cybersecurity requirements in 2023 and the Cyber Resilience Act in 2024.

That is why the publication of the EN 18031 series as harmonized standards is a milestone. Because it’s important to know that standardization is based on consensus. It’s similar to democracy: results take time, especially when new territory has to be plowed and all interest groups involved first have to find and balance their positions.
The EN 18031 series is the cornerstone of the large “harmonized standards for product security” building that the EU is currently constructing. This hard-won consensus will lead the way for the many other harmonized standards that are still to come in this area.

And therefore, even if the EN 18031 standards only fulfil the presumption of conformity for the RED-DA and not for the Cyber Resilience Act (CRA), and even if the RED-DA is likely to be withdrawn before the CRA comes into force, the contents of EN 18031 will certainly point the way for the harmonized standards of the CRA — and also for product security standardization in the EU in general, because national standards in EU member states must not conflict with harmonized standards.

For this reason, it is worth taking a closer look at the EN 18031 standard series.
It is called “Common security requirements for radio equipment” and has three parts:

  • EN 18031-1:2024, Part 1: Internet connected radio equipment
  • EN 18031-2:2024, Part 2: Radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
  • EN 18031-3:2024, Part 3: Internet connected radio equipment processing virtual money or monetary value

Part 1 contains the general security requirements for “Internet-connected radio equipment”, while the other two parts contain more specific requirements for certain product groups. The 33 requirements are sorted into eleven groups (Access Control, Authentication, Secure Storage, Secure Communications, Resilience, Network Monitoring, Traffic Control, Confidentiality of Cryptographic Keys, General Device Capabilities, and Cryptography). “General Device Capabilities” is the largest group; it includes hardening, input validation and vulnerability management. Useful detail: for some requirements, there are decision trees that help to clarify the details of applicability.

Without diving into the details, I don’t want to hide the fact that EN 18031 does not fully fulfill the presumption of conformity for the RED-DA; the full details are in the EU Official Journal. If manufacturers want to be RED-DA compliant, they must not let the user skip setting a password, which EN 18031 permits. For children’s toys and financial products, stricter requirements than those in EN 18031 must be implemented for access control and software updates.

In order to read the complete standard, it must be purchased. One of the questionable pleasures of European structures is that you cannot simply buy an EN standard from the CEN/CENELEC standardization organizations that developed it.
Instead, there is — EU style — a reference to 27 national standards organizations (which publish the EN in the national language).
However, you won’t necessarily find the standard there if you search today, as the national standards organizations have another six months time to publish it in their web stores after publication in the Official Journal.

And please note: Do not confuse EN 18031-x:2024 with ISO/IEC 18031:2025 (random bit generation)!

Don’t be discouraged by all this complexity!

If the Radio Equipment Directive is an issue for you, the publication of the EN 18031 series is good news, because you now have a manageable 33 requirements to work through.

And if you are dealing with the Cyber Resilience Act, it is also good news, because you already have a reference point. Depending on what kind of products you manufacture, it may not get much more specific until 2027 (it took three years for the RED-DA) — but the good thing is that no standard reinvents security; you’re certainly not going in the wrong direction with EN 18031. There is still a lot of standardization work to be done — but the foundation has been laid.

Cyber Resilience what? Read a 5-minute introduction to the EU Cyber Resilience Act here.

This article was part of the monthly “Security Briefings for Hard Hats” [in German].

Written by Sarah Fluchs

Friction generates heat — true for writing and engineering. Fluchsfriction generates writings on security engineering. Heated debates welcome! CTO@admeritia
