New EU Cybersecurity standards (the EN18031 series), to be made mandatory under the Radio Equipment Directive (RED) for CE marking, are now here.

European cybersecurity standards affect developers of connected products.

When will these product standards become mandatory under the RED?
It is expected that this will be 1 August 2025 meaning you have one year to prepare. The standards still need to be added to the harmonised standards journal by the EU.

What are the EN18031 series of standards?
EN 18031-1:2024 Common security requirements for radio equipment - Part 1: Internet connected radio equipment
EN 18031-2: 2024 Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
EN 18031-3:2024 Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value

What are the objectives of compliance with these product standards?
From Article 3.3 of the RED, these standards seek to:

1. Enhance network protection by requiring devices to have features that prevent harm to communication networks and avoid disrupting the functionality of websites or services.
2. Strengthen the protection of personal data and privacy. This includes measures to prevent unauthorized access or transmission of consumers' personal data.
3. Reduce the risk of fraud, through mandating features like improved user authentication controls to minimise fraudulent electronic payments and monetary transfers

What products are covered by these standards?
Connected products. Any devices capable of communicating over the internet, either directly or through other equipment. This includes devices that may handle sensitive data, including personal data, traffic data and location data. Examples include: mobile phones, tablets, laptops, wireless toys, children’s safety equipment (such as baby monitors) and wearable devices, such as smartwatches and fitness trackers.

What are the product testing requirements?
Product Developers or manufacturers must conduct tests focusing on network security, data protection, and the integrity of communication protocols. Devices should be evaluated for their resilience against unauthorized access and potential fraud scenarios.

Why should I as a product developer, become familiar with these product standards and start planning for compliance now?
The forthcoming Cyber Resilience Act is aiming to strengthen cybersecurity across the EU for digital products, meaning that these standards are only the start. It is important to get on top of these now so that you are better prepared for what else is coming.

https://www.rbdevelopment.co.nz/connect
_____

---