19/06/2025
Webinar by APPLUS+ Labs on EN 18031 to comply with RED DA

APPLUS+ Labs explain how to use EN 18031 to comply with the Radio Equipment Directive (RED) Delegated Act.

This webinar provides an overview of the EN 18031 standard, the key European standard for the cybersecurity of radio equipment, developed to support the Radio Equipment Directive (RED) Delegated Act. APPLUS+ Labs explain how to comply with the RED DA using the EN 18031 standards. Compliance becomes mandatory for all products sold in the EU on August 1, 2025.

Webinar Objectives

The webinar’s key objectives were:

  1. To provide key insights and clarity on the structure of the EN 18031 standard.
  2. To explain the application and assessment approach for the EN 18031 standard.
  3. To support manufacturers in their efforts to achieve compliance with the Radio Equipment Directive (RED) Delegated Act ahead of the August 2025 deadline, using this standard.

Target Audience

This webinar is aimed at companies that already have at least a semi-established cybersecurity understanding or policy and are now looking to comply with specific, detailed regulations like the RED Delegated Act via the EN 18031 standard. While it mentions starting points like risk assessment, the depth of discussion on mechanisms, assessment criteria, and mapping to other standards assumes some existing familiarity with cybersecurity concepts. Companies completely new to cybersecurity might find it very technical without foundational knowledge.

The webinar is especially useful to the following roles:

  1. Technical Engineers and Cybersecurity Managers, who need to understand the technical requirements, mechanisms and testing.
  2. Engineering Managers, who are responsible for product design and the implementation of security measures.

Presenters and their profiles:

Nuria Carrio: Cybersecurity Technical Director at APPLUS+ Laboratories.

How EN 18031 maps to RED DA

The standard is divided into three parts, each mapping to a specific article of the RED:

  • Part 1 (Article 3.3d): General cybersecurity for all internet-connected radio equipment, to prevent harm to networks.
  • Part 2 (Article 3.3e): Protection of personal data for devices like wearables, child care equipment, and toys.
  • Part 3 (Article 3.3f): Prevention of fraud for devices that handle financial transactions or virtual money.

How EN 18031 works:

  • Mechanisms, Not Solutions: The standard defines security “mechanisms” (what to achieve) rather than dictating specific technical “solutions” (how to achieve it), giving manufacturers flexibility.
  • Risk-Based Approach: The required level of security depends on the device’s intended use and a manufacturer-led risk assessment. A high-risk device requires stronger measures than a low-risk one.
  • Horizontal Standard: It applies to a wide range of products and technologies.

The Compliance and Assessment Process

The assessment process is a multi-step evaluation:

  1. Manufacturer’s Prerequisite: Before assessment, the manufacturer must perform a risk analysis to identify assets and threats. This analysis forms the basis for all documentation and security decisions.
  2. Applicability Check: For each security requirement, the manufacturer uses a “decision tree” to determine whether it applies to their device. This decision must be justified. If a requirement is not applicable, no further assessment is needed for it.

Sufficiency Assessment (if applicable):

  1. Conceptual Assessment: An evaluator reviews the manufacturer’s documentation to ensure the security mechanisms are properly explained and justified.
  2. Functional Testing: Hands-on testing to verify that the security features described in the documentation are actually implemented and function correctly.
  3. Security Testing: Actively testing the effectiveness of security measures through techniques like penetration testing, fuzzing, and code review to ensure they are robust against real-world attacks.

Key Technical Requirements

The standard covers several security mechanisms, including:

  • Access Control and Authentication
  • Secure Updates (with integrity and authenticity)
  • Secure Storage of data
  • Secure Communication (e.g., encrypted channels)
  • Resilience against Denial-of-Service (DoS) attacks
  • Network Monitoring
  • Proper management of cryptographic keys
  • Ensuring no publicly known vulnerabilities are present
  • Use of strong, best-practice cryptography

Mapping to Other Standards

The standard includes annexes that map its requirements to other common standards like ETSI EN 303 645 and IEC 62443. However, there are gaps, meaning compliance with these other standards alone is not sufficient. Manufacturers must ensure they cover all requirements of EN 18031.

Recommendations for Manufacturers

  1. Use the “Required Information” section in the standard as a checklist to prepare all necessary documentation and evidence for a streamlined compliance process.
  2. Start preparing for the August 2025 deadline now.
  3. Begin with a thorough risk assessment.

Further reading

EN 18031 is seen as the first step towards a much broader European Union cybersecurity law, the Cyber Resilience Act (CRA). Learn more about the CRA here: https://iotregulations.com/security/cen-cenelec-explain-cra/