CE Compliance

August 1, 2025 Deadline for CE Mark Cybersecurity

Posted on March 5, 2025 by - CE Compliance, Wireless Certification

Is Your Wireless-Enabled Product Compliant with the New Cybersecurity CE Mark Requirements in the Radio Equipment Directive?

Manufacturers of wireless-enabled products will need to comply with new cybersecurity regulations under the Radio Equipment Directive (RE-D) 2014/53/EU. These rules are designed to enhance network resilience, safeguard consumer privacy, and reduce the risk of monetary fraud, particularly for internet-connected products or those handling personal and financial data. The EU has introduced three new standards—EN 18031-1, EN 18031-2, and EN 18031-3—to help you navigate compliance. Want to know more? Read on to understand what these changes mean for your products.

Is your Wireless-Enabled Product Ready?

On August 1st, 2025, manufacturers of radio-enabled products will need to comply with the cybersecurity requirements in Europe’s Radio Equipment Directive (RE-D) 2014/53/EU.  

The RE-D essential requirements include safety, electromagnetic compatibility (EMC), and effective use of spectrum. In addition, RE-D compliance will now also mandate cybersecurity requirements that will improve network resilience, protect consumers’ privacy better, and reduce the risk of monetary fraud.  These new cyber requirements become active EU law on August 1st and will continue under the RE-D until the Cyber Resilience Act (CRA) takes over several years from now.  

What type of radio products must comply with these requirements? 

RE-D Article 3(3)(d) for network resiliency applies to radio equipment that can communicate over the internet, whether it communicates directly or via any other equipment.   Examples include electronic devices such as smartphones, tablets, electronic cameras, telecommunication equipment, and Internet of Things (IoT) products. This also covers toys, childcare equipment, and wearable devices like smartwatches and fitness trackers.

Article 3(3)(e) for privacy applies to internet-connected radio equipment capable of processing personal data, traffic data, and location data.  The previously noted examples of toys, childcare equipment, and wearables are a focus for this provision. 

Article 3(3)(f) applies to any internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.

The provisions in Article 3(3)(d), (e), and (f) do not apply to radio equipment covered in the following EU Directives/Regulations since their cybersecurity is assessed by other, more specific EU legislation:

How should I evaluate my product for these requirements? 

Recently, three technical standards to assess compliance for Article 3(3)(d), (e), and (f) were published in the European Union Official Journal (EUOJ).  When a manufacturer’s product complies with these standards and they address restrictions connected to these standards in full, they are afforded the presumption of conformity with the RE-D cyber requirements. This means they can self-declare conformity, affix a CE Mark, and place products on the EU market.  When these standards are not applied in full, or when harmonized standard restrictions limit their use, then the conformity process is type-certification through a RE-D Notified Body.  A Notified Body is a third-party EU-designated certification provider that must have a scope of accreditation specifically designated for the cyber requirements in Article 3(3)(d), (e), and (f).   

This process of evaluating products to harmonized standards then self-declaration or type-certification for compliance, applies to any radio product placed on the market including those that are currently being sold in the EU. The CE Marking process does not support “grandfathering” compliance, which means all current production radio equipment entering the EU must now also comply with these cybersecurity requirements. 

Manufacturers should act now to update their DoC(s) and include reference to compliance with Articles 3(3) d/e/f, if applicable.  

The three newly published, harmonized cybersecurity standards are 

  • EN 18031-1 network resiliency internet-connected radio equipment
  • EN 18031-2 for protection of privacy for personal information
  • EN 18031-3 for protection against monetary fraud

The applicability of each depends on the radio equipment’s intended function and application.  The Section 1 Scope in each standard states the intended purpose and applicability, but an accurate determination for how this standard will apply should come from a comprehensive cybersecurity evaluation and risk assessment performed by the manufacturer. 

These harmonized standards define mechanisms and processes to ensure cybersecurity. They do not state solutions or prescribe specific tailored requirements to achieve compliance.  Considering the wide range of industrial and commercial products and applications, these standards are written to provide flexibility and should be applied with context.  

A cybersecurity plan, implementation, and evaluation to the EN 18031 standards generally includes the following steps: 

  1. Define product functions, users, connectivity, and applications 
  2. Perform a cybersecurity risk assessment 
  3. Determine optimal strategy for cyber protection measures 
  4. Prepare and document compliance evidence for EN 18031 standards 
  5. Perform testing and validation through self-assessment and third parties, as needed

The EN 18031 standards present concepts and mechanisms such as access control, authentication, and secure updates.  Additionally, they include network monitoring, traffic control, secure storage, and communications, as well as cryptography. Evidence of how these and related cyber processes are applied should be clearly documented in a manufacturers technical file. 

A cybersecurity evaluation should also confirm the adequacy of a product’s protection through validation testing such as fuzzing and penetration tests, along with code review, stress testing, and other techniques. 

For products that have already been evaluated to other cybersecurity standards, such as those for industrial or consumer products, the results from existing assessments may be relevant and applicable. For example, ETSI TS 103 929 provides a mapping matrix to connect IEC 62443-4-2 and ETSI EN 303 645 compliance requirements to the EN 18031 standards.  ETSI.org provides a wealth of information and guidance for CE Marking cybersecurity processes.  

Each piece of radio equipment and its specific application will vary, requiring is own unique set of protections. Applying strong cyber measures for simple devices may be overly burdensome, but complex systems may be vulnerable if not aggressively protected.  Manufacturers have the responsibility to determine the appropriate level of security and apply due diligence in their cyber protection approach. 

Updates and Guidance for EN 18031-1/2/3

One area of clarification that the European Union is actively answering is regarding the “restrictions” mentioned in the EUOJ for the EN 18031-1/2/3 standards.   Manufacturers should review 2025/138 Amending of Implementation Decision and determine if the restrictions apply to their particular case.  

For EN 18031-1 (and -2 & -3), the EUOJ listing of this standard mentions a restriction to sections named ‘rationale’ and ‘guidance’ noting they do not confer a presumption of conformity with the essential requirements. However, since these rationale and guidance sections in each of the three standards do not set out specifications, they are informative only and are not linked to a presumption of conformity.  This means that regarding this specific restriction, a manufacturer can apply this standard in full to self-declare to the EN 18031 standard without the need for third-party type approval. 

Similar in EN 18031-1 for the restriction noted to clauses 6.2.5.1 and 6.2.5.2, if a manufacturer disregards the possibility of allowing a user not to set any password, and instead requires a password be set, then a manufacturer can self-declare regarding this standard without the need for third party type approval.

For the EN 18031-2 restriction in clauses 6.1.3, 6.1.4, and 6.1.5, should the manufacturer disregard the possibility of not implementing parental or guardian control, and instead require parental or guardian controls, then a manufacturer can self-declare regarding this standard without the need for third party type approval.

If a radio equipment product is associated with handling of monetary assets or information, then EN 18031-3 will apply. This standard is published with restrictions such that a Notified Body must be engaged by the radio equipment manufacturer to issue the type-certification conformity assessment.  Again, the RE-D Notified Body must have Article 3.3(f) listed on its scope of accreditation.  A list of approved Notified Bodies is available on the NANDO site.  Note: Refine search for Legislation 2014/53/EU, All Procedures, Products Article 3.3.d, or Article 3.3.e, or 3.3.f.  

Conclusion

Radio equipment placed on the EU market after August 1st, 2025, must comply with the newly enacted cybersecurity essential requirements.  Manufacturers should first determine if their products fall within the scope and if their radio equipment has a direct or indirect connection to the internet. If they do, then the manufacturer can evaluate their products to the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3, where applicable. If the harmonized standards EN 18031-1 or EN 18031-2 are applied in full, and the restrictions noted in the EUOJ are addressed, then the manufacturer can self-declare compliance, update their Declaration of Conformity (DoC), and gain access to EU markets for their products. If the manufacturer does not apply these harmonized standards in full, not address the restrictions noted above, or if they fall within the scope of the EN 18031-3 standard for protection from monetary fraud, then the manufacturer will need a type certification through a RE-D Notified Body. 

For more information on these new requirements, contact Elite Electronic Engineering, Inc. to discuss your radio product and compliance service’s needs. 

Join Elite’s monthly newsletter for the latest on standards, test procedures, fascinating facts, profiles of Elite engineers, and more. Fill out the form below to become part of our global community!

Newsletter Sign Up

By submitting this form, you are consenting to receive marketing emails from: Elite Electronic Engineering, Inc., 1516 Centre Circle Drive, Downers Grove, IL, 60515, US, https://www.elitetest.com. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact.

This field is for validation purposes and should be left unchanged.

Elite Upgrades to New CMX500 5G Signaling Box

Posted on January 30, 2025 by - CE Compliance, FCC Compliance, Telecommunications, Wireless Certification

Elite has recently acquired the CMX500 from Rohde & Schwarz, a high-performance 5G New Radio (NR) test solution designed to meet the evolving demands of modern communications. This acquisition enhances Elite’s 5G NR testing capabilities, providing new opportunities to support cutting-edge technologies.

cmx 500 signaling box

The CMX500 is equipped to test the latest communication standards, including both stand-alone and non-stand-alone 5G modes. With its addition to Elite’s testing solutions, the CMX500 can measure Total Radiated Power (TRP) and Total Isotropic Sensitivity (TIS) for 5G NR transmitters that require CTIA OTA measurements to support PTCRB certification. For companies seeking CE marking for their 5G NR-enabled products, the CMX500 supports monitoring of throughput, a required criterion for ETSI EN 301 489-52 compliance. Furthermore, when integrating a modular certified 5G NR radio into a product, the CMX500 efficiently controls the radio to the desired test modes required for regulatory and network operator compliance, streamlining the integration process for customers.

For more information on how the CMX500 can enhance your 5G NR testing or to discuss your specific testing needs, please contact us. Our team is ready to assist you in optimizing your compliance testing to meet the latest industry standards.

Join Elite’s monthly newsletter for the latest on standards, test procedures, fascinating facts, profiles of Elite engineers, and more. Fill out the form below to become part of our global community!

Newsletter Sign Up

By submitting this form, you are consenting to receive marketing emails from: Elite Electronic Engineering, Inc., 1516 Centre Circle Drive, Downers Grove, IL, 60515, US, https://www.elitetest.com. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact.

This field is for validation purposes and should be left unchanged.

CE Mark Can Be Used Indefinitely for UK Compliance

Posted on October 18, 2023 by - CE Compliance, Wireless Certification

Ce mark or ukca mark

In January 2020, the Brexit withdrawal triggered new laws and regulations for the United Kingdom. Among them were changes to the conformity assessment process for manufactured goods.

The UK, while a member of the European Union, used the CE Mark as their compliance label covering a wide range of products. With Brexit, the UKCA Mark became the new compliance label for the UK countries of England, Scotland, and Wales. 

A transition period was set allowing either the CE or UKCA Mark, but only up to January 1, 2024. However, the UK Government recently announced an indefinite extension to this date, which means the CE Mark will continue to be recognized as an accepted regulatory compliance label. This revised policy applies to 18 UK Department for Business and Trade (DBT) regulations.

The extension provides businesses the choice to use either the UKCA or CE approach to sell products in Great Britain. Many Elite Regulatory EMC Testing clients are affected by this change since the UK EMC regulations for Radio Equipment, Low Voltage Electrical Equipment, and Machinery regulations are part of the 18 DBT requirements covered by this indefinite extension.

The official announcement can be viewed at the UK.GOV site. UK Government announces extension of CE mark recognition for businesses – GOV.UK (www.gov.uk)

For more information on the UKCA changes, contact Elite regulatory experts today.

Contact Us

You can also discuss these changes in-person with Elite and our global regulatory compliance partner Global Validity at the Automotive Testing Expo on October 24, 25 & 26, 2023. The event is held at the Suburban Collection Showplace, Novi, Michigan.

Visit booths 15042 and 15038 and talk to our experts in person.

Join Elite’s monthly newsletter for the latest on standards, test procedures, fascinating facts, profiles of Elite engineers, and more. Fill out the form below to become part of our global community!

Newsletter Sign Up

By submitting this form, you are consenting to receive marketing emails from: Elite Electronic Engineering, Inc., 1516 Centre Circle Drive, Downers Grove, IL, 60515, US, https://www.elitetest.com. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact.

This field is for validation purposes and should be left unchanged.