August 1, 2025 Deadline for CE Mark Cyber Security

March 5, 2025

Is Your Wireless-Enabled Product Compliant with the New Cybersecurity CE Mark Requirements in the Radio Equipment Directive?

Manufacturers of wireless-enabled products will need to comply with new cybersecurity regulations under the Radio Equipment Directive (RE-D) 2014/53/EU. These rules are designed to enhance network resilience, safeguard consumer privacy, and reduce the risk of monetary fraud, particularly for internet-connected products or those handling personal and financial data. The EU has introduced three new standards—EN 18031-1, EN 18031-2, and EN 18031-3—to help you navigate compliance. Want to know more? Read on to understand what these changes mean for your products.

Is your Wireless-Enabled Product Ready?

On August 1st, 2025, manufacturers of radio-enabled products will need to comply with the cybersecurity requirements in Europe’s Radio Equipment Directive (RE-D) 2014/53/EU.  

The RE-D essential requirements include safety, electromagnetic compatibility (EMC), and effective use of spectrum. In addition, RE-D compliance will now also mandate cybersecurity requirements that will improve network resilience, better protect consumers’ privacy, and reduce the risk of monetary fraud. These new cyber requirements become active EU law on August 1st and will continue under the RE-D until the Cyber Resilience Act (CRA) takes over several years from now.

What type of radio products must comply with these requirements? 

RE-D Article 3(3)(d) for network resiliency applies to radio equipment that can communicate over the internet, whether it communicates directly or via any other equipment.   Examples include electronic devices such as smartphones, tablets, electronic cameras, telecommunication equipment, and Internet of Things (IoT) products. This also covers toys, childcare equipment, and wearable devices like smartwatches and fitness trackers.

Article 3(3)(e) for privacy applies to internet-connected radio equipment capable of processing personal data, traffic data, and location data.  The previously noted examples of toys, childcare equipment, and wearables are a focus for this provision. 

Article 3(3)(f) applies to any internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.

The provisions in Article 3(3)(d), (e), and (f) do not apply to radio equipment covered in the following EU Directives/Regulations since their cybersecurity is assessed by other, more specific EU legislation:

How should I evaluate my product for these requirements? 

Recently, three technical standards to assess compliance for Article 3(3)(d), (e), and (f) were published in the European Union Official Journal (EUOJ).  When a manufacturer’s product complies with these standards and they address restrictions connected to these standards in full, they are afforded the presumption of conformity with the RE-D cyber requirements. This means they can self-declare conformity, affix a CE Mark, and place products on the EU market.  When these standards are not applied in full, or when harmonized standard restrictions limit their use, then the conformity process is type-certification through a RE-D Notified Body.  A Notified Body is a third-party EU-designated certification provider that must have a scope of accreditation specifically designated for the cyber requirements in Article 3(3)(d), (e), and (f).   

This process of evaluating products to harmonized standards, followed by self-declaration or type-certification for compliance, applies to any radio product placed on the market, including those that are currently being sold in the EU. The CE Marking process does not support “grandfathering” compliance, which means all current production radio equipment entering the EU must now also comply with these cybersecurity requirements.

Manufacturers should act now to update their Declaration(s) of Conformity (DoC) and include reference to compliance with Article 3(3)(d), (e), and (f), if applicable.

The three newly published, harmonized cybersecurity standards are:

  • EN 18031-1 for network resiliency of internet-connected radio equipment
  • EN 18031-2 for protection of privacy for personal information
  • EN 18031-3 for protection against monetary fraud

The applicability of each depends on the radio equipment’s intended function and application.  The Section 1 Scope in each standard states the intended purpose and applicability, but an accurate determination for how this standard will apply should come from a comprehensive cybersecurity evaluation and risk assessment performed by the manufacturer. 

These harmonized standards define mechanisms and processes to ensure cybersecurity. They do not state solutions or prescribe specific tailored requirements to achieve compliance.  Considering the wide range of industrial and commercial products and applications, these standards are written to provide flexibility and should be applied with context.  

A cybersecurity plan, implementation, and evaluation to the EN 18031 standards generally includes the following steps: 

  1. Define product functions, users, connectivity, and applications 
  2. Perform a cybersecurity risk assessment 
  3. Determine optimal strategy for cyber protection measures 
  4. Prepare and document compliance evidence for EN 18031 standards 
  5. Perform testing and validation through self-assessment and third parties, as needed

The EN 18031 standards present concepts and mechanisms such as access control, authentication, and secure updates. Additionally, they include network monitoring, traffic control, secure storage, and communications, as well as cryptography. Evidence of how these and related cyber processes are applied should be clearly documented in a manufacturer’s technical file.

A cybersecurity evaluation should also confirm the adequacy of a product’s protection through validation testing such as fuzzing and penetration tests, along with code review, stress testing, and other techniques. 

For products that have already been evaluated to other cybersecurity standards, such as those for industrial or consumer products, the results from existing assessments may be relevant and applicable. For example, ETSI TS 103 929 provides a mapping matrix to connect IEC 62443-4-2 and ETSI EN 303 645 compliance requirements to the EN 18031 standards.  ETSI.org provides a wealth of information and guidance for CE Marking cybersecurity processes.  

Each piece of radio equipment and its specific application will vary, requiring its own unique set of protections. Applying strong cyber measures for simple devices may be overly burdensome, but complex systems may be vulnerable if not aggressively protected. Manufacturers have the responsibility to determine the appropriate level of security and apply due diligence in their cyber protection approach.

Updates and Guidance for EN 18031-1/2/3

One point the European Union is actively clarifying concerns the “restrictions” mentioned in the EUOJ for the EN 18031-1/2/3 standards. Manufacturers should review the amending Implementing Decision 2025/138 and determine if the restrictions apply to their particular case.

For EN 18031-1 (and -2 & -3), the EUOJ listing of this standard mentions a restriction to sections named ‘rationale’ and ‘guidance’ noting they do not confer a presumption of conformity with the essential requirements. However, since these rationale and guidance sections in each of the three standards do not set out specifications, they are informative only and are not linked to a presumption of conformity.  This means that regarding this specific restriction, a manufacturer can apply this standard in full to self-declare to the EN 18031 standard without the need for third-party type approval. 

Similarly, for the restriction in EN 18031-1 noted for clauses 6.2.5.1 and 6.2.5.2, if a manufacturer disregards the possibility of allowing a user not to set any password, and instead requires a password be set, then the manufacturer can self-declare regarding this standard without the need for third-party type approval.

For the EN 18031-2 restriction in clauses 6.1.3, 6.1.4, and 6.1.5, should the manufacturer disregard the possibility of not implementing parental or guardian control, and instead require parental or guardian controls, then a manufacturer can self-declare regarding this standard without the need for third party type approval.

If a radio equipment product is associated with handling of monetary assets or information, then EN 18031-3 will apply. This standard is published with restrictions such that a Notified Body must be engaged by the radio equipment manufacturer to issue the type-certification conformity assessment.  Again, the RE-D Notified Body must have Article 3.3(f) listed on its scope of accreditation.  A list of approved Notified Bodies is available on the NANDO site.  Note: Refine search for Legislation 2014/53/EU, All Procedures, Products Article 3.3.d, or Article 3.3.e, or 3.3.f.  

Conclusion

Radio equipment placed on the EU market after August 1st, 2025, must comply with the newly enacted cybersecurity essential requirements. Manufacturers should first determine if their products fall within the scope and if their radio equipment has a direct or indirect connection to the internet. If they do, then the manufacturer can evaluate their products to the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3, where applicable. If the harmonized standards EN 18031-1 or EN 18031-2 are applied in full, and the restrictions noted in the EUOJ are addressed, then the manufacturer can self-declare compliance, update their Declaration of Conformity (DoC), and gain access to EU markets for their products. If the manufacturer does not apply these harmonized standards in full, does not address the restrictions noted above, or if their products fall within the scope of the EN 18031-3 standard for protection from monetary fraud, then the manufacturer will need a type certification through a RE-D Notified Body.

For more information on these new requirements, contact Elite Electronic Engineering, Inc. to discuss your radio product and compliance service needs.
