The European Commission has harmonized three EN 18031 standards for the Radio Equipment Directive (RED), with restrictions.

In August 2024, the EN 18031 series of RED standards had been finalized. On January 28, 2025, the European Commission published references to the three now harmonized EN 18031 standards, with restrictions, in the Official Journal of the European Union (OJEU). 

Why are harmonized standards important?
If applied in full, the EN 18031-X:2024 series of harmonized standards allow manufacturers to demonstrate regulatory compliance by offering self-declaration, thereby avoiding the involvement of a Notified Body. However, if a product does not fully comply, the manufacturer must go through a Notified Body.

What does this mean?
In this case, the EN 18031 series of standards can only be considered harmonized if the restrictions do not apply to a product. If the restrictions do apply, manufacturers must obtain certification via a Notified Body before placing their product onto the market. 

The European Commission has also published a guidance document explaining the application of the restrictions under EN 18031.

How to understand the EN18031 restrictions?

• EN 18031-1, 2 and 3 are considered harmonized except when, under Clauses 6.2.5.1 and 6.2.5.2, the user is allowed to not create and use a password. If these clauses do not apply to the product, or if the user must create and use a password, then this standard can be considered harmonized for the application
• EN 18031-2 additionally states that the standard cannot be considered harmonized under Clauses 6.1.3, 6.1.4, 6.1.5, or 6.1.6 when parental access control is not ensured. If these clauses do not apply, or if parental access control is ensured, then the standard can be considered harmonized
• EN 18031-3, in Clause 6.3.2.4, lays out four different implementation categories for secure updates, including digital signatures, secure communication mechanisms and access control mechanisms. No single method alone is sufficient for the handling of financial assets, and manufacturers must demonstrate that they exceed the requirements of the standard in this area. If this clause applies to a product, the standard is not considered harmonized 

How we support you

Brightsight, by SGS, can evaluate a wide variety of products, covering all applicable restrictions. The SGS Notified Body can then issue an EU Type Certificate for RED Articles 3(3) (d), (e) and (f) using the EN 18031 series of standards.

Leveraging our experience and expertise in cybersecurity evaluations across various products and solutions, we have developed a comprehensive, step-by-step approach to guide you through each stage of the evaluation and certification process. Our scope encompasses training, pre-assessment and evaluation services, helping you fast-track time to market. Through our global network, we can assess products against a wide variety of internationally recognized standards. As a Notified Body, we can also issue EU-type certification for products destined for European markets, demonstrating compliance with RED 3.3 (d), (e), (f).

• Training/workshops – helping manufacturers and developers gain a deeper understanding of the specific security requirements relevant to their products 
• Product design review – supporting the initial phases of product development with a thorough product design review and vulnerability scan 
• Product testing – conducting pre-market assessments using the new finalized EN 18031 standards
• SGS Cybersecurity Mark – upon successful completion of the assessment, a cybersecurity mark is issued to demonstrate the product's adherence to the highest security standards
• EU Type Certificate – SGS Notified Body issues an EU Type Certificate for RED Articles 3(3) (d), (e) and (f), using the new finalized EN 18031 standards