Introduction
EN 18031-1 has rapidly become the most important cybersecurity standard for manufacturers of connected radio equipment seeking access to the European market. Since its citation in the Official Journal of the EU in January 2025 it is a harmonised standard under the Radio Equipment Directive (RED) 2014/53/EU: applying it gives a presumption of conformity with the network-protection essential requirement of Article 3.3(d), which is the most efficient path to CE marking. The citation carries a restriction, however: presumption of conformity is not granted where the equipment lets the user opt out of setting a password, so products relying on that option cannot self-declare against the standard alone.
This guide covers everything you need to know: the scope of the standard, its structure, the evaluation methodology, documentation requirements, and practical guidance on achieving compliance.
Background: The Radio Equipment Directive and Cybersecurity
The RED established essential requirements for radio equipment placed on the EU market. With Delegated Regulation (EU) 2022/30 the European Commission activated the cybersecurity provisions of Article 3.3; after a one-year postponement, the obligations apply to equipment placed on the market from 1 August 2025:
- Article 3.3(d): Network protection. Radio equipment must not harm the network or its functioning, nor misuse network resources in a way that causes an unacceptable degradation of service
- Article 3.3(e): Privacy safeguards. Radio equipment must incorporate safeguards to protect the personal data and privacy of the user and of the subscriber
- Article 3.3(f): Fraud protection. Radio equipment must support certain features ensuring protection from fraud
The EN 18031 series provides the harmonised cybersecurity requirements and evaluation methodology that, when applied, give a presumption of conformity with these essential requirements: EN 18031-1 for Article 3.3(d), EN 18031-2 for 3.3(e) and EN 18031-3 for 3.3(f). Parts 2 and 3 were cited alongside Part 1, each with its own restrictions.
Scope of EN 18031-1
EN 18031-1 applies to internet-connected radio equipment placed on the EU market, meaning radio equipment that can communicate over the internet itself or through other equipment. This includes a vast range of products:
- Wi-Fi routers and access points
- Smart home devices and IoT equipment
- Wearable technology
- Connected industrial equipment
- Mobile phones and tablets
- Any radio equipment that can reach the internet, directly or via another device
The standard is divided into three parts, corresponding to the three essential requirements: EN 18031-1 (network protection), EN 18031-2 (privacy), and EN 18031-3 (fraud protection). Their scopes differ: Part 1 applies to all internet-connected radio equipment; Part 2 additionally covers equipment designed for childcare, toys and wearables; Part 3 applies only to internet-connected equipment that lets the user transfer money, monetary value or virtual currency. Check which parts apply before planning the assessment, since many products need only Parts 1 and 2.
Structure and Key Requirements
EN 18031-1 is structured around security objectives and associated requirements, grouped by mechanism and given three-letter labels such as ACM (access control), AUM (authentication), SUM (secure update), SSM (secure storage), SCM (secure communication), RLM (resilience), NMM (network monitoring), TCM (traffic control), CCK (confidential cryptographic keys), GEC (general equipment capabilities) and CRY (cryptography). Each requirement comes with a decision tree that determines whether it applies to a given product. Key areas include:
Access Control
Products must implement appropriate access control mechanisms, including authentication, authorisation, and session handling. Where passwords are used they must meet a strength requirement, be changeable by the user, and be protected against brute-force guessing; a single factory password shared across all units does not meet this. Use unique-per-device credentials or force the user to set credentials during setup, and note that allowing the user to skip setting a password is exactly the case excluded from the presumption of conformity.
Secure Communication
Network communications that carry security-relevant data must be appropriately protected for confidentiality, integrity and authenticity. The standard does not list approved algorithms; its cryptography requirement (CRY) calls for best-practice cryptography, so document which algorithms, key lengths, key-management and certificate-handling practices you rely on and why they are considered state of the art.
Software Update Mechanism
Products must support secure software updates: the device must verify the integrity and authenticity of an update before installing it, so that an unauthorised or modified image is rejected. In practice the update mechanism should also refuse to install a correctly signed but older image, since rollback to a version with a known vulnerability defeats the purpose of the update.
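As an added illustration (not code from the standard or from any vendor), the following Go program shows the two device-side checks that paragraph describes: an Ed25519 signature that covers both the firmware and its version number, verified before anything else is trusted, followed by a monotonic version check that rejects a validly signed but older image. The update container format, the key pair and the firmware bytes are all constructed for the example; a real device would keep the vendor public key in immutable storage and persist the installed version in tamper-resistant storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed update container (an assumption for this
// example, not a format defined by EN 18031-1): a monotonically increasing
// version, the firmware bytes and an Ed25519 signature that covers both.
type UpdateImage struct {
	Version   uint64
	Firmware  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed version")
)

// signedMessage binds the version to the firmware digest so a signature over
// one firmware cannot be replayed with a different version number.
func signedMessage(version uint64, firmware []byte) []byte {
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], version)
	digest := sha256.Sum256(firmware)
	return append(v[:], digest[:]...)
}

// GenerateSigningKey creates the vendor key pair. Only the public half is
// provisioned on the device; the private half stays in the build pipeline.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the build-side step: sign the version and firmware digest.
func SignUpdate(priv ed25519.PrivateKey, version uint64, firmware []byte) UpdateImage {
	return UpdateImage{
		Version:   version,
		Firmware:  firmware,
		Signature: ed25519.Sign(priv, signedMessage(version, firmware)),
	}
}

// VerifyUpdate is the device-side gate. The signature is checked before any
// field of the image is trusted, including the version; only then is the
// version compared with the installed one to block signed-but-old images.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, img UpdateImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Firmware), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	installed := uint64(7) // constructed: the device currently runs version 7

	good := SignUpdate(priv, 8, []byte("firmware v8 (constructed sample)"))
	fmt.Println("v8 signed:", VerifyUpdate(pub, installed, good)) // <nil>

	old := SignUpdate(priv, 6, []byte("firmware v6 (constructed sample)"))
	fmt.Println("v6 signed:", VerifyUpdate(pub, installed, old)) // rollback rejected

	tampered := good
	tampered.Firmware = []byte("firmware v8 with backdoor (constructed sample)")
	fmt.Println("v8 tampered:", VerifyUpdate(pub, installed, tampered)) // signature rejected

	relabelled := good
	relabelled.Version = 9 // version bumped without re-signing
	fmt.Println("v8 relabelled as v9:", VerifyUpdate(pub, installed, relabelled)) // signature rejected
}
```

The order of the two checks matters: because the version number is inside the signed message, an attacker cannot bump the version field of an old image to slip past the rollback check, and because the signature is verified first, the version comparison never operates on attacker-controlled data.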
Secure Storage
Security-sensitive data, including credentials, cryptographic keys, and personal data, must be stored with appropriate protection against extraction and tampering. The standard treats confidential cryptographic keys as a separate area (CCK): keys should be unique per device where they protect per-device functions, generated with adequate entropy, and never embedded as a shared secret in firmware that can be read out of flash.
Resilience
Products must be designed to maintain essential functionality during and after security incidents, including network-based denial-of-service conditions. Related requirements cover monitoring of the product's own network traffic and controlling the traffic it generates, so that a compromised device cannot be turned against the network it is attached to.
The Evaluation Methodology
EN 18031-1 includes a detailed evaluation methodology that defines how conformity is assessed. For each requirement the assessor first follows the decision tree to establish whether it applies, then performs a conceptual assessment of the documented design and a functional assessment of the implemented mechanism. In practice the evaluation includes:
- Documentation review: Assessment of design documentation, security architecture, and risk assessment, which is where the applicability decisions and justifications must be recorded
- Functional testing: Verification that each security mechanism is present (functional completeness) and behaves as specified (functional sufficiency)
- Vulnerability analysis: Assessment of resistance to known attack vectors relevant to the mechanism under test, such as brute-force attempts against authentication
- Configuration review: Verification of default and configurable security settings
Self-Declaration vs. Notified Body
Manufacturers have three conformity assessment routes under the RED:
Self-declaration (Module A, internal production control) is available when the applicable harmonised standards are applied in full. The manufacturer performs the assessment itself or commissions a test laboratory, compiles the technical file and issues an EU Declaration of Conformity.
Notified Body assessment (Module B, EU-type examination, followed by Module C, conformity to type) or full quality assurance (Module H) is required when harmonised standards are not applied, are applied only in part, or when the product relies on a design choice that the Official Journal citation excludes from the presumption of conformity, such as letting the user opt out of setting a password. A Notified Body designated for the RED then examines the type. Read our detailed comparison in Self-Declaration vs. Notified Body.
Documentation Requirements
The technical file must include:
- General product description and intended use
- Design and manufacturing documentation
- Cybersecurity risk assessment
- Test reports demonstrating conformity with EN 18031-1
- EU Declaration of Conformity
- User documentation addressing security configuration
Under Article 10 of the RED, the technical documentation and the EU Declaration of Conformity must be retained for 10 years from the date the product is placed on the market, and must be made available to market surveillance authorities on request.
Practical Tips for Manufacturers
- Start early. EN 18031-1 compliance is much easier to achieve when security is considered from the design phase; retrofitting secure boot, signed updates or per-device credentials onto shipped hardware is costly.
- Conduct a gap analysis first. Before committing to full testing, work through the decision trees to see which requirements apply and where your product stands. A targeted gap analysis saves time and money.
- Don't overlook documentation. Many non-conformities arise from documentation gaps, not technical failures: an assessor cannot accept a mechanism whose design and applicability justification are not written down.
- Plan for updates. Your product's security doesn't end at CE marking. Plan for vulnerability handling and software updates throughout the product's lifecycle, and keep the update signing keys under the same controls as any other production secret.
- Consider the CRA overlap. Products subject to EN 18031-1 will in most cases also fall under the Cyber Resilience Act, which is intended to take over these cybersecurity requirements once it fully applies. Plan your compliance strategy holistically so one security file and one vulnerability-handling process serve both regimes.
How Vigilon Cyber Can Help
We provide end-to-end EN 18031-1 compliance services — from initial gap analysis through to full compliance testing, technical file preparation, and Notified Body assessment support. Our team has deep expertise in the standard and the regulatory landscape.