Frequently Asked Questions
Answers to common questions about cybersecurity compliance, our services, and the regulatory landscape.
EN 18031 & CE Marking
EN 18031-1 is the harmonised European standard that specifies cybersecurity requirements for radio equipment under the Radio Equipment Directive (RED). Applying it gives a presumption of conformity: if your product meets EN 18031-1, it is presumed to satisfy the RED cybersecurity essential requirements. This is the most efficient path to CE marking for connected products.
The cybersecurity provisions under RED Article 3.3(d), (e) and (f) were brought into application by Delegated Regulation (EU) 2022/30 and became mandatory from 1 August 2025. All internet-connected radio equipment placed on the EU market must now demonstrate conformity with these requirements.
If a harmonised standard (such as EN 18031-1) fully covers the applicable essential requirements, you can self-declare using the internal production control procedure (Module A). If the standard doesn't fully cover the requirements, or your product falls into certain higher-risk categories, a Notified Body assessment (Module B+C) may be required. We support both pathways.
EN 18031 is a three-part standard. Part 1 covers network protection (Article 3.3(d)), Part 2 covers privacy safeguards (Article 3.3(e)), and Part 3 covers fraud protection (Article 3.3(f)). Most internet-connected products will need to address at least Parts 1 and 2.
A typical compliance testing engagement takes 4–8 weeks, depending on product complexity and readiness. A gap analysis can be completed in 2–3 weeks and is a valuable first step to understand your baseline position.
Cyber Resilience Act
The CRA (Regulation (EU) 2024/2847) is the EU's horizontal cybersecurity regulation for products with digital elements. It establishes mandatory cybersecurity requirements covering the entire product lifecycle, from design through end-of-life, and applies to virtually all hardware and software products sold in the EU.
The CRA entered into force on 10 December 2024. Vulnerability reporting obligations apply from 11 September 2026. All provisions apply in full from 11 December 2027. Manufacturers should start preparing now to meet these deadlines.
Products subject to RED cybersecurity requirements must also comply with the CRA. There is significant overlap, but the CRA introduces additional obligations, particularly around vulnerability handling, SBOM management, and ongoing security update requirements, that go beyond the RED.
Yes. Under the CRA, manufacturers must generate and maintain a machine-readable SBOM documenting at minimum the top-level dependencies of their product. This must be available to market surveillance authorities upon request.
ETSI IoT Security
ETSI EN 303 645 is the European baseline cybersecurity standard for consumer IoT devices. It specifies 13 provisions covering fundamental security practices, from banning universal default passwords to requiring secure communications and software update mechanisms.
While the standard itself is voluntary, it is referenced by mandatory regulations including the RED and is expected to serve as a harmonised standard under the CRA. In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act mandates the first three provisions.
Penetration Testing & Security Services
We recommend at minimum annual penetration testing, with additional tests after significant changes to your product or infrastructure. For products under active development, quarterly testing aligned with release cycles is ideal. The CRA and RED also imply ongoing vulnerability assessment obligations.
A vulnerability scan is an automated process that identifies known vulnerabilities in your systems. A penetration test combines automated scanning with manual expert analysis: testers actively attempt to exploit vulnerabilities to assess real-world impact. Penetration testing finds complex, logic-based vulnerabilities that automated scanners miss.
Yes. Our Professional and Enterprise packages include a free retest of all remediated findings within the support period. This ensures that fixes are effective and haven't introduced new issues.
Working with Vigilon Cyber
Simply request a quote with details about your product and compliance needs. We'll schedule a free 30-minute consultation to understand your requirements and propose the best approach. You'll receive a detailed quote within 24 hours.
Absolutely. We regularly collaborate with test laboratories and Notified Bodies. We can prepare your product and documentation for third-party assessment, or work alongside your chosen partners throughout the process.
Yes. We offer ongoing retainer arrangements for clients who need continuous access to cybersecurity compliance expertise. This is particularly valuable for managing CRA vulnerability handling obligations and maintaining compliance as regulations evolve.
Still Have Questions?
Get in touch with our team for a free consultation. We're happy to discuss your specific compliance challenges.