With the explosive growth of Internet of Things (IoT) devices, cybersecurity issues are becoming increasingly serious. The European Commission has officially published Delegated Regulation (EU) 2022/30, activating the mandatory cybersecurity requirements in the Radio Equipment Directive (RED) (Article 3.3, paragraphs d/e/f). This means that from August 1, 2025, the vast majority of wireless products exported to the EU, in addition to passing traditional RF, EMC and safety tests, must also comply with the EN 18031 series of standards, proving that they have sufficient network security defense capabilities; otherwise they cannot clear customs for sale.
1. What is EN 18031 certification?
EN 18031 is a harmonized cybersecurity standard developed to support the new requirements of the RED Directive. It aims to ensure that wireless devices do not harm the network when connected to the Internet and that they effectively protect users' private data. It mainly corresponds to the following three clauses of the RED Directive:
Art 3.3 (d) Network protection: Devices must not abuse network resources, causing network service degradation or interruption (to prevent exploitation for DDoS attacks).
Art 3.3 (e) Privacy Protection: Devices must contain mechanisms to protect the user's personal data and privacy.
Art 3.3 (f) Fraud prevention: Devices must support features designed to minimize the risk of fraud (primarily for devices involving electronic payments).
2. Which products fall within the scope of mandatory control?
The new regulations have very wide coverage, taking in almost all wireless devices that can directly or indirectly connect to the Internet. Key controlled products include but are not limited to:
Smart home category: Wi-Fi routers, smart cameras, smart door locks, smart sockets, robot vacuum cleaners.
Wearable devices: smart watches, Bluetooth headsets (some with app functions), health monitoring bracelets.
Children's toys: smart toys with wireless functions, baby monitors.
Security monitoring category: network cameras (IPC), alarm hosts.
Note: Even if the product itself does not have a direct Wi-Fi/4G interface, if it connects to a mobile app through Bluetooth and then accesses the Internet to transmit data, it is also within the scope of control.
3. Core technical requirements for certification
The EN 18031 standard puts forward specific technical requirements for the software and hardware design of products, which is a huge challenge for many factories that are used to "only doing hardware testing". Test highlights include:
Default password management: It is strictly forbidden to use generic default passwords (such as "admin/123456"). Each device must have a unique factory password, or must force users to change the password on first use.
Vulnerability management: Manufacturers must formulate vulnerability disclosure policies and be able to push security patches in a timely manner (this covers the security of the OTA upgrade mechanism).
Communication security: Communication between the device, the cloud, and the app must be encrypted (such as using the TLS protocol) to prevent data from being intercepted or tampered with during transmission.
Data storage security: Sensitive data (e.g. Wi-Fi passwords, user privacy) must be encrypted when stored locally on the device.
4. Arrange testing as soon as possible to avoid affecting product shipments
The enforcement date is August 2025, and enforcement is now in effect. Don't wait until a shipment is stuck at customs before preparing!
1. Long rectification cycle: Network security certification is different from EMC rectification. It often involves chip selection, underlying firmware rewriting, app architecture adjustment and even server-side configuration changes. The rectification cycle is usually measured in months.
2. Shortage of testing resources: As the deadline approaches, laboratories with EN 18031 qualifications around the world will face long queues.
3. Early buyer requirements: To ensure the security of the supply chain, many large European buyers and brands have already asked suppliers to provide evaluation reports that meet network security standards.
5. GTG Guangce Group's one-stop solution
GTG Guangce Group closely follows the trends of EU regulations and has established a complete Internet of Things network security laboratory. We offer a full range of testing and evaluation services from ETSI EN 303 645 (Consumer IoT Security Baseline) to EN 18031 (RED Directive mandatory standard). Our team of cybersecurity experts can assist enterprises in code auditing, vulnerability scanning and penetration testing, and provide targeted rectification suggestions to help you calmly cope with the EU "cybersecurity barrier".