EN18031 Certification

Edit: GCDC  Affiliation: Certification Information  Views: 101  Release time: 2026-05-09

EN18031 Certification is the mandatory cybersecurity certification standard for radio equipment in the European Union. Since August 1, 2025, it has been formally incorporated into the Radio Equipment Directive (RED) harmonized standards system. This standard covers three core areas: network attack protection, personal data privacy, and financial transaction security. It serves as an essential "technical passport" for products entering the EU market.

1. EN18031 Certification Standards Overview

The EN18031 series of standards was developed jointly by the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), and was officially included in the Radio Equipment Directive (RED) harmonized standards through EU Decision (EU) 2025/138. This standard is the world's first regulation to incorporate cybersecurity into mandatory CE marking certification, meaning wireless devices must meet cybersecurity requirements to obtain CE marking for the EU market.

The standards system is divided into three sub-standards, corresponding to different security dimensions:

  • EN 18031-1: Network Asset Protection – Applicable to Wi-Fi routers, smart cameras, smart locks, in-vehicle infotainment systems and other radio equipment with internet connectivity. Core requirements include DDoS attack resistance, TLS 1.3 or higher encryption protocol verification, prohibition of default passwords, and provision of at least 2 years of security update support.
  • EN 18031-2: Personal Privacy Data Protection – Applicable to TWS earbuds, smartwatches, fitness trackers, GPS trackers, children's smart toys and other devices involving personal data processing. Key requirements include AES-256 encryption for sensitive data storage and transmission, non-bypassable parental control functions on children's devices, data breach notification to users within 72 hours, and support for user data deletion requests (response time ≤30 days).
  • EN 18031-3: Financial Transaction Security – Applicable to smartphones, NFC devices, POS terminals, wearable payment devices and other devices involving financial transactions. Requirements include hardware encryption chip qualification proof, tamper-proof transaction log design, transaction traceability records meeting 7-year retention requirements, and protection against cryptojacking and biometric tampering.
GTG Testing Group Laboratory

2. EN18031 Certification Core Testing Items

According to EN18031 standard requirements, certification testing focuses on the following core security mechanisms:

2.1 Access Control Mechanism (ACM)

Verifies whether the device implements hierarchical access control, ensuring that users with different permission levels can only access functions and data corresponding to their roles. Testing includes: clear permission hierarchy, restricted guest access, independent administrator accounts, and secondary verification for sensitive operations.

2.2 Authentication Mechanism (AUM)

Verifies whether the device adopts strong identity authentication strategies, prohibiting the use of generic default passwords such as "admin/admin". Testing requirements include: mandatory password change upon first use, password complexity meeting length and character type requirements, recommended support for Multi-Factor Authentication (MFA), and effective login failure lockout mechanisms.

2.3 Security Update Mechanism (SUM)

Verifies whether the device supports secure firmware update mechanisms. Standard requirements include: update packages must be verified through digital signatures, the design must prevent rollback (prohibiting downgrade to vulnerable versions), the update process must maintain data integrity, and manufacturers must commit to at least 2 years of security update support.
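
An added example (not part of the original article and not taken from the EN 18031 text) of the update checks listed above: signature verification, anti-rollback, and image integrity. The Manifest layout, the choice of Ed25519, and all names are assumptions made for illustration; the key pair and image are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update header: firmware version plus image SHA-256.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes is the fixed-layout byte string that the vendor signs.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageHash[:]...)
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrRollback  = errors.New("version not newer than installed")
	ErrImage     = errors.New("image hash does not match manifest")
)

// VerifyUpdate authenticates the manifest first, then applies anti-rollback and hash checks.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrSignature // no manifest field is trusted before this passes
	}
	if m.Version <= installed { // anti-rollback: same or older version is refused
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImage
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	image := []byte("constructed firmware image")
	m := Manifest{Version: 7, ImageHash: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println(VerifyUpdate(pub, 6, m, sig, image), VerifyUpdate(pub, 7, m, sig, image))
}
```

Because the version is inside the signed bytes, a validly signed older package is still refused, and editing the version field to get past the rollback check invalidates the signature.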

2.4 Secure Storage Mechanism (SSM)

Verifies that sensitive data stored on the device is protected. Core testing points include: sensitive data (such as location information, identity information, payment information) must be stored with AES-256 encryption, key management must comply with security specifications, sensitive areas must have tamper-proof physical protection, and encryption chips must have corresponding qualification certifications.

3. EN18031 Certification Process and Timeline

The EN18031 certification process is divided into three main stages, with different certification paths for devices at different risk levels:

  1. Preparation Phase (1-2 months) – Determine the applicable sub-standard (EN 18031-1/2/3) based on product type, prepare technical documentation including cybersecurity risk assessment reports, security design documents, and vulnerability management plans. It is recommended to conduct pre-testing during this phase, which can effectively reduce rework by more than 30%.
  2. Testing and Audit Phase (2-12 weeks) – Low-risk devices (e.g., Bluetooth speakers without data storage) can follow the Self-Declaration route, with testing taking approximately 2-4 weeks; high-risk devices (children's smart toys, POS terminals, financial terminals, etc.) require assessment by an EU Notified Body (NB), plus additional factory audits (including production security control and supply chain traceability), overall taking 2-12 weeks.
  3. Assessment and Certification Phase (1-4 weeks) – After passing tests, low-risk devices directly receive a Declaration of Conformity (DoC), while high-risk devices receive CE-RED certificates from the Notified Body. Certificates are valid for 5 years, but require annual surveillance audits.

Timeline Factors: Product complexity (connected devices require testing of 14 security mechanisms), documentation preparation efficiency, number of testing rounds (rework after failed first tests adds 1-2 months), and whether financial transaction functions are involved. It is recommended that companies start certification preparation 6 months in advance.

4. EN18031 Technical Documentation Requirements

According to EU Decision (EU) 2025/138, certification materials must strictly match product risk levels:

EN 18031-1 Applicable Devices – Required: Cybersecurity risk assessment report, TLS 1.3 encryption protocol implementation description, security update strategy documentation.

EN 18031-2 Applicable Devices – Must additionally submit: Data Processing Impact Assessment (DPIA), parental control function description, sensitive data AES-256 encryption storage proof.

EN 18031-3 Applicable Devices – Must supplement: Hardware encryption chip qualification proof, tamper-proof transaction log design documentation, transaction traceability record 7-year retention proof.

Common basic documentation for all devices includes: Product technical specification, hardware/software Bill of Materials (BOM), vulnerability scan records. Non-EU companies also need to provide EU Authorized Representative (EC-REP) appointment documents.

Practical Advice: High-risk devices require third-party conformity assessment, with additional factory production security control documentation. It is recommended to select laboratories with both CNAS and EU recognition qualifications, which can reuse existing RF/EMC test data to shorten the overall timeline.

5. Frequently Asked Questions

Q1: What is the relationship between EN18031 and CE-RED?

EN18031 is part of the CE-RED (Radio Equipment Directive) harmonized standards. After obtaining the EN18031 test report, companies need to integrate it with other test reports (RF, EMC, SAR, etc.) to form the technical documentation for CE marking certification.

Q2: Do Bluetooth speakers require EN18031 certification?

If Bluetooth speakers do not have cloud connectivity functions, do not store user data, and do not involve financial transactions, they can be classified as low-risk devices and follow the Self-Declaration route. However, if they have voice assistants, cloud synchronization, or other internet connectivity functions, they must meet EN 18031-1 requirements.

Q3: What are the main causes of certification failure?

Common failure reasons include: default passwords not disabled or a password policy that permits weak passwords, security update mechanisms lacking digital signature verification, sensitive data not stored with AES-256 encryption, parental control functions on children's devices that can be bypassed, and financial devices that lack hardware encryption chips or whose chips lack qualifying certification. Pre-testing before formal submission is recommended to identify and rectify issues in advance.

Q4: What are the certificate validity and maintenance requirements?

CE-RED certificates are valid for 5 years, but high-risk devices require annual surveillance audits by the Notified Body, with submission of security update implementation records. Failure to complete annual audits will result in suspension of certificate validity. Companies must continuously ensure products meet standard requirements during the 5-year certificate validity period.

6. Summary and Recommendations

EN18031 certification, as the EU's first mandatory cybersecurity standard for radio equipment, marks a significant increase in compliance thresholds for wireless products entering the EU market. This standard not only requires products to have basic security functions but also emphasizes continuous security update capabilities and user data protection mechanisms.

For companies planning to export wireless products to the EU market, the recommendations are: start certification preparation early and determine the applicable sub-standard based on product functionality; conduct security design reviews in advance to avoid fundamental design flaws that lead to significant rework; choose professional laboratories with CNAS and EU Notified Body qualifications to shorten certification timelines; and establish continuous security update mechanisms so that products remain compliant throughout the 5-year certificate validity period.

EN18031 certification serves as the "technical passport" for products entering the EU market. Although the certification process involves technical documentation preparation, testing, and rectification, with assistance from professional organizations, companies can successfully complete compliance certification and gain broader development space in the EU market.

This article was generated with AI assistance, is for reference only, and does not constitute any certification commitment or legal advice. Please refer to the latest official regulations for specific requirements.

Email: net04@gtggroup.com

Website: https://www.gtggroup.cn
