The European Union has made one thing very clear: if a device is wireless, it must also be defensible. EN 18031 is the cybersecurity standard enforcing that reality. From 1 August 2025, conformity with the cybersecurity requirements under the Radio Equipment Directive (RED) Articles 3(3)(d), 3(3)(e), and 3(3)(f) becomes mandatory for in-scope radio equipment placed on the EU market.
Lack of conformity with RED Articles 3(3)(d), 3(3)(e), and 3(3)(f) means:
• CE marking is not legally justified for in-scope radio equipment
• The product cannot be lawfully placed on the EU market
EN 18031 is the primary harmonized route for demonstrating this conformity. OEMs who act early stay in control. Those who wait usually discover—too late—that cybersecurity retrofits are expensive, disruptive, and highly visible to regulators, customers, and importers.
What EN 18031 Really Requires from OEMs
EN 18031 is a harmonized European standard that translates RED Articles 3(3)(d), 3(3)(e), and 3(3)(f) into concrete, testable cybersecurity requirements. This is not a paperwork-only exercise. EN 18031 evaluates how a product behaves under real-world stress—when networks are hostile, inputs are malicious, and trust boundaries are actively tested.
Expect scrutiny of:
• Firmware architecture and secure update mechanisms
• Network services, exposed interfaces, and trust boundaries
• Authentication, authorization, and misuse prevention
• Protection against compromise, manipulation, and fraud
The standard assumes attackers are automated, motivated, and patient. Security assumptions such as “no one would try that” are explicitly disregarded.
Why EN 18031 Is Both a Business Risk and a Business Opportunity
OEMs that treat EN 18031 as a late-stage obligation often experience:
• Failed or delayed conformity assessments
• Firmware and architecture redesigns under deadline pressure
• Escalating certification and engineering costs
OEMs that integrate EN 18031 early gain:
• Faster, more predictable CE marking
• Fewer late-stage design changes
• Lower regulatory risk
• Increased confidence from EU importers and distributors
• Stronger positioning in security-sensitive markets
EN 18031 Scope
Why Most OEM Products Are Already In Scope:
If your product includes radio or wireless communication, it is very likely in scope under the RED cybersecurity requirements, subject to specific exemptions defined by the Delegated Act and applicable guidance.
Common in-scope products include:
• Wi-Fi and Bluetooth devices
• IoT sensors, gateways, and hubs
• Industrial and enterprise networking equipment
• Smart home and consumer IoT products
• Connected medical, energy, and automotive systems
• Cellular, LPWAN, and short-range radio technologies
If your device connects, updates, syncs, authenticates, or exchanges data wirelessly, the real question is how deep the assessment goes, not whether it applies.
EN 18031 Structure
EN 18031 addresses three real-world cybersecurity risk categories:
Part 1: Network disruption, misuse, unauthorized access – Applies when your device connects to IP, cellular, or radio networks
Part 2: Data leakage, privacy violations, unlawful data handling – Applies when processing personal, operational, or confidential data
Part 3: Fraud, impersonation, unauthorized value manipulation – Applies when managing credentials, payments, assets, or trust chains
Most connected products fall under Part 1 by default. Parts 2 and 3 are triggered by design decisions, not marketing labels. Early architectural choices often determine compliance outcomes months later.
What the OEM Must Submit for CE RED
To legally place a product on the EU market, the OEM must prepare and retain a technical file for at least 10 years. Under EN 18031, cybersecurity evidence becomes a central part of that file.
Key Cybersecurity Elements in the Technical File:
• Product and Technical Description: hardware and radio architecture; firmware and software components; interfaces, protocols, and connectivity; intended use and deployment environment
• Applied Standards: EN 18031-1, -2, -3 as applicable; other relevant RED, EMC, and safety standards
• Cybersecurity Evidence: cybersecurity risk assessment; threat model and security concept; evidence of security implementation; SBOM and vulnerability management approach; user-facing security documentation; EN 18031 test reports; EU Declaration of Conformity
This documentation—not testing alone—often determines whether CE marking proceeds smoothly or becomes a prolonged, high-friction exercise.
Where Most EN 18031 Projects Struggle
Many EN 18031 projects stall before or during testing. The typical EN 18031 lab model focuses primarily on executing tests and issuing a test report, expecting the OEM to arrive with complete cybersecurity risk assessment, threat model, security concept, and SBOM documentation.
This model often results in:
• Heavy internal documentation workload
• Need for in-house cybersecurity compliance expertise
• Rework cycles when documentation does not align with EN 18031
• Longer time-to-market
For many OEMs, documentation becomes the biggest risk—not testing itself.
How DELTAPHI Labs Is Different
DELTAPHI operates as a full EN 18031 compliance partner, not just a test lab. The manufacturer always owns the technical file, approves all documentation, and signs the EU Declaration of Conformity.
DELTAPHI supports compliance by building most of the EN 18031 cybersecurity evidence that lives inside the technical file—aligned, structured, and regulator-ready. Advisory and documentation-support activities are structured to preserve ISO/IEC 17025 impartiality. Testing and assessment activities remain independent, and the OEM always retains final responsibility for design decisions and declarations.
What DELTAPHI Provides for EN 18031 Compliance
EN 18031 Testing & Independent Evidence:
• Applicability and scope definition (parts, clauses, firmware, models)
• Complete EN 18031 cybersecurity testing
• Detailed test report with objective evidence
• Clause-by-clause EN 18031 compliance matrix
• Cybersecurity summary suitable for direct inclusion in the technical file
As a NABL-accredited laboratory operating under ISO/IEC 17025, DELTAPHI’s outputs provide independent, repeatable, and auditable evidence suitable for regulatory and market surveillance review.
Documentation Support:
• Cybersecurity risk assessment
• Threat model
• Security concept and conceptual assessment
• Direct mapping of design decisions to EN 18031 clauses
• Guidance for SBOM and vulnerability management descriptions
All documentation is delivered as editable drafts for OEM review and approval.
Why This Matters for OEMs
Working with DELTAPHI results in:
• Faster CE readiness
• Lower internal documentation burden
• Reduced dependency on large in-house security teams
• Clear, regulator-aligned cybersecurity evidence
• Smoother interaction with EU market surveillance authorities
Less friction. Less rework. Faster EU market access.
Get EN 18031 Right—The First Time
EN 18031 is not just another standard. It is a market-access requirement. DELTAPHI Labs is your trusted partner for EN 18031 testing, cybersecurity evidence, and CE-ready documentation.
Contact DELTAPHI Labs today for a detailed EN 18031 applicability assessment and a compliance strategy tailored to your product—before the regulation forces the conversation for you.
Contact: info@deltaphi.in
