In a recent webinar, Núria Carrió, Technical Director of Cybersecurity Certification at Applus+ Laboratories, provided an in-depth overview of the EN 18031 standard. This article summarizes the key points discussed, offering valuable insights into the structure, application, assessment criteria, technical requirements, and mapping of the standard. The EN 18031 standard is crucial for manufacturers aiming to comply with the Radio Equipment Directive (RED) and its cybersecurity requirements, particularly Articles 3.3 D, E, and F.
The EN 18031 standard was developed by the Technical Committee GT13 of CEN and CENELEC to support the essential requirements of the Radio Equipment Directive, specifically Articles 3.3 D, E, and F. It aims to enhance the security of radio equipment connected to the Internet, ensuring that such equipment operates securely and does not cause harm to networks. The standard is divided into three parts: general cybersecurity requirements, requirements for equipment processing personal data, and requirements for devices handling financial transactions. Each part is tailored to the specific security concerns arising from the type of data the equipment handles and the functionality it provides.
The standard introduces the concept of security mechanisms, which guide users on when and how to apply specific security measures. These mechanisms focus on two main aspects: applicability and sufficiency. If a mechanism is not applicable to a device, no further assessment is needed. However, if it is applicable, the device will undergo a functional and conceptual assessment. The standard is technology-agnostic and allows manufacturers to tailor their implementations based on the intended use and risk assessment of their devices. This flexibility ensures that the security measures are appropriate for the specific context and risk level of each device.
Manufacturers must prepare a comprehensive risk analysis and provide evidence to support compliance with the standard. The assessment process includes three main steps: conceptual assessment, functional testing, and security testing. The conceptual assessment examines documentation to ensure the chosen security mechanisms are justified and appropriate for the device. This involves using decision trees to determine the applicability of each mechanism and providing justifications for each decision. Functional testing verifies the accuracy of the documentation through hands-on testing, ensuring that the security mechanisms are correctly implemented. Security testing involves techniques like fuzzing, penetration testing, and code review to ensure the security mechanisms are effective in real-world scenarios. These tests simulate potential attacks to identify vulnerabilities and assess the robustness of the security measures.
The EN 18031 standard covers various technical requirements designed to protect different types of assets, including security assets, network assets, privacy assets, and financial assets. Key requirements include access control mechanisms to prevent unauthorized access to assets, authentication mechanisms to verify the identity of users, secure updates to ensure the integrity and authenticity of software updates, and secure storage to protect data from unauthorized extraction. Other requirements include secure communication mechanisms to protect data transmitted over networks, resilience mechanisms to mitigate the effects of denial-of-service attacks, network monitoring mechanisms to detect and respond to security incidents, and cryptographic key management to ensure the secure generation and storage of cryptographic keys.
The standard also provides a mapping to other existing standards such as ETSI 303645 and IEC 62443, allowing manufacturers to leverage their existing compliance efforts. This mapping helps manufacturers understand how their current security measures align with the requirements of EN 18031 and identify any gaps that need to be addressed. By following the guidance in the standard, manufacturers can ensure that their devices meet the necessary security requirements and are prepared for the upcoming regulatory changes.
The EN 18031 standard provides a comprehensive framework for enhancing the security of radio equipment connected to the Internet. By following the standard's guidelines and conducting thorough risk assessments, manufacturers can ensure that their devices are secure and compliant with the Radio Equipment Directive. As the deadline for compliance approaches, it is crucial for manufacturers to start preparing now to meet the new requirements and protect their devices from potential security threats.
For more detailed information and guidance on achieving compliance with the EN 18031 standard, manufacturers are encouraged to refer to the standard itself and consult with notified bodies for specific assessments and certifications.