Understanding EN 18031 : Key Highlights Explained by The One
Understanding EN 18031 : Key Highlights Explained by The One
RED Cybersecurity Requirements
In 2022 and 2023, the EU issued supplementary delegated acts for the RED Directive, namely (EU) 2022/30 and (EU) 2023/2444. These acts mandate manufacturers to integrate three cybersecurity requirements into product design and production processes. The new rules will take effect on August 1, 2025.
- Article 3.3(d):
Radio equipment must not harm the network or its functionality, nor misuse network resources, thereby avoiding unacceptable degradation of service. - Article 3.3(e):
Radio equipment must include safeguards to protect the personal data and privacy of users and subscribers. - Article 3.3(f):
Radio equipment must support specific features to ensure protection against fraud.
Scope and Exemptions
Scope
- Article 3.3(d): Applies to any radio equipment capable of internet communication, whether directly or via other interconnected devices.
- Article 3.3(e): Covers radio equipment capable of processing personal, traffic, or location data. This includes internet-connected devices, child-care equipment, most wireless toys (per Directive 2009/48/EC), and wearable devices.
- Article 3.3(f): Applies to internet-connected radio equipment enabling the transfer of money, financial assets, or virtual currencies.
Exemptions
- Articles 3.3(d), (e), and (f) do not apply to medical devices regulated under (EU) 2017/745 and (EU) 2017/746.
- Articles 3.3(e) and (f) are also excluded for:
- Remote-controlled drones and specific non-airborne radio equipment under (EU) 2018/1139;
- Motor vehicles and related systems or components under (EU) 2019/2144;
- Road toll systems governed by Directive (EU) 2019/520.
EN 18031 Standards
The EN 18031 series comprises three parts (EN 18031-1, EN 18031-2, and EN 18031-3), each addressing different cybersecurity requirements in the RED Directive:
- EN 18031-1: Ensures that radio equipment does not adversely affect the network or its functionality and prevents misuse of network resources that could severely impact services. Applicable to all radio equipment capable of internet communication.
- EN 18031-2: Provides safeguards to protect users’ and subscribers’ personal data and privacy. Applicable to devices handling personal data, such as internet-connected devices, child-care equipment, wireless toys, and wearable devices.
- EN 18031-3: Ensures that internet-connected radio equipment facilitating the transfer of money or virtual currencies is equipped with features to prevent fraud.
Asset Types and Evaluation
The EN 18031 series categorizes assets into four types: security assets, network assets, privacy assets, and financial assets. Security assets are addressed across all three standards, while the other asset types are tailored to their respective standards. The evaluation process employs a mechanism-based approach to guide the application of security measures and assess their appropriateness and suitability.
Stay tuned as we delve deeper into the highlights of EN 18031-1, -2, and -3 in upcoming updates!
If you have any cybersecurity-related inquiries, feel free to contact our specialist, Charles, at charles.liao@theonelab.co.