(Shenzhen, China) – As of August 1, 2025, the EU Radio Equipment Directive (RED 2014/53/EU) has officially incorporated cybersecurity requirements as a mandatory market access condition for radio equipment entering the EU market. All internet-connected radio equipment must now demonstrate compliance with the cybersecurity, privacy protection, and anti‑fraud requirements set forth in RED Articles 3(3)(d), (e) and (f), in addition to traditional RF, EMC, and safety requirements.
Ke Mei Ou Lab Co., Ltd., one of China's leading third‑party testing and certification bodies, has officially added the following EU RED cybersecurity core test standards to its ISO/IEC 17025:2017 accreditation scope (ANAB Certificate No. AT-1532):
EN 18031-1:2024 – Common security requirements for radio equipment – Part 1: Internet connected radio equipment (corresponding to RED Article 3(3)(d) – Network Protection)
EN 18031-2:2024 – Common security requirements for radio equipment – Part 2: Radio equipment processing data, namely internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment (corresponding to RED Article 3(3)(e) – Privacy Protection)
EN 18031-3:2024 – Common security requirements for radio equipment – Part 3: Internet connected radio equipment processing virtual money or monetary value (corresponding to RED Article 3(3)(f) – Fraud Prevention)
Ke Mei Ou Lab is now among the first testing laboratories in China accredited to perform full-scope testing to all three parts of the EN 18031 series, offering one‑stop EU RED cybersecurity compliance testing and technical services for manufacturers of connected radio equipment seeking smooth EU market access.
In 2022, the European Commission adopted Delegated Regulation (EU) 2022/30, supplementing RED 2014/53/EU with essential cybersecurity requirements under RED Articles 3(3)(d), (e) and (f). On August 1, 2025, this regulation became fully mandatory. All radio equipment entering the EU market must now satisfy these cybersecurity requirements; non‑compliant products are prohibited from CE-RED certification and EU market access.
In August 2024, CEN-CENELEC published the EN 18031 series. On January 30, 2025, the European Commission officially listed EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 in the EU Official Journal as harmonised standards under the RED. Manufacturers that fully apply these harmonised standards may benefit from the presumption of conformity and may use the internal production control (Module A) procedure without Notified Body involvement for cybersecurity compliance, significantly simplifying the certification process.
The EN 18031 series adopts an “asset‑based” approach, categorizing test assets into network assets, security assets, privacy assets, and financial assets to determine the applicability of each standard and define the scope of testing.
EN 18031-1 corresponds to RED Article 3(3)(d): Radio equipment shall not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service.
Applicable to all internet‑connected radio equipment (smartphones, tablets, Wi‑Fi routers, gateways, smart appliances). Key test items include access control, secure update mechanisms, communication security, security logging, password security, and brute‑force resistance.
EN 18031-2 corresponds to RED Article 3(3)(e): Radio equipment shall incorporate safeguards to ensure that the personal data and privacy of the user and subscriber are protected.
Applicable to all radio equipment that processes personal data (including location data, traffic data, etc.) – wearables, smartwatches, baby monitors, smart sensors, children's toys, etc. Test items include data access control, data encryption, privacy‑preserving mechanisms, and parental/guardian access controls.
EN 18031-3 corresponds to RED Article 3(3)(f): Radio equipment shall support certain features ensuring protection from fraud.
Applicable to all radio equipment that processes virtual currency or monetary value – POS terminals, payment readers, cryptocurrency hardware wallets, ATMs. Test items include transaction verification mechanisms, hardware tamper resistance, security log integrity, multi‑factor authentication, and multi‑layered security update mechanisms.




Although the EN 18031 series has been harmonised under the RED, certain “limitation” conditions have been imposed. If a product does not meet these baseline requirements, internal production control self‑declaration is not permitted, and Notified Body involvement becomes mandatory:
EN 18031-1: If the user is allowed not to set and use any password, the standard does not confer presumption of conformity (this applies equally to EN 18031-2 and EN 18031-3).
EN 18031-2: If parental or guardian access controls are not provided, the standard does not confer presumption of conformity.
EN 18031-3: If the equipment relies on only a single security update method (e.g., digital signatures alone or access control alone), which is insufficient to ensure financial transaction security, the standard does not confer presumption of conformity and Notified Body involvement is required.
Ke Mei Ou Lab is among the first testing laboratories in China to achieve full ISO/IEC 17025 accreditation for the entire EN 18031 series, offering the following competitive advantages:
Full‑series coverage: EN 18031-1, -2 and -3 are all within the accredited scope, enabling comprehensive multi‑category cybersecurity assessment in a single test campaign (e.g., a connected smartwatch must comply with both EN 18031-1 and EN 18031-2).
Compliance pathway identification: Assists manufacturers in determining which parts of EN 18031 apply to their products, identifying whether “limitation conditions” are triggered, and clarifying whether Notified Body involvement is required, thus optimizing compliance costs.
Complete cybersecurity test suite: Access control verification (password policies, login lockout, session timeout), encryption mechanism validation (algorithm strength, secure key storage), secure update testing (signature verification, rollback protection), security logging validation, and communication security testing (secure protocols, certificate management).
Global one‑stop service: In addition to cybersecurity, the laboratory offers EMC, RF, safety (LVD), energy efficiency (ErP), acoustics, and other testing capabilities, backed by FCC, ISED, OFCA, MCMC/SIRIM international accreditations, enabling comprehensive multi‑country market access.
The laboratory also maintains dual testing capabilities for both ETSI EN 303 645 (Baseline cybersecurity for consumer IoT) and the EN 18031 series, helping manufacturers address Europe's full spectrum of cybersecurity compliance requirements for IoT and radio equipment.
| Product Category | Applicable Standard | Key Compliance Requirements |
|---|---|---|
| Smartphones, tablets | EN 18031-1 / -2 | No default passwords, secure updates, data encryption, privacy protection |
| Wi‑Fi routers, gateways | EN 18031-1 | Access control, communication security, DDoS resilience |
| Smartwatches, wearables | EN 18031-1 / -2 | Location data protection, encrypted transmission, parental controls (for children’s products) |
| Smart home devices (cameras, plugs) | EN 18031-1 / -2 | Access control, secure storage, logging |
| Baby monitors, smart toys | EN 18031-1 / -2 | Parental access control, privacy protection, data minimization |
| POS terminals, payment readers | EN 18031-1 / -3 | Hardware tamper resistance, transaction verification, multi‑layered security updates |
| Cryptocurrency wallets | EN 18031-1 / -3 | Secure boot, transaction log integrity, fraud protection |
| Automotive telematics modules | EN 18031-1 only | Network asset protection, security updates |
Note: Under Article 1 of Delegated Regulation (EU) 2022/30, RED Article 3(3)(e) and (f) requirements do not apply to aviation equipment (Regulation (EU) 2018/1139) or motor vehicle equipment (Regulation (EU) 2019/2144), but Article 3(3)(d) (network protection) remains applicable. Medical devices under MDR are fully exempt from RED Article 3(3)(d), (e) and (f).
For specific details and requirements, please contact KMO: kmo@kmolab.com
Working hours: 9:00-18:30, Monday to Friday
Contact: Lisa Liu
Mobile: 18028790769
Email: kmo@kmolab.com
Address: Room 2013, 20th Floor, Business Center, Jiahui Xin Cheng, No 3027, Shen Nan Road, Fu Tian, Shen Zhen, Guang Dong, China
