Cenitia launchesLaunching September 2026 — first 250 founders get the launch price locked for life.

Reserve your spot →
Cenitia
How it worksLibraryGlossaryRegulationsToolsAbout
Reserve your spot
How it worksLibraryGlossaryRegulationsToolsAbout

On this page

  • Why three parts and not one
  • Part 1 — internet-connected radio equipment
  • Mechanism families in Part 1
  • Annex coverage
  • Part 2 — radio equipment processing personal data
  • Mechanism families in Part 2
  • Annex coverage
  • Part 3 — internet-connected radio equipment processing virtual money or monetary value
  • Mechanism families in Part 3
  • Annex coverage
  • Decision matrix — which parts apply to your product
  • Comparison table — mechanism families across the three parts
  • OJEU listing and the clauses excluded from presumption of conformity
  • Common mistakes
  • How Cenitia helps
  • Frequently asked questions
  • Related from the Library
  • Further reading
← Library
reference·RED·13 min read

EN 18031-1 vs -2 vs -3: which part applies to your radio product

EN 18031-1, -2 and -3 compared — scope, mechanism families, and a decision tree for RED Article 3(3)(d), (e) and (f) under Delegated Regulation 2022/30.

By Vladimír Vician · 29 June 2026

TL;DR

EN 18031 is a three-part European standard family (EN 18031-1, -2 and -3) approved by CEN on 1 August 2024, prepared by CEN/CENELEC JTC 13 "Cybersecurity and Data Protection", and listed in the OJEU via Commission Implementing Decision (EU) 2025/138 of 28 January 2025. Part 1 covers internet-connected radio equipment under RED Article 3(3)(d). Part 2 covers radio equipment processing personal data, traffic data or location data — internet-connected, childcare, toys and wearables — under RED Article 3(3)(e). Part 3 covers internet-connected radio equipment that transfers money or virtual currency under RED Article 3(3)(f). Most modern IoT products fall under at least two parts; many fall under all three. The parts share a common security mechanism core (ACM, AUM, SUM, SSM, SCM, CCK, GEC, CRY) but each adds part-specific families (Part 1: resilience, network monitoring, traffic control; Part 2: logging, deletion, user notification, child/parental access control; Part 3: logging, equipment integrity).

EN 18031 is the harmonised standard family that gives radio-equipment manufacturers a practical route to compliance with the cybersecurity essential requirements activated by Commission Delegated Regulation (EU) 2022/30. All three parts were approved by CEN on 1 August 2024, published in August 2024, and listed in the Official Journal on 30 January 2025 via Commission Implementing Decision (EU) 2025/138. Each part is a separate document and applies under a different sub-paragraph of Article 3(3) of the Radio Equipment Directive.

For the broader RED conformity path see the RED delegated act and EN 18031 walkthrough; for the Annex III versus Annex IV conformity-assessment choice see the RED Annex IV path; and for the gap to the Cyber Resilience Act see RED and CRA overlap for connected radio products.

Who this is for

RED conformity engineers, cybersecurity leads, notified body project managers and product compliance owners for any internet-connected radio product placed on the EU market. The article walks through the scope, mechanism families and clause-level decisions of EN 18031-1, -2 and -3. It is not legal advice — for binding interpretation, consult a CEN/CENELEC member body or a notified body authorised under RED.

Why three parts and not one

The European Commission's standardisation request to CEN-CENELEC tied each part of EN 18031 to a specific sub-paragraph of RED Article 3(3) that 2022/30 had activated. Splitting the standard avoided two problems. First, it kept each part focused — a Bluetooth speaker manufacturer should not have to read the financial-fraud clauses written for hardware wallets. Second, it kept the regulatory mapping clean — each part has its own informative Annex ZA describing the relationship with the specific Article 3(3) sub-point and the corresponding 2022/30 provision.

The trade-off: a product that triggers more than one of Article 3(3)(d), (e) or (f) must satisfy more than one part. Most modern IoT products do exactly that. A smart-home camera processes personal data (Part 2) and is internet-connected (Part 1). A payment terminal does both and also transfers monetary value (Part 3). The three parts are cumulative, not alternative.

Part 1 — internet-connected radio equipment

The verbatim scope of EN 18031-1, from clause 1 of the standard:

"This document specifies common security requirements and related assessment criteria for internet connected radio equipment (hereinafter referred to as 'equipment')."

Part 1 supports RED Article 3(3), first subparagraph, point (d) — the requirement that "radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service".

Mechanism families in Part 1

EN 18031-1 organises requirements into eleven mechanism families:

  • ACM — Access control mechanism (clauses 6.1.1 to 6.1.2)
  • AUM — Authentication mechanism (clauses 6.2.1 to 6.2.6)
  • SUM — Secure update mechanism (clauses 6.3.1 to 6.3.3)
  • SSM — Secure storage mechanism (clauses 6.4.1 to 6.4.3)
  • SCM — Secure communication mechanism (clauses 6.5.1 to 6.5.4)
  • RLM — Resilience mechanism (clause 6.6.1) — Part 1 only
  • NMM — Network monitoring mechanism (clause 6.7.1) — Part 1 only
  • TCM — Traffic control mechanism (clause 6.8.1) — Part 1 only
  • CCK — Confidential cryptographic keys (clauses 6.9.1 to 6.9.3)
  • GEC — General equipment capabilities (clauses 6.10.1 to 6.10.6)
  • CRY — Cryptography (clause 6.11.1)

Part 1 is the only part with the RLM resilience, NMM network monitoring and TCM traffic control families. That is consistent with its focus on network protection rather than on user data or financial transactions: the network can be harmed by denial-of-service from a flooded interface (TCM), by a compromised host that fails to detect inbound traffic anomalies (NMM), or by a device that cannot recover from a fault (RLM).

Annex coverage

Part 1 carries the informative Annex ZA showing the relationship to Delegated Regulation 2022/30, plus three informative cross-mappings: Annex B to EN IEC 62443-4-2:2019, Annex C to ETSI EN 303 645, and Annex D to the GlobalPlatform Security Evaluation Standard for IoT Platforms (SESIP). The Annex D SESIP mapping appears only in Part 1.

Part 2 — radio equipment processing personal data

The verbatim scope of EN 18031-2, from clause 1 of the standard:

"This document specifies common security requirements and related assessment criteria for radio equipment processing personal data or traffic data or location data for either internet connected radio equipment, radio equipment designed or intended exclusively for childcare, toys and wearable radio equipment (hereinafter referred to as 'equipment')."

Part 2 supports RED Article 3(3), first subparagraph, point (e) — the requirement that "radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected". Per Article 1(2) of Delegated Regulation 2022/30, point (e) is activated for four categories: internet-connected radio equipment, childcare radio equipment, radio toys covered by Directive 2009/48/EC, and wearable radio equipment, in each case where the equipment can process personal data, traffic data or location data.

Mechanism families in Part 2

EN 18031-2 organises requirements into twelve mechanism families:

  • ACM with six sub-clauses (6.1.1 to 6.1.6) — including four sub-clauses on toys and childcare default and parental/guardian access controls that exist only in Part 2
  • AUM with six sub-clauses (6.2.1 to 6.2.6)
  • SUM with three sub-clauses (6.3.1 to 6.3.3)
  • SSM with three sub-clauses (6.4.1 to 6.4.3)
  • SCM with four sub-clauses (6.5.1 to 6.5.4)
  • LGM — Logging mechanism with four sub-clauses (6.6.1 to 6.6.4) — Part 2 and Part 3 only
  • DLM — Deletion mechanism (clause 6.7.1) — Part 2 only
  • UNM — User notification mechanism with two sub-clauses (6.8.1 to 6.8.2) — Part 2 only
  • CCK with three sub-clauses (6.9.1 to 6.9.3)
  • GEC with seven sub-clauses (6.10.1 to 6.10.7) — Part 2 adds GEC-7 on documentation of external sensing capabilities
  • CRY (clause 6.11.1)

The DLM deletion and UNM user notification families are unique to Part 2. They reflect Article 3(3)(e)'s privacy focus: a user must be able to delete their personal data and must be notified about how data is being processed. The four ACM sub-clauses on child default and parental access controls are equally Part 2-specific — and apply only when the product is in scope of childcare equipment or radio toys.

Annex coverage

Part 2 carries the informative Annex ZA for Delegated Regulation 2022/30, plus Annex B (EN IEC 62443-4-2:2019 mapping) and Annex C (ETSI EN 303 645 mapping). Unlike Part 1, it does NOT carry the SESIP Annex D.

Part 3 — internet-connected radio equipment processing virtual money or monetary value

The verbatim scope of EN 18031-3, from clause 1 of the standard:

"This document specifies common security requirements and related assessment criteria for internet connected radio equipment. That equipment enables the holder or user to transfer money, monetary value or virtual currency (hereinafter referred to as 'equipment')."

Part 3 supports RED Article 3(3), first subparagraph, point (f) — the requirement that "radio equipment supports certain features ensuring protection from fraud". Per Article 1(3) of Delegated Regulation 2022/30, point (f) is activated for any internet-connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency.

Mechanism families in Part 3

EN 18031-3 organises requirements into nine mechanism families:

  • ACM with two sub-clauses (6.1.1 to 6.1.2) — same scope as Part 1, no child/parental sub-clauses
  • AUM with six sub-clauses (6.2.1 to 6.2.6)
  • SUM with three sub-clauses (6.3.1 to 6.3.3)
  • SSM with three sub-clauses (6.4.1 to 6.4.3)
  • SCM with four sub-clauses (6.5.1 to 6.5.4)
  • LGM with four sub-clauses (6.6.1 to 6.6.4) — shared with Part 2
  • CCK with three sub-clauses (6.7.1 to 6.7.3)
  • GEC with eight sub-clauses (6.8.1 to 6.8.8) — Part 3 adds GEC-7 and GEC-8 Equipment Integrity, which is unique to Part 3
  • CRY (clause 6.9.1)

The defining Part-3 addition is GEC-8 Equipment Integrity. It addresses the financial-fraud scenario where the device's hardware or firmware has been tampered with to redirect monetary transfers — a threat model not relevant to a smart-home camera (Part 2) or a smart bulb (Part 1) but central to a payment terminal or hardware wallet.

Part 3 omits RLM, NMM, TCM (Part 1's network families) and DLM, UNM (Part 2's privacy families). It picks up LGM from Part 2 for audit traceability — which fits the financial use case — and adds Equipment Integrity in GEC.

Annex coverage

Part 3 carries the informative Annex ZA for Delegated Regulation 2022/30, plus Annex B (EN IEC 62443-4-2:2019 mapping) and Annex C (ETSI EN 303 645 mapping). Like Part 2, it does NOT carry the SESIP Annex D.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Decision matrix — which parts apply to your product

Product profileArticle 3(3) activationEN 18031 parts
Smart bulb, smart plug, networked appliance — no personal data, no money transfer(d)Part 1
Smart-home Wi-Fi camera with cloud account(d) + (e)Part 1 + Part 2
Connected wearable (smartwatch, fitness tracker)(e)Part 2 (without ACM-3 to ACM-6 if not a toy)
Radio-enabled toy under Directive 2009/48/EC(e)Part 2 (including ACM-3 to ACM-6)
Childcare radio device (baby monitor, smart cot)(e)Part 2 (including ACM-3 to ACM-6)
Hardware crypto wallet with Wi-Fi or Bluetooth(d) + (f)Part 1 + Part 3
Connected POS terminal (Wi-Fi/cellular, NFC tap-to-pay)(d) + (e) + (f)All three parts
NFC-enabled smartphone(d) + (e) + (f)All three parts
Connected medical device under Regulation (EU) 2017/745None — Article 2 of 2022/30 carve-outNone under RED; CRA scope analysed separately

The matrix is a starting point, not a binding determination. The actual scope decision must be documented in the technical file with reference to Article 1 of 2022/30 and the specific RED Article 3(3) sub-points activated for the product category. Borderline cases — for example, a wearable that does not process traffic data — should be supported by an explicit justification, ideally reviewed by a notified body if you intend to take the Annex II self-assessment path.

Comparison table — mechanism families across the three parts

Mechanism familyPart 1 (Article 3(3)(d))Part 2 (Article 3(3)(e))Part 3 (Article 3(3)(f))
ACM — Access control2 sub-clauses6 sub-clauses (includes child/parental)2 sub-clauses
AUM — Authentication6 sub-clauses6 sub-clauses6 sub-clauses
SUM — Secure update3 sub-clauses3 sub-clauses3 sub-clauses
SSM — Secure storage3 sub-clauses3 sub-clauses3 sub-clauses
SCM — Secure communication4 sub-clauses4 sub-clauses4 sub-clauses
RLM — Resilience✅ Yes❌❌
NMM — Network monitoring✅ Yes❌❌
TCM — Traffic control✅ Yes❌❌
LGM — Logging❌✅ 4 sub-clauses✅ 4 sub-clauses
DLM — Deletion❌✅ Yes❌
UNM — User notification❌✅ 2 sub-clauses❌
CCK — Confidential cryptographic keys3 sub-clauses3 sub-clauses3 sub-clauses
GEC — General equipment capabilities6 sub-clauses7 sub-clauses (adds GEC-7 sensing doc)8 sub-clauses (adds GEC-7 + GEC-8 Equipment Integrity)
CRY — Cryptography✅ Yes✅ Yes✅ Yes
Annex D (SESIP mapping)✅ Yes❌❌

The shared core — ACM (in the simpler 2-sub-clause form), AUM, SUM, SSM, SCM, CCK, GEC (in some form) and CRY — is identical across the three parts. The differences are in (a) which part-specific mechanism families are added, (b) how many ACM sub-clauses are required, and (c) which extra GEC sub-clauses appear.

OJEU listing and the clauses excluded from presumption of conformity

Commission Implementing Decision (EU) 2025/138 of 28 January 2025, published in the OJEU on 30 January 2025, lists EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 as harmonised standards supporting the cybersecurity essential requirements of RED Article 3(3)(d), (e) and (f) respectively.

The Decision contains an explicit exclusion list. Applying any of the following clauses does not generate presumption of conformity by itself:

  • All three parts: the "rationale" and "guidance" sections (informative annexes), and clauses 6.2.5.1 and 6.2.5.2 (password strength) if users can avoid setting passwords.
  • EN 18031-2 only: clauses 6.1.3, 6.1.4, 6.1.5 and 6.1.6 (default and parental/guardian access controls for children) if applied without parental/guardian access control.
  • EN 18031-3 only: clause 6.3.2.4 (a sub-element of secure updates) when relied on alone as assessment criteria.

If your assessment touches any excluded clause, RED Article 17(4) moves the affected Article 3(3) requirement off the Annex II self-assessment track and onto either Annex III (Module B+C) or Annex IV (Module H) with a notified body.

Common mistakes

  • Picking the wrong part. A wearable that processes traffic data is Part 2, not Part 1, even though it is also internet-connected. The activation lists in Article 1 of 2022/30 are dispositive — read them per product category and per Article 3(3) sub-point.
  • Treating the parts as alternatives. They are cumulative for products triggering multiple activations. A product needing both Part 1 and Part 2 must satisfy the union of their mechanism families.
  • Skipping the ACM child/parental clauses for toys. EN 18031-2 sub-clauses ACM-3 to ACM-6 are mandatory for radio toys and childcare equipment. Excluding them from your assessment forfeits presumption of conformity even if everything else is in place.
  • Trying to claim conformity through the rationale and guidance annexes. Those annexes are informative and explicitly excluded from presumption per Implementing Decision 2025/138. Compliance must rest on the normative clauses 6.x.
  • Confusing EN 18031 conformity with CRA conformity. EN 18031 only addresses RED Article 3(3)(d), (e) and (f). It does not satisfy CRA Annex I Part I (essential cybersecurity requirements) and has no equivalent of CRA Annex I Part II (vulnerability handling). See RED + CRA overlap for connected radio products.
  • Skipping the SESIP mapping in Part 1. If your product is already SESIP-evaluated, Annex D of Part 1 lets you reuse that evidence for some of the Part 1 mechanisms. Annex D does not transfer compliance — it shortens the evidence-gathering work.

How Cenitia helps

Cenitia models EN 18031 as a per-part, per-clause matrix. When you enter a product profile — internet-connected, processes personal data, transfers value, is in scope as a toy — the platform identifies which parts apply, which mechanism families are activated, and which clauses are NOT applicable given the product's category. For each applicable clause it surfaces the relevant test evidence templates, the Implementing Decision (EU) 2025/138 exclusion (if any), and the SESIP, EN IEC 62443-4-2 or EN 303 645 cross-reference where prior evidence may be reused.

When the OJEU listing is updated — for example, if a future Implementing Decision adds or removes excluded clauses — Cenitia's regulation watcher flags every technical file that needs re-review.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Frequently asked questions

How many parts does EN 18031 have, and what does each one cover?

The EN 18031 family has three published parts, all approved by CEN on 1 August 2024 and published in August 2024. EN 18031-1 covers internet-connected radio equipment under RED Article 3(3)(d) (network protection). EN 18031-2 covers radio equipment processing personal data, traffic data or location data — applied to internet-connected, childcare, radio toys and wearable equipment under RED Article 3(3)(e) (personal data and privacy safeguards). EN 18031-3 covers internet-connected radio equipment that enables the user to transfer money, monetary value or virtual currency under RED Article 3(3)(f) (fraud protection).

Can a single product be in scope of more than one part of EN 18031?

Yes — and most modern IoT products are. A smart-home Wi-Fi camera processes personal data (Part 2) AND is internet-connected (Part 1), so it must satisfy both. A connected payment terminal processes personal data (Part 2), is internet-connected (Part 1) AND transfers monetary value (Part 3) — so it must satisfy all three. The parts are not alternatives; they are cumulative for products triggering multiple Article 3(3) activations.

What are the main differences in security mechanisms between the three parts?

All three parts share a common core: Access Control (ACM), Authentication (AUM), Secure Update (SUM), Secure Storage (SSM), Secure Communication (SCM), Confidential Cryptographic Keys (CCK), General Equipment Capabilities (GEC) and Cryptography (CRY). EN 18031-1 adds three network-focused mechanism families: Resilience (RLM), Network Monitoring (NMM) and Traffic Control (TCM). EN 18031-2 adds three privacy-focused families: Logging (LGM), Deletion (DLM) and User Notification (UNM), plus four sub-clauses on default and parental access control for toys and childcare equipment. EN 18031-3 adds Logging (LGM) and one extra GEC sub-clause for Equipment Integrity (GEC-8).

Does compliance with EN 18031 give presumption of conformity for the CRA?

No. EN 18031-1, -2 and -3 are RED harmonised standards listed in Commission Implementing Decision (EU) 2025/138 of 28 January 2025. They give presumption of conformity for RED Article 3(3)(d), (e) and (f) only. The Cyber Resilience Act (Regulation (EU) 2024/2847) has its own essential requirements in Annex I Part I and vulnerability handling duties in Annex I Part II, which are not covered by EN 18031 — see our RED + CRA overlap article for the gap analysis.

Which clauses of EN 18031 does the OJEU listing EXCLUDE from presumption of conformity?

Commission Implementing Decision (EU) 2025/138 published in the OJEU on 30 January 2025 lists the three parts but explicitly excludes from presumption of conformity: the "rationale" and "guidance" sections of all three parts; clauses 6.2.5.1 and 6.2.5.2 of all three parts if users can avoid setting passwords; clauses 6.1.3, 6.1.4, 6.1.5 and 6.1.6 of EN 18031-2 without parental/guardian access control; and clause 6.3.2.4 of EN 18031-3 when relied on alone as assessment criteria. If your assessment touches an excluded clause, Article 17(4) of the RED puts you on the Annex III or Annex IV path with a notified body.

Do the EN 18031 parts map to any other security frameworks?

Yes, informatively. All three parts include an informative Annex B with a mapping to EN IEC 62443-4-2:2019 (industrial component security capabilities), and an informative Annex C with a mapping to ETSI EN 303 645 (Cyber Security for Consumer Internet of Things — Baseline Requirements). EN 18031-1 additionally includes an informative Annex D mapping to the GlobalPlatform Security Evaluation Standard for IoT Platforms (SESIP). These mappings are informative — they do not transfer compliance, but they let teams already certified to EN IEC 62443-4-2 or EN 303 645 see where their existing evidence partially supports EN 18031 conformity.

Related from the Library

  • RED Delegated Act and EN 18031 walkthrough
  • RED Annex IV path for radio equipment
  • RED + CRA overlap for connected radio products
  • Conformity assessment modules A to H
  • When you need a Notified Body

Further reading

  • Directive 2014/53/EU (RED) — HTML, EUR-Lex
  • Commission Delegated Regulation (EU) 2022/30 — activation of Article 3(3)(d), (e), (f)
  • Commission Implementing Decision (EU) 2025/138 — EN 18031 series in OJEU
  • Directive 2009/48/EC — Safety of toys (EUR-Lex)
  • CEN-CENELEC JTC 13 — Cybersecurity and Data Protection
  • ETSI EN 303 645 — Cyber Security for Consumer Internet of Things: Baseline Requirements
  • EN IEC 62443-4-2:2019 — IACS components, technical security requirements

Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.

FAQ

Frequently asked questions

  • How many parts does EN 18031 have, and what does each one cover?+

    The EN 18031 family has three published parts, all approved by CEN on 1 August 2024 and published in August 2024. EN 18031-1 covers internet-connected radio equipment under RED Article 3(3)(d) (network protection). EN 18031-2 covers radio equipment processing personal data, traffic data or location data — applied to internet-connected, childcare, radio toys and wearable equipment under RED Article 3(3)(e) (personal data and privacy safeguards). EN 18031-3 covers internet-connected radio equipment that enables the user to transfer money, monetary value or virtual currency under RED Article 3(3)(f) (fraud protection).

  • Can a single product be in scope of more than one part of EN 18031?+

    Yes — and most modern IoT products are. A smart-home Wi-Fi camera processes personal data (Part 2) AND is internet-connected (Part 1), so it must satisfy both. A connected payment terminal processes personal data (Part 2), is internet-connected (Part 1) AND transfers monetary value (Part 3) — so it must satisfy all three. The parts are not alternatives; they are cumulative for products triggering multiple Article 3(3) activations.

  • What are the main differences in security mechanisms between the three parts?+

    All three parts share a common core: Access Control (ACM), Authentication (AUM), Secure Update (SUM), Secure Storage (SSM), Secure Communication (SCM), Confidential Cryptographic Keys (CCK), General Equipment Capabilities (GEC) and Cryptography (CRY). EN 18031-1 adds three network-focused mechanism families: Resilience (RLM), Network Monitoring (NMM) and Traffic Control (TCM). EN 18031-2 adds three privacy-focused families: Logging (LGM), Deletion (DLM) and User Notification (UNM), plus four sub-clauses on default and parental access control for toys and childcare equipment. EN 18031-3 adds Logging (LGM) and one extra GEC sub-clause for Equipment Integrity (GEC-8).

  • Does compliance with EN 18031 give presumption of conformity for the CRA?+

    No. EN 18031-1, -2 and -3 are RED harmonised standards listed in Commission Implementing Decision (EU) 2025/138 of 28 January 2025. They give presumption of conformity for RED Article 3(3)(d), (e) and (f) only. The Cyber Resilience Act (Regulation (EU) 2024/2847) has its own essential requirements in Annex I Part I and vulnerability handling duties in Annex I Part II, which are not covered by EN 18031 — see our RED + CRA overlap article for the gap analysis.

  • Which clauses of EN 18031 does the OJEU listing EXCLUDE from presumption of conformity?+

    Commission Implementing Decision (EU) 2025/138 published in the OJEU on 30 January 2025 lists the three parts but explicitly excludes from presumption of conformity: the 'rationale' and 'guidance' sections of all three parts; clauses 6.2.5.1 and 6.2.5.2 of all three parts if users can avoid setting passwords; clauses 6.1.3, 6.1.4, 6.1.5 and 6.1.6 of EN 18031-2 without parental/guardian access control; and clause 6.3.2.4 of EN 18031-3 when relied on alone as assessment criteria. If your assessment touches an excluded clause, Article 17(4) of the RED puts you on the Annex III or Annex IV path with a notified body.

  • Do the EN 18031 parts map to any other security frameworks?+

    Yes, informatively. All three parts include an informative Annex B with a mapping to EN IEC 62443-4-2:2019 (industrial component security capabilities), and an informative Annex C with a mapping to ETSI EN 303 645 (Cyber Security for Consumer Internet of Things — Baseline Requirements). EN 18031-1 additionally includes an informative Annex D mapping to the GlobalPlatform Security Evaluation Standard for IoT Platforms (SESIP). These mappings are informative — they do not transfer compliance, but they let teams already certified to EN IEC 62443-4-2 or EN 303 645 see where their existing evidence partially supports EN 18031 conformity.

Portrait of Vladimír Vician

Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.

Best reached on LinkedIn. For longer enquiries, the Inovasense contact form.

Inovasense profile · More about Cenitia

Continue reading

Related guides

  • reference

    ETSI EN 303 645 — the 13 consumer IoT controls explained

    The 13 high-level provisions of ETSI EN 303 645 v2.1.1 (June 2020) and v3.1.3 (September 2024) explained, with the TS 103 701 conformance assessment mapping.

    11 min read

  • reference

    RED Annex IV path: when radio equipment needs a Notified Body

    RED Annex IV path — when radio equipment requires Notified Body full quality assurance (Module H), versus Module A self-assessment under Article 17(2).

    9 min read

  • comparison

    RED and CRA overlap for connected radio products: 2025-2027 transition

    RED Delegated Act 2022/30 and CRA overlap for connected radio products — the 2025-2027 transition, EN 18031 coverage, gap to CRA Annex I Part II, dual obligations.

    10 min read

  • guide

    RED Delegated Act + EN 18031 — the self-assessment walkthrough for radio products

    Step-by-step walkthrough of RED Delegated Act 2022/30 cybersecurity self-assessment under EN 18031-1, -2, -3 — scope, process, tests, and CRA overlap.

    14 min read

Put this into practice

Free tools & references

  • Do I need a Notified Body?Find out, per regulation, whether a Notified Body is required.Open tool →
  • EU Directive SelectorDescribe your product and find which EU directives and regulations apply.Open tool →

New to the terminology? Browse the compliance glossary — plain-English, citation-backed definitions of every term above.

Reserve your spot — launching September 2026

One email at launch · cancel any time

← Back to Library

Cenitia

The EU compliance engine for hardware manufacturers. Cited drafts, electronic signing, regulation watching — all in one place.

A product of Inovasense s.r.o., Bratislava, Slovakia · Data hosted in Stockholm, EU

Site

  • How it works
  • Library
  • Glossary
  • Regulations
  • By product type
  • Tools
  • About

Legal

  • Imprint
  • Privacy
  • Terms

© 2026 Inovasense s.r.o. · cenitia.com

EU sovereign · EU data residency by design · Customer data never trains models