
RED Delegated Act + EN 18031 — the self-assessment walkthrough for radio products

Step-by-step walkthrough of RED Delegated Act 2022/30 cybersecurity self-assessment under EN 18031-1, -2, -3 — scope, process, tests, and CRA overlap.

By Vladimír Vician · 6 June 2026

TL;DR

Commission Delegated Regulation (EU) 2022/30 — the "RED Delegated Act" — activated three previously dormant essential requirements in the Radio Equipment Directive: Article 3(3)(d) network protection, 3(3)(e) personal data and privacy protection, and 3(3)(f) fraud protection. The Delegated Act entered into application on 1 August 2025. The harmonised standard EN 18031 (parts 1, 2, 3) gives a presumption of conformity for self-assessment under Module A. Most modern connected products are in scope of all three sub-articles. From 11 December 2027 the CRA layers on top, broadly compatible with EN 18031 but with additional Annex I requirements.

The RED Delegated Act — formally Commission Delegated Regulation (EU) 2022/30 — activated three previously dormant essential requirements in the Radio Equipment Directive 2014/53/EU. From 1 August 2025 onwards, all radio equipment in scope must meet cybersecurity essential requirements under Article 3(3)(d), (e), and (f) of RED to bear the CE mark.

This article walks through the scope of the Delegated Act, the three EN 18031 harmonised standard parts that give presumption of conformity, the seven-step self-assessment process under Module A, what evidence the Technical File needs, costs, common interpretation pitfalls, and how RED Delegated Act compliance relates to the Cyber Resilience Act starting 11 December 2027.

Who this is for

Engineers, compliance leads, and product managers responsible for radio products entering the EU market under RED — Wi-Fi, Bluetooth, BLE, cellular, LoRa, Zigbee, Z-Wave. This article is not legal advice — for binding interpretation, consult a qualified Notified Body or EU compliance lawyer.

What the RED Delegated Act actually does

The Radio Equipment Directive entered into force in 2014, with Article 3(3) listing seven essential requirements that the Commission could activate via Delegated Acts when needed. Three of these — letters (d), (e), and (f) — addressed cybersecurity, privacy, and fraud protection. They remained dormant for nearly a decade.

Commission Delegated Regulation (EU) 2022/30 activated them. After multiple postponements, the application date was set to 1 August 2025. From that date onwards:

  • Article 3(3)(d) — radio equipment must "not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service"
  • Article 3(3)(e) — radio equipment must "incorporate safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected"
  • Article 3(3)(f) — radio equipment must "support certain features ensuring protection from fraud"

The Delegated Act specifies which categories of radio equipment fall in scope of each:

| RED article | Scope | Examples |
|---|---|---|
| 3(3)(d) | Internet-connected radio equipment | Wi-Fi cameras, Bluetooth routers, cellular IoT devices, LoRa gateways |
| 3(3)(e) | Radio equipment that processes personal data, traffic data, or location data | Most connected consumer products, wearables, smart home hubs |
| 3(3)(f) | Connected toys, childcare equipment, wearables | Smart toys, fitness trackers, smart watches |

Most modern connected products fall in scope of all three sub-articles simultaneously.

The EN 18031 family

CEN-CENELEC developed harmonised standard EN 18031 to give a presumption of conformity with the RED Delegated Act essential requirements. The standard has three parts mapped one-to-one to the RED Delegated Act articles:

| Standard part | RED article covered | Scope |
|---|---|---|
| EN 18031-1 | Article 3(3)(d) | Network protection — authentication, secure update, secure communication, access control |
| EN 18031-2 | Article 3(3)(e) | Personal data and privacy protection — data minimisation, encryption at rest and in transit, privacy by design |
| EN 18031-3 | Article 3(3)(f) | Fraud protection — secure payment, authenticated commerce, anti-replay |

All three parts were cited in the Official Journal of the European Union in 2025 — giving manufacturers the presumption of conformity required for Module A self-assessment under RED Article 17(2)(a).

Most products in scope of the Delegated Act need to demonstrate compliance against all three parts of EN 18031 — there is little overlap between the parts and each addresses a different layer of the threat surface.

The seven-step self-assessment process

EN 18031 prescribes an asset-based risk assessment methodology that drives the rest of the conformity demonstration.

1. Confirm RED Delegated Act scope

Verify your product is in scope of one or more of Article 3(3)(d), (e), or (f). The Delegated Act's Article 1 lists the criteria. Almost any connected consumer product is in scope of at least 3(3)(e); connected products that touch the public internet add 3(3)(d); products targeted at children or processing payment information add 3(3)(f).

2. Identify the applicable EN 18031 parts

Map the in-scope RED articles to the EN 18031 parts. A typical connected consumer product needs all three.

3. Perform the asset-based risk assessment

The EN 18031 methodology in Annex A guides the manufacturer to:

  • Identify assets — what the product holds or controls that has value (network connectivity, user data, payment functions, sensor data)
  • Identify threats per asset — STRIDE-style threat enumeration or equivalent
  • Identify the security capabilities required to mitigate each identified threat
  • Document the assessment — the methodology requires that the assessment itself go in the Technical File

4. Implement the required security capabilities

EN 18031-1 section 5 lists the security capabilities the product must implement based on the asset-threat mapping. The typical baseline:

  • Authentication — strong unique credentials, no hard-coded passwords, brute-force protection
  • Secure update mechanism — signed updates, integrity check, rollback protection
  • Secure communication — TLS 1.2+ or equivalent, no plaintext credentials
  • Secure storage — encrypted at rest where appropriate, no clear-text key material
  • Access control — principle of least privilege, role-based access
  • Logging and monitoring — security events captured, audit trail
  • Cryptographic algorithm baseline — modern algorithms only, no MD5/SHA-1/DES/RC4
  • Coordinated vulnerability disclosure — published policy, security.txt
  • Secure-by-default configuration — out-of-the-box state must be secure

5. Test the implementation

Two layers of testing:

  • Functional tests — does each security capability operate as designed? Tested in-house or by a lab.
  • Conformity tests — does each capability satisfy the EN 18031 acceptance criteria? Test reports include the methodology used, results, and pass/fail per capability.

For RED Delegated Act self-assessment, the lab does not need to be a Notified Body; it does need ISO/IEC 17025 accreditation for the security-test scope. EMC chambers traditionally accredited for radio emissions are often not accredited for security functional testing — manufacturers commonly use one lab for EMC and a different lab for security under EN 18031.

6. Compile the Technical File and sign the DoC

Update the Technical File with EN 18031 conformity evidence. The Declaration of Conformity cites:

  • RED 2014/53/EU as the directive
  • Commission Delegated Regulation (EU) 2022/30 as the activating instrument
  • EN 18031-1:2024, EN 18031-2:2024, EN 18031-3:2024 (or the citation versions current at signing) as the harmonised standards applied

7. Continue post-market surveillance

Under RED Article 43, manufacturers monitor field incidents, react to vulnerability disclosures, and notify national radio authorities of serious incidents. From 11 September 2026 the parallel CRA Article 14 reporting obligations layer on top for in-scope products.

What goes in the Technical File for EN 18031

Beyond the standard Technical File sections, EN 18031 conformity adds:

  • Asset-based risk assessment — the EN 18031 Annex A methodology applied, threats identified, capabilities mapped
  • Security architecture documentation — diagrams of trust boundaries, authentication flows, update flow, data flow
  • Implementation evidence per security capability — design documents, code review summaries, secure-by-default configuration evidence
  • Functional test results — each capability tested with documented methodology and pass/fail
  • Conformity test results — each EN 18031 requirement evaluated with citation to the standard subsection
  • Vulnerability handling policy and security.txt URL — under EN 18031 the policy is part of the conformity evidence
  • SBOM — CycloneDX or SPDX; required by CRA from December 2027 and a recommended addition under EN 18031 today

RED Delegated Act vs CRA — the overlap

Both regimes address similar essential requirements for similar products, but on different timelines and with different conformity assessment paths.

| Dimension | RED Delegated Act | Cyber Resilience Act |
|---|---|---|
| Scope | Radio equipment per Article 1 of 2022/30 | Every product with digital elements |
| Application date | 1 August 2025 | 11 December 2027 (Annex I); 11 September 2026 (Article 14 reporting) |
| Harmonised standard | EN 18031-1, -2, -3 | EN 18031 family extended; CRA-specific standard family in development |
| Conformity assessment | Module A self-assessment when EN 18031 fully applied | Module A for standard products; B+C/H for important products in Annex III |
| Reporting obligation | RED Article 43 to national radio authority | CRA Article 14 to ENISA + CSIRT, 24-hour rule |
| Penalty regime | National RED implementing law | CRA Article 64 — €15M or 2.5% of turnover for Annex I breaches |

For a radio product placed on the market between 1 August 2025 and 11 December 2027, only the RED Delegated Act applies (plus general CRA Article 13 vulnerability handling and Article 14 reporting from September 2026 if the product is also in CRA scope, which most connected radio products are).

For a radio product placed on the market from 11 December 2027 onwards, both regimes apply — the DoC cites both RED 2014/53/EU + 2022/30 and CRA 2024/2847. EN 18031 satisfies most of the overlap but does not subsume CRA Annex I entirely; gap analysis is required.

A practical heuristic: a product fully compliant with EN 18031-1, -2, -3 in 2026 is approximately 70-85% of the way to CRA Annex I compliance in 2027. The remaining gap is the additional CRA Part II vulnerability handling formalisations (explicit SBOM, mandatory CVD policy, severity-tiered patch SLA).

Common interpretation pitfalls

From the Inovasense practice working with radio product manufacturers in 2025-2026:

  • Treating EN 18031 as a feature checklist instead of an asset-based methodology. The standard's strength is its requirement that every implemented security capability traces back to an identified asset and threat. Manufacturers who skip the risk assessment and dive into implementation produce non-compliant Technical Files even when the product is technically well-secured.
  • Citing EN 18031 without specifying the version date. "EN 18031-1" is ambiguous. "EN 18031-1:2024" is auditable.
  • Forgetting Article 3(3)(f) fraud protection for non-payment products. Connected toys and wearables that don't process payments still fall under 3(3)(f) when they contain features marketed to children or store value (game currency, loyalty points).
  • Assuming consumer IoT standards (EN 303 645) substitute for EN 18031. They don't. EN 303 645 is a baseline standard predating the RED Delegated Act; EN 18031 supersedes it for products in scope of 2022/30.
  • Self-assessing partially against EN 18031 and claiming Module A. Module A requires full application of the harmonised standard. Partial application pushes the product into Module B+C with Notified Body involvement.
  • Missing the August 2025 enforcement date. Manufacturers who designed products in 2023-2024 without anticipating EN 18031 face costly retrofit campaigns.
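
The traceability that steps 3 to 5 build up, and that the first pitfall above says is often skipped, can be checked mechanically before the Technical File is compiled. The following Python is an added example, not part of EN 18031 or of any Cenitia tooling; the record layout, the IDs and the rule names are assumptions made for illustration, and the sample data for a hypothetical Wi-Fi camera is constructed.

```python
"""Gap check over an asset -> threat -> capability -> test mapping."""

LAYERS = ("functional", "conformity")  # the two test layers named in step 5

# Constructed sample for a hypothetical Wi-Fi camera. The IDs (A1, T1, C1) are
# this example's own scheme, not EN 18031 clause numbers.
SAMPLE = {
    "assets": {
        "A1": "network connectivity",
        "A2": "user video stream",
        "A3": "stored Wi-Fi passphrase",
    },
    "threats": {
        "T1": {"asset": "A1", "desc": "login with a shared default password"},
        "T2": {"asset": "A2", "desc": "stream read in transit"},
        "T3": {"asset": "A1", "desc": "unsigned firmware accepted"},
    },
    "capabilities": {
        "C1": {"name": "unique per-device credentials", "mitigates": ["T1"]},
        "C2": {"name": "TLS 1.2+ on all connections", "mitigates": ["T2"]},
        "C3": {"name": "audit logging", "mitigates": []},
    },
    "tests": [
        {"capability": "C1", "layer": "functional", "result": "pass"},
        {"capability": "C1", "layer": "conformity", "result": "pass"},
        {"capability": "C2", "layer": "functional", "result": "pass"},
        {"capability": "C2", "layer": "conformity", "result": "fail"},
    ],
}


def check_traceability(assessment):
    """Return a sorted list of (rule, item_id) gaps; empty means fully traced."""
    assets = assessment["assets"]
    threats = assessment["threats"]
    caps = assessment["capabilities"]
    gaps = set()

    # Step 3: each threat belongs to an identified asset, and each asset
    # has had threats enumerated against it.
    for tid, threat in threats.items():
        if threat["asset"] not in assets:
            gaps.add(("threat-without-asset", tid))
    assessed = {t["asset"] for t in threats.values()}
    for aid in assets:
        if aid not in assessed:
            gaps.add(("asset-without-threat", aid))

    # Steps 3-4: a capability that traces to no known threat is the
    # "feature checklist" pitfall; a threat nobody mitigates is an open risk.
    mitigated = set()
    for cid, cap in caps.items():
        known = [t for t in cap["mitigates"] if t in threats]
        if len(known) < len(cap["mitigates"]):
            gaps.add(("unknown-threat-reference", cid))
        if not known:
            gaps.add(("capability-without-threat", cid))
        mitigated.update(known)
    for tid in threats:
        if tid not in mitigated:
            gaps.add(("threat-unmitigated", tid))

    # Step 5: each capability needs a passing result in both test layers.
    passed = {(t["capability"], t["layer"])
              for t in assessment["tests"] if t["result"] == "pass"}
    for cid in caps:
        for layer in LAYERS:
            if (cid, layer) not in passed:
                gaps.add((f"no-passing-{layer}-test", cid))

    return sorted(gaps)


if __name__ == "__main__":
    for rule, item in check_traceability(SAMPLE):
        print(f"{item}: {rule}")
```

An empty result only shows that the mapping is internally complete; whether each capability actually meets the EN 18031 acceptance criteria is still decided by the conformity tests themselves.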

How Cenitia helps

Cenitia identifies whether a product is in scope of RED Delegated Act 2022/30 and which EN 18031 parts apply, generates the asset-based risk assessment template, and produces the conformity evidence outline for each EN 18031 capability. The Cenitia regulation watcher tracks the EN 18031 family for amendments in the Official Journal — when a new version is cited, affected Declarations of Conformity are flagged.

For radio products that need Notified Body assessment under RED Annex IV (partial EN 18031 application), or specialist test labs for security functional testing, our parent company Inovasense provides consulting.


Frequently asked questions

What is the RED Delegated Act?

The RED Delegated Act is shorthand for Commission Delegated Regulation (EU) 2022/30, which activated three previously dormant essential requirements in the Radio Equipment Directive: Article 3(3)(d) on network protection, Article 3(3)(e) on personal data and privacy protection, and Article 3(3)(f) on fraud protection. The Delegated Regulation entered into application on 1 August 2025 — from that date, all radio equipment in scope must meet these cybersecurity essential requirements to bear the CE mark.

Which radio products are in scope of the Delegated Act?

Article 1 of Commission Delegated Regulation 2022/30 defines three categories. Article 3(3)(d) covers internet-connected radio equipment — Wi-Fi, Bluetooth, cellular, LoRa devices that connect to the internet directly or via a hub. Article 3(3)(e) covers radio equipment that can process personal data, traffic data, or location data — virtually any connected consumer product. Article 3(3)(f) covers connected toys, childcare equipment, and wearables. Most modern connected products fall under all three.

What is EN 18031?

EN 18031 is the harmonised standard family developed by CEN-CENELEC to give a presumption of conformity with the RED Delegated Act essential requirements. EN 18031-1 covers Article 3(3)(d) network protection. EN 18031-2 covers Article 3(3)(e) personal data and privacy protection. EN 18031-3 covers Article 3(3)(f) fraud protection. The standards were cited in the Official Journal in 2025 and are the canonical reference for radio equipment cybersecurity self-assessment under RED.

Can I self-assess against EN 18031 without a Notified Body?

Yes — RED Article 17(2)(a) permits Module A self-assessment when the manufacturer fully applies the harmonised standards. Applying EN 18031 fully means following its asset-based risk assessment methodology, implementing the required security capabilities, and producing the conformity evidence specified by the standard. If you deviate from EN 18031 — applying it partly or substituting other measures — Module A no longer applies and you need a Notified Body for Module B+C or H assessment under Article 17(2)(c).

How does the RED Delegated Act relate to the Cyber Resilience Act?

Both apply to connected products and overlap substantially. The RED Delegated Act applies from 1 August 2025 to radio equipment; the CRA applies from 11 December 2027 to every product with digital elements. For radio products on the market between August 2025 and December 2027, only the RED Delegated Act applies. From December 2027 onwards, radio products must satisfy both the RED Delegated Act (via EN 18031) and CRA Annex I. EN 18031 was designed to be largely compatible with CRA Annex I requirements — a product compliant under EN 18031 is approximately 70-85% of the way to CRA Annex I compliance.

What does an EN 18031 conformity assessment cost?

Self-assessment internal engineering effort for a small connected consumer product: typically 8 to 16 person-weeks for first-time compliance, then 2 to 4 weeks per derivative product. Pre-compliance lab testing for security functions: €5 000 to €15 000 per product per testing campaign. If Notified Body assessment is needed (deviation from EN 18031), add €10 000 to €30 000 for Module B+C. Annual maintenance per product family: typically 1 to 2 person-weeks internal effort.

What evidence does the Technical File need for EN 18031?

The asset-based risk assessment per EN 18031 Annex A, mapping product assets to threats and to the security capabilities implemented. Security architecture documentation. Implementation evidence per security capability (authentication, secure update, secure storage, etc.). Functional test results showing each capability operates as designed. Conformity test results against EN 18031 acceptance criteria. SBOM in CycloneDX or SPDX (also satisfies CRA). Coordinated vulnerability disclosure policy. Update mechanism description.

What happens if my product fails to meet the RED Delegated Act?

Under RED Article 43, non-compliant products are subject to market withdrawal, recall, and import bans. Administrative fines are set by member states under their national RED implementing legislation. National radio authorities (ARCEP in France, BNetzA in Germany, Ofcom in the UK for legacy CE-marked products, Telekomunikačný úrad in Slovakia) have inspection and enforcement powers. The signing officer of the Declaration of Conformity is personally named in proceedings. From 11 December 2027, simultaneous failure to meet CRA Annex I adds the higher CRA penalty regime — €15 million or 2.5% of turnover.

Related from the Library

  • CRA Annex I explained — the cybersecurity essentials that broadly overlap with EN 18031
  • CRA timeline and reporting obligations — the layered CRA reporting that applies from September 2026
  • CE Marking 101 — umbrella context for RED within the CE marking framework
  • Conformity assessment Modules A through H — Module A self-assessment for full EN 18031 application

Further reading

  • Commission Delegated Regulation (EU) 2022/30 — full text
  • Radio Equipment Directive 2014/53/EU — Article 3(3)(d)(e)(f) and Article 17
  • CEN-CENELEC cybersecurity work programme — EN 18031 family
  • Official Journal — harmonised standards under RED

Last reviewed: 20 June 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.


Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.
