Laird Connectivity is now Ezurio
Understanding EU Commission Implementation of Decision (EU) 2025/138 - New Harmonized Standards and Restrictions
In this post, Ezurio breaks down the EU's new amendment to RED Implementation Decision (EU) 2022-2191, which adds harmonized standards and restrictions to EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024.
Published on February 7, 2025
This blog post is part of a series of posts Ezurio is publishing over the course of 2025, helping manufacturers understand the EU's RED Delegated Act 2022/30 and Cyber Resiliance Act (CRA). We'll be sharing what the legislation is, our road to securing compliance for our products, and how manufacturers can do the same. See this page for updates.
Impact of EU Commission Implementation of Decision (EU) 2025/138 which amends the Radio Equipment Directive (RED) Implementation Decision (EU) 2022/2191 to add Harmonized Cybersecurity Standards to the Radio Equipment Directive as EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024 with the addition of Annex I, Number 164,165, and 166.
The Notices contained in Annex I stipulate restrictions to the harmonized standards.
The EU Commission implemented an amendment to the latest Radio Equipment Directive (RED) [1] that adds a set of harmonized cybersecurity standards. The harmonized standards are EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024.
Parts of the EN 18031 Standard:
- The first part of the standard, EN 18031-1:2024 pertains to internet connected radio equipment.
- The second part of the standard relates to radio equipment processing data, namely internet connected radio equipment, childcare radio equipment, toy radio equipment and wearable radio equipment.
- The third part of the standard covers internet radio equipment processing virtual money or monetary value.
Restrictions to the Harmonized EN 18031 Standard:
The EU implementation decision [2] also carried a set of restrictions to be added to Annex 1 of latest changes to the latest Radio Equipment Directive.
Each part of the EN 18031 standard has a specific set of restrictions:
Restrictions to EN 18031-1:2024:
Restrictions to EN 18031-1:2024: Annex I, number 164, Notice 1:
The sections named “rationale” and “guidance”, in this harmonized standard, do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (d), of Directive 2014/53/EU.
Directive 2014/53/EU, Article 3(3) (d) [3] : “radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;”.
Restrictions to EN 18031-1:2024: Annex I, number 164, Notice 2:
This harmonized standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (d), of Directive 2014/53/EU if, when applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password.
[AUM-5-1] Requirement for factory default passwords. (AUM = Authorization Mechanism)
[AUM-5-2] Requirement for non-factory default passwords
Restrictions to EN 18031-2:2024:
Restrictions to EN 18031-2:2024: Annex I, number 165 Notice 1:
The sections named “rationale” and “guidance”, in this harmonized standard, do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU.
Directive 2014/53/EU, Article 3(3) (e) [3] : “radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;”.
Restrictions to EN 18031-2:2024: Annex I, number 165, Notice 2:
This harmonized standard does not confer a presumption of conformity with Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU if, by applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password.
[AUM-5-1] Requirement for factory default passwords. (AUM = Authorization Mechanism)
[AUM-5-2] Requirement for non-factory default passwords
Restrictions to EN 18031-2:2024: Annex I, number 165, Notice 3:
For the classes or categories of radio equipment covered by clause 6.1.3, 6.1.4, 6.1.5 or 6.1.6 of this harmonized standard, this harmonized standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU if, by applying its clauses 6.1.3.4.2, 6.1.4.4.2, 6.1.5.4.2 and 6.1.6.4.2, parental or guardian access control is not ensured.
(ACM-4) Default access control to children's privacy assets for toys and childcare equipment (ACM = Access Control Mechanism).
Restrictions to EN 18031-3:2024: Annex I, number 166 Notice 1:
The sections named “rationale” and “guidance”, in this harmonized standard, do not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.
Directive 2014/53/EU, Article 3(3) (f) [3] : “radio equipment supports certain features ensuring protection from fraud;”
Restrictions to EN 18031-3:2024: Annex I, number 166 Notice 2:
This harmonized standard does not confer a presumption of conformity with Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU if, by applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password.
[AUM-5-1] Requirement for factory default passwords. (AUM = Authorization Mechanism)
[AUM-5-2] Requirement for non-factory default passwords
Restrictions to EN 18031-3:2024: Annex I, number 166 Notice 3:
As regards the assessment criteria set out in clause 6.3.2.4 of this harmonized standard, this harmonized standard does not confer a presumption of conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.’
(SUM-2) Secure updates
References: