Network Security certification
Details
In 2022, the European Commission issued the RED Directive Supplementary Authorization Act (EU) 2022/30, which sets out clear cybersecurity, privacy protection and fraud prevention requirements for radio equipment. It will come into effect on August 1, 2025. From that date, radio equipment must comply with the network information security requirements of points (d), (e) and (f) of Article 3(3) of the RED Directive before it can be sold on the EU market.
Standard Interpretation
01 Standard Harmonization
The EN 18031 series of standards is divided into three parts, EN 18031-1, EN 18031-2 and EN 18031-3, which correspond respectively to points (d), (e) and (f) of Article 3(3) of the RED Directive. Some chapters of the EN 18031 series are not considered harmonized in some cases. Where harmonization does not apply, products must be certified by a designated notified body (NB) before they can be put on the market.
Provisions related to the RED directive | Harmonized standard | Restrictive conditions |
Article 3(3)(d): Radio equipment does not damage the network or its functions, nor does it abuse network resources, thereby causing unacceptable service degradation. | EN 18031-1:2024 Common security requirements for radio equipment - Part 1: Internet connected radio equipment | Users are required to set and use passwords. If users are allowed not to set passwords, the EN 18031-1/2/3 standard will lose its harmonized status. |
Article 3(3)(e): Radio equipment includes protective measures to ensure that the personal data and privacy of users and subscribers are protected. | EN 18031-2:2024 Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment | Access control for parents or guardians must be ensured. If "Autonomous Access Control" is adopted in an incompatible mode, the EN 18031-2 standard will lose its harmonized status. |
Article 3(3)(f): Radio equipment supports certain functions to ensure fraud prevention. | EN 18031-3:2024 Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value | Security updates are required to be implemented through multiple mechanisms. If security updates are implemented using only one method (such as digital signatures or access control), which is insufficient to meet financial security requirements, the EN 18031-3 standard will lose its harmonized status. |
02 Scope of Application
In accordance with the requirements of the RED Directive Supplementary Authorization Act (EU) 2022/30, the new regulations apply to the following three categories of products:
1. Wireless devices that are directly or indirectly connected to the Internet;
2. Devices involving the processing of user privacy data, such as children's care devices, toys, wearable devices, etc.
3. Internet currency payment, transfer and transaction devices.
Note: ① The requirements of Article 3(3)(d), (e) and (f) of the RED Directive do not apply to medical device equipment within the scope of the MDR regulation. ② The requirements of Article 3(3)(e) and (f) of the RED Directive do not apply to aviation or road-traffic-related equipment within the scope of Regulation (EU) 2018/1139, Regulation (EU) 2019/2144 and Directive (EU) 2019/520.
Product examples within the applicable scope:
Example 1: Router | Example 2: Fitness wristband | Example 3: POS machine |
03 Test Requirements
In order to ensure that the test requirements are consistent among the three parallel standards (EN 18031-1/2/3), the new standard introduces the concept of "assets" as the main test object and classifies "assets", with each type of asset corresponding to different standard test requirements.
Standard | EN 18031-1 | EN 18031-2 | EN 18031-3 |
Provisions related to the RED directive | 3.3.(d) | 3.3.(e) | 3.3.(f) |
Security asset | √ | √ | √ |
Network asset | √ | _ | _ |
Privacy asset | _ | √ | _ |
Financial asset | _ | _ | √ |
The test contents of the EN 18031 series standards are shown in the following table. Each test item must undergo a "Conceptual assessment", a "Functional completeness assessment" and a "Functional sufficiency assessment".
Standard | General Requirements | Special requirements |
EN 18031-1 | Access Control, Authentication, Secure Update, Secure Storage, Secure Communication, Confidential Cryptographic Keys, General Equipment Capabilities | For security and network assets: Resilience, Network Monitoring, Traffic Control |
EN 18031-2 | Access Control, Authentication, Secure Update, Secure Storage, Secure Communication, Confidential Cryptographic Keys, General Equipment Capabilities | For security and privacy assets: Parental Control, Logging, Deletion, User Notification, External Sensing Capabilities |
EN 18031-3 | Access Control, Authentication, Secure Update, Secure Storage, Secure Communication, Confidential Cryptographic Keys, General Equipment Capabilities | For security and financial assets: Logging, Equipment Integrity (Secure Boot) |