The networking of modern devices is advancing rapidly – from smart toys and industrial radio modules to complex IoT systems. This also increases the risks: insecure authentication, manipulable updates or weak default settings can seriously endanger users. This is precisely where the DIN EN 18031 series of standards comes in. For the first time, it defines binding technical requirements for the cyber security of radio equipment that communicates via the internet or processes personal data, and since 1 August 2025, it has been the authoritative technical reference point for products covered by the Radio Equipment Directive (RED).
DIN EN 18031 – the technical standard for secure radio systems
The EN 18031 series was developed to make the extended cybersecurity requirements of the RED (in particular Articles 3(3)(d), (e) and (f)) precisely comprehensible. DIN EN 18031-2, the German version of which has been available since March 2025, plays a central role in this. It addresses radio equipment that processes data, including internet-enabled toys, childcare radio equipment and portable radio devices. The DIN Consumer Council closely monitored the development process and contributed consumer requirements, particularly with regard to smart toys.
Important in practice: Since its listing in the EU Official Journal on 28 January 2025, EN 18031 has been established as a harmonised standard, albeit with restrictions. In principle, the standard permits manufacturers to specify that passwords cannot be changed by the user. However, this option is not considered compatible with the basic RED security requirements. Where a manufacturer makes use of it, the presumption of conformity no longer applies and the product requires assessment by a notified body. This increases the burden on manufacturers, both technically and organisationally.
Since 1 August 2025, affected radio equipment may only be placed on the market if it reliably meets the requirements of EN 18031. For many companies, this meant a thorough reassessment of existing product lines. Even previously uncritical devices could suddenly fall under the extended security requirements due to individual functional features – for example, if secure update mechanisms or effective access controls were missing. The standard thus establishes security by design as a consistent guiding principle: security is not retrofitted, but integrated into development from the outset – including documentation, secure standard configurations and proof that devices neither endanger networks nor inadequately protect personal data.
From technical standard to EU-wide regulation: the bridge to the CRA
While DIN EN 18031 specifies the technical implementation for radio equipment, the Cyber Resilience Act (CRA) has provided a legally binding minimum standard for all products with digital elements since its publication as an EU regulation. In terms of content, the two overlap: what EN 18031 specifies methodically for radio equipment – such as secure by design and secure by default – is prescribed horizontally for the entire internal market in the CRA. Anyone who has been consistently developing products in accordance with EN 18031 since 2025 will thus have created a solid foundation for efficiently fulfilling the CRA obligations.
The Cyber Resilience Act – the EU legal framework for digital products
The CRA applies to almost all products with digital components – from smart home devices and enterprise software to industrial systems. Non-commercial open source software is exempt. The CRA came into force 20 days after its publication in the EU Official Journal and has been implemented in stages since then; from the end of 2027, new products placed on the market must fully comply with the requirements.
The central goal is to consider cybersecurity throughout the entire life cycle: manufacturers take risks into account from the development stage onwards, implement secure default settings (e.g. prohibition of weak default passwords, automatic security updates), operate vulnerability management and provide security updates throughout the entire support period – usually over five years. A key innovation is the mandatory Software Bill of Materials (SBOM), which clearly documents which components are included in the software. The European IT security authority ENISA provides a central platform for reporting actively exploited vulnerabilities and serious security incidents, which manufacturers are required to use. Depending on the product class, proof of compliance is provided in the form of a self-assessment or via notified third-party bodies – stricter procedures apply to “important” or “critical” products, such as firewalls or smart meter gateways.
Common goal: a resilient, secure EU digital market
Since August 2025, DIN EN 18031 has set the technical standard for radio equipment, and from the end of 2027, the CRA applies in full to newly marketed products. Together, they ensure that cybersecurity is not optional, but an integral part of product development and operation. This creates clear guidelines for manufacturers – from architecture, updates and SBOM transparency to reporting requirements and conformity assessment.
For companies such as SE-Elektronic, this development opens up opportunities: those who have designed their products in line with the standard since the EN changeover are CRA-ready, strengthen their market approval in the internal market and build trust with customers, a decisive competitive factor in an environment where security incidents quickly lead to reputational damage.
Would you like to see DIN EN 18031-compliant radio modules and components that are already “secure by design”? Discover our products now.