In an era where Internet of Things (IoT) devices are proliferating at an unprecedented rate, ensuring robust security measures is no longer optional—it is a necessity. The new European standard EN 18031-1/-2/-3:2024 sets a critical baseline for security in internet-connected radio equipment, including industrial IoT devices, providing manufacturers, integrators, and businesses with a clear framework to mitigate cybersecurity risks and ensure compliance with upcoming EU regulations.
A new standard is being introduced to tighten cybersecurity requirements. From August 2025 (originally planned for 2024, but now confirmed for 2025), technology companies will face a new reality. The EU’s updated Radio Equipment Directive (RED) comes with stricter cybersecurity regulations—rules that will impact everything from smartwatches to network equipment and IoT sensors. The tricky part? Without this certification, your product will not meet CE marking requirements. And if you are not ready? The consequence could be that you are forced to halt sales until you can prove compliance! As always with new regulations, the real pitfalls hide in the fine details.
Grand promises -tough requirements
The cybersecurity requirements are clear. From August 2025, radio equipment that processes personal data or connects to a network must ensure the protection of user data and privacy. The goal is simple: to prevent devices from becoming a threat to networks or users. Additionally, robust mechanisms to counter cybersecurity threats must be in place.
For those who have not designed their products with cybersecurity in mind, this could mean patching security holes and addressing existing vulnerabilities. But in the long run, it is about building solutions with “Security by Design,” where security is embedded from the initial design phase all the way to product launch.
There has been a great deal of uncertainty about which standard companies must certify against to meet the requirements. The European Commission has delayed the process to an absurd degree. The uncertainty surrounding what applies can be compared to building a house without knowing exactly which construction standards will be enforced. Should you wait and risk delays, or take a chance and risk having to rebuild everything? Until recently, most of the available information online pointed toward a different standard than the one that was ultimately approved. So, it is like building a house based on YouTube tutorials, only to realize too late that you got stuck in the wrong filter bubble and followed recommendations that were completely incorrect. That is the situation many developers have found themselves in—until now.
To make life easier for those working with hardware, an extended period has been granted for product adaptation, but authorities have not been clear about what exactly should be adapted. A reasonable timeframe? Less than six months. Within this period, all products falling within the directive’s scope must be tested and verified against standard EN 18031-1:2024 (or EN 18031-2:2024 / EN 18031-3:2024, depending on the product). The goal is razor-sharp, but the timeline feels about as realistic as us building townhouses on the moon within five years (based on YouTube guides). And here lies the real headache—time. If you want to do this properly and do not know how, you should bring in an accredited lab.
What’s at stake?
The consequences of not being ready could be costly. Without proper CE marking, you will not be allowed to sell your products within the EU. Non-compliance can lead to fines and legal risks, and an insecure product is never a good product—customers do not forget a security breach.
As cyber threats evolve, implementing the guidelines set forth is crucial for safeguarding data integrity, device security, and network resilience. Organizations failing to comply may not only expose their IoT deployments to attacks, data breaches, and operational disruptions, but also risk non-compliance with regulatory frameworks such as the EU Radio Equipment Directive (RED).
Understanding EN 18031
The standard defines common security requirements for internet-connected radio equipment, including industrial IoT devices, smart meters, connected sensors, and embedded systems that rely on network communication. The standard addresses key cybersecurity principles, such as:
- Access Control Mechanisms (ACM): Ensuring only authorized entities can access security and network assets.
- Authentication (AUM): Implementing robust identity verification to prevent unauthorized access.
- Secure Firmware Updates (SUM): Ensuring firmware integrity with cryptographic verification.
- Data Encryption & Secure Storage (SSM, CCK): Protecting sensitive data and cryptographic keys from unauthorized extraction.
- Secure Communication (SCM): Ensure secure communication protocols such as TLS for MQTT or end-to-end encryption for LoRaWAN, mutual authentication, and replay protection.
- Resilience & Network Monitoring (RLM, NMM): Implementing logging, intrusion detection, and real-time network surveillance.
By aligning with best practices in cybersecurity, EN 18031-1:2024 sets a baseline for security-by-design, significantly reducing the attack surface of connected devices.
Cybersafety is not just about compliance. It’s not about showcasing a certificate in August, but a continuous and demanding journey to keep the bad actors away from the device you sell to your customer.
The adoption of EN 18031-1:2024 is not just about compliance; it is about future-proofing IoT systems against an increasingly sophisticated threat landscape. Below are key reasons why organizations should implement the standard as soon as possible:
Step 1: Conduct a security gap assessment
Evaluate existing security measures against the requirements in EN 18031-1:2024. Identify weaknesses in access control, encryption, firmware updates, and authentication mechanisms.
Step 2: Strengthen cryptographic security
Implement TLS encryption for MQTT communications. Secure cryptographic keys using hardware security modules (HSM) or TPM. Introduce key rotation policies to prevent static credential reuse.
Step 3: Secure the firmware update process
Enforce signed firmware updates to block unauthorized modifications. Implement a secure boot mechanism to prevent tampering. Utilize a firmware integrity verification system to ensure that only trusted updates are installed, preventing unauthorized rollbacks or outdated insecure versions
Step 4: Hardening physical interfaces (Ethernet, RS-232, UART, I2C, GPIO)
Disable or restrict UART debug interfaces to prevent unauthorized access. Require authentication for accessing serial communication ports. Encrypt stored data to protect against hardware-based attacks.
Step 5: Implement continuous monitoring & incident response
Enable network logging and intrusion detection to detect security anomalies. Regularly audit device activity for unauthorized access attempts. Establish incident response protocols to mitigate cyber threats quickly.
Conclusion
While I do not claim to be an expert in certification, I recognize the critical importance of secure data transmission and compliance with cybersecurity regulations. But at the same time I embrace the idea of secure data transmission and protecting valueable data. Given the growing cybersecurity risks and tightening regulations, early adoption is not just recommended—it is essential.
For businesses looking to align with EN 18031-1:2024, the time to act is now. Evaluate your IoT security framework, implement necessary upgrades, and future-proof your devices against cyber threats. Your security strategy today will define your resilience tomorrow.