On January 28, 2025, the European Commission published Commission Implementing Decision (EU) 2025/138, introducing three new harmonised cybersecurity standards for radio equipment. This decision, which amends the earlier Implementing Decision (EU) 2022/2191, aims to strengthen security measures in line with Directive 2014/53/EU, focusing on the categories outlined in Delegated Regulation (EU) 2022/30.
These new standards reflect the EU’s commitment to enhancing cybersecurity in an era where connected devices dominate both personal and professional landscapes.
What Is Commission Implementing Decision (EU) 2025/138?
Commission Implementing Decision (EU) 2025/138 updates the list of harmonised standards that ensure compliance with cybersecurity requirements for radio equipment. This decision is pivotal for manufacturers because it provides a clear framework for demonstrating conformity with EU regulations, enhancing product security and consumer trust.
The decision introduces three key standards:
- EN 18031-1:2024 – Common Security Requirements for Internet-Connected Radio Equipment
- EN 18031-2:2024 – Security Requirements for Childcare, Toys, Wearable, and Data-Processing Radio Equipment
- EN 18031-3:2024 – Security Requirements for Devices Handling Virtual Money or Monetary Value
Breakdown of the Three New Cybersecurity Standards
1. EN 18031-1:2024 – Internet-Connected Radio Equipment
This standard sets out common security requirements for devices that connect to the internet, addressing vulnerabilities in default settings, data protection, and secure communications.
- Key Focus: Default password security, data encryption, and risk mitigation strategies.
- Restriction: Devices that allow operation without password protection may not meet compliance standards.
2. EN 18031-2:2024 – Childcare, Toys, and Wearable Devices
Designed to safeguard radio equipment targeted at vulnerable groups (children and wearable tech users), this standard emphasizes parental control mechanisms and secure data management.
- Key Focus: Access control for toys, ensuring parental or guardian oversight.
- Restriction: Lack of robust parental control mechanisms could lead to non-compliance.
3. EN 18031-3:2024 – Devices Handling Virtual Money
This standard addresses security in devices processing virtual currencies or monetary values, focusing on secure transactions and data integrity.
- Key Focus: Secure update mechanisms, authentication protocols, and fraud prevention.
- Restriction: Inadequate secure update procedures may result in non-conformity with EU regulations.
For expert advice on compliance with EU cybersecurity standards or to ensure your products meet the latest requirements, reach out to iCertifi at info@icertifi.com. We’re here to help you navigate the complexities of regulatory compliance with ease.