The EN 18031 series is Europe’s emerging cybersecurity standard family for radio-equipped products, defining what it means for a connected device to be secure, robust, and resilient under the Radio Equipment Directive (RED) Article 3.3(d), (e), and (f).

While Part 1 provides the horizontal baseline security requirements, Parts 2 and 3 add controls for specific categories of products: devices that process personal, traffic, or location data, and devices that process or transfer money or monetary value.

If your company designs, builds, or markets wireless, IoT, or data-processing products for the EU, the EN 18031 series is the central framework for your cybersecurity conformity assessment.

This post explains all three parts, how they apply to manufacturers, and why they matter.

Overview of the EN 18031 Series

The standard series is structured as follows:

  • EN 18031-1: Baseline cybersecurity requirements for all in-scope radio equipment.
  • EN 18031-2: Additional requirements for devices that process personal, traffic or location data — with particular emphasis on childcare equipment, toys, and wearables.
  • EN 18031-3: Additional requirements for equipment that processes or transfers money or monetary value.

In other words:

  • Part 1 = baseline security for radio products.
  • Part 2 = extra protection for people’s data, privacy, and location.
  • Part 3 = extra protection for payments and monetary value.

EN 18031-1: Base Requirements (Applies to Almost Everyone)

EN 18031-1 provides the horizontal baseline cybersecurity requirements that most radio equipment must meet. It covers:

  • Secure boot, firmware integrity, and update security.
  • Cryptographic protections and key management.
  • Access control and authentication.
  • Network integrity and resilience against attacks.
  • Data confidentiality and privacy controls.
  • Logging, monitoring, and security documentation.

Applicability:
Almost any radio-enabled product that falls under RED Article 3.3(d/e/f) will need to demonstrate compliance with EN 18031-1 or an equivalent technical basis.

EN 18031-2: Additional Requirements for Devices Processing Personal, Traffic or Location Data

EN 18031-2 builds on Part 1 with added protections for devices that process personal data, traffic data, or location data. This is especially relevant where the end users are children or where fine-grained location tracking is involved.

Who Does EN 18031-2 Apply To?

Your product is likely in scope for EN 18031-2 if it:

  • Processes personal data directly related to a specific user or child.
  • Handles telecom “traffic data” (who communicates with whom, when, and how).
  • Collects, transmits, or stores location data, especially continuous tracking.
  • Targets children or vulnerable users as a primary audience.

Typical examples include:

  • Childcare and baby-monitoring equipment with radio connectivity.
  • Smart toys that connect to apps or cloud services.
  • Wearables such as smartwatches and fitness trackers with GPS.
  • Location-tracking devices (child locators, pet trackers, asset tags used on people).
  • Consumer devices that infer sensitive behaviours from traffic or location patterns.

What Additional Requirements Does EN 18031-2 Introduce?

On top of the Part 1 baseline, EN 18031-2 focuses on privacy, confidentiality, and misuse prevention, for example:

  • Stronger protections for the collection, storage, and transmission of personal data.
  • Safeguards against unauthorized access to traffic/location data, including robust authentication and access control.
  • Requirements for minimizing data collection and retention where possible (“data minimization” principles).
  • Enhanced protections to prevent covert tracking or surveillance of users, especially children.
  • Clear handling of consent, user awareness, and secure default configurations for privacy.

In practice, Part 2 pushes manufacturers to treat personal and location data as high-sensitivity information with appropriate technical protections.

EN 18031-3: Additional Requirements for Money and Monetary Value

EN 18031-3 introduces further requirements for radio equipment that processes or transfers money or monetary value. This includes devices that initiate, authorize, or execute payments, as well as equipment that stores or represents digital value.

Who Does EN 18031-3 Apply To?

Examples of in-scope products include:

  • Point-of-sale (POS) terminals and mobile payment readers.
  • Contactless payment devices and card readers.
  • Equipment used for ticketing and fare collection (transport cards, turnstile readers, etc.).
  • Radio-enabled devices that store or transfer prepaid balances, vouchers, or other forms of monetary value.
  • Embedded payment modules integrated into consumer products (e.g., wearables with NFC payment).

What Additional Requirements Does EN 18031-3 Introduce?

Building on the baseline of Part 1 (and Part 2 when personal data is involved), EN 18031-3 focuses on transaction integrity, anti-fraud, and protection of monetary value, for example:

  • Stronger requirements for cryptographic protection of payment data and keys.
  • Mechanisms to ensure that transactions cannot be modified, replayed, or forged in transit.
  • Protections against cloning or tampering with devices that hold monetary value or payment credentials.
  • Enhanced logging and traceability of payment-related events to support fraud detection and dispute handling.
  • Robust handling of secure elements, secure enclaves, or dedicated hardware used for payments.

In short, Part 3 treats radio equipment involved in payments as a financially critical system that must withstand more sophisticated attacks.

Why the EN 18031 Series Matters for Organizations

For manufacturers, the EN 18031 series is not just a paperwork exercise — it has direct implications for design, architecture, and market access.

  • Regulatory compliance: It provides the technical basis for demonstrating conformity with RED Article 3.3(d/e/f) cybersecurity requirements.
  • Privacy and safety: Parts 2 and 3 explicitly protect users’ personal data, location, and financial transactions.
  • Market differentiation: Demonstrating security-by-design and robust implementation can be a competitive advantage.
  • Alignment with broader EU initiatives: The series dovetails with the EU’s broader cybersecurity and product safety agenda (e.g. the Cyber Resilience Act).
  • Risk reduction: Early adoption reduces the risk of recalls, incidents, and costly post-market fixes.

Which Parts of EN 18031 Apply to Your Product?

A simple way to think about applicability:

  • EN 18031-1: Applies to most radio devices within the scope of RED Article 3.3(d/e/f).
  • EN 18031-2: Add this if your product processes personal, traffic, or location data — especially for children (toys, wearables, trackers, childcare equipment).
  • EN 18031-3: Add this if your product processes or transfers money or monetary value (payment devices, fare systems, prepaid value, etc.).

Many modern products will fall under multiple parts. For example:

  • A child’s smartwatch with GPS and payment capability could be in scope for all three: Part 1 (baseline), Part 2 (personal/location data), and Part 3 (monetary value).
  • A simple radio sensor that does not handle personal data or payments may only need Part 1.

Conclusion

The EN 18031 series clarifies what secure radio equipment must do across three layers: a baseline for all, extra protection for personal/location data, and targeted safeguards for payment-related functionality.

Manufacturers who map their products carefully to EN 18031-1, -2, and -3 can design security into their devices from the start, streamline their conformity assessment, and provide stronger assurances to regulators, customers, and end users.

As enforcement timelines approach, now is the time to align product roadmaps, firmware design, and documentation with the structure and intent of the EN 18031 series.