Can manufacturers self-assess EN 18031 compliance?
Yes. For the RED Article 3.3(d) cybersecurity requirements the conformity route is Module A (internal production control, i.e. self-declaration): the manufacturer runs the assessment, documents the evidence, and signs the Declaration of Conformity. That is not the same as being able to skip the assessment itself. EN 18031-1 gives detailed criteria, decision trees, and required evidence for each requirement, and a vague reference to "we use TLS" is not a substitute for working through them.
The question we hear most often
“Can we self-certify our EN 18031 compliance?”
Short answer: yes — and no. It depends on which part of compliance you are asking about.
Here is what actually goes on behind the Declaration of Conformity, which for every connected radio device sold in the EU has had to cover these cybersecurity requirements since 1 August 2025.
A real case that illustrates the problem
Earlier this year, a hardware team reached out to us. They had a connected industrial sensor — fully designed, prototyped, first production batch already ordered.
During a compliance review, we identified a gap in their OTA update mechanism. Their firmware was delivered as an unsigned binary over HTTPS. The TLS certificate was validated. The firmware payload itself was not.
Under EN 18031-1 Clause 6.3.2 [SUM-2], this is non-compliant. The standard requires that “each update mechanism shall only install software whose integrity and authenticity are valid at the time of the installation.”
Fixing it required a new signing infrastructure, bootloader changes, and — because their MCU had no hardware crypto accelerator — a PCB revision. Four months and approximately €12,000 later, they shipped.
This is the kind of gap that self-assessment is supposed to catch before you spin hardware.
The lesson: “We use HTTPS” does not satisfy [SUM]. You must document the full verification chain — who signs the firmware, what algorithm is used, where the public key is stored, and how the bootloader validates the signature before execution. Without that evidence in your Technical File, your self-assessment is not defensible.
What CE marking actually involves for connected products
When a connected product receives CE marking under the Radio Equipment Directive, it covers requirements from multiple articles — assessed by different parties:
| Article | What it covers | Who assesses it |
|---|---|---|
| RED Art. 3.1(a) | Electrical safety | Accredited laboratory (ISO 17025) |
| RED Art. 3.1(b) | EMC | Accredited laboratory (ISO 17025) |
| RED Art. 3.2 | Radio performance (frequency, power) | Accredited laboratory (ISO 17025) |
| RED Art. 3.3(d) | Cybersecurity — EN 18031-1 | Manufacturer self-assessment (Module A) |
This is the distinction most teams miss: Module A (self-declaration) means you sign the DoC yourself. It does not mean you test everything yourself.
RF, EMC, and electrical safety assessments are in practice performed by an accredited laboratory whichever route you take for cybersecurity; a market surveillance authority will expect ISO 17025 test reports for them. Your self-assessment covers only the EN 18031 cybersecurity requirements.
EN 18031 has been the compliance route since 1 August 2025
Delegated Regulation (EU) 2022/30 made the cybersecurity requirements of RED Article 3.3(d), (e) and (f) applicable from 1 August 2025, and EN 18031 is the harmonised standard that gives presumption of conformity with them. Article 3.3(d) applies to any radio equipment that can connect to the internet, whether directly, via a gateway, or through a paired smartphone.
Unlike RF measurements, EN 18031 is primarily an architectural and design assessment. The manufacturer documents and verifies whether specific security mechanisms are implemented and functioning correctly. No specialized measurement equipment is required — but rigorous, clause-by-clause documentation is.
What EN 18031-1 self-assessment covers
EN 18031-1 is organised as a set of security mechanisms, each with its own assessment criteria and decision tree. The six that carry most of the evidence in a typical connected-device assessment:
[AUM] Authentication
Default passwords must be unique per device, or users must be forced to change them before first use. (Clause 6.2.5.1)
What “unique per device” requires in practice: a provisioning process at manufacturing that generates or assigns a distinct credential per unit — documented in your Technical File. Shared factory defaults (same password on every unit) are explicitly non-compliant.
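What "unique per device" looks like as a provisioning process is easier to review as code than as a paragraph. The following Go program is an added example, not code from the article or from Inovasense: it models the end-of-line station generating a random credential per serial, the record each unit keeps (a salted verifier and a must-change flag), a batch audit that catches shared factory defaults before the label queue is purged, and the firmware's behaviour on first login. The record layout, the serial numbers and the HMAC-SHA256 verifier (a stand-in for a memory-hard password hash) are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
)

// DeviceRecord is what the end-of-line station writes to a unit's secure storage
// (hypothetical layout for this example); the plaintext credential is never stored.
type DeviceRecord struct {
	Serial     string
	Salt       []byte
	Verifier   []byte // HMAC-SHA256 keyed with Salt; stand-in for a memory-hard KDF
	MustChange bool   // set at the factory, cleared only by a successful Rotate
}

// LabelEntry is the only place the plaintext exists: the label-printer queue.
type LabelEntry struct{ Serial, Password string }

var ErrBadCredential = errors.New("authentication failed")
var ErrChangeRequired = errors.New("factory credential must be replaced before use")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func computeVerifier(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// Provision issues a distinct random 80-bit credential to each serial in the batch.
func Provision(serials []string) (recs []DeviceRecord, labels []LabelEntry) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for _, s := range serials {
		pw, salt := enc.EncodeToString(randomBytes(10)), randomBytes(16) // 16-character label
		recs = append(recs, DeviceRecord{s, salt, computeVerifier(salt, pw), true})
		labels = append(labels, LabelEntry{s, pw})
	}
	return recs, labels
}

// AuditBatch runs before the label queue is purged. A shared default can only be
// caught here: once salted and hashed, identical passwords look different.
func AuditBatch(recs []DeviceRecord, labels []LabelEntry) (findings []string) {
	seen := map[string]string{}
	for _, l := range labels {
		if first, dup := seen[l.Password]; dup {
			findings = append(findings, fmt.Sprintf("%s shares its factory credential with %s", l.Serial, first))
		}
		seen[l.Password] = l.Serial
	}
	for _, r := range recs {
		if !r.MustChange {
			findings = append(findings, r.Serial+": MustChange not set, unit would run on its factory credential")
		}
	}
	return findings
}

// Authenticate is the firmware side of [AUM]: a correct factory credential earns
// ErrChangeRequired, not a session, until Rotate has replaced it.
func Authenticate(rec *DeviceRecord, password string) error {
	if subtle.ConstantTimeCompare(computeVerifier(rec.Salt, password), rec.Verifier) != 1 {
		return ErrBadCredential
	}
	if rec.MustChange {
		return ErrChangeRequired
	}
	return nil
}

// Rotate replaces the credential and clears the must-change state.
func Rotate(rec *DeviceRecord, current, next string) error {
	if err := Authenticate(rec, current); err != nil && err != ErrChangeRequired {
		return err
	}
	if len(next) < 12 || next == current {
		return errors.New("new credential rejected by policy")
	}
	salt := randomBytes(16)
	rec.Salt, rec.Verifier, rec.MustChange = salt, computeVerifier(salt, next), false
	return nil
}

func main() {
	recs, labels := Provision([]string{"SN-0001", "SN-0002", "SN-0003"}) // constructed serials
	rec := &recs[0]
	fmt.Println("audit:", AuditBatch(recs, labels), "| first login:", Authenticate(rec, labels[0].Password))
	fmt.Println("rotate:", Rotate(rec, labels[0].Password, "correct-horse-battery"),
		"| login after rotate:", Authenticate(rec, "correct-horse-battery"))
}
```

The audit has to run on the label queue, not on what ships in the units: once each credential is salted and hashed, two units with the same factory password produce different verifiers and the duplicate becomes invisible. The provisioning log and the audit output are the kind of [AUM] evidence the Technical File needs.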
[SUM] Secure Updates
Every software update must be verified for integrity and authenticity before installation. (Clause 6.3.2.1)
Evidence required: which signing algorithm is used, where the verification key is stored, and how the bootloader enforces rejection of unsigned or tampered payloads. Rollback protection is a best practice; the standard provides guidance but does not mandate hardware-enforced anti-rollback for [SUM] specifically.
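The case described earlier (an unsigned binary delivered over validated HTTPS) and the [SUM] evidence list above come down to one check that the bootloader has to perform itself. The following Go program is an added example, not code from the article or from Inovasense: it models the build-server signing step and the bootloader's verification over a hypothetical image layout (a 12-byte header, the payload, and an Ed25519 signature over the whole body). The image format, the version field and the key names are assumptions for illustration; the anti-rollback comparison is included as the optional best practice the text mentions. Go's standard library is used so the code runs without a target board.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (hypothetical, not the standard's or any
// vendor's format):
//   magic "FWIM" | version uint32 LE | payload length uint32 LE | payload | Ed25519 signature
// The signature covers SHA-256 of everything before it, so version and length are
// authenticated together with the payload.
const (
	magic  = "FWIM"
	hdrLen = 12
)

var (
	ErrBadFormat = errors.New("image: malformed header or length")
	ErrBadSig    = errors.New("image: signature does not verify under the pinned key")
	ErrRollback  = errors.New("image: version older than the installed one")
)

// BuildImage is the build-server side: the release key signs header and payload.
func BuildImage(releaseKey ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.LittleEndian.PutUint32(body[4:], version)
	binary.LittleEndian.PutUint32(body[8:], uint32(len(payload)))
	body = append(body, payload...)
	digest := sha256.Sum256(body)
	return append(body, ed25519.Sign(releaseKey, digest[:])...)
}

// VerifyImage is what the bootloader does before writing anything to flash.
// pinnedKey is the public key baked into the bootloader; installed is the version
// currently running. Whether the image arrived over HTTPS plays no part here.
func VerifyImage(pinnedKey ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrBadFormat
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	bodyLen := hdrLen + int(binary.LittleEndian.Uint32(img[8:12]))
	if bodyLen+ed25519.SignatureSize != len(img) {
		return 0, nil, ErrBadFormat
	}
	body, sig := img[:bodyLen], img[bodyLen:]
	digest := sha256.Sum256(body)
	// Authenticity and integrity first: no header field is trusted until this passes.
	if !ed25519.Verify(pinnedKey, digest[:], sig) {
		return 0, nil, ErrBadSig
	}
	// Anti-rollback is optional under [SUM], but cheap once the version is authenticated.
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[hdrLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware blob, not a real image")
	img := BuildImage(priv, 2, payload)

	v, out, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine v2 offered to a v1 device:", v, bytes.Equal(out, payload), err)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen+3] ^= 0x01 // one payload bit flipped after signing
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered payload:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, _, err = VerifyImage(otherPub, 1, img)
	fmt.Println("signed by a different key (TLS would not have noticed):", err)

	_, _, err = VerifyImage(pub, 3, img)
	fmt.Println("v2 offered to a v3 device:", err)
}
```

The point worth copying is the order of checks: the pinned public key authenticates header and payload together before the version is even read, so a flipped byte, an image signed with someone else's key, or a truncated download all fail before anything is written to flash. The [SUM] entry in the Technical File then describes exactly this routine, plus where `pinnedKey` lives on the device and who holds `releaseKey`.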
[SSM] Secure Storage
Credentials, cryptographic keys, and sensitive parameters must be protected from unauthorized access or disclosure.
EN 18031 is technology-neutral on implementation: a hardware Secure Element, TrustZone-backed key service, OTP/eFuse storage, or a software-based mechanism can all satisfy SSM — but each requires a different level of documentation. A software-based SSM with no hardware isolation will face close scrutiny from any market surveillance authority reviewing your Technical File.
[ACM] Access Control
Access to network assets and security assets must be restricted to authorized entities. Unprotected debug interfaces, open MQTT brokers, and unauthenticated management APIs are common gaps here.
[SCM] Secure Communications
Communications must be authenticated and encrypted. Documenting SCM compliance means specifying the TLS version, cipher suites, certificate validation chain, and how certificate pinning or CA verification is enforced — not just noting “we use TLS 1.2.”
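The SCM evidence list is easiest to produce when the configuration is code that can be read and audited. The following Go program is an added example, not code from the article or from Inovasense: it builds a constructed in-memory PKI (a fleet root CA and a server leaf), shows the client configuration a device would document (pinned CA, hostname check, TLS 1.2 floor, AEAD suites), the chain check the handshake applies to the server's certificate, and an audit that flags the "we use TLS" settings beside it. The certificate names, the hostname `api.fleet.example` and the function names are assumptions for illustration; the cipher-suite constants and `tls.InsecureCipherSuites` are Go's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a P-256 certificate for name: a self-signed root when parent is
// nil, otherwise a server leaf signed by parent. Constructed for this example.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// DeviceClientConfig is what the device documents under [SCM]: pinned fleet CA, hostname
// check, TLS 1.2 floor, AEAD-only TLS 1.2 suites (TLS 1.3 suites are fixed by the library).
func DeviceClientConfig(fleetCA *x509.Certificate, backendHost string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	return &tls.Config{
		RootCAs:    roots,       // pin to the fleet CA, not the OS trust store
		ServerName: backendHost, // must match a SAN in the server's leaf
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
	}
}

// VerifyServerCert applies cfg's trust decisions to the server's leaf the way the handshake
// does: path to the pinned root, hostname, validity period, server EKU. Intermediates, if
// the fleet PKI has any, go into VerifyOptions.Intermediates.
func VerifyServerCert(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// AuditClientConfig returns the findings a Technical File reviewer would raise.
func AuditClientConfig(cfg *tls.Config) []string {
	var findings []string
	add := func(cond bool, msg string) {
		if cond {
			findings = append(findings, msg)
		}
	}
	add(cfg.InsecureSkipVerify, "InsecureSkipVerify set: server certificate not validated")
	add(cfg.RootCAs == nil, "RootCAs unset: trusts the OS store instead of a pinned CA")
	add(cfg.ServerName == "", "ServerName unset: no hostname verification")
	add(cfg.MinVersion < tls.VersionTLS12, "MinVersion not pinned to TLS 1.2 or higher")
	for _, s := range tls.InsecureCipherSuites() {
		for _, id := range cfg.CipherSuites {
			add(id == s.ID, "insecure cipher suite enabled: "+s.Name)
		}
	}
	return findings
}

func main() {
	fleetCA, caKey := issue("Example Fleet Root CA", nil, nil)
	leaf, _ := issue("api.fleet.example", fleetCA, caKey)
	cfg := DeviceClientConfig(fleetCA, "api.fleet.example")
	fmt.Println("genuine backend:", VerifyServerCert(cfg, leaf))
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, // "we use TLS"
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA}}
	fmt.Println("device findings:", AuditClientConfig(cfg), "| weak findings:", AuditClientConfig(weak))
}
```

Every line of `DeviceClientConfig` maps to one SCM evidence item (version, suites, trust anchor, hostname check), which is what makes it reviewable; the weak configuration produces six findings, the first of which means the device would accept a certificate from anyone.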
[RLM] Resilience
The device must be resilient against network-level attacks. Rate limiting, exponential backoff for reconnection, and protection against denial-of-service vectors are typical evidence points.
What self-assessment means in practice
Self-assessment for EN 18031 means four things:
- You define which mechanisms apply to your product and which clauses are relevant
- You document how each requirement is implemented, with reference to specific firmware, hardware, and configuration evidence
- You assess your implementation against the standard’s decision trees and pass/fail criteria
- You sign the Declaration of Conformity as the responsible manufacturer, taking legal accountability for the assessment
The standard provides explicit assessment criteria for each requirement. You work through these systematically — clause by clause, with referenced evidence for each.
What you cannot do: guess. “We use TLS” is insufficient. You need to document which TLS version, which cipher suites, how certificates are validated, how updates are signed, and how the signing key is protected.
Three misconceptions we encounter regularly
“Our module has a CE mark, so we’re covered.”
A module's CE mark covers the module as its vendor placed it on the market (its own radio performance and, typically, EMC and safety). EN 18031 under Art. 3.3(d) is assessed at the complete product level. Your firmware, OTA mechanism, credential storage, and network architecture are your responsibility, not the module vendor's. Not even a fully CE-marked module with an RF certificate transfers the EN 18031 assessment to the module supplier.
“EN 18031 requires a Notified Body.”
No, provided you apply the harmonised standard in full. EN 18031 falls under Module A (self-declaration). Notified Body involvement (EU-type examination under Module B+C, or full quality assurance under Module H) is needed only if you do not apply the harmonised standard, apply it only partially (a common situation with EN 301 893, where the DFS requirements are not fully applied), or fall under one of the restrictions attached to the standard's listing in the Official Journal (the January 2025 listing of the EN 18031 series carries such restrictions, notably where a product lets the user operate it without setting a password). Read more in our detailed RED Delegated Act and EN 18031 overview.
“Self-assessment means we can skip the testing.”
No. Self-assessment means you are responsible for the assessment. It must be rigorous, documented, and verifiable by a market surveillance authority. Germany’s Bundesnetzagentur, France’s DGCCRF, and the Dutch RDI all have active market surveillance programs for connected radio equipment. A non-defensible Technical File creates real enforcement exposure.
The complete compliance checklist for EU connected products
For an EU-compliant connected product placed on the market after 1 August 2025:
Laboratory tests (accredited lab required):
- ✅ RF test report — Art. 3.2, accredited ISO 17025 laboratory
- ✅ EMC test report — Art. 3.1(b), accredited ISO 17025 laboratory
- ✅ Electrical safety report — Art. 3.1(a), if applicable
EN 18031 self-assessment (manufacturer-completed):
- ✅ [AUM] Assessment — unique or forced-change default credentials documented
- ✅ [SUM] Assessment — firmware signing chain documented with evidence
- ✅ [SSM] Assessment — key and credential storage mechanism documented
- ✅ [ACM] Assessment — access control restrictions documented
- ✅ [SCM] Assessment — TLS version, cipher suites, certificate handling documented
- ✅ [RLM] Assessment — resilience mechanisms documented
Documentation:
- ✅ Technical File with all supporting evidence
- ✅ Declaration of Conformity referencing Arts. 3.3(d)(e)(f)
- ✅ Signed DoC — manufacturer takes legal accountability
For a full overview of which EU directives and standards apply to your specific product category, see our EU Compliance guide.
About the Author
Vladimir Vician is the founder of Inovasense, an EU-based embedded hardware and compliance engineering company. With over 10 years of experience in embedded hardware design, he works with hardware manufacturers on complete EU regulatory compliance — from silicon selection and Technical File preparation through CE marking, EN 18031 assessment, and CRA readiness. He is the author of the MCU vs MPU Architecture Advisor tool used by hardware teams across Europe.
Connect on LinkedIn · Inovasense Embedded Security & IoT
Official References
- EN 18031-1:2024 — full standard text — CEN/CENELEC
- Commission Delegated Regulation (EU) 2022/30 — RED Delegated Act full text — EUR-Lex
- Directive 2014/53/EU (RED) — base directive — EUR-Lex
- Harmonised standards list for RED — European Commission
This article is for informational purposes only and does not constitute legal or compliance advice. Requirements vary by product category and applicable clauses. Always verify against the full standard text and consult a qualified compliance professional for your specific product.