EN 18031 Clause Mapping Tools: How to Choose the Right One
Clause mapping is the core activity behind EN 18031 compliance. The right tool can turn months of manual spreadsheet work into a structured, guided workflow. This article compares three categories of tools and explains what to look for in an EN 18031 clause mapping solution.
March 28, 2026

EN 18031 clause mapping is the process of systematically linking every requirement in the standard to the corresponding evidence, assessment outcome, and documentation in your device's technical file. Without an effective tool, this process is error-prone, slow, and difficult to maintain across product variants.
Clause mapping is mandatory, not optional: EN 18031 compliance requires demonstrating that every applicable requirement has been addressed with documented evidence - clause by clause, table by table.
Three categories of tools exist: Manual spreadsheets, dedicated compliance trackers, and AI-powered platforms each offer different levels of automation and structure.
AI-powered tools deliver the highest efficiency: Platforms like RedComply automate clause-to-evidence linking, decision tree navigation, test plan generation, and Declaration of Conformity output.
The standard's structure demands specialized tooling: EN 18031's hierarchy of sections, subsections, tables, and decision trees does not fit well into generic GRC or spreadsheet tools.
Multi-standard scope adds complexity: Projects targeting EN 18031-1, -2, and -3 simultaneously need tools that understand standard field inheritance and can filter requirements dynamically.

Clause mapping in the context of EN 18031 means tracing each requirement in the harmonised standard back to specific evidence in your device's technical documentation. The Radio Equipment Directive (RED) - via Delegated Regulation (EU) 2022/30 - requires manufacturers to demonstrate conformity with Articles 3.3(d), 3.3(e), and 3.3(f). EN 18031 (parts 1, 2, and 3) provides the presumption of conformity framework.
Unlike simpler standards that use flat checklists, EN 18031 has a deeply nested structure:
Sections: Top-level compliance domains such as Equipment Identification, Access Control Mechanisms, Vulnerability Handling, Cryptography, Software Update Mechanisms, and Logging
Subsections: Finer divisions within each section, often with their own standard applicability (EN 18031-1, -2, or -3)
Tables: Structured data entry grids where manufacturers document assets, mechanisms, assessment outcomes, and justifications
Decision trees: Branching questionnaires linked to specific table rows that produce PASS, FAIL, or NOT_ASSESSED outcomes
Test plans: Three-tier assessments (Conceptual, Functional Sufficiency, Functional Completeness) with auto-calculable verdict criteria
A clause mapping tool must handle all these levels. A flat spreadsheet can track clause numbers, but it cannot enforce the hierarchical relationships, automate decision tree navigation, or calculate test plan verdicts.
Clause mapping is one phase of a larger workflow. Our risk assessment guide shows how it fits into the complete EN 18031 compliance process.
Why Standard Field Inheritance Matters
EN 18031 uses a concept called standard field inheritance. The `standard` field (indicating whether a requirement applies to EN 18031-1, -2, -3, or any combination) cascades from sections down to subsections, tables, and individual columns. If a subsection does not specify a standard, it inherits from its parent section. Any tool that claims to support EN 18031 clause mapping must respect this inheritance - otherwise, manufacturers will see requirements that do not apply to their project scope, or worse, miss requirements that do.

Not all tools are created equal. The market for EN 18031 compliance tooling can be divided into three broad categories, each with distinct strengths and limitations.
For a broader evaluation of compliance management platforms beyond just clause mapping, see our compliance management solutions guide.
1. Manual Spreadsheets and Document Templates
The most common starting point. Manufacturers create Excel or Google Sheets files with columns for clause numbers, requirement descriptions, compliance status, evidence references, and notes. Some consulting firms provide pre-built templates.
Pros: Low cost, familiar tools, full control over structure
Cons: No enforcement of clause hierarchy, no decision tree support, manual verdict calculation, high risk of copy-paste errors, difficult to maintain across product families
Best for: Small manufacturers with a single device and no plans for multi-standard or multi-device compliance
2. Dedicated Compliance Tracking Tools
A growing category of software products designed specifically for regulatory compliance tracking. These tools offer structured clause management, status tracking, and sometimes basic reporting. Examples include general GRC platforms adapted for EN 18031 or niche tools built for RED compliance.
Pros: Structured clause tracking, status dashboards, team collaboration features, better than spreadsheets for audit trails
Cons: Typically lack EN 18031-specific features (decision trees, test plan auto-calculation, standard field inheritance), may require significant manual configuration, limited or no AI assistance
Best for: Medium-sized teams needing structured tracking but willing to handle assessment logic manually
3. AI-Powered Compliance Platforms
The newest category, purpose-built for the specific structure and workflow of EN 18031. These platforms encode the standard's template hierarchy directly, support decision trees and test plans natively, and use AI to assist with documentation, consistency checking, and verdict calculation.
Pros: Full EN 18031 template structure built in, AI-assisted table completion and consistency checking, automated decision tree navigation, test plan auto-calculation with verdict criteria masks, Declaration of Conformity PDF generation, multi-standard filtering via standard field inheritance
Cons: Higher learning curve for first-time users, subscription cost, dependency on platform availability
Best for: Manufacturers with multiple devices, multi-standard projects (EN 18031-1 + -2 + -3), or teams that need to produce technical documentation efficiently and consistently
The following table summarises how each tool category handles the key requirements of EN 18031 clause mapping.
| Capability | Spreadsheet | Dedicated Tracker | AI-Powered Platform |
|---|---|---|---|
| Clause hierarchy support | Manual (flat rows) | Partial (folder/tag-based) | Full (template-encoded sections, subsections, tables) |
| Standard field inheritance | Not supported | Rarely supported | Automatic filtering per project scope |
| Decision tree navigation | Not supported | Basic (checklist approach) | Guided step-by-step with recorded outcomes |
| Test plan auto-calculation | Manual formulas | Limited | Auto-calculated verdicts with pass/fail criteria masks |
| Multi-device reuse | Copy-paste files | Clone projects | Clone and adapt with AI-highlighted differences |
| AI assistance | None | None or generic chatbot | Standard-trained AI with context awareness |
| DoC PDF generation | Manual document assembly | Basic export | One-click structured PDF from compliance data |
| Audit trail | Version history only | Built-in logging | Full change tracking with assessment history |
The gap widens significantly for manufacturers working across multiple EN 18031 parts. A project targeting both EN 18031-1 (network security) and EN 18031-3 (fraud prevention) must filter sections and tables based on which standard applies at each level. Only platforms with built-in standard field inheritance handle this correctly without manual intervention.
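Standard field inheritance and the multi-part filtering described above amount to a tree walk that carries the parent's `standard` value down to any node that leaves it empty. The following is an added example, not code from RedComply or text from the standard: the `Node` model, the function names and the sample template's part assignments are assumptions, and `naive_in_scope` models a flat tool that reads an empty field as "applies to all".

```python
from dataclasses import dataclass, field
from typing import Optional

P1, P2, P3 = "EN 18031-1", "EN 18031-2", "EN 18031-3"

@dataclass
class Node:
    """Hypothetical template node (section, subsection, table or column)."""
    name: str
    standard: Optional[frozenset] = None  # None means "inherit from parent"
    children: list = field(default_factory=list)

def resolve(node, inherited=frozenset({P1, P2, P3}), path=()):
    """Yield (path, effective standard set) for a node and its descendants."""
    effective = node.standard if node.standard is not None else inherited
    here = path + (node.name,)
    yield "/".join(here), effective
    for child in node.children:
        yield from resolve(child, effective, here)

def in_scope(root, project_parts):
    """Paths whose inherited standard overlaps the parts the project targets."""
    wanted = frozenset(project_parts)
    return [p for p, eff in resolve(root) if eff & wanted]

def naive_in_scope(root, project_parts):
    """Flat-tool behaviour: an empty standard field is read as 'applies to all'."""
    wanted = frozenset(project_parts)
    def walk(node, path=()):
        here = path + (node.name,)
        if node.standard is None or node.standard & wanted:
            yield "/".join(here)
        for child in node.children:
            yield from walk(child, here)
    return list(walk(root))

def spurious(root, project_parts):
    """Items the naive filter shows that inheritance correctly hides."""
    correct = set(in_scope(root, project_parts))
    return [p for p in naive_in_scope(root, project_parts) if p not in correct]

# Constructed sample template; part assignments are illustrative, not from EN 18031.
TEMPLATE = Node("Template", frozenset({P1, P2, P3}), [
    Node("Section A", frozenset({P1, P2}), [
        Node("Subsection A.1", None, [Node("Table A.1-T1")]),
        Node("Subsection A.2", frozenset({P2}), [Node("Table A.2-T1")]),
    ]),
    Node("Section B", frozenset({P3}), [Node("Subsection B.1", None, [Node("Table B.1-T1")])]),
])
```

For a project scoped to EN 18031-1 only, `spurious(TEMPLATE, [P1])` lists the tables and subsections that would appear without inheritance even though their parent applies only to another part.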
When evaluating tools for EN 18031 clause mapping, use this checklist to ensure the solution fits the standard's specific demands.
Does it encode the EN 18031 template structure? The tool should know about sections (Equipment Identification, Access Control, Vulnerability Handling, etc.), their subsections, and the tables within each. You should not have to build this structure from scratch.
Does it support decision trees? EN 18031 compliance assessments use branching yes/no questionnaires that produce PASS/FAIL/NOT_ASSESSED outcomes. The tool should support navigating these trees and recording results per table row.
Does it handle standard field inheritance? If your project targets EN 18031-1 and EN 18031-2 but not EN 18031-3, the tool should automatically hide sections and tables that only apply to EN 18031-3.
Does it support the three-tier test plan? Conceptual Assessment, Functional Sufficiency Assessment, and Functional Completeness Assessment each have their own verdict logic. The tool should auto-calculate verdict conditions and final verdicts.
Can it generate a Declaration of Conformity? The final deliverable for RED compliance is a structured PDF. A good tool compiles all assessment data into this document without manual layout work.
Does it offer AI assistance? An AI assistant trained on EN 18031 can search the standard, suggest responses, flag inconsistencies, and reduce the time needed to populate compliance tables.
Does it support multi-device projects? Most manufacturers have product families. The tool should allow cloning and adapting compliance data across devices rather than starting from scratch each time.
If a tool checks all seven boxes, it is designed for EN 18031. If it checks fewer than four, you are likely adapting a generic compliance tool to a standard it was not built for - which means more manual work and higher risk of errors.
Can I use a generic GRC tool for EN 18031 clause mapping?
Technically yes, but with significant limitations. Generic GRC (Governance, Risk, and Compliance) tools are designed for frameworks like ISO 27001, SOC 2, or GDPR. They lack EN 18031-specific features such as decision trees, standard field inheritance, test plan auto-calculation, and DoC generation. You would need to build the entire EN 18031 structure manually, which defeats the purpose of using a tool.
How many clauses does EN 18031 have?
The exact number of individual requirements depends on the part and the device's scope. EN 18031 is organised into sections (Equipment Identification, Access Control Mechanisms, Vulnerability Handling, Cryptography, Software Update Mechanisms, Logging, Network Monitoring, and more), each containing multiple tables with structured columns. A full assessment for all three parts can involve hundreds of individual data points across dozens of tables and decision trees.
What is the difference between EN 18031-1, -2, and -3?
EN 18031-1 covers network security requirements (RED Article 3.3(d)). EN 18031-2 covers privacy and personal data protection (Article 3.3(e)). EN 18031-3 covers fraud prevention (Article 3.3(f)). Many sections and requirements overlap across parts, but each has unique subsections. A clause mapping tool must understand which parts apply to which requirements.
Do I need a separate tool for the test plan?
Ideally not. The test plan is tightly integrated with the clause mapping data - it references decision tree outcomes, asset inventories, and compliance table entries. A tool that separates clause mapping from test plan management creates data silos and increases the risk of inconsistencies. The best approach is a platform that handles both in a unified workflow.
How long does EN 18031 clause mapping take with the right tool?
With an AI-powered platform that provides pre-built EN 18031 templates, guided decision trees, and auto-calculated test plans, a compliance engineer can complete an initial device assessment significantly faster than with spreadsheets. The exact timeline depends on the device complexity and the number of applicable standards, but the structured workflow eliminates the hours spent on manual data entry, cross-referencing, and document formatting.
EN 18031 clause mapping is not a simple checklist exercise. The standard's hierarchical structure - with sections, subsections, tables, decision trees, and three-tier test plans - demands tools that understand and enforce that structure. Spreadsheets get manufacturers started, but they cannot scale. Generic compliance trackers help with status management, but they miss the EN 18031-specific assessment logic.
AI-powered platforms purpose-built for EN 18031 offer the most complete solution: pre-built templates, automated decision trees, test plan auto-calculation, multi-standard filtering, and Declaration of Conformity generation. For product security managers and compliance engineers at EU-focused IoT manufacturers, choosing the right clause mapping tool is one of the highest-leverage decisions in the compliance process.
The key question is not whether to use a tool, but which category of tool matches your team's complexity, scale, and timeline.

RedComply is purpose-built for EN 18031 clause mapping and RED cybersecurity compliance. The platform encodes the full EN 18031 template structure - sections, subsections, tables, decision trees, and test plans - so you never have to build the clause hierarchy from scratch.
Here is how to get started:
Create a project and select which EN 18031 parts apply to your device (1, 2, 3, or any combination). The platform automatically filters all sections and tables based on your selection.
Add your device and begin identifying security assets - the mandatory first step of any EN 18031 assessment. The AI assistant helps you work through asset categories systematically.
Map clauses through structured tables using pre-built compliance grids with select dropdowns, pick lists, and extra-info fields. AI suggests appropriate values and flags inconsistencies.
Navigate decision trees step by step with guided workflows that record PASS/FAIL/NOT_ASSESSED outcomes directly in the relevant table rows.
Generate your test plan with auto-calculated verdict conditions for all three assessment tiers - Conceptual, Functional Sufficiency, and Functional Completeness.
Export your Declaration of Conformity as a structured PDF ready for regulatory review - compiled automatically from all your compliance data.
The built-in AI assistant searches EN 18031 directly, answers context-specific questions, and can update compliance tables on your behalf. Visit redcomply.com to see how the platform transforms clause mapping from a manual burden into a guided, automated workflow.