Risk Assessment for RED Cybersecurity Compliance

    Conducting a risk assessment is the foundation of EN 18031 compliance. This guide walks you through each step - from scoping your standards and identifying assets to evaluating threats, running decision trees, and documenting results in a Declaration of Conformity.

    March 12, 2026

    Key Takeaways
    [Figure: Risk assessment for RED cybersecurity compliance under EN 18031]

    A risk assessment for RED cybersecurity is the systematic process of identifying what needs protection on your device, what threats exist, and whether your security measures are sufficient to meet EN 18031 requirements. Unlike generic enterprise risk assessments, the RED risk assessment is standards-driven: it follows the structure of EN 18031 sections, uses decision trees for each requirement, and produces a specific regulatory deliverable - the Declaration of Conformity.

    • Scope first: Determine which EN 18031 parts apply to your device - EN 18031-1 (network security), EN 18031-2 (privacy/data protection), EN 18031-3 (fraud prevention) - before doing anything else.

    • Asset identification is mandatory: You must catalogue your device's security assets (security functions, security parameters, network assets, privacy assets, financial assets) before assessing any requirement.

    • Decision trees drive outcomes: Each EN 18031 requirement is evaluated through structured yes/no decision trees that produce PASS, FAIL, or NOT_ASSESSED results - not subjective risk scores.

    • Test plans validate your assessment: A three-tier test plan (Conceptual, Functional Sufficiency, Functional Completeness) verifies that your risk assessment conclusions are backed by evidence.

    • The output is a Declaration of Conformity: The entire assessment compiles into a structured PDF that demonstrates compliance to market surveillance authorities.

    What Makes RED Risk Assessment Different

    Most cybersecurity risk assessment guides describe a generic enterprise process: inventory your IT assets, score threats by likelihood and impact, create a risk matrix, and prioritise mitigations. That approach does not map to the Radio Equipment Directive (RED).

    RED cybersecurity compliance under Delegated Regulation (EU) 2022/30 - activating Articles 3.3(d), 3.3(e), and 3.3(f) - requires manufacturers to follow EN 18031, a harmonised European standard with a specific structure. The risk assessment is not freeform. It is anchored to:

    • Predefined compliance sections (Equipment Identification, Access Control, Vulnerability Handling, Cryptography, Software Updates, Logging, Network Monitoring, and more)

    • Structured tables where you document assets, mechanisms, and justifications for each requirement

    • Decision trees that guide you through binary questions to reach deterministic outcomes (PASS/FAIL/NOT_ASSESSED)

    • Standard field inheritance that determines which sections, tables, and columns apply based on your project's selected EN 18031 parts

    Aspect           | Generic Risk Assessment           | RED / EN 18031 Risk Assessment
    -----------------|-----------------------------------|---------------------------------------------------------------
    Scope            | All IT assets and processes       | Specific device under assessment, filtered by applicable EN 18031 parts
    Risk model       | Likelihood x Impact matrix        | Decision trees with binary PASS/FAIL outcomes per requirement
    Asset categories | Hardware, software, data, people  | Security functions, security parameters (CSP/SSP), network assets, privacy assets, financial assets
    Output           | Risk register with priorities     | Declaration of Conformity (DoC) PDF for EU market access
    Framework        | NIST CSF, ISO 27001, MITRE ATT&CK | EN 18031-1, EN 18031-2, EN 18031-3
    Frequency        | Annual or continuous              | Per-device, per-product variant, before EU market placement

    Step 1: Define Your Compliance Scope

    Before any assessment work begins, you must determine which EN 18031 parts apply to your device. This decision drives everything downstream - which sections appear, which tables you must fill, and which decision trees you must complete.

    The three parts correspond to different RED articles:

    EN 18031 Part | RED Article    | Focus Area                                                           | Typical Devices
    --------------|----------------|----------------------------------------------------------------------|-----------------------------------------------------------------
    EN 18031-1    | Article 3.3(d) | Network security - protecting networks from harm caused by the device | Any internet-connected radio equipment
    EN 18031-2    | Article 3.3(e) | Privacy and data protection - safeguarding personal data              | Devices processing personal data (wearables, cameras, smart home)
    EN 18031-3    | Article 3.3(f) | Fraud prevention - preventing monetary or value fraud                 | Payment terminals, smart meters, devices with stored value

    Most IoT devices require at least EN 18031-1. Many also require EN 18031-2 if they process personal data. A single project in RedComply can target any combination of parts, and the platform automatically filters sections and tables based on your selection using standard field inheritance rules.

    What if I am unsure which parts apply?

    Start by asking: does my device connect to a network? (Part 1 likely applies.) Does it collect, store, or transmit personal data? (Part 2 likely applies.) Does it handle financial transactions or stored value? (Part 3 likely applies.) When in doubt, include the part - it is better to assess and find requirements not applicable than to miss a mandatory section.

    Step 2: Identify and Catalogue Your Security Assets
    [Figure: Identifying and cataloguing security assets - security functions, parameters, network, privacy, and financial assets]

    Asset identification is the mandatory first step of any EN 18031 risk assessment. Without knowing what needs protection, you cannot evaluate whether your security measures are sufficient. EN 18031 defines five categories of assets:

    Security Functions

    These are the mechanisms your device uses to enforce security. They fall into four subcategories:

    • Access control mechanisms - authentication, authorization, session management

    • Cryptographic mechanisms - encryption algorithms, key management, certificate handling

    • Communication security - TLS/DTLS implementation, secure protocols, firewall rules

    • System integrity mechanisms - secure boot, firmware verification, tamper detection

    Security Parameters

    These are the data values that security functions depend on. EN 18031 distinguishes between:

    • Confidential Security Parameters (CSP) - values whose exposure would compromise security (private keys, passwords, encryption keys)

    • Sensitive Security Parameters (SSP) - values whose modification would compromise security (configuration settings, access control lists, firmware signatures)

    Network, Privacy, and Financial Assets

    Depending on which EN 18031 parts apply, you must also identify network assets (network interfaces, protocols, data flows), privacy assets (personal data types collected, stored, or transmitted), and financial assets (payment credentials, stored-value mechanisms).

    In RedComply, all asset categories have dedicated compliance tables. Once you populate the asset inventory, the platform automatically propagates identifiers into downstream assessment tables - access control, cryptography, vulnerability handling - so you never have to copy data manually.

    Our guide to EN 18031 asset types covers each category in detail with practical examples.

    Step 3: Evaluate Requirements Through Decision Trees
    [Figure: Step-by-step risk assessment workflow with decision trees producing PASS/FAIL outcomes]

    With your assets catalogued, you now evaluate each EN 18031 requirement systematically. Unlike generic risk assessments where you assign subjective risk scores, EN 18031 uses decision trees - structured sequences of yes/no questions that lead to deterministic outcomes.

    How decision trees work

    Each compliance table row can be linked to a decision tree. The tree presents a series of questions about your device's implementation. Based on your answers, the tree branches until it reaches one of three outcomes:

    • PASS - the requirement is met based on the evidence provided

    • FAIL - the requirement is not met; remediation is needed

    • NOT_ASSESSED - insufficient information to determine compliance; further investigation required

    What does a decision tree question look like?

    Decision tree questions are specific and binary. For example, in the access control section, a tree might ask: "Does the device enforce a minimum password complexity policy?" followed by "Is the policy configurable by the user?" Each answer directs you down a different branch. The tree records all responses in a structured `decisiontreeresponses` field, creating an auditable trail.
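    To make the mechanics concrete, here is an added example (not RedComply's code) of a minimal decision tree walker in Python: it asks the two access control questions quoted above, stops with NOT_ASSESSED at the first unanswered question, and records every response in a `decisiontreeresponses` list. The branch outcomes are constructed for illustration and are not taken from the standard.

```python
from dataclasses import dataclass, field

PASS, FAIL, NOT_ASSESSED = "PASS", "FAIL", "NOT_ASSESSED"


@dataclass
class Question:
    """One binary node; each branch is another Question or a leaf outcome string."""
    text: str
    yes: "Question | str"
    no: "Question | str"


@dataclass
class TreeResult:
    outcome: str
    # Ordered record of every question asked and the answer given (None = unanswered)
    decisiontreeresponses: list = field(default_factory=list)


def run_tree(root, answers):
    """Walk the tree with the given answers (question text -> bool).

    The first question without an answer ends the walk with NOT_ASSESSED, so an
    incomplete assessment never silently turns into a PASS or a FAIL.
    """
    node = root
    result = TreeResult(NOT_ASSESSED)
    while isinstance(node, Question):
        if node.text not in answers:
            result.decisiontreeresponses.append({"question": node.text, "answer": None})
            return result
        answer = bool(answers[node.text])
        result.decisiontreeresponses.append({"question": node.text, "answer": answer})
        node = node.yes if answer else node.no
    result.outcome = node  # reached a leaf outcome
    return result


# Constructed tree: the two questions are the ones quoted in the text; the branch
# outcomes are illustrative only and are not EN 18031's.
Q_COMPLEXITY = "Does the device enforce a minimum password complexity policy?"
Q_CONFIGURABLE = "Is the policy configurable by the user?"
ACCESS_CONTROL_TREE = Question(
    Q_COMPLEXITY,
    yes=Question(Q_CONFIGURABLE, yes=PASS, no=NOT_ASSESSED),  # no -> needs further investigation
    no=FAIL,
)

if __name__ == "__main__":
    for answers in ({Q_COMPLEXITY: True, Q_CONFIGURABLE: True}, {Q_COMPLEXITY: False}, {}):
        r = run_tree(ACCESS_CONTROL_TREE, answers)
        print(r.outcome, r.decisiontreeresponses)
```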

    Working through sections systematically

    EN 18031 organises requirements into sections: Equipment Identification, Access Control Mechanisms, Vulnerability Handling, Cryptography, Software Update Mechanisms, Logging, and Network Monitoring (among others). For each section relevant to your device, you work through every table row, answering decision trees and recording justifications.

    This is where the volume of work becomes apparent - and where tooling matters. A single device assessment can involve hundreds of decision tree completions across dozens of tables. RedComply tracks your progress section by section, highlights incomplete trees, and flags inconsistencies between related answers.

    For a methodology-focused deep dive on vulnerability identification and audit documentation, see our vulnerability management guide.

    Step 4: Validate with Test Plans

    Completing decision trees is not the end of the assessment. EN 18031 requires a three-tier test plan that validates your assessment outcomes with increasing rigour:

    Assessment Tier         | What It Evaluates                                        | Key Question
    ------------------------|----------------------------------------------------------|-----------------------------------------------------------
    Conceptual Assessment   | Test items against DT results and expert justifications  | Are the assessment conclusions logically sound?
    Functional Sufficiency  | Test cases against defined assessment units              | Do the implemented measures actually work as claimed?
    Functional Completeness | Gap analysis for missing test items                      | Have all requirements been covered - are there any gaps?

    Auto-calculated verdicts

    Each test plan row has verdict conditions - rules like "At least one PASS in column DT result" or "No FAIL entries present." These conditions are evaluated against your actual data to produce a final verdict. The priority order is: PASS > FAIL > NOT APPLICABLE. If data is incomplete, the system shows "-" rather than making assumptions.

    In RedComply, verdict conditions auto-fill by detecting patterns in your data, and final verdicts are computed using pass/fail criteria masks from the EN 18031 templates. This eliminates manual calculation errors and immediately shows you where your assessment stands.
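    An added example (not RedComply's implementation) of how verdict conditions like the two quoted above can be evaluated in Python: the condition sentences are parsed into predicates, candidate verdicts are resolved with the PASS > FAIL > NOT APPLICABLE priority, and incomplete DT result data yields "-" instead of a guess. The condition set and the sample rows are constructed and are not the EN 18031 template's own criteria mask.

```python
import re

# Verdict priority as stated in the text: PASS > FAIL > NOT APPLICABLE
PRIORITY = ("PASS", "FAIL", "NOT APPLICABLE")
# DT result cells that mean the data is incomplete; the verdict is then "-"
INCOMPLETE = (None, "", "NOT_ASSESSED")


def parse_condition(text):
    """Turn one verdict-condition sentence into a predicate over table rows.

    Supports the two shapes quoted in the text:
      "At least one <VALUE> in column <COLUMN>"   and   "No <VALUE> entries present"
    """
    m = re.fullmatch(r"At least one ([\w ]+?) in column (.+)", text)
    if m:
        value, column = m.groups()
        return lambda rows: any(row.get(column) == value for row in rows)
    m = re.fullmatch(r"No ([\w ]+?) entries present", text)
    if m:
        value = m.group(1)
        return lambda rows: all(cell != value for row in rows for cell in row.values())
    raise ValueError(f"unsupported verdict condition: {text!r}")


def compute_verdict(rows, conditions):
    """rows: one dict per table row; conditions: {verdict: [condition sentences]}.

    A verdict is a candidate when all of its conditions hold; the highest-priority
    candidate wins. Any incomplete DT result cell makes the verdict "-".
    """
    if not rows or any(row.get("DT result") in INCOMPLETE for row in rows):
        return "-"
    candidates = {v for v, texts in conditions.items()
                  if all(parse_condition(t)(rows) for t in texts)}
    return next((v for v in PRIORITY if v in candidates), "-")


# Constructed condition set for one test-plan row (assumed mapping, not the template's)
ROW_CONDITIONS = {
    "PASS": ["At least one PASS in column DT result", "No FAIL entries present"],
    "FAIL": ["At least one FAIL in column DT result"],
    "NOT APPLICABLE": ["At least one NOT APPLICABLE in column DT result",
                       "No PASS entries present", "No FAIL entries present"],
}

# Constructed sample data: three decision-tree rows feeding one test item
SAMPLE_ROWS = [
    {"Row": "row-1", "DT result": "PASS"},
    {"Row": "row-2", "DT result": "PASS"},
    {"Row": "row-3", "DT result": "NOT APPLICABLE"},
]

if __name__ == "__main__":
    print(compute_verdict(SAMPLE_ROWS, ROW_CONDITIONS))  # PASS
```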

    Step 5: Document Everything in the Declaration of Conformity
    [Figure: Compiling risk assessment results into a Declaration of Conformity PDF document]

    The final output of your RED risk assessment is the Declaration of Conformity (DoC) - the regulatory document that demonstrates your device meets the cybersecurity requirements of the Radio Equipment Directive.

    The DoC compiles everything from your assessment:

    • Equipment identification rendered as key-value pairs (manufacturer, model, hardware/software versions)

    • Compliance tables from every assessed section, showing your answers, justifications, and decision tree outcomes

    • Test plan results with verdicts for all three assessment tiers

    • Pick list selections displayed as formatted lists (not raw JSON)

    • Extra-info fields split into the question portion and the additional details

    The DoC is not a summary - it is a comprehensive record. Market surveillance authorities use it to verify that your assessment was thorough and that your conclusions are justified. Missing sections, incomplete tables, or undocumented decision tree branches can lead to compliance challenges.

    RedComply generates the DoC as a structured PDF directly from your compliance data. Equipment identification renders vertically, assessment tables render horizontally, and all formatting (pick lists, extra-info splits, empty-table notices) is handled automatically.

    If you are following the Module A self-assessment path, our self-assessment guide walks through the complete workflow.

    Frequently Asked Questions

    How long does a RED risk assessment take?

    It depends on the device complexity, the number of applicable EN 18031 parts, and whether you have tooling. A simple single-function IoT sensor might take days; a complex multi-radio gateway with personal data processing and payment capabilities could take weeks. AI-assisted tools like RedComply significantly reduce the time by automating table population, decision tree tracking, and verdict calculation.

    Do I need a separate risk assessment for each device?

    Yes. Each device (or product variant with materially different hardware/software) requires its own assessment. However, devices sharing similar architectures can reuse compliance data as a starting point - you assess the differences rather than starting from scratch.

    Can I use NIST CSF or ISO 27001 instead of EN 18031?

    No. While frameworks like NIST CSF and ISO 27001 are valuable for organisational security, they do not provide a presumption of conformity with the RED cybersecurity requirements. EN 18031 is the harmonised standard that maps directly to Articles 3.3(d), 3.3(e), and 3.3(f). You may use other frameworks internally, but the regulatory documentation must follow EN 18031.

    What happens if a decision tree results in FAIL?

    A FAIL outcome means the requirement is not currently met. You have two options: remediate (modify the device design or implementation to address the gap, then re-assess) or document the justification if you believe the requirement is not applicable to your specific device context. The key is that every FAIL must be addressed before the DoC can be considered complete.

    Is the risk assessment a one-time activity?

    No. The assessment applies to a specific version of a specific device. Any material change to the hardware, software, or firmware that affects the security properties of the device may require reassessment. This includes adding new network interfaces, changing cryptographic implementations, or modifying access control logic.

    Start Your RED Risk Assessment with RedComply

    RedComply is purpose-built for EN 18031 and RED cybersecurity compliance. The platform guides you through every step of the risk assessment process - from scoping your standards to generating your Declaration of Conformity.

    Here is how to start:

    1. Create a project and select which EN 18031 parts apply (1, 2, 3, or any combination)

    2. Add your device and begin identifying security assets - the mandatory first step of any EN 18031 assessment

    3. Work through compliance sections using structured tables and guided decision trees

    4. Generate your test plan with auto-calculated verdicts for all three assessment tiers

    5. Export your Declaration of Conformity as a structured PDF ready for regulatory review

    The built-in AI assistant helps you search the standard, understand requirements in context, and keep your assessment consistent across sections - so you can focus on the engineering decisions that matter.