RED Directive Cybersecurity Requirements – EN 18031 Compliance – Security by Design
Protect your connected products and ensure their compliance
Cybersecurity has become an essential requirement for internet-connected radio equipment and IoT devices to be placed on the European market. It aims to ensure the security of equipment and its users, as well as data protection. The Emitech Group offers a comprehensive range of tests to meet the requirements of Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive (RED), applicable from August 1, 2025.
Manufacturers of connected devices, R&D project managers, quality or cybersecurity managers: secure your products from the design stage, validate their robustness, and guarantee their regulatory compliance with our services.
Cybersecurity and IoT Compliance – Our Services
1. Compliance Assessment and Risk Assessment
- Initial assessment to determine whether IoT products are subject to the cybersecurity requirements imposed by the RED Directive (Articles 3.3 d, e, f) and the associated EN 18031-x standards.
- In-depth compliance assessment against EN 18031-x standards, accompanied by the preparation of the required documentation (QIRE and DCMOE) for the conformity assessment of your products.
- Risk assessment structured according to the EBIOS methodology.
- Awareness-raising sessions for your teams on the cybersecurity requirements defined in the RED Directive.
We offer a clear view of your level of compliance, identify any gaps and guide you toward a tailored solution to secure your connected equipment from the design stage.
2. Cybersecurity Testing and Penetration Testing
- In-depth cybersecurity assessments in accordance with the requirements of EN 18031-x standards applicable to internet-connected radio equipment, in the context of the RED Directive 2014/53/EU (Articles 3.3 d, e, f).
- Tests carried out in a secure environment, following a structured test plan covering all security mechanisms defined by the EN 18031-x standards:
  - ACM (Access Control): verification of access management to sensitive assets by authorized entities.
  - AUM (Authentication): assessment of the robustness of authentication mechanisms (passwords, certificates, tokens).
  - SUM (Secure Update): verification of the integrity, authenticity and control of updates.
  - SSM (Secure Storage): tests of the protection of stored assets against unauthorized access.
  - SCM (Secure Communication): validation of the confidentiality, integrity, authenticity of exchanges and protection against replay attacks.
  - DLM (Deletion): ability to securely delete sensitive data.
  - UNM (User Notification): control of the ability to notify the user during security events.
  - RSM (Resilience): resistance to DoS/DDoS attacks.
  - NMM (Network Monitoring): detection of abnormal or malicious network activity.
  - TCM (Traffic Control): analysis of traffic behavior to prevent abuse.
  - CCK (Cryptographic Keys): key security (absence of default values, best practices for generation).
  - GEC (General Capabilities): compliance of equipment with general requirements (up-to-date hardware/software, limited exposed services).
  - CRY (Cryptography): assessment of the use of robust cryptographic techniques that comply with best practices.
- Implementation of realistic penetration tests using white box, grey box, and black box approaches to simulate different levels of access and assess actual resistance to attacks.
- Each test campaign concludes with the delivery of a detailed technical report including any detected non-conformities, their severity levels, and concrete recommendations for improvement.
3. Documentation and Functional Audits
- Analysis of the compliance of the documents provided (QIRE, DCMOE, manuals, technical specifications, update procedures, access security, etc.) with the requirements of the EN 18031-x standards and the RED Directive. The objective is to verify that the security mechanisms are correctly specified, documented, and traceable.
- Evaluation of the product in real-life conditions to confirm the existence, implementation, and effectiveness of the mechanisms declared in the documentation.
Method
- Cross-checking between documentation and the product
- Verification of consistency between technical specifications and actual observations
Objective
- Identify the gaps between what is declared and what is actually implemented, while supporting you in the gradual process of achieving compliance.
4. Our Testing Resources to Ensure a Comprehensive Assessment
- Secure laboratory
Tests are carried out in a secure, isolated test environment that complies with cybersecurity best practices, ensuring data confidentiality and reproducibility.
- Tools and platforms used
We use a range of specialized tools to cover all mechanisms required by the EN 18031-x standards:
  - Nmap: network mapping, detection of exposed services
  - Wireshark: network traffic capture and analysis
  - Metasploit Framework: realistic penetration testing (black/grey/white box)
  - Burp Suite: analysis of vulnerabilities on web/API interfaces
  - OpenVAS: detection of known vulnerabilities
  - Hydra: brute force testing on authentication systems
  - Binwalk & Firmware Analysis Toolkit: firmware analysis (extraction, reverse engineering)
  - OpenSSL: TLS/SSL connection verification
- Tailored test setups:
Implementation of evaluation scenarios adapted to each product's architecture.
These resources enable us to perform tests that are representative of real-world threats and to evaluate products under the most demanding conditions.
Types of Tests Performed on Your Products
To ensure compliance with the cybersecurity requirements of the RED Directive and the EN 18031-x standards, we perform a series of technical and functional tests covering the following aspects:
- Access and authentication tests
Verification of access control mechanisms (ACM) and authentication mechanisms (AUM).
- Secure update tests (SUM)
Assessment of the integrity, authenticity, and security of the update process.
- Secure storage tests (SSM)
Protection of persistent sensitive data.
- Secure communication tests (SCM)
Verification of confidentiality, integrity, and protection against replay attacks.
- Resilience tests (RSM)
Simulation of DoS/DDoS attacks to assess system robustness.
- Logging and deletion tests (LGM/DLM)
Verification of event traceability and secure data deletion.
- Network configuration analysis (NMM/TCM)
Detection of abnormal or malicious behavior via network interfaces.
- Cryptographic testing (CCK/CRY)
Evaluation of key management, cryptography used, and compliance with best practices.
Why Choose the Emitech Group?
- Secure your products against increasingly sophisticated cyber threats.
- Support you in achieving compliance with the amended RED Directive and EN 18031 standards.
- Offer highly specialized testing and support services for your connected devices.
- Integrate cybersecurity from the design phase to reduce your future risks (“security by design”).
- Emitech Certification is notified to assess the conformity of radio equipment with cybersecurity requirements.
Contact us for a quote
Anticipate regulatory requirements and protect your products today
Contact us for a personalized quote and secure your equipment against new cybersecurity requirements in the European market.