BS EN 18031-1-2024 PDF

Full title and description

BS EN 18031-1:2024 — Common security requirements for radio equipment — Part 1: Internet connected radio equipment. This British adoption of EN 18031-1 specifies baseline cybersecurity and secure-by-design measures for radio (wireless) devices that have direct or indirect access to the Internet.

Abstract

EN 18031-1:2024 sets out technical and organisational security requirements intended to reduce cyber risks for internet‑connected radio equipment. It covers threat assessment, secure development and operations, authentication and cryptography, secure update mechanisms, vulnerability management, logging and telemetry, and supply‑chain considerations. It is one part of the EN 18031 series addressing different categories of radio equipment.

General information

• Status: Current / Active standard (adoption published August 16, 2024)
• Publication date: 16 August 2024
• Publisher: British Standards Institution (BSI) — identical adoption of EN 18031-1:2024
• ICS / categories: 33.060.20 (Receiving and transmitting equipment); 35.030 (IT security)
• Edition / version: 1st edition (2024)
• Number of pages: 186

Scope

EN 18031-1 applies to radio equipment that is connected directly or indirectly to the Internet and is not specifically covered by Parts 2 or 3 of the EN 18031 series. The standard defines common cybersecurity requirements that designers, manufacturers and assessors can apply to reduce risks to device security, user privacy and the wider network. It is intended to support conformity assessment under the Radio Equipment Directive framework; note that the EN 18031 series was listed in the Official Journal of the European Union on 30 January 2025 (with specified restrictions) and became applicable for harmonisation purposes from 1 August 2025 subject to those restrictions.

Key topics and requirements

• Risk assessment and threat modelling for internet‑connected radio devices
• Secure‑by‑design principles and secure software development lifecycle (SSDLC)
• Authentication, access control and identity management for devices and services
• Cryptographic controls and key management guidance appropriate to device capabilities
• Secure firmware and software update mechanisms (integrity, authenticity, rollback protection)
• Vulnerability management, disclosure processes and patching obligations
• Logging, telemetry and incident detection requirements while protecting user privacy
• Supply‑chain security, component provenance and secure manufacturing practices
• Privacy protection for personal, traffic and location data when applicable
• Conformity assessment considerations and interplay with regulatory requirements (e.g., RED)

Typical use and users

Primary users are manufacturers and design teams of internet‑connected radio devices (consumer IoT, wearables, telematics, gateways), product security engineers, test laboratories, conformity assessment bodies and regulatory/compliance teams preparing declarations of conformity. The standard is also used by notified bodies and certification organisations as part of compliance assessments and by procurement teams specifying minimum security requirements for supplied radio equipment.

Related standards

EN 18031-1 is part of the EN 18031 series; related documents include EN 18031-2:2024 (data processing/personal‑data/childcare/toys/wearables) and EN 18031-3:2024 (devices handling virtual currency or monetary value). Other related cybersecurity or IoT standards often referenced alongside EN 18031 include EN 303 645 (IoT consumer security baseline), IEC/ISA‑62443 series (industrial security), and the Radio Equipment Directive 2014/53/EU (and its delegated acts addressing cybersecurity).

Keywords

cybersecurity, radio equipment, wireless devices, internet connected, secure‑by‑design, firmware update, vulnerability management, authentication, cryptography, Radio Equipment Directive, EN 18031

FAQ

Q: What is this standard?

A: BS EN 18031-1:2024 is the UK adoption of EN 18031-1:2024 providing common cybersecurity requirements for radio equipment that connects to the Internet. It defines baseline security measures manufacturers should implement.

Q: What does it cover?

A: It covers threat assessment, secure development, authentication and cryptography, secure update mechanisms, vulnerability handling, logging and privacy considerations, supply‑chain security and related conformity assessment topics applicable to internet‑connected radio devices.

Q: Who typically uses it?

A: Device manufacturers, product security teams, test laboratories, conformity assessors, notified bodies and procurement/compliance teams use the standard to design, test and demonstrate security for internet‑connected radio equipment.

Q: Is it current or superseded?

A: It is current. Publication date is 16 August 2024 (1st edition). The EN 18031 series was listed in the Official Journal of the European Union on 30 January 2025 with specified restrictions and became applicable from 1 August 2025 for harmonisation purposes under RED, subject to those restrictions.

Q: Is it part of a series?

A: Yes — EN 18031 is a multipart series. Part 1 addresses internet‑connected radio equipment; Part 2 and Part 3 address other radio equipment categories (personal data/childcare/toys/wearables and devices handling virtual currency, respectively).

Q: What are the key keywords?

A: Cybersecurity, radio equipment, internet connected devices, firmware updates, vulnerability management, authentication, cryptography, secure‑by‑design, Radio Equipment Directive, EN 18031.