Once the gatekeepers of digital security, passwords have become the primary weakness of modern, deeply embedded connected device ecosystems. Verizon’s 2023 Data Breach Investigations Report found that nearly 75% of breaches involved stolen credentials [1], often obtained through phishing or social engineering. As these attack methods become more sophisticated, relying on passwords alone is no longer sufficient.
This shift is reflected in regulatory developments as well. On August 1st, 2025, three new EU Radio Equipment Directive (RED) requirements will apply to internet-connected radio equipment, devices that process personal data, and radio equipment that facilitates financial transactions. Instead of involving a Notified Body to assess conformity with Article 3.3(d), (e), and (f), manufacturers can now demonstrate conformity by reference to the harmonized standards EN 18031-1, -2, and -3, as cited in the Official European Commission Journal.
Why traditional passwords may fall short under RED
Traditional password-based systems—especially those using default or hardcoded credentials—are increasingly viewed as inadequate for RED Article 3.3’s requirement of securing networks, protecting personal data, and preventing unauthorized access.
Devices that allow users to bypass or disable password protection, or that lack strong fallback authentication, may also fail to meet the intent of EN 18031-1, -2, or -3. In fact, such scenarios are explicitly listed as restrictions on the harmonized status of these standards. If a product falls under a restricted clause—for example, allowing a user to skip password setup or lacking robust parental controls—it may no longer qualify for Internal Production Control, and a Notified Body would be required for market access.
To meet RED requirements more effectively, many manufacturers are adopting passwordless authentication using public-key cryptography, biometrics, or secure token-based pairing. These technologies avoid shared secrets and are inherently more resistant to unauthorized access, better aligning with the expectations of Article 3.3(d), (e), and (f). However, fallback mechanisms—such as recovery codes or secondary device pairing—must be held to the same high standards. If poorly implemented, they can undermine an otherwise secure design and compromise RED compliance.
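The public-key pairing and fallback pattern described above, written out as an added example in Go (this is not code from the original article or from GRL). The `Verifier` type, its method names and the recovery-code handling are assumptions made for the example; the device side simply signs the server's nonce with the Ed25519 private key it generated at pairing, so the verifier never holds a shared secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Verifier is the relying side (hub or cloud service). It stores only the device's
// public key and the hash of a single-use recovery code: no shared secret to phish or replay.
type Verifier struct {
	pub      ed25519.PublicKey
	nonce    []byte   // outstanding challenge, consumed on first use
	recovery [32]byte // SHA-256 of a high-entropy recovery code, zeroed once used
}

// NewVerifier is called at pairing time, after the device has presented its public key.
func NewVerifier(pub ed25519.PublicKey, recoveryCode string) *Verifier {
	return &Verifier{pub: pub, recovery: sha256.Sum256([]byte(recoveryCode))}
}

// Challenge issues a fresh 32-byte random nonce that is valid for exactly one response.
func (v *Verifier) Challenge() ([]byte, error) {
	v.nonce = make([]byte, 32)
	_, err := rand.Read(v.nonce)
	return v.nonce, err
}

// Verify consumes the outstanding nonce, then checks the device's signature over it; replays fail.
func (v *Verifier) Verify(sig []byte) error {
	nonce := v.nonce
	v.nonce = nil
	if nonce == nil || !ed25519.Verify(v.pub, nonce, sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Recover is the fallback path, held to the same bar as the primary one: constant-time
// comparison against the stored hash, then invalidation so the code works only once.
func (v *Verifier) Recover(code string) error {
	got := sha256.Sum256([]byte(code))
	if v.recovery == [32]byte{} || subtle.ConstantTimeCompare(got[:], v.recovery[:]) != 1 {
		return errors.New("recovery failed")
	}
	v.recovery = [32]byte{}
	return nil
}
```

Rate limiting of the recovery path and secure storage of the device's private key (ideally in a secure element) are outside this snippet but belong in any real implementation.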
What harmonized standards are and why they matter
Harmonized standards are officially recognized by the European Commission as a valid means of demonstrating compliance with directives and regulations. While use of harmonized standards is voluntary, manufacturers who fully apply the relevant harmonized standards can self-declare conformity via Internal Production Control (Module A) according to Article 17 of the RED.
In contrast, those who opt for custom compliance strategies—such as using proprietary controls or non-harmonized international standards—must involve a Notified Body to assess their technical documentation. For RED Article 3.3(d), (e), and (f), manufacturers can now apply the newly published EN 18031-1, -2, and -3 as harmonized standards to meet RED’s cybersecurity provisions on network protection, personal data safeguards, and fraud prevention.
Summary of conformity assessment options
Under Article 17 of the Radio Equipment Directive (RED), manufacturers have three options for Conformity Assessment:
- Internal Production Control (Module A) – the most straightforward route, allowing self-declaration of conformity without Notified Body involvement.
- EU-Type Examination + Conformity to Type – requires a Notified Body to review documentation and issue a Type Examination Certificate.
- Full Quality Assurance – a more complex process rarely used in practice.
While manufacturers are generally free to choose any route for Article 3.1 (safety and EMC) and Article 3.4 (common charger), stricter rules apply to Articles 3.2 (radio spectrum) and 3.3 (cybersecurity). For connected devices that rely on password protection—or offer the option to disable it altogether—compliance with Article 3.3(d), (e), and (f) becomes particularly critical.
Under Article 17, Internal Production Control (Module A) can only be used for these requirements if a harmonized standard is applied in full. If not—whether due to custom security implementations, fallback mechanisms, or a lack of password protection—a Notified Body must assess the technical documentation before market entry. The harmonized standards EN 18031-1, -2, and -3 therefore offer manufacturers a clear, accepted path to cybersecurity compliance wherever user credentials and personal data processing are involved.
Limitations of harmonized standards EN 18031-1, -2 and -3
It’s important to note that these standards are conditionally harmonized—meaning they only confer Presumption of Conformity if certain restrictions do not apply to your product. If your device falls under one of the restricted clauses, the standard is not considered harmonized for your application, and a Notified Body must still be involved prior to market placement.
EN 18031-1 (Network Protection)
This standard cannot be used as a harmonized standard if your product permits the user not to set or use a password (clauses 6.2.5.1 and 6.2.5.2). In other words, “password-optional” designs—such as smart displays or connected monitors where users can skip authentication—will not qualify for Internal Production Control. To benefit from harmonization, your device must either not fall under these clauses or enforce password usage by default.
EN 18031-2 (Personal Data Protection)
Beyond the same password restriction noted above, this standard introduces a further limitation: if clauses 6.1.3 to 6.1.6 apply, the product must ensure parental or guardian access control. This is particularly relevant for smart toys and childcare devices. If your product does not implement sufficient safeguards for parental oversight, you cannot rely on this standard as harmonized, and a Notified Body must validate your approach.
EN 18031-3 (Fraud Prevention for Financial Transactions)
As with the previous two standards, password-related restrictions apply. In addition, clause 6.3.2.4 concerning secure update mechanisms introduces further limitations. If your product handles financial transactions and depends solely on the update categories outlined in this clause, it will not meet the necessary threshold for Presumption of Conformity. More robust update mechanisms must be demonstrated—typically with support from a Notified Body.
It’s also important to note that the Guidance and Rationale clauses within these standards are informative only, and cannot be used as the basis for Presumption of Conformity. Manufacturers are therefore advised to carefully evaluate the applicability of restricted clauses to determine whether intervention from a Notified Body is necessary.
Decode the path towards passwordless RED compliance
With the August 2025 RED enforcement deadline fast approaching, manufacturers must act now to future-proof their connected devices. Avoid costly delays by ensuring your risk assessments, technical documentation, and conformity procedures are in order—and consult a Notified Body when required. Remember, every unit placed on the EU market must carry the CE mark, regardless of whether it’s from a new or existing brand.
If navigating these requirements feels overwhelming, GRL can help. Gain a first-mover advantage by partnering with our experts for streamlined RED compliance and robust cybersecurity testing—purpose-built for today’s connected ecosystems.
References
[1] https://www.beyondtrust.com/blog/entry/how-compromised-passwords-lead-to-data-breaches