
Discover our Compliance Readiness service for RED Cybersecurity Essential Requirements

The cybersecurity requirements of RED Art. 3.3 (d/e/f) put into force by the RED Delegated Act (EU) 2022/30 apply to internet-connected radio equipment. On January 28, 2025, the EN 18031 standards series was harmonized with restrictions.
Are you ready for compliance?
We are here to help.

What You Will Get

  • Production of a risk assessment document

  • Execution of a gap analysis with respect to EN 18031

  • Drafting of documentation for conceptual assessment, as per EN 18031

  • Execution and reporting of functional tests, as per EN 18031

  • First vulnerability report on the ARIANNA platform confirming that the product under examination is free from exploitable vulnerabilities at the time of the examination. Continuous vulnerability management will be required for addressing possible new exploitable vulnerabilities throughout the device lifecycle.

​

These activities, together with the evidence they produce, are considered sufficient for self-assessment.

Discover our offering toward RED's cybersecurity requirements:


1. Risk Assessment

2. EN 18031 Gap Analysis

3. Conceptual Assessment

4. Vulnerability Assessment

5. Functional Tests

Risk Assessment

The risk assessment is a key activity to understand the threats and weaknesses of the system, and to justify which security measures from the EN 18031 standard need to be applied. EN 18031 does not require the implementation of every measure, but instead expects manufacturers to apply only those relevant to their product’s actual risks.

​

The activity is carried out through dedicated sessions where the customer explains the product and Security Pattern collects the necessary information to identify threats and assess their severity and feasibility.

 

​

OUTPUT: A structured risk assessment document.

EN 18031 Gap Analysis

​​​

The reference standard for this consultancy service is the European standard EN 18031, which has been harmonized under the RED DA: compliance with the normative clauses of EN 18031 confers a presumption of conformity with the essential requirements of Directive 2014/53/EU.

In this phase, each requirement from the applicable sections of EN 18031 is reviewed using the information provided by the customer. The goal is to check whether the device, in its current state, is likely to meet the RED cybersecurity requirements.

 

This step does not formally demonstrate compliance, but it helps identify any technical or procedural issues that need to be addressed. Since the conceptual tests required by EN 18031 are highly detailed and formal, it’s more efficient to run them only once the design and documentation are complete and aligned with the standard.

​

Each requirement is assigned one of the following outcomes:

  • PASS – appears satisfied based on current information

  • FAIL – clearly not met

  • NOT APPLICABLE – does not apply to the product

  • INCONCLUSIVE – not enough information to evaluate

​

Any FAIL or INCONCLUSIVE result means additional work or clarification is needed. Security Pattern experts will provide guidance on what needs to be changed and how to address the issue, so that the product can move toward full compliance.

​
 

OUTPUT: A gap analysis report listing the outcome for each requirement.

Conceptual Assessment

 

After the gap analysis is complete, and adequate action has been taken to address the reported items, the process continues with the EN 18031 conceptual assessment.

​

This work is carried out together with Security Pattern during dedicated sessions, where we review the product design, implementation, and documentation in detail. Based on the collected information, Security Pattern will compile a full Conceptual Assessment Report in line with the requirements of EN 18031.

​​​

​​

OUTPUT: Conceptual Assessment Report compliant with EN 18031.

Vulnerability Assessment

 

Before moving on to the functional tests, there is one requirement from EN 18031 that needs to be addressed separately: “The equipment shall not include publicly known exploitable vulnerabilities” (EN 18031-1, 6.10.1).

​

To support manufacturers in this process, Security Pattern developed ARIANNA, a platform for SBOM, HBOM, and vulnerability management. ARIANNA helps identify, assess, and document vulnerabilities, and can provide proof that a device has no known exploitable vulnerabilities. The onboarding phase for ARIANNA consists of two key activities:

  • Device Model Definition: a list of the device’s components (software, firmware, hardware, protocols) is created. This is done through a technical interview with your product team and a review of build artifacts.

  • Vulnerability Report and discussion: based on the collected information, Security Pattern generates a vulnerability report via the ARIANNA Platform. This report is reviewed together with the client to ensure all findings are properly understood, with a special focus on any potentially exploitable vulnerabilities that are identified.

 

This vulnerability report serves as evidence of compliance with EN 18031’s vulnerability requirement. However, it represents a snapshot in time. Since new vulnerabilities emerge constantly, manufacturers should continue monitoring their device and apply security updates when necessary throughout the device’s entire lifecycle.

​

​​​​

OUTPUT: Device model and Vulnerability Report via the ARIANNA Platform.

Functional Tests

 

Once the conceptual test documentation is complete, Security Pattern performs the functional tests on the actual device, as required by EN 18031.

 

EN 18031 defines two types of checks:

  • Functional completeness assessment: ensures that what is described in the conceptual documentation is truly present and active in the device.

  • Functional sufficiency assessment: verifies that the implementation is technically robust.

 

The ARIANNA Initial Vulnerability Report is used as input for the functional tests: we verify whether any of the vulnerabilities flagged as potentially exploitable can be practically exploited. This allows us to confirm whether the device is compliant with the EN 18031 vulnerability requirement.

 

​​​​

OUTPUT: Functional Test Report, documenting all results according to EN 18031 specifications.

Check out our ARIANNA Platform, the product security management platform designed by experts.

Learn more about the ARIANNA Platform

​From hardware to software, the ARIANNA Platform constructs a precise inventory of your device’s components, ensuring comprehensive visibility across the entire device lifecycle. This detailed inventory enables proactive identification and tracking of known vulnerabilities, as well as their evaluation and prompt resolution. 

With ARIANNA’s comprehensive approach, you can stay ahead of cybersecurity threats while fully complying with evolving regulatory standards.

​

ARIANNA’s approach to building Device Models (SBOM+HBOM) is unique. By relying on the build procedure, we reach the highest level of accuracy, with no false positives. Automation through APIs makes maintaining the component list effortless after every update. In addition, by monitoring the hardware, you can be assured of choosing the most secure hardware for your products and keeping this layer secure throughout the entire life cycle.

Or check out our training
'European Regulation and its Application: RED DA and CRA'

 

Contact Us

Are you dealing with specific cybersecurity issues that are difficult to solve?

We can help.

Request a 30-minute free consultancy meeting.
