The Five Essential Self-Assessment Activities for RED DA Compliance
- Arianna Gringiani & Alberto Battistello
- Published on: June 24, 2025
- Estimated reading time: 6 minutes

August is just around the corner, along with the deadline to comply with the cybersecurity requirements of the RED Delegated Act (RED DA). We have already published several blog posts on this topic, including
‘How the Newest EU Cybersecurity Legislations Impact Your Products’, which explains who is affected and how to approach RED DA, and
‘Cybersecurity standards EN 18031 are now harmonized’, which covers the harmonized standards EN 18031 that can be used to demonstrate compliance with RED DA. It also explains for which type of devices a self-assessment can be carried out, and for which a Notified Body assessment is required.
If you are still unsure whether your device with radio interfaces and internet connectivity is compliant, or if you have not yet prepared the required documentation, now is the time to act.
In this blog post, we take a practical approach: we explain the exact steps to follow, in the right order, to ensure your product is compliant and properly documented in time to avoid penalties.
If you are in doubt whether a self-assessment is sufficient for your product, refer to the previously mentioned blog posts or reach out to us for an Applicability Assessment.
Self-Assessment Activities for Compliance
The RED Delegated Act requires formal steps and documentation to complete the self-assessment process against the EN 18031 standards series. Here is what you need to do.
The first step is to carry out a risk assessment. EU product legislation requires that you prepare a document to analyze the product’s use cases, environment, and potential risks. This is essential to apply EN 18031 in a meaningful and justified way.
Once the risks are clear, the next step is the EN 18031 assessment itself (e.g. the conceptual tests). This means going through the standard’s requirements and checking, for each requirement, whether it applies to your product and whether the implementation is in place. This includes a review of documentation (“have we implemented this?” or “is this not applicable?”), but also physical testing of the product to confirm that the measures are correctly in place and effective.
However, before diving into detailed documentation and testing, it is strongly recommended to first run a gap analysis. This is a high-level review to check if there are any missing elements in the current implementation. Fixing these early helps avoid repeating work later.
Be careful with one of the main EN 18031 requirements, stating that the product must not contain known exploitable vulnerabilities. Proving this requires a dedicated vulnerability assessment, which may include code analysis, software component review, and testing.
Once all these steps are complete, you are ready to place the CE marking on your product.
Now, let’s look at these steps in more detail and how Security Pattern can support you.
Risk Assessment
The risk assessment, or more completely, threat modeling and risk assessment, is a key activity to understand the threats and weaknesses of the system, and to justify which security measures from the EN 18031 standard need to be applied. This is essential because EN 18031 is flexible: it does not require the implementation of every measure, but instead expects manufacturers to apply only those relevant to their product’s actual risks.
The first and most important decision that the risk assessment supports is determining which of the three parts of the EN 18031 standard applies:
EN 18031-1 for network-related risks,
EN 18031-2 for personal data protection, if applicable,
EN 18031-3 for fraud prevention in monetary transactions.
The activity is carried out through dedicated sessions where the customer explains the product and Security Pattern collects the necessary information to identify threats and assess their severity and feasibility.
OUTPUT: A structured risk assessment document.
Gap Analysis
Once the relevant parts of EN 18031 have been identified through the risk assessment, the next step is the gap analysis.
In this phase, each requirement from the applicable sections of EN 18031 is reviewed using the information provided by the customer. The goal is to check whether the device, in its current state, is likely to meet the RED cybersecurity requirements.
This step does not formally demonstrate compliance, but helps to identify any technical or procedural issues that need to be addressed. Since the conceptual tests required by EN 18031 are highly detailed and formal, it’s more efficient to run them only once the design and documentation are complete and aligned with the standard.
Each requirement is assigned one of the following outcomes:
PASS – appears satisfied based on current information
FAIL – clearly not met
NOT APPLICABLE – does not apply to the product
INCONCLUSIVE – not enough information to evaluate
Any FAIL or INCONCLUSIVE result means additional work or clarification is needed. Security Pattern experts will provide guidance on what needs to be changed and how to address the issue, so that the product can move toward full compliance.
OUTPUT: A gap analysis report listing the outcome for each requirement.
Conceptual Tests
Once all issues and anomalies from the gap analysis have been addressed, the next step is the compilation of the conceptual test documentation.
This work is carried out together with Security Pattern during dedicated sessions, where we review the product design, implementation, and documentation in detail. Based on the collected information, Security Pattern will compile a full Conceptual Test Report in line with the requirements of EN 18031.
This report is a required part of the product’s 'Declaration of Conformity'. It must be kept by the manufacturer and made available in case of inspection by market surveillance authorities.
OUTPUT: Conceptual Test Report compliant with EN 18031.
Vulnerability Assessment
Before moving on to the functional tests, there is one requirement from EN 18031 that needs to be addressed separately: “The equipment shall not include publicly known exploitable vulnerabilities” (EN 18031-1, 6.10.1).
This requirement is more complex than it may seem and involves identifying all known vulnerabilities affecting the device and assessing whether any of them could be exploitable in the context of its usage. If such vulnerabilities are found, they must be addressed before the product is placed on the market.
We explain more details in our blog post: ‘What Manufacturers Must Do to Meet EN 18031 (RED DA) Vulnerability Management Requirements’.
To support manufacturers in this process, Security Pattern developed ARIANNA, a platform for SBOM, HBOM, and vulnerability management. ARIANNA helps identify, assess, and document vulnerabilities, and can provide proof that a device has no known exploitable vulnerabilities. The onboarding phase for ARIANNA consists of two key activities:
Device Model Definition: a list of the device’s components (software, firmware, hardware, protocols) is created. This is done through a technical interview with your product team and a review of build artifacts.
Vulnerability Report and discussion: based on the collected information, Security Pattern generates a vulnerability report via the ARIANNA Platform. This report is reviewed together with the client to ensure all findings are properly understood, with a special focus on the potentially exploitable vulnerabilities.
This vulnerability report serves as evidence of compliance with EN 18031’s vulnerability requirement. However, it represents a snapshot in time. Since new vulnerabilities emerge constantly, manufacturers should continue monitoring their devices and apply security updates when necessary throughout the entire device’s lifecycle.
OUTPUT: Device model and Vulnerability Report via the ARIANNA Platform.
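As an added illustration (not code from this post or from the ARIANNA platform), here is a minimal Python model of the two onboarding activities above: a device model matched against a vulnerability feed, with each hit assessed for exploitability in the device's usage context. Component names, versions and vulnerability IDs are constructed placeholders, and the "the affected feature must be enabled to reach the flaw" rule is an assumed simplification of a real exploitability analysis.

```python
from collections import Counter
from dataclasses import dataclass

def _ver(s: str) -> tuple:  # dotted-numeric version key, enough for the data below
    return tuple(int(p) for p in s.split("."))

@dataclass(frozen=True)
class Component:             # one entry of the device model (software/firmware)
    name: str
    version: str
    enabled_features: frozenset  # features active in the production configuration

@dataclass(frozen=True)
class Vuln:                  # one entry of a constructed vulnerability feed
    vid: str
    component: str
    fixed_in: str            # first version that is no longer affected
    requires_feature: str = ""  # feature that must be active to reach the flaw, if any

# Constructed device model and feed; names, versions and IDs are placeholders.
DEVICE_MODEL = [
    Component("tls-lib", "1.2.4", frozenset({"client", "server"})),
    Component("http-server", "2.0.1", frozenset({"basic-auth"})),
    Component("wifi-driver", "5.3.0", frozenset({"station"})),
]
VULN_FEED = [
    Vuln("VULN-EX-001", "tls-lib", "1.2.5", requires_feature="server"),
    Vuln("VULN-EX-002", "http-server", "2.1.0", requires_feature="digest-auth"),
    Vuln("VULN-EX-003", "wifi-driver", "5.2.0"),   # already fixed in 5.3.0
    Vuln("VULN-EX-004", "wifi-driver", "5.4.0"),   # reachable regardless of features
]

def affects(v: Vuln, c: Component) -> bool:
    return v.component == c.name and _ver(c.version) < _ver(v.fixed_in)

def assess(model: list, feed: list) -> list:
    """Match the feed against the model; tag each hit with exploitability in context."""
    findings = []
    for c in model:
        for v in feed:
            if affects(v, c):
                reachable = not v.requires_feature or v.requires_feature in c.enabled_features
                status = "POTENTIALLY_EXPLOITABLE" if reachable else "NOT_EXPLOITABLE_IN_CONTEXT"
                findings.append({"id": v.vid, "component": f"{c.name} {c.version}",
                                 "fixed_in": v.fixed_in, "status": status})
    return findings

def summary(findings: list) -> dict:
    # Per-status counts; any POTENTIALLY_EXPLOITABLE entry must be fixed before CE marking
    return dict(Counter(f["status"] for f in findings))
```

Like the report it mimics, the result is a snapshot: rerun it against a refreshed feed throughout the device's lifecycle, and treat NOT_EXPLOITABLE_IN_CONTEXT entries as candidates for the functional tests rather than as closed.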
Functional tests
Once the conceptual test documentation is complete, Security Pattern performs the functional tests on the actual device, as required by EN 18031.
EN 18031 defines two types of checks:
Functional completeness assessment: ensures that what is described in the conceptual documentation is truly present and active in the device.
Functional sufficiency assessment: verifies that the implementation is technically robust.
The ARIANNA Initial Vulnerability Report is used as input for the functional tests: we verify whether any of the vulnerabilities flagged as potentially exploitable can be practically exploited. This allows us to confirm whether the device is actually compliant with the EN 18031 vulnerability requirement.
To carry out this activity, two samples must be provided:
One in production-ready configuration, with all security features enabled as in the final version for the market.
One in open sample configuration, with a debug interface (such as a terminal or serial port) and verbose output that allows visibility into internal device operations (e.g. firmware version, firmware upgrade success, cloud connection status, etc.).
OUTPUT: Functional Test Report, documenting all results according to EN 18031 specifications.
What To Do Now
The deadline of August 1, 2025, for meeting the RED cybersecurity requirements is getting close. If your product connects to the internet and uses radio interfaces, you need to make sure it’s compliant, both in how it works and in the documentation you’ll need to keep.
Going through the steps we’ve outlined, i.e. risk assessment, gap analysis, conceptual and functional testing, and a vulnerability assessment, will allow you to be ready to self-declare compliance with solid proof in hand.
If you haven’t started yet, you’re already late, as there's only about a month left. Now is the time to act.
How Security Pattern Can Help
Security Pattern supports device manufacturers in preparing for RED DA with the above-mentioned self-assessment activities. Those activities consist of:
Risk assessment
Gap analysis
Conceptual tests
Vulnerability assessment
Functional tests
For more information about our RED DA Compliance-readiness activities, see https://www.securitypattern.com/compliance-readiness/redda
For more information about the ARIANNA platform, see https://www.securitypattern.com/arianna-security-management-platform
Or schedule a demo: want to see the ARIANNA Product Security Management Platform in action? Contact us to schedule a one-hour demo and discuss your specific use case.
