Selection of Relevant EN 18031 Standards for EU RED Article 3.3 Compliance Testing #14
-
|
If a device has to be tested for EU RED 3.3, under which standard should it be tested? Is it mandatory for every device to be tested under all EN 18031 parts (1, 2, and 3), or can it be tested only under the relevant standard based on the asset type? Who has the authority to decide whether a device should be tested only under a specific standard, and how is this decision made for any given device? For example, if a mobile phone needs to be tested, does it have to be tested under both EN 18031-1 and EN 18031-2 just because it has network, privacy, and security assets? Or can it be tested only under EN 18031-2 if it has more privacy-related assets compared to network assets—meaning that if it were tested under EN 18031-1, some test cases would be not applicable? Similarly, if a Wi-Fi Access Point (AP) needs to be tested, should it be tested only under EN 18031-1 since it has more network-related assets and only minimal privacy-related assets (such as an admin email ID)? Please explain the rationale for testing a device under a specific standard. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Hello @bin-to-hex , Thanks for your question. It is the responsibility of the manufacturer to decide which standard(s) must be applied, and hence under which standard(s) an equipment must be tested. As explained in the Annex A of EN 18031, Section A.2.1 (and in the EU Blue Guide), a manufacturer will start by conducting a "product-relevant risk assessment [...] in order to identify threats and assess risks on the need to fulfil the essential requirements of the Radio Equipment Directive". In other word, the risk assessment enable the manufacturer to identify which essential requirements must be applied (Art. 3.3(d), (e), or (f)). From there, the manufacturer can then apply the respective harmonized standard(s):
This is what dictates the standard(s) against which the equipment must be tested. Note that the "amount of a given asset type" does not influence the standards to be applied. In your example of a Wi-Fi AP, if the manufacturer identifies during the risk assessment that personal information is processed, then the equipment must comply with Art. 3.3 (d) Art. 3.3 (e), and both EN 18031-1 and EN 18031-2 will be applied. Ultimately, it all boils down to the decisions taken by the manufacturer during the risk assessment. Guillaume |
Beta Was this translation helpful? Give feedback.
Hello @bin-to-hex ,
Thanks for your question. It is the responsibility of the manufacturer to decide which standard(s) must be applied, and hence under which standard(s) an equipment must be tested.
As explained in the Annex A of EN 18031, Section A.2.1 (and in the EU Blue Guide), a manufacturer will start by conducting a "product-relevant risk assessment [...] in order to identify threats and assess risks on the need to fulfil the essential requirements of the Radio Equipment Directive". In other word, the risk assessment enable the manufacturer to identify which essential requirements must be applied (Art. 3.3(d), (e), or (f)). From there, the manufacturer can then apply the respective …