(1)

In accordance with Article 16 of Directive 2014/53/EU of the European Parliament and of the Council (2), radio equipment which is in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, is to be presumed to be in conformity with the essential requirements set out in Article 3 of that Directive where they are covered by those standards or parts thereof.

(2)

By Implementing Decision C(2022)5637 (3), the Commission made a request to the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (Cenelec) for the drafting of new harmonised standards in support of Article 3(3), first subparagraph, points (d), (e) and (f), of Directive 2014/53/EU, for the categories and classes of the radio equipment specified in Commission Delegated Regulation (EU) 2022/30 (4) (‘the request’).

(3)

On the basis of the request, CEN and Cenelec drafted harmonised standards EN 18031-1:2024 on common security requirements for internet connected radio equipment, in support of the essential requirement set out in Article 3(3), first subparagraph, point (d), of Directive 2014/53/EU; EN 18031-2:2024 on common security requirements for internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment, in support of the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU; and EN 18031-3:2024 on common security requirements for internet connected radio equipment processing virtual money or monetary value, in support of the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.

(4)

The Commission, together with CEN and Cenelec, has assessed whether those harmonised standards comply with the request.

(5)

Harmonised standards EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 include numerous sections named ‘rationale’ and ‘guidance’. The section named ‘rationale’ aims to provide a justification for the need to address certain risks. The sections named ‘guidance’ includes examples and considerations on the possibilities to implement certain mitigation measures. Neither of the two aforementioned sections set out specifications. Additionally, the sections named ‘guidance’ include references to standardisation deliverables of national standardisation organisations. As a general rule, harmonised standards should not include normative cross-references to such standardisation deliverables.

(6)

Clauses 6.2.5.1 and 6.2.5.2 of harmonised standards EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 deal with default passwords. Those clauses offer manufacturers the possibility to allow a user not to set or use any password. It is considered that, if this option is implemented, the relevant authentication risks will not be properly addressed and therefore conformity with the essential requirements set out in Article 3(3), first subparagraph, points (d), (e) and (f), of Directive 2014/53/EU would not be ensured.

(7)

Clauses 6.1.3, 6.1.4, 6.1.5 and 6.1.6 of harmonised standard EN 18031-2:2024 include specifications on access control mechanism for toy radio equipment and for childcare radio equipment. More specifically, the implementation categories described under the subsections ‘assessment criteria’ are the following: role-based access control, discretionary access control, mandatory access control or others. Certain of these categories might not be compatible with parental or guardian control. In such a case, it is considered that, if parental or guardian control is not implemented, the relevant authentication risks will not be addressed and, therefore, conformity with the essential requirement set out in Article 3(3), first subparagraph, point (e), of Directive 2014/53/EU would not be ensured.

(8)

Clause 6.3.2.4 of harmonised standard EN 18031-3:2024 includes assessment criteria for secure updates. Four different implementation categories are laid down, based on digital signatures, secure communication mechanisms, access control mechanisms or others. None of the methods alone are sufficient for the treatment of financial assets. It is considered that the assessment criteria do not properly address the relevant authentication risks and cannot therefore ensure conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.

(9)

The references of harmonised standards EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 should therefore be published in the Official Journal of the European Union with restrictions.

(10)

Annex I to Commission Implementing Decision (EU) 2022/2191 (5) provides the references of harmonised standards conferring a presumption of conformity with Directive 2014/53/EU. In order to ensure that the references of harmonised standards drafted in support of Directive 2014/53/EU are listed in one act, the references of harmonised standards EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024 should be included in that Annex, with restrictions.

(11)

Implementing Decision (EU) 2022/2191 should therefore be amended accordingly.

(12)

Compliance with a harmonised standard confers a presumption of conformity with the corresponding essential requirements set out in Union harmonisation legislation from the date of publication of the reference of such standard in the Official Journal of the European Union. This Decision should therefore enter into force on the day of its publication,