When Everything Must Connect

Understanding EU RED & EN 18031-1 Exemptions for Medical Devices: What Manufacturers Need to Know?

Written by Babar Hashim | July 7, 2025

The European Union is ushering in stricter cybersecurity requirements for internet-connected radio equipment under the Radio Equipment Directive (RED). Beginning August 1, 2025, manufacturers must comply with the harmonized standard EN 18031-1, which addresses key cybersecurity provisions.

However, a frequent and important question from our medical device customers is:

"Do medical devices also need to comply with EN 18031-1 under the RED?"

This blog post summarizes current guidance from EU regulations, Silex's internal findings, and lab feedback to help clarify when exemptions apply—and what manufacturers must do.

 

RED and EN 18031-1: A Brief Overview

  • RED (Directive 2014/53/EU): Governs radio equipment sold in the EU, including mandatory cybersecurity requirements under Article 3(3)(d)-(f).
  • Delegated Regulation (EU) 2022/30: Supplements RED by making those cybersecurity clauses enforceable.
  • EN 18031-1: A harmonized standard detailing how to implement cybersecurity for internet-connected radio equipment.

 

Medical Device Exemption: What the Regulation Says

Recital 15 of Delegated Regulation 2022/30 provides a clear exemption:

“Radio equipment to which [MDR or IVDR] apply should therefore not fall within the categories or classes of radio equipment which should comply with the essential requirements set out in Article 3(3), points (d), (e) and (f) of Directive 2014/53/EU.”

What does it mean?

If your product is a medical device regulated under:

  • MDR (Regulation 2017/745), or
  • IVDR (Regulation 2017/746),
    and your cybersecurity risks are addressed under these regulations, you are exempt from EN 18031-1 and RED Article 3(3)(d)-(f).

 

What Medical Device Manufacturers Must Do

To responsibly claim this exemption, manufacturers should:

  1. Verify Device Classification

Confirm that your product falls under:

  • EU MDR (2017/745) – for general medical devices
  • EU IVDR (2017/746) – for in vitro diagnostic devices
  1. Ensure MDR/IVDR Cybersecurity Compliance

You must already address:

  • Secure software lifecycle
  • Risk management & data protection
  • Threat mitigation for connected systems
  • Standards like IEC 80001-5-1
  1. Maintain Documentation

Even if exempt, you should:

  • Document your rationale for the exemption
  • Be prepared to demonstrate compliance under MDR/IVDR
  • Provide evidence during audits or CE marking reviews

 

Guidance from Certification Labs

Silex Technology has confirmed this interpretation with our internal certification team and third-party external labs, which supports the exemption stance, while also stressing that:

The final responsibility lies with the manufacturer.
Labs and suppliers can provide guidance, but only the legal manufacturer can make the compliance decision.

Summary:

Scenario

EN 18031-1 Compliance Needed?

Device regulated under MDR/IVDR and addresses cybersecurity

NO

Device not under MDR/IVDR or lacks cybersecurity controls

YES

Medical device with unclear classification

Investigate Further

 

Final Thoughts

The EU’s evolving cybersecurity landscape can seem complex, but it's designed to ensure product security without duplication. If you're a medical device manufacturer covered by MDR or IVDR and meet the cybersecurity obligations, you may confidently claim exemption from EN 18031-1.

Still unsure? Contact Silex or your regulatory advisor to confirm how this applies to your specific application or product.

Need Help?

Silex Technology offers technical, regulatory, and integration support for medical OEMs. Reach out to your account manager or contact us at sales@silexamerica.com.

 

References
View full post