EMEA Security Certification Guide: EN 50131, EN 18031-1, and CE Explained for Distributors
When a distributor stocks an alarm system that does not meet the grade required by the local insurer, the outcome is predictable: the installer cannot sign off the system, the end customer does not get insured, and the distributor shoulders the liability. In EMEA, certification is not a badge printed on a box. It is the legal and commercial foundation of every professional security installation.
Yet the certification landscape spans multiple European standards, country-specific marks, and a new cybersecurity regulation that is reshaping what compliance means for wireless security equipment. This guide maps the full terrain for distributors who need to verify product claims with confidence, understand what each certification actually requires, and avoid the gap between marketing language and regulatory reality.
The Three-Layer Certification Structure in EMEA
Security product certification in EMEA operates on three distinct layers. A product must satisfy all applicable layers to be legally sold and professionally installed in a given market. Understanding this structure is essential because one certification does not guarantee another.
Layer 1 — CE Marking. The baseline legal requirement for placing any security product on the European market. CE indicates conformity with applicable EU directives and regulations, including the Low Voltage Directive (2014/35/EU), the EMC Directive (2014/30/EU), and the Radio Equipment Directive (2014/53/EU). CE is a manufacturer-led declaration backed by technical documentation.
Layer 2 — Harmonised European Standards. Standards such as EN 50131 define performance levels for alarm systems. Compliance is technically voluntary under EU law, but insurance companies across Europe effectively mandate it by requiring Grade 2 or Grade 3 equipment as a condition of coverage.
Layer 3 — Country-Specific Marks. Individual EMEA countries maintain additional certification schemes. VdS in Germany, CNPP/APSAD in France, and NSI in the United Kingdom each require independent testing beyond the European base standards. Without these marks, products cannot access insurance-approved installations in those countries.
A product with CE marking and EN 50131 Grade 2 compliance may still face rejection in Germany without VdS certification. Distributors expanding across multiple EMEA markets must evaluate each country’s specific requirements separately.
EN 50131: The European Alarm Standard in Detail
EN 50131 is the harmonised European standard for intrusion and hold-up alarm systems. It defines four security grades that correspond to increasing levels of threat, required detection reliability, and supervision stringency. The grade determines supervision timing, component redundancy, tamper resistance, and communication path requirements.
Insurance companies across Europe tie their premium structures and coverage conditions to these grades. An installation that uses Grade 2 equipment in a building the insurer expects to see Grade 3 can result in refused claims.
Grade 1 — Low Risk
| Dimension | Requirement |
|---|---|
| Target threat | Casual or opportunistic intruder with basic tools |
| Fault supervision | Detection within 60 seconds |
| Intrusion detection | Detects intrusion within 30 seconds |
| Communication | Single-path, no mandatory redundancy |
| Insurance application | Rarely specified by insurers. Suitable for low-value contents in low-risk areas only |
| Market prevalence | Limited — mainly DIY or very low-security environments |
Grade 2 — Low to Medium Risk (The Commercial Standard)
| Dimension | Requirement |
|---|---|
| Target threat | Experienced intruder with common tools |
| Fault supervision | Detection within 40 seconds |
| Intrusion detection | Detects intrusion within 10 seconds |
| Communication | Two-path communication for signalling. Basic tamper protection on detectors |
| Insurance application | The minimum grade accepted by the majority of European insurers for standard commercial premises and residential properties. Most small-to-medium retail, office, and residential installations require Grade 2 |
| Market prevalence | United Kingdom, France, Netherlands, Belgium, Spain, Italy |
Grade 3 — Medium to High Risk
| Dimension | Requirement |
|---|---|
| Target threat | Experienced intruder with portable electronic tools, including jammers and bypass devices |
| Fault supervision | Detection within 10 seconds |
| Intrusion detection | Detects intrusion within 10 seconds |
| Communication | Encrypted communication paths mandatory. Enhanced tamper detection. Jamming detection required. Redundant signalling paths |
| Insurance application | Required for high-value commercial premises: jewellery stores, electronics warehouses, banks, government buildings. Some insurers in Germany and France mandate Grade 3 for any commercial property above a threshold value |
| Market prevalence | Germany (VdS requires Grade 3 for most commercial), Austria, Switzerland, Sweden |
Grade 4 — Maximum Security
| Dimension | Requirement |
|---|---|
| Target threat | Sophisticated intruder with full access to electronic and engineering tools |
| Fault supervision | Detection within 1 second |
| Intrusion detection | Requires defeat-resistant detection across multiple independent paths |
| Communication | Full redundancy. Military-grade tamper protection. Multiple independent encrypted paths. Defeat-resistant enclosures |
| Insurance application | Government, military, intelligence, high-security banking vaults, data centres. Very few standard insurance policies reference Grade 4 |
| Market prevalence | Specified only for highest-security installations across all markets |
Data provenance: The grade definitions, supervision timings, and detection requirements above are drawn from the EN 50131 series as published by CENELEC. Insurance applicability is derived from published guidelines from the Association of British Insurers, GDV (German Insurance Association), and FFSA (French Insurance Federation), cross-referenced with installer certification requirements from NSI and VdS.
EN 18031-1: Cybersecurity for Radio Equipment
EN 18031-1 is the harmonised European standard supporting the Radio Equipment Directive (RED) Delegated Regulation (EU) 2022/30. This regulation introduces mandatory cybersecurity requirements for wireless devices that can connect to the internet — including alarm hubs, sensors, cameras, and smart locks. For the first time, cybersecurity is a legal condition of sale for radio equipment in the EU, not a voluntary add-on.
The regulation targets three categories of risk:
- Network protection. The device must resist unauthorised network access and prevent use as a vector for broader network attacks.
- Data protection. Personal and operational data must be encrypted in transit and at rest, with secure key management.
- Financial transaction integrity. For devices that process payments, transaction data integrity and confidentiality must be maintained.
For security distributors, EN 18031-1 is directly relevant because it applies to virtually every alarm system component that communicates over IP or uses a wireless protocol connected to the internet. This includes modern alarm hubs, IP-enabled detectors, and cloud-managed control panels.
Transition Timeline
| Date | Milestone |
|---|---|
| February 2025 | RED Delegated Regulation (EU) 2022/30 became applicable for new radio equipment placed on the market. Manufacturers must demonstrate cybersecurity compliance |
| Q1 2025 | EN 18031-1 published as a harmonised standard, providing presumption of conformity with the delegated regulation |
| 2025–2026 transition | Market surveillance authorities (OFCOM, BNetzA, ANFR) begin active monitoring. Non-compliant products identified for withdrawal |
| From 2026 | Full enforcement phase. National authorities authorised to withdraw non-compliant products and impose penalties |
What this means for distributors: Any wireless alarm product in your catalogue must now meet cybersecurity requirements as a condition of legal sale in the EU and EEA. Insurers are beginning to reference EN 18031-1 in their certification requirements, particularly for Grade 3 and above installations. Distributors should request EN 18031-1 test reports from manufacturers and confirm the product was tested against the harmonised standard, not merely self-assessed.
Data provenance: The regulatory timeline is based on Delegated Regulation (EU) 2022/30 published in the Official Journal of the European Union on 7 December 2022, and the transition arrangements established in Commission Implementing Decision (EU) 2023/1967. Enforcement timelines may vary by member state transposition.
CE Marking: Self-Declaration vs. Notified Body
CE marking is often misunderstood. It is not a quality certification or a product endorsement. It is a declaration by the manufacturer that the product meets applicable EU health, safety, and environmental requirements. For security products, the route to CE marking depends on the product category and the applicable directives.
Self-declaration (majority of alarm components). Most wired detectors, control panels, and peripheral devices fall under directives where the manufacturer can self-declare conformity. The manufacturer issues a Declaration of Conformity (DoC) and maintains a technical file. No third-party testing is legally required under this route.
Notified body involvement (specific categories). Some radio equipment under the Radio Equipment Directive, fire safety products under the Construction Products Regulation, and certain intruder alarm components require involvement of a Notified Body (NB). The NB reviews the technical documentation, performs independent testing, or both. The NB’s four-digit identification number must appear on the product or packaging.
As a distributor, request three documents for every CE-marked product:
- The Declaration of Conformity (DoC). Must list the applicable directives and harmonised standards by reference number. A generic DoC with no specific standard references is a red flag.
- The technical file reference. The manufacturer must be able to produce technical documentation within a reasonable timeframe if requested by a market surveillance authority.
- The Notified Body certificate (if applicable). Verify the NB number is listed in the NANDO database — the European Commission’s official registry of notified bodies.
Data provenance: CE marking requirements and conformity assessment procedures are established in Decision No 768/2008/EC on the marketing of products and the “Blue Guide” on EU product rules (2022/C 247/01). Notified body registration is verified against the European Commission NANDO database.
Country-Specific Certifications Across EMEA
Beyond European-level standards, individual countries maintain certification schemes that effectively gate access to insured installations. Distributors expanding across EMEA must understand which marks apply in each target market. See our EMEA country-specific certification pages for detailed requirements per market.
VdS (Germany)
VdS Schadenverhütung is the dominant certification body for security equipment in Germany. VdS certification typically requires EN 50131 Grade 3 for commercial applications. Products are tested at the VdS laboratory in Cologne. German insurers, through the GDV association, expect VdS-certified equipment for insured premises. A product with EN 50131 Grade 2 claimed compliance but no VdS mark will not be accepted by most German installers.
CNPP / APSAD (France)
CNPP (Centre National de Prévention et de Protection) manages the APSAD certification scheme for intrusion detection systems. APSAD certification is referenced by French insurers through France Assureurs. French insurance contracts commonly specify APSAD certification as a condition for coverage. The certification covers detectors, control panels, alarm transmission equipment, and monitoring centres.
NSI and SSAIB (United Kingdom)
Following Brexit, the United Kingdom operates its own conformity framework. NSI (National Security Inspectorate) and SSAIB (Security Systems and Alarms Inspection Board) are the two UKAS-accredited certification bodies for security installers and products. While product certification follows EN 50131 standards, UK insurers typically require that both the product and the installing company hold appropriate certification. Products sold in the UK also require UKCA marking, which aligns closely with CE requirements for most security product categories.
SBSC (Sweden)
SBSC (SäkerhetsBranschens SC) provides third-party certification for security products in Sweden. The scheme references EN 50131 but adds Swedish-specific requirements for communication protocols and alarm receiving centre integration. Swedish insurers expect SBSC certification or equivalent third-party verification for commercial installations and are increasingly referencing this in policy terms.
CNBOP-PIB (Poland)
CNBOP-PIB (Centrum Naukowo-Badawcze Ochrony Przeciwpożarowej im. Józefa Tuliszkowskiego) is the Polish certification body for security and fire safety equipment. Poland applies conformity assessment for alarm systems under national building regulations. While EN 50131 is the reference standard, CNBOP-PIB certification is commonly required by Polish insurers and local building codes, particularly for commercial premises.
IMQ (Italy)
IMQ (Istituto del Marchio di Qualità) provides voluntary certification for security products in Italy. Although technically voluntary under EU law, IMQ certification is widely referenced by Italian installers and insurance companies. Products without IMQ certification face significant market resistance in Italian residential and commercial security installations.
SSF / Norwegian Insurance Association (Norway)
Norway follows EN 50131 standards as an EEA member state. The Norwegian Insurance Association (Norsk Forsikringsforbund) sets additional requirements through its certification guidelines for insured premises. While CE marking is accepted for legal sale, insurers commonly require third-party verification of EN 50131 Grade 2 or Grade 3 compliance. Products tested and certified by recognised European bodies such as VdS, CNPP, or equivalent are typically accepted.
Data provenance: Country-specific certification requirements above are based on published documentation from the relevant certification bodies and cross-referenced with insurance association guidelines from GDV (Germany), France Assureurs (France), the Association of British Insurers (UK), and the Norwegian Insurance Association. Requirements may change — distributors should verify current status directly with the certification body.
Certified vs. “Designed to Meet” vs. “Compatible” — How to Verify Claims
Manufacturers use three different types of claims about standards compliance. Understanding the difference protects your liability as a distributor and ensures your customers receive products that perform as required. This section complements our broader guide on how to evaluate a security brand by focusing specifically on certification claims verification.
“Certified.” The product has been independently tested by a recognised certification body or an accredited in-house laboratory. The certification body issues a certificate with a unique reference number. This is the only claim an installer or insurer can rely on for compliance verification.
“Designed to meet.” The manufacturer engineered the product to comply with the standard but has not necessarily completed independent testing or received certification. This is a design intent claim, not a certification claim. Distributors should ask: “When will independent certification be completed, and what is the timeline?”
“Compatible with.” The product can function within a system certified to a given grade but is not itself certified to that grade. For example, a detector marketed as “compatible with Grade 2 systems” may only be Grade 1 certified. The system grade is determined by its lowest-certified component, so mixing compatibility claims with certification claims can create compliance gaps.
Verification Steps for Distributors
- Request the certification certificate, not just the data sheet or marketing brochure
- Verify the issuing body is accredited and listed in the NANDO database (for EU-recognised marks)
- Check the certificate validity period — certifications have expiry dates
- Confirm the scope of certification covers the specific product model and firmware version
- For wireless products, request the EN 18031-1 test report separately from the EN 50131 certificate — they cover different requirements
- Maintain a file of current certificates for every product in your catalogue, with renewal reminders
Data provenance: The distinction between certification claim types is established in ISO/IEC 17000 (conformity assessment — vocabulary and general principles) and reinforced by EU market surveillance guidance in the “Blue Guide” on EU product rules (2022/C 247/01).
EN 18031-1 Transition Timeline: What Distributors Should Do Now
By mid-2026, full enforcement of cybersecurity requirements under RED Delegated Regulation (EU) 2022/30 is expected across EU member states. National market surveillance authorities have the power to withdraw non-compliant products from the market and impose administrative penalties on distributors and importers.
Distributors should take these actions now:
- Audit your inventory. Identify every wireless product in your catalogue that communicates over IP or can connect to the internet. These are all subject to EN 18031-1 requirements.
- Request compliance documentation. Contact each manufacturer for their EN 18031-1 test report. Products certified before 2024 may not have been tested against the cybersecurity requirements — request updated documentation.
- Update supplier onboarding criteria. Make EN 18031-1 compliance a formal condition for adding any new wireless product to your catalogue, alongside existing EN 50131 and CE requirements.
- Inform your installer network. Notify installers that EN 18031-1 compliance may affect which products they can specify for insured Grade 3 installations. Provide guidance on what documentation to request from end users.
- Review existing contracts. Check your distribution agreements for compliance obligations. Some contracts already reference “all applicable regulations,” which now includes the cybersecurity requirements.
Six Questions Every Distributor Should Ask Manufacturers
- What grade of EN 50131 does this product hold, and which certification body issued the certificate? Look for a named certification body and a certificate reference number. Vague claims without documentation are not sufficient.
- Has this product been tested to EN 18031-1, and can you provide the test report? Self-declaration is not sufficient for cybersecurity requirements. Request the actual test report showing which clauses were tested and the results.
- Which country-specific certifications does this product currently hold? Ask specifically about VdS, CNPP/APSAD, NSI, SBSC, CNBOP-PIB, and IMQ. A product with only CE marking has limited market access across EMEA.
- Is the certification tied to a specific firmware version, and how does recertification work after updates? Firmware changes can invalidate cybersecurity certifications. Manufacturers should have a documented process for recertification after significant software updates.
- What environmental and end-of-life compliance documentation do you provide? ROHS, WEEE, and REACH compliance documentation may be required by your customers or national waste management regulations.
- What is the certification pipeline for markets where the product is not yet certified? If a product is “designed to meet” Grade 3 or a specific country mark but not yet certified, request a written certification timeline with target dates.
Frequently Asked Questions
What is the practical difference between EN 50131 Grade 2 and Grade 3 for an installer?
Grade 3 adds mandatory jamming detection, encrypted communication between all system components, and stricter supervision timing (10 seconds for fault detection versus 40 seconds under Grade 2). For the distributor, Grade 3 products cost more but are required for high-value commercial premises and for markets such as Germany where VdS mandates Grade 3 for most insured commercial installations.
Is EN 18031-1 mandatory for all wireless security products as of 2026?
EN 18031-1 compliance became mandatory for new radio equipment placed on the market under RED Delegated Regulation (EU) 2022/30 from February 2025. As of 2026, full enforcement is expected across EU member states. Products already in the supply chain before the effective date are covered by transitional arrangements, but all new stock entering the market should have EN 18031-1 compliance documentation. Verify with each manufacturer that their products are tested against the harmonised standard.
Does CE marking mean a product is certified for all EU countries?
No. CE marking allows legal sale across the EU and EEA, but it does not guarantee acceptance by insurance companies in individual countries. Germany (VdS), France (CNPP/APSAD), the United Kingdom (NSI/SSAIB), Sweden (SBSC), Poland (CNBOP-PIB), Italy (IMQ), and Norway each maintain additional certification schemes that insurers require for coverage on insured premises. CE marking is the starting point for market access, not the endpoint for market acceptance.
Can a product be described as “compatible with Grade 2” without being certified to Grade 2?
Yes. This is a common marketing claim that distributors should treat with caution. “Compatible with” means the product can function within a Grade 2 system but is not itself certified to Grade 2. The system grade is determined by its lowest-certified component, so using non-certified components in a certified system can void the overall system certification. Request the actual certification certificate, not the marketing language.
What documents should I request to verify a manufacturer’s certification claim?
Request the certification certificate with a unique reference number, verify the issuing body is listed in the NANDO database (for EU-recognised marks), check the certificate validity period, and confirm the specific product model and firmware version are covered. For CE marking, request the Declaration of Conformity listing specific harmonised standards. For wireless products, also request the EN 18031-1 test report. Certification claims in marketing materials without supporting documentation should not be relied upon.
What are the legal risks of distributing uncertified or under-certified products?
The installer bears immediate liability with the end customer if the system fails to meet insurance requirements, but the distributor faces contractual liability, product returns, and reputational damage. Under EU market surveillance regulations, national authorities can issue product withdrawal orders, require recalls, and impose administrative penalties on distributors and importers of non-compliant products. In regulated markets, these penalties can apply per-unit and accumulate significantly.
Compliance as a Commercial Advantage
Distributors who master the EMEA certification landscape can turn it into a competitive differentiator. When you can tell an installer exactly which certifications a product holds across every country in their territory, you reduce their specification risk and make the purchasing decision simpler. Certification expertise shortens sales cycles and builds trust.
The Roombanker Hub and wireless sensors are independently tested and certified to EN 50131 Grade 2 (Eurofins Product Testing, 2025), and are designed to meet EN 18031-1 cybersecurity requirements with test documentation available to distribution partners on request. Additional country-specific certifications are in active development for key EMEA markets. The RBF Protocol and RBF SIP Chip are designed to meet EN 18031-1 cybersecurity requirements, with test documentation available to distribution partners on request.
For a complete reference framework covering certification requirements across 12 EMEA markets, including step-by-step verification procedures for each country-specific mark, template questions for manufacturer audits, and a compliance timeline tracker, download the EMEA Certification Checklist for Distributors.
Explore more: RBF Protocol Technical Deep-Dive | SSG Romania Case Study | Roombanker Smart Hub | Become a Distributor