Success Story
EN 18031 Compliance Simplified: Loxone's Self-Assessment Success with Z-CMS
About
LOXONE stands for a way of living in which your building thinks with you. Founded in Austria, LOXONE has one clear goal: to make technology serve everyday life—simply and seamlessly. Light, climate, security and energy management all work together in perfect harmony, forming one intelligent system. The result is a space that combines comfort, energy-efficiency and quality of life—effortlessly, every day. With its global presence LOXONE brings this integrated experience to homes and commercial buildings around the world.
Products
At the heart of LOXONE lies a system that understands what you need—without you having to intervene constantly. From the LOXONE Miniserver to sensors, actuators and the app, everything works hand in hand. Lighting, heating, shading, security—all interact smoothly and adapt to you. The Loxone App gives you insight and control when you want it, from wherever you are. And because the system is open to many third-party devices, it grows with you—always simple, reliable and perfectly attuned to your way of living.
Headquarter
Austria
Challenge
Navigating the complexity and ambiguity of the EN 18031 standards made it difficult to document assets and track compliance effectively, resulting in confusion and inefficiencies.
Solution
Implementing Z-CMS provided a structured, automated approach that simplified documentation, streamlined assessments, and enhanced the overall compliance process.
Key Results
3 days to create the first version of Technical Documentation
2-person weeks to complete Technical Documentation
2 person-weeks to perform assessments (tests)
Up to 70% of cost saved by enabling self-assessment
LOXONE's EN 18031 Compliance Journey
At LOXONE, we design and produce high-quality products with a strong emphasis on robust technology and cybersecurity, which we prioritize from the outset. Our engineering team is highly experienced, possessing an deep knowledge of the technologies implemented in our products. Initially, we assumed that complying with the Radio Equipment Directive Delegated Act (RED DA) would simply involve applying the EN 18031 standards and documenting the required information.
We began our compliance project by thoroughly reading and researching the EN 18031 standards. To our surprise, we found these standards to be complex and ambiguous, with little guidance on interpretation. This lack of clarity seemed to be a common issue within the industry; resources on the topic were scarce, and when available, they were often conflicting and inconsistent. In an effort to gain clarity, we participated in a workshop hosted by a testing laboratory; however, it did not provide further clarity.
In our attempts to document the necessary assets, we produced a rough document that ultimately provided no clear direction. Grappling with this frustration led us to discover Zealience's GitHub resources, which offered invaluable templates and insights into interpreting EN 18031. This discovery encouraged us to explore Z-CMS, which we recognized as the structured solution we desperately needed.
Transitioning to Z-CMS proved to be a transformative experience. The software provided a user-friendly, step-by-step approach that guided us through the entire compliance process. The intelligent Q&A format simplified complex regulations into manageable tasks, allowing us to check off items as we progressed. This new structure eliminated ambiguity and helped us maintain clarity and focus.
With Z-CMS, the results were impressive. We dedicated only three days to draft our technical documentation, completing it in just two person-weeks with the efforts of two engineers. Testing was even more streamlined, requiring an additional two person-weeks with one engineer focused solely on this aspect.
As engineers who know our products best, we believe that conducting a self-assessment using Z-CMS without the need for third-party testing laboratories was the most time- and cost-effective solution we could adopt.
What LOXONE Loved About Z-CMS
-
Intelligent Q&A: The complexity and ambiguity of EN 18031 standards were perfectly solved by this feature. The Q&A guided us through the whole documentation process, allowing us to simply answer questions from top to bottom.
-
Task Assignment and Management: Z-CMS enabled us to create tasks for any questions that required further clarification. These tasks were aggregated into the "Task Management" page, ensuring no questions were left unanswered.
-
Test Plan Generation: With just a click, Z-CMS generated a comprehensive test plan based on our input data. We could therefore immediately start testing and complete the assessments required.
Before and After: How Z-CMS Provided More Efficient Approach
| Aspect | Manual Approach (Excel) | Z-CMS Approach |
|---|---|---|
| Time Required | Longer. It would have taken significant amount of time to complete the self-assessment. | Significantly shorter. Creation of documentation and assessments were completed in 4-person weeks. |
| Cost Efficiency | Higher expenses due to a prolonged project duration. It would have been even more expensive in case of third-party involvement. | Substantially lower costs achieved through in-house assessments enabled by Z-CMS. |
| Complexity of Documentation | High. Documenting assets and required information was cumbersome and disorganized. | Low. Structured, user-friendly interface simplifies documentation and testing. |
| Clarity of Compliance Status | Difficult to track overall progress; compliance status was often unclear. | Clear progress tracking through dashboards and visual representations of compliance status. |
| Task Management | Ad-hoc. Individual task management would have required much manual effort. | Integrated. Tasks are automatically aggregated and managed within Z-CMS. |
| Test Plan Development | Manual creation of test plans without clear guidance would have been challenging. | Automated generation of comprehensive test plans with actionable items in a fill-in-the-blank format. |
| In-House Testing Capabilities | Lacked structured support for building testing capabilities. | The automatic generation of detailed test plans helped the establishment of in-house testing capabilities. |
Pain Points and Solutions
1. Complexity and Ambiguities of EN 18031 Standards
Pain Point
Navigating the EU RED DA and EN 18031 standards was extremely challenging due to their complex nature. The standards list requirements in an unclear and illogical order, beginning with ACM-1, which calls for the documentation of all assets accessible by entities. There is a lack of guidance on what constitutes these assets and how to identify them. Consequently, we faced a significant roadblock already at the first requirement: "What are assets, how do we identify them, and when do we know we have documented them all?" The standards do not present their requirements in a logical sequence, which hampers effective implementation.
Solution
The Zealience team developed a new methodology to apply the EN 18031 standards in a logical sequence. Rather than adhering to the order in which the requirements are laid out, the entry point is the documentation of network interfaces. This approach is straightforward, as engineers already know what interfaces are available in the product. From that starting point, the intelligent Q&A guides us through various topics such as assets and security mechanisms in a step-by-step and iterative manner. The questions are well-articulated and supported by comprehensive guidance. As a result, users can input data effortlessly through the intelligent Q&A, and the software generates structured technical documentation and test plans, significantly improving efficiency and clarity.
2. Losing Track of the Overall Compliance Project
Pain Point
EN 18031 requires extensive documentation, and applying the standards manually can quickly become overwhelming. We lost sight of the overall compliance project and our current progress, making it difficult to estimate the workload ahead, which caused anxiety and uncertainty.
Solution
With Z-CMS, various features provide clarity on our progress.
- Progress Tracking: The overall progress percentage is tracked and displayed on the navigation page and dashboard for easy access. The EN 18031 standards are broken down into distinct topics; upon completing a topic, we could mark it as finished, thus increasing the completion percentage. Watching the completion percentage rise as we worked was both satisfying and encouraging.
- Task Management: When answering the Q&As, we encountered questions that required internal checks. In such cases, we could create tasks for those questions. Z-CMS aggregates these tasks on the Task Management page, giving us a comprehensive view of our outstanding tasks. Tasks can be assigned to team members, along with comments, enhancing our team collaboration.
- Dashboard Overview: The dashboard offers a comprehensive view of our overall compliance status. It features Decision Tree breakdowns (Pass, Not Applicable, Fail, Not Answered) clearly displayed for each topic, keeping us well-informed about the compliance statuses of our products. Since we utilize Z-CMS for four product families, the dashboard serves as a convenient tool for tracking our progress and efficiently reporting updates to key stakeholders, including project managers and upper management.
3. Setting Up In-House Testing Capability for Self-Assessments
Pain Point
Creating comprehensive technical documentation is just one part of the compliance process. Following that, we needed to conduct assessments (testing) - a new endeavor as the RED DA is the first regulation requiring product cybersecurity testing in a format similar to pen-testing. This necessitated building in-house capabilities for testing based on the test units outlined in EN 18031. Moreover, the standards do not provide any guidance on how to create test plans, leading to considerable uncertainty.
Solution
Based on the information entered into Z-CMS, the software produces a comprehensive test plan that covers all test units and requirements with just a click. Drawing on their expertise in IoT cybersecurity testing and certifications, the Zealience team developed this test plan. Considering that third-party assessments are often sold at much higher prices, it was impressive that we could produce such a comprehensive and actionable test plan at a fraction of the cost, at any time.
The test plan generated by Z-CMS is immediately actionable and provided in Word format. The software automatically lists all applicable requirements and test units based on our product information. The test plan is structured in a “fill-in-the-blank” style, with required assessments and instructions outlined, along with empty cells for our input. Once all tests are performed and the blanks filled in, the test plan becomes a test report, fulfilling our compliance needs for affixing the CE mark.
The clear instructions enabled us to swiftly establish our in-house testing capabilities for the required assessments. Consequently, with just one engineer assigned to testing, we completed the entire assessments in two weeks. The skills and capabilities developed in-house were invaluable as they enable us to keep on testing for the RED DA and subsequently the Cyber Resilience Act. Since we are the engineers who understand our products the most, we believe that conducting assessments ourselves was significantly more time- and cost-effective compared to outsourcing them to a third-party laboratory.
Conclusion
Transitioning to Z-CMS has transformed our compliance journey with the EN 18031 standards at LOXONE. The automated approach significantly streamlines our documentation and assessment processes, reducing the time required and minimizing the complexities associated with manual methods. By providing clear guidance, structured insights, and efficient task management, Z-CMS allows us to maintain a clear view of our compliance status and progress.
Moreover, the capability to generate actionable test plans drastically cuts down costs compared to outsourcing. The skills and capabilities we have developed in-house through Z-CMS empower us to conduct thorough assessments autonomously, saving us both time and expenses while ensuring our products meet and maintain compliance effectively.
As we continue to self-assess for the RED DA and the upcoming Cyber Resilience Act, we recognize that the advantages of utilizing Z-CMS will contribute to greater agility and resilience within our compliance operations.