American IoT company selling in the EU: cybersecurity compliance under Directive 2014/53/EU

EU cybersecurity compliance for American IoT companies: the numbers

The EU Radio Equipment Directive applies to any connected device with radio capabilities entering the European market. US IoT companies selling in Europe face a regulatory framework that has no direct equivalent in the US.

1 Aug 2025

Mandatory application date — no further postponements

0 FCC equivalence

FCC certification has zero coverage of EU cybersecurity requirements under Arts. 3(3)(d), (e) and (f)

$15,000–20,000

EU consultancy cost per model. REDCheck: €99

What REDCheck does with your product data

You enter your product specifications. REDCheck structures the cybersecurity documentation requirement by requirement, following the EN 18031 categories.

Company details

Legal name, role under Directive 2014/53/EU (manufacturer, Art. 10), country of manufacture, EU contact.

Product classification

Determines which essential requirements apply: Art. 3(3)(d) (network protection) for all internet-connected equipment. Art. 3(3)(e) (personal data) if your product processes personal data via its app or cloud service.

Cybersecurity assessment

Requirement-by-requirement review mapped to EN 18031-1 (network) and EN 18031-2 (personal data) categories: access control, authentication, secure communications, software updates, vulnerability management.

Risk assessment

Assessment of implementation status for each applicable requirement of Arts. 3(3)(d) and (e). Maps your answers to a structured risk table.

EU Declaration of Conformity

Formal declaration under Art. 18 and Annex VI. Signed by the manufacturer. Basis for CE marking under Arts. 19–20.

Download ZIP

5 PDF documents generated in your browser. Add to your technical file alongside test reports and user manual. Retain for 10 years (Art. 10(4)).

Three mistakes American IoT companies make about EU cybersecurity

❌

COMMON ERROR

"We comply with NIST — that should be enough for Europe"

NIST Cybersecurity Framework and EU Directive 2014/53/EU are separate systems with different legal force. NIST is voluntary guidance. The cybersecurity requirements under Art. 3(3)(d) and (e) are mandatory obligations backed by penalties under Art. 46. Following NIST may help you answer the EN 18031 requirements — but it does not replace the EU documentation.

❌

COMMON ERROR

"Europe is only 15% of revenue — we'll deal with it later"

Delegated Regulation (EU) 2022/30 applies from 1 August 2025. Products already on the EU market without cybersecurity documentation are non-compliant from that date. Market surveillance authorities and marketplace platforms can act immediately. 'Later' means listing removal, market withdrawal and revenue loss.

❌

COMMON ERROR

"Our EU distributor will handle the paperwork"

If you place the product under YOUR brand, you are the manufacturer under Art. 10. The obligation to produce technical documentation is non-delegable (Art. 10(3), Art. 11(1)). An importer (Art. 12) must verify your documentation — they cannot create it for you.

What's in the ZIP

5 PDF documents per product model. Each cites the exact article of Directive 2014/53/EU that it covers.

Product Classification

Art. 1, Del. Reg. (EU) 2022/30 + Art. 3(3), Dir. 2014/53/EU.

Cybersecurity Technical Documentation

Art. 21 + Annex V.

Risk Assessment

Arts. 3(3)(d) and (e).

EU Declaration of Conformity

Art. 18 + Annex VI.

Simplified Declaration + Label

Art. 10(9) + Annex VII.

Look before you buy — Download sample dossier (PDF, fictitious product)

Generated from your data, in your browser. No product data leaves your computer.

What you pay

🧾 EU CONSULTANCY

$15,000–20,000

Per model. 3–6 months. Time zones. 4 product lines = $60,000–80,000.

✓ REDCHECK

€99

5 documents. 30 minutes. 4 product lines = €396.

Technical documentation and third-party testing: two layers

● LAYER 1

Cybersecurity technical documentation (Annex V)

5 PDF documents. 30 min. €99 per product. The documentation that Art. 21 requires BEFORE your product can bear CE marking.

∅ LAYER 2

Conformity assessment by a Notified Body

If you fully apply EN 18031, you can self-declare via Module A (Annex II) without a Notified Body. If you partially apply or don't apply the harmonised standards, Art. 17(4) requires third-party involvement. REDCheck does not replace a Notified Body — it generates the documentation that is a prerequisite for any conformity route.

We do not sell testing. We do not sell consulting. We sell the tool that structures your cybersecurity documentation under Art. 21 and Annex V.

What happens without cybersecurity documentation

Art. 46 of Directive 2014/53/EU requires Member States to establish penalties that are effective, proportionate and dissuasive, including criminal penalties for serious infringements.

🇪🇺

Market withdrawal and sales prohibition

Immediate

Arts. 40(1), 40(4) and 43 of Directive 2014/53/EU.

🛒

Amazon EU listing removal

Revenue loss

Amazon requires conformity documentation. ASINs may be suspended immediately.

📉

Board and investor impact

Strategic

If Europe is 15-20% of revenue and growing, losing EU market access is a board-level event.

Alternatives

Alternative	Cost	What you get
EU compliance consultancy	$15,000–20,000 per model	3–6 months. Custom report.
Hire in-house EU regulatory specialist	$80,000–120,000/year	If you can find one. 3-month onboarding.
Assemble documentation yourself	$0 (your time)	EN 18031 has 600+ pages. Different framework from US.
REDCheck	€99	5 documents, 30 min, per model

Selling more than one IoT product in the EU?

If you document 10 or more product models, write to us for the Professional Pack: €999 for 70 generations.

Request volume pricing

Reply within one business day.

What REDCheck guarantees and what it does not

REDCheck generates a document structured under Art. 21 and Annex V of Directive 2014/53/EU based on the information you enter. The truthfulness, accuracy and completeness of that information is your responsibility as manufacturer of the radio equipment.

We guarantee that the document structure follows Art. 21 and Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date.

REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Does this apply to BLE-only devices or only WiFi?

Art. 1(1) applies Art. 3(3)(d) to any radio equipment that can communicate over the internet, directly or INDIRECTLY. A BLE device that connects to a smartphone which connects to the internet communicates indirectly over the internet. Art. 3(3)(d) applies.

We have Series A funding. Can we justify €99 to our board?

The alternative is $15,000–20,000 per product model at an EU consultancy. At €99 per model, the cost is immaterial relative to the EU revenue at risk. The documentation cites the same articles and annexes that a consultancy would reference.

Can I use Module A (self-declaration)?

Yes, if you fully apply EN 18031. Art. 17(3)(a) allows Module A when harmonised standards are fully applied.

What happens when the CRA replaces RED?

Delegated Regulation (EU) 2022/30 will be repealed from 11 December 2027. REDCheck covers 1 August 2025 to 11 December 2027. For CRA documentation, SolidwareTools offers CRACheck.

Is it a subscription?

No. One-time payment. Each license includes a 30-day editing window and up to 10 regenerations. The 5 PDF documents you download are yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the license you give express consent to the immediate generation of the digital content, waiving the 14-day right of withdrawal. Refunds are accepted only for reproducible technical failures reported to hello@solidwaretools.com within 14 days of purchase.

What if the regulation changes?

If Directive 2014/53/EU, Delegated Regulation (EU) 2022/30 or the EN 18031 standards change during your license validity period, you can regenerate the documents with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: REDCheck is a documentary self-assessment tool, not legal advice or a third-party audit. The document is generated from the data you enter. The accuracy of the data is your responsibility under Art. 10(1) of Directive 2014/53/EU. REDCheck does not replace a conformity assessment by a Notified Body where required under Art. 17(4) of the Directive.

Your American IoT company sells connected devices in Europe. From 1 August 2025, every product needs cybersecurity technical documentation under Art. 21 of Directive 2014/53/EU. FCC does not cover this. Without the documentation, your EU importers cannot legally market your products.

EU cybersecurity compliance for American IoT companies: the numbers

What REDCheck does with your product data

Three mistakes American IoT companies make about EU cybersecurity

"We comply with NIST — that should be enough for Europe"

"Europe is only 15% of revenue — we'll deal with it later"

"Our EU distributor will handle the paperwork"

What's in the ZIP

Product Classification

Cybersecurity Technical Documentation

Risk Assessment

EU Declaration of Conformity

Simplified Declaration + Label

What you pay

Technical documentation and third-party testing: two layers

Cybersecurity technical documentation (Annex V)

Conformity assessment by a Notified Body

What happens without cybersecurity documentation

Alternatives

Selling more than one IoT product in the EU?

What REDCheck guarantees and what it does not

Frequently asked questions

Official legal sources

Your investors expect EU revenue. Generate the cybersecurity documentation in 30 minutes.

Related landings

US manufacturer: RED Directive cybersecurity documentation

FCC vs CE: cybersecurity differences for radio equipment

Module A self-declaration for US manufacturers