Directive 2014/53/EU · Del. Reg. 2022/30Generate my documentation — €99
ACTIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Art. 3(3)(d), Art. 3(3)(e), Art. 3(3)(f) — three cybersecurity requirements under Directive 2014/53/EU. Which ones apply to your product depends on what it does, who it is for and whether it handles money.

Delegated Regulation (EU) 2022/30 does not activate all three requirements for all radio equipment. Art. 3(3)(d) — network protection — applies to ALL internet-connected radio equipment. Art. 3(3)(e) — personal data and privacy — applies to internet-connected equipment that processes personal data, PLUS childcare equipment, toys and wearables regardless of internet connectivity. Art. 3(3)(f) — fraud protection — applies only to equipment that enables money, monetary value or virtual currency transfers. Your documentation must cover exactly the requirements that apply — no more, no less. REDCheck's product classification step determines which articles apply and generates documentation only for the relevant requirements. Use the free test first or go directly to the generator. €99 per product.

Generate my RED documentation — €99Free test: which requirements apply to my product?

€99 one-time payment · 5 PDF documents in ZIP · 30 minutes · 100% in your browser

Directive 2014/53/EU · Art. 3(3)(d)(e)(f) · Art. 21 + Annex V · Art. 18 + Annex VI · Art. 10(9) + Annex VII · Delegated Reg. (EU) 2022/30 · EN 18031-1, -2, -3

The three cybersecurity requirements: at a glance

Each requirement has a different trigger condition defined in Art. 1 of the Delegated Regulation. Understanding which applies is the FIRST step in documentation.

Art. 3(3)(d)
Network protection. Trigger: any radio equipment that communicates over the internet, directly or indirectly (Art. 1(1)). Standard: EN 18031-1.
Art. 3(3)(e)
Personal data and privacy. Trigger: internet-connected equipment processing personal data (Art. 1(2)(a)) OR childcare (b) OR toys (c) OR wearables (d) — the last three even without internet. Standard: EN 18031-2.
Art. 3(3)(f)
Fraud protection. Trigger: internet-connected equipment enabling money, monetary value or virtual currency transfer (Art. 1(3)). Standard: EN 18031-3.

How to determine which requirements apply

Follow this decision tree. REDCheck's product classification step does this automatically.

1
Is your product radio equipment?
Art. 2(1)(1): does it intentionally emit or receive radio waves? WiFi, Bluetooth, BLE, Zigbee, Z-Wave, LoRa, NB-IoT, 4G/5G, DECT, NFC — all are radio technologies.
2
Does it communicate over the internet?
Directly (WiFi to router to internet) or indirectly (BLE to phone, phone to cloud)? If YES → Art. 3(3)(d) applies (Art. 1(1)).
3
Does it process personal data?
Personal data under GDPR Art. 4(1): name, email, location, images, voice, usage patterns, biometrics. If YES AND internet-connected → Art. 3(3)(e) applies (Art. 1(2)(a)).
4
Is it childcare, a toy or a wearable?
Childcare (Art. 1(2)(b)), toy under Dir. 2009/48/EC (Art. 1(2)(c)), or wearable (Art. 1(2)(d))? If YES and processes personal data → Art. 3(3)(e) applies EVEN WITHOUT internet.
5
Does it enable money transfer?
Money, monetary value or virtual currency as defined in Art. 2(d) of Directive 2019/713? If YES → Art. 3(3)(f) applies (Art. 1(3)).
6
Generate documentation for applicable articles
REDCheck covers any combination: (d) only, (d)+(e), (d)+(e)+(f), or (e) alone (childcare/toy/wearable without internet). €99 per product.

Three mistakes about which requirements apply

COMMON ERROR

"Art. 3(3)(d) applies to all radio equipment"

No. Art. 3(3)(d) applies to INTERNET-CONNECTED radio equipment (Art. 1(1)). A DECT baby monitor that communicates locally without internet is NOT subject to Art. 3(3)(d). However, it MAY be subject to Art. 3(3)(e) if it is childcare equipment processing personal data (Art. 1(2)(b)). The trigger for each article is different.

COMMON ERROR

"Art. 3(3)(e) only applies if we collect personal data through an app"

Art. 3(3)(e) applies when the RADIO EQUIPMENT processes personal data — not the app. If the device has a microphone, a camera, or a GPS, the EQUIPMENT is processing personal data. The app is a secondary processor. The trigger is the equipment's capability, not the app's data collection.

COMMON ERROR

"Art. 3(3)(f) applies to any product sold online"

No. Art. 3(3)(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency. Selling a product online is not the same as the product enabling payment. A smart plug sold on Amazon does not enable money transfer. An NFC payment terminal does. The distinction is the PRODUCT's function, not the sales channel.

What's in the ZIP

5 PDF documents. Doc 1 (Product Classification) determines which of Art. 3(3)(d), (e) and (f) apply based on Art. 1 of Del. Reg. (EU) 2022/30.

1

Product Classification

Art. 1, Del. Reg. (EU) 2022/30 + Art. 3(3), Dir. 2014/53/EU.

2

Cybersecurity Technical Documentation

Art. 21 + Annex V. Requirement-by-requirement documentation.

3

Risk Assessment

Arts. 3(3)(d) and (e). Structured risk table.

4

EU Declaration of Conformity

Art. 18 + Annex VI.

5

Simplified Declaration + Label

Art. 10(9) + Annex VII.

Look before you buy — Download sample dossier (PDF, fictitious product) — Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No product data leaves your computer.

What you pay

🧾 CONSULTANCY
€5,000–15,000
Per product model. Weeks of wait.
✓ REDCHECK
€99
5 documents. 30 minutes. Covers any combination of (d), (e), (f).

Technical documentation and third-party testing: two layers

● LAYER 1

Cybersecurity technical documentation (Annex V)

5 PDF documents. 30 min. €99 per product. The documentation that Art. 21 requires BEFORE your product can bear CE marking.

∅ LAYER 2

Conformity assessment by a Notified Body

If you fully apply EN 18031, you can self-declare via Module A (Annex II) without a Notified Body. If you partially apply or don't apply the harmonised standards, Art. 17(4) requires third-party involvement. REDCheck does not replace a Notified Body — it generates the documentation that is a prerequisite for any conformity route.

We do not sell testing. We do not sell consulting. We sell the tool that structures your cybersecurity documentation under Art. 21 and Annex V.

What happens without cybersecurity documentation

Art. 46 of Directive 2014/53/EU requires Member States to establish penalties that are effective, proportionate and dissuasive.

🇪🇺
Market withdrawal and sales prohibition
Immediate

Art. 40 of Directive 2014/53/EU. Market surveillance can require withdrawal across all 27 Member States.

🇩🇪
Germany — Produktsicherheitsgesetz
€3,000–€30,000

Administrative fines under §19. Up to 1 year of imprisonment under §20.

🛒
Marketplace listing removal
Revenue loss

Amazon and EU marketplaces require conformity documentation. Missing cybersecurity documentation triggers listing suspension.

Alternatives

AlternativeCostWhat you get
Notified Body / accredited lab€5,000–10,000 per model3–6 months. Full third-party assessment.
Cybersecurity consultancy€5,000–15,000 per modelCustom report. Weeks of wait.
Assemble documentation yourself€0 (your time)EN 18031 has 600+ pages. No template.
REDCheck€995 documents, 30 min, per model

Documenting more than one product?

Professional Pack: €999 for 70 generations.

Request volume pricing
Reply within one business day.

What REDCheck guarantees and what it does not

REDCheck generates a document structured under Art. 21 and Annex V of Directive 2014/53/EU based on the information you enter. The truthfulness, accuracy and completeness of that information is your responsibility as manufacturer of the radio equipment.

We guarantee that the document structure follows Art. 21 and Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case, nor by a commercial buyer in a procurement process.

REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — which cybersecurity requirements apply

My product is a WiFi smart plug. Which requirements apply?
Art. 3(3)(d): yes — it communicates over the internet via WiFi. Art. 3(3)(e): only if it processes personal data. If the companion app collects email, usage patterns or location, Art. 3(3)(e) applies. If no app and no data collection, only Art. 3(3)(d). Art. 3(3)(f): only if the plug enables monetary transactions — unlikely.
My product is a children's GPS watch with 4G and an app. Which requirements apply?
Art. 3(3)(d): yes — 4G communicates over the internet (Art. 1(1)). Art. 3(3)(e): yes on THREE grounds: (1) internet-connected and processes personal data (Art. 1(2)(a)), (2) wearable processing location data (Art. 1(2)(d)), and (3) possibly childcare equipment (Art. 1(2)(b)) if designed exclusively for childcare. Art. 3(3)(f): only if the watch enables payment.
My product is an NFC payment terminal. Which requirements apply?
Art. 3(3)(d): yes if it communicates over the internet. Art. 3(3)(e): yes if it processes personal data (cardholder data). Art. 3(3)(f): yes — it enables transfer of money (Art. 1(3)). All three requirements apply. REDCheck covers all three in a single documentation package.
What happens when the CRA replaces the RED cybersecurity requirements?
Delegated Regulation (EU) 2022/30 will be repealed with effect from 11 December 2027, when the Cyber Resilience Act — Regulation (EU) 2024/2847 — enters full application. REDCheck covers the window from 1 August 2025 to 11 December 2027. For CRA documentation from that date, SolidwareTools offers CRACheck.
Is it a subscription?
No. One-time payment. Each license includes a 30-day editing window and up to 10 regenerations. The 5 PDF documents you download are yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the license you give express consent to the immediate generation of the digital content, waiving the 14-day right of withdrawal. Refunds are accepted only for reproducible technical failures reported to hello@solidwaretools.com within 14 days of purchase.
What if the regulation changes?
If Directive 2014/53/EU, Delegated Regulation (EU) 2022/30 or the EN 18031 standards change during your license validity period, you can regenerate the documents with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: REDCheck is a documentary self-assessment tool, not legal advice or a third-party audit. The document is generated from the data you enter. The accuracy of the data is your responsibility under Art. 10(1) of Directive 2014/53/EU. REDCheck does not replace a conformity assessment by a Notified Body where required under Art. 17(4) of the Directive.

Find out which requirements apply — and generate the documentation in 30 minutes.

Five PDF documents. Art. 21 and Annex V fully structured. Directive 2014/53/EU. Your product data never leaves your computer.

€99 per product
One-time payment · No subscription · 30 minutes · 10 regenerations · 30-day editing window · Professional Pack: €999
Generate my RED documentation — €99

Related landings

⏳ Deadline

Delegated Regulation 2022/30: deadline 1 August 2025
📋 EN 18031

EN 18031 compliance tool: documentation generator
🛡 Risk assessment

Cybersecurity risk assessment for radio equipment under EN 18031
✓ Last regulatory check: 6 May 2026 · No substantive changes detected · View history