Directive 2014/53/EU · Del. Reg. 2022/30

Missing cybersecurity documentation triggers three legal consequences for importers: Art. 43 formal non-compliance, Art. 40 market withdrawal, and national penalties including criminal sanctions. The liability is yours as the economic operator who placed the product on the EU market.

You are an EU importer. Your supplier has no cybersecurity documentation under Art. 3(3)(d) and (e). You placed the product on the market anyway — or you are about to. Art. 43(1)(f): technical documentation not available or not complete — the Member State shall require the economic operator to put an end to the non-compliance. Art. 40(4): the authority can prohibit sale, require withdrawal or order recall. Art. 46: penalties that are effective, proportionate and dissuasive, including criminal penalties. In Germany: €3,000–€30,000 and up to 1 year imprisonment. This is not a risk — it is an obligation with consequences. REDCheck generates the documentation. €99 per product. Send the link to your supplier.

€99 one-time payment · 5 PDF documents in ZIP · 30 minutes · 100% in your browser

Directive 2014/53/EU · Art. 3(3)(d)(e)(f) · Art. 21 + Annex V · Art. 18 + Annex VI · Art. 10(9) + Annex VII · Delegated Reg. (EU) 2022/30 · EN 18031-1, -2, -3

Importer liability for missing documentation: the legal chain

Directive 2014/53/EU constructs a chain of liability. Missing documentation triggers formal non-compliance, which triggers enforcement, which triggers penalties.

Art. 43(1)(f)
Technical documentation not available or not complete = formal non-compliance. Member State requires the economic operator to put an end to it.
Art. 40(4)
If corrective action is not taken: authority can prohibit sale, require withdrawal, order recall.
Art. 46
Member States shall establish penalties — effective, proportionate, dissuasive. Including criminal penalties for serious infringements.

The liability chain — step by step

When cybersecurity documentation is missing, Directive 2014/53/EU activates a specific enforcement sequence.

1. Art. 43(1)(f) — Formal non-compliance
   Market surveillance authority finds that technical documentation is not available or not complete. Requires the economic operator to put an end to the non-compliance.
2. Art. 43(2) — Continued non-compliance
   If the non-compliance persists, the Member State takes all appropriate measures to restrict or prohibit the product being made available on the market, or ensures withdrawal or recall.
3. Art. 40(1) — Risk evaluation
   If the authority has sufficient reason to believe the product presents a risk, it carries out a full evaluation. The importer must cooperate.
4. Art. 40(4) — Prohibition and withdrawal
   If the importer does not take adequate corrective action, the authority takes provisional measures — prohibit, withdraw, recall.
5. Art. 12(7) — Importer corrective action
   The importer must take corrective action on ALL affected products throughout the EU. Not just the products seized — all products of the same type across all Member States.
6. Art. 46 — Penalties
   Member States establish penalties. Germany: €3,000–€30,000 + up to 1 year. Netherlands: €450–€900,000. Italy: €1,000–€100,000.

Three mistakes importers make about liability

COMMON ERROR

"Liability falls on the manufacturer, not the importer"

Art. 12(1): importers shall place ONLY compliant radio equipment on the market. Art. 12(7): if the product is non-compliant, the importer shall take corrective measures. Art. 43: formal non-compliance is enforced against the economic operator — and for imported products, that is the importer on EU soil.

COMMON ERROR

"Missing documentation is a minor infraction — just a warning"

Art. 43(2): if non-compliance persists, the Member State can restrict, prohibit or require withdrawal. Art. 46: penalties include criminal sanctions for serious infringements. Missing cybersecurity documentation for 100+ products is not minor.

COMMON ERROR

"I can produce the documentation retroactively if inspected"

Art. 21(2): the technical documentation shall be drawn up BEFORE the radio equipment is placed on the market. Producing documentation after inspection does not retroactively make the placement lawful. The infringement occurred at the moment of placement.

What's in the ZIP

5 PDF documents generated from the manufacturer's product data. Each cites the exact article of Directive 2014/53/EU that it covers.

1. Product Classification
   Art. 1, Del. Reg. (EU) 2022/30 + Art. 3(3), Dir. 2014/53/EU.
2. Cybersecurity Technical Documentation
   Art. 21 + Annex V. Requirement-by-requirement documentation.
3. Risk Assessment
   Arts. 3(3)(d) and (e). Structured risk table.
4. EU Declaration of Conformity
   Art. 18 + Annex VI.
5. Simplified Declaration + Label
   Art. 10(9) + Annex VII.

Look before you buy — Download sample dossier (PDF, fictitious product) — Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No product data leaves your computer.

The cost of documentation vs the cost of non-compliance

⚠️ NON-COMPLIANCE COST
€3,000–€900,000
Fines per Member State. Plus withdrawal costs. Plus lost revenue. Plus criminal liability.
✓ REDCHECK
€99
5 documents per model. 30 minutes. Send to your supplier.

Technical documentation and third-party testing: two layers

● LAYER 1

Cybersecurity technical documentation (Annex V)

5 PDF documents. 30 min. €99 per product. The documentation that Art. 21 requires BEFORE your product can bear CE marking.

∅ LAYER 2

Conformity assessment by a Notified Body

If you fully apply EN 18031, you can self-declare via Module A (Annex II) without a Notified Body. If you partially apply or don't apply the harmonised standards, Art. 17(4) requires third-party involvement. REDCheck does not replace a Notified Body — it generates the documentation that is a prerequisite for any conformity route.

We do not sell testing. We do not sell consulting. We sell the tool that structures your cybersecurity documentation under Art. 21 and Annex V.

The enforcement chain in detail

Missing documentation activates enforcement across multiple levels.

⚖️
Art. 43 — Formal non-compliance
Immediate action

Missing or incomplete technical documentation. Authority requires end to non-compliance. If it persists: restriction, prohibition, withdrawal.

🇩🇪🇳🇱🇮🇹
National penalties
€3,000–€900,000

Germany: €3,000–€30,000 + 1yr. Netherlands: €450–€900,000. Italy: €1,000–€100,000. Each Member State enforces independently.

🌍
EU-wide recall — Art. 12(7)
Total cost

Corrective action on ALL affected products throughout the EU. Not limited to the Member State that initiated enforcement.

Options for your supplier

| Option | Cost | What your supplier gets |
|---|---|---|
| Notified Body / lab in China | €5,000–10,000 per model | 3–6 months. Full third-party assessment. |
| EU-based cybersecurity consultancy | €5,000–15,000 per model | Custom report. Weeks of wait. |
| Supplier assembles documentation | €0 (their time) | EN 18031 has 600+ pages. No guidance. |
| REDCheck — send them the link | €99 | 5 documents, 30 min, per model |

Importing more than ten product models?

If your suppliers document 10 or more product models, we offer the Professional Pack: €999 for 70 generations with a single license key. You can purchase the Pack and distribute the license key to your suppliers.

Request volume pricing
Reply within one business day.

What REDCheck guarantees and what it does not

REDCheck generates a document structured under Art. 21 and Annex V of Directive 2014/53/EU based on the information you enter. The truthfulness, accuracy and completeness of that information is your responsibility as manufacturer of the radio equipment.

We guarantee that the document structure follows Art. 21 and Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case, nor by a commercial buyer in a procurement process.

REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — importer liability for missing documentation

Does Art. 43 apply even if no cybersecurity incident has occurred?
Yes. Art. 43 addresses formal non-compliance — the documentation itself is missing. No incident is required. The absence of technical documentation is the infringement.
Can I be held personally liable as a company director?
Art. 46 empowers Member States to establish penalties including criminal penalties. In Germany, §20 ProdSG provides for imprisonment. Criminal liability can attach to individuals responsible for placing non-compliant products on the market.
What if my supplier produces documentation after I'm inspected?
Art. 21(2): technical documentation shall be drawn up BEFORE placement on the market. Retroactive documentation does not cure the infringement. The market surveillance authority may accept it as a corrective measure going forward, but the initial non-compliance stands.
What happens when the CRA replaces the RED cybersecurity requirements?
The Cyber Resilience Act (Regulation (EU) 2024/2847) will gradually replace the cybersecurity requirements of Art. 3(3)(d), (e) and (f) of Directive 2014/53/EU. The transition is expected by 2027–2028. Until the CRA fully applies, the RED cybersecurity requirements remain in force. Documentation generated now remains valid for products placed on the market during the RED regime.
Can I use Module A (self-declaration) instead of a Notified Body?
If you fully apply the harmonised standards EN 18031-1, EN 18031-2 and, where applicable, EN 18031-3, you can use Module A (self-declaration, Annex II) under Art. 17(3)(a) of Directive 2014/53/EU. No Notified Body required. If you partially apply or do not apply the standards, Art. 17(4) requires a Notified Body (Module B+C or Module H). REDCheck generates the documentation for both routes.
Is it a subscription?
No. One-time payment. Each license includes a 30-day editing window and up to 10 regenerations. The 5 PDF documents you download are yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the license you give express consent to the immediate generation of the digital content, waiving the 14-day right of withdrawal. Refunds are accepted only for reproducible technical failures reported to hello@solidwaretools.com within 14 days of purchase.
What if the regulation changes?
If Directive 2014/53/EU, Delegated Regulation (EU) 2022/30 or the EN 18031 standards change during your license validity period, you can regenerate the documents with the updated version of the generator at no additional cost.
⚠️ Important notice: REDCheck is a documentary self-assessment tool, not legal advice or a third-party audit. The document is generated from the data you enter. The accuracy of the data is your responsibility under Art. 10(1) of Directive 2014/53/EU. REDCheck does not replace a conformity assessment by a Notified Body where required under Art. 17(4) of the Directive.

Missing documentation is a formal non-compliance. Fix it now. €99 per product. 30 minutes.

Five PDF documents per model. Art. 21 and Annex V fully structured. Directive 2014/53/EU. Data stays in the manufacturer's browser. You verify and file.

€99 per product
One-time payment · No subscription · 30 minutes · 10 regenerations · 30-day editing window · Professional Pack: €999
✓ Last regulatory check: 6 May 2026 · No substantive changes detected