Your WiFi smart lighting already has CE marking for safety and EMC. From 1 August 2025, CE marking must also cover cybersecurity. The 50-page Word document you assembled from NCSC guides is not the documentation that Art. 21 of Directive 2014/53/EU requires.
You manufacture smart lighting with WiFi and Zigbee for offices, hospitals and residential use. You have UKCA and CE marking for safety (Art. 3(1)(a)) and EMC (Art. 3(1)(b)). For the UK, there is no cybersecurity equivalent — yet. For the EU, Delegated Regulation (EU) 2022/30 activates Art. 3(3)(d) and, if your system processes personal data through a management dashboard, Art. 3(3)(e). Your existing Word document does not follow the EN 18031 structure. A consultancy quotes £12,000 per model. REDCheck generates the 5 PDF documents structured under Art. 21 and Annex V. 30 minutes. €99 per product. 100% in your browser.
€99 one-time payment · 5 PDF documents in ZIP · 30 minutes · 100% in your browser
Cybersecurity documentation for smart lighting: the numbers
WiFi-connected smart lighting communicates over the internet — for remote control, scheduling, firmware updates or building management integration. Art. 1(1) of Delegated Regulation (EU) 2022/30 applies Art. 3(3)(d). If the management dashboard processes personal data (user accounts, occupancy patterns), Art. 3(3)(e) applies too.
1 Aug 2025: Application date — EU cybersecurity requirements mandatory. No UKCA equivalent.
Art. 3(3)(d): Network protection — mandatory for all WiFi smart lighting that communicates over the internet
£12,000: Typical consultancy cost per product model. REDCheck: €99
What REDCheck does with your smart lighting data
You enter your product specifications. REDCheck structures the cybersecurity documentation requirement by requirement, following the EN 18031 categories.
Company details
Legal name, role under Directive 2014/53/EU (manufacturer, Art. 10), country of manufacture, EU contact.
Product classification
Determines which essential requirements apply: Art. 3(3)(d) (network protection) for all internet-connected smart lighting. Art. 3(3)(e) (personal data) if your management dashboard processes personal data.
Cybersecurity assessment
Requirement-by-requirement review mapped to EN 18031-1 (network) and EN 18031-2 (personal data) categories: access control, authentication, secure communications, software updates, vulnerability management.
Risk assessment
Assessment of implementation status for each applicable requirement of Arts. 3(3)(d) and (e). Maps your answers to a structured risk table.
EU Declaration of Conformity
Formal declaration under Art. 18 and Annex VI. Signed by the manufacturer. Basis for CE marking under Arts. 19–20.
Download ZIP
5 PDF documents generated in your browser. Add to your technical file alongside test reports and user manual. Retain for 10 years (Art. 10(4)).
Three mistakes smart lighting manufacturers make about RED cybersecurity
❌ COMMON ERROR
"Smart lighting is a building product — not consumer electronics"
Directive 2014/53/EU does not distinguish between consumer and commercial applications. Art. 1(1) of Delegated Regulation (EU) 2022/30 applies Art. 3(3)(d) to ANY radio equipment that communicates over the internet. A WiFi-connected luminaire in an office building has the same documentation obligation as a smart plug in a home.
❌ COMMON ERROR
"We wrote our own cybersecurity documentation using NCSC guides"
UK National Cyber Security Centre guides provide valuable cybersecurity advice. However, they do not follow the structure of EN 18031-1 and EN 18031-2, do not reference Art. 21 and Annex V of Directive 2014/53/EU, and do not produce the documentation format that EU market surveillance authorities expect. A well-intentioned Word document is not a technical file.
❌ COMMON ERROR
"Zigbee doesn't connect to the internet — only WiFi does"
If your smart lighting system uses BOTH Zigbee and WiFi, the system communicates over the internet. Art. 3(3)(d) applies to the product. The fact that Zigbee operates on a local mesh network is irrelevant — the product as a whole is internet-connected via its WiFi function.
What's in the ZIP
5 PDF documents generated from your smart lighting data. Each cites the exact article of Directive 2014/53/EU that it covers.
1. Product Classification: Art. 1, Del. Reg. (EU) 2022/30 + Art. 3(3), Dir. 2014/53/EU.
2. Cybersecurity Technical Documentation: Art. 21 + Annex V. Requirement-by-requirement documentation.
3. Risk Assessment: Arts. 3(3)(d) and (e). Structured risk table.
4. EU Declaration of Conformity: Art. 18 + Annex VI.
5. Simplified Declaration + Label: Art. 10(9) + Annex VII.
Look before you buy — Download sample dossier (PDF, fictitious product) — Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No product data leaves your computer.
What you pay
🧾 CONSULTANCY / LAB: £12,000. Per product model. Weeks of wait. 5 models = £60,000.
✓ REDCHECK: €99. 5 documents. 30 minutes per model. 5 models = €495.
Technical documentation and third-party testing: two layers
● LAYER 1
Cybersecurity technical documentation (Annex V)
5 PDF documents. 30 min. €99 per product. The documentation that Art. 21 requires BEFORE your product can bear CE marking.
∅ LAYER 2
Conformity assessment by a Notified Body
If you fully apply EN 18031, you can self-declare via Module A (Annex II) without a Notified Body. If you partially apply or don't apply the harmonised standards, Art. 17(4) requires third-party involvement. REDCheck does not replace a Notified Body — it generates the documentation that is a prerequisite for any conformity route.
We do not sell testing. We do not sell consulting. We sell the tool that structures your cybersecurity documentation under Art. 21 and Annex V.
What happens without cybersecurity documentation
Art. 46 of Directive 2014/53/EU requires Member States to establish penalties that are effective, proportionate and dissuasive.
🇪🇺 Market withdrawal and sales prohibition: Immediate
Art. 40 of Directive 2014/53/EU. Market surveillance authorities can require withdrawal across all 27 Member States.
🏥 Hospital and public building contracts: Contract loss
Public procurement in the EU increasingly requires full CE compliance documentation, including cybersecurity. A missing Art. 3(3)(d) declaration can disqualify your bid for hospital or office building lighting projects.
🇩🇪 Germany — Produktsicherheitsgesetz: €3,000–€30,000
Produktsicherheitsgesetz §19 fines. Up to 1 year imprisonment for serious offences (§20). Germany accounts for ~25% of EU commercial lighting purchases.
Alternatives
| Alternative | Cost | What you get |
| --- | --- | --- |
| EU cybersecurity consultancy | £12,000 | Per model. Weeks of wait. |
| UK-based regulatory advisor | £6,000–10,000 | May not know EN 18031 structure. |
| Assemble documentation yourself | £0 (your time) | EN 18031 has 600+ pages. No template. |
| REDCheck | €99 | 5 documents, 30 min, per model |
Manufacturing more than one smart lighting model?
If you document 10 or more product models, write to us for the Professional Pack: €999 for 70 generations with a single license key. One generation per product model.
Request volume pricing. Reply within one business day.
What REDCheck guarantees and what it does not
REDCheck generates a document structured under Art. 21 and Annex V of Directive 2014/53/EU based on the information you enter. The truthfulness, accuracy and completeness of that information is your responsibility as manufacturer of the radio equipment.
We guarantee that the document structure follows Art. 21 and Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case, nor by a commercial buyer in a procurement process.
REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
Frequently asked questions — RED cybersecurity for smart lighting
My luminaire uses Zigbee only — no WiFi. Does Art. 3(3)(d) apply?
If your luminaire uses Zigbee only and does not communicate over the internet, directly or indirectly, Art. 3(3)(d) does not apply. However, if the Zigbee luminaire connects to a gateway that communicates over the internet, the gateway itself is internet-connected and requires documentation. Check your system architecture.
Does our building management dashboard trigger Art. 3(3)(e)?
If the dashboard processes personal data — user accounts, occupancy patterns linked to individuals, energy usage per room associated with identifiable tenants — Art. 3(3)(e) applies to the radio equipment under Art. 1(2)(a) of Delegated Regulation (EU) 2022/30.
Is there a UKCA equivalent of the RED cybersecurity requirements?
As of the application date, the UK has not adopted an equivalent of Delegated Regulation (EU) 2022/30. UKCA does not include cybersecurity requirements for radio equipment. The UK PSTI Act covers different requirements for consumer connectable products.
Can I use Module A (self-declaration) instead of a Notified Body?
If you fully apply the harmonised standards EN 18031-1, EN 18031-2 and, where applicable, EN 18031-3, you can use Module A (self-declaration, Annex II) under Art. 17(3)(a) of Directive 2014/53/EU. No Notified Body required. If you partially apply or do not apply the standards, Art. 17(4) requires a Notified Body (Module B+C or Module H). REDCheck generates the documentation for both routes.
What happens when the CRA replaces the RED cybersecurity requirements?
The Cyber Resilience Act (Regulation (EU) 2024/2847) will gradually replace the cybersecurity requirements of Art. 3(3)(d), (e) and (f) of Directive 2014/53/EU. The transition is expected by 2027–2028. Until the CRA fully applies, the RED cybersecurity requirements remain in force. Documentation generated now remains valid for products placed on the market during the RED regime.
Is it a subscription?
No. One-time payment. Each license includes a 30-day editing window and up to 10 regenerations. The 5 PDF documents you download are yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the license you give express consent to the immediate generation of the digital content, waiving the 14-day right of withdrawal. Refunds are accepted only for reproducible technical failures reported to hello@solidwaretools.com within 14 days of purchase.
What if the regulation changes?
If Directive 2014/53/EU, Delegated Regulation (EU) 2022/30 or the EN 18031 standards change during your license validity period, you can regenerate the documents with the updated version of the generator at no additional cost.
⚠️ Important notice: REDCheck is a documentary self-assessment tool, not legal advice or a third-party audit. The document is generated from the data you enter. The accuracy of the data is your responsibility under Art. 10(1) of Directive 2014/53/EU. REDCheck does not replace a conformity assessment by a Notified Body where required under Art. 17(4) of the Directive.
Your EU clients expect compliant smart lighting. Generate the cybersecurity documentation in 30 minutes.
Five PDF documents. Art. 21 and Annex V fully structured. Directive 2014/53/EU. Your product data never leaves your computer. The ZIP you download is yours permanently.
€99 per product
One-time payment · No subscription · 30 minutes · 10 regenerations · 30-day editing window · Professional Pack: €999