Directive 2014/53/EU · Del. Reg. 2022/30Generate my documentation — €99
ACTIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sourcesView regulatory intelligence →

Your smartwatch processes heart rate, location, sleep data and user accounts. Art. 3(3)(e) of Directive 2014/53/EU requires cybersecurity documentation — and the wearable classification means it applies even without internet connectivity.

A smartwatch is wearable radio equipment under Art. 1(2)(d)(i) — worn on the wrist. If it processes personal data (heart rate, step count, sleep, GPS, user account) — Art. 3(3)(e) applies. Unlike most products, wearables face Art. 3(3)(e) even with Bluetooth-only connectivity. If your smartwatch ALSO connects to the internet (WiFi, LTE), Art. 3(3)(d) applies under Art. 1(1). Double requirement. REDCheck generates the 5 PDF documents covering both. 30 minutes. €99.

Generate my RED documentation — €99Free: does my product need RED cybersecurity documentation?

€99 one-time payment · 5 PDF documents in ZIP · 30 minutes · 100% in your browser

Directive 2014/53/EU · Art. 3(3)(d)(e)(f) · Art. 21 + Annex V · Art. 18 + Annex VI · Art. 10(9) + Annex VII · Delegated Reg. (EU) 2022/30 · EN 18031-1, -2, -3

Smartwatch cybersecurity compliance: the legal framework

Smartwatches sit at the intersection of two regulatory triggers: wearable classification (Art. 1(2)(d)) and internet connectivity (Art. 1(1)). Most smartwatches trigger both Art. 3(3)(d) and Art. 3(3)(e).

Art. 1(2)(d)(i)
Wearable radio equipment — worn on wrist. Triggers Art. 3(3)(e) independently of internet.
Art. 1(1)
Internet-connected — WiFi, LTE, or via phone app. Triggers Art. 3(3)(d).
EN 18031-1 + EN 18031-2
Both harmonised standards may apply. EN 18031-1 (network). EN 18031-2 (personal data).

What REDCheck does with your product data

You enter your product specifications. REDCheck structures the cybersecurity documentation requirement by requirement.

1
Company details
Legal name, role under Directive 2014/53/EU, country, EU contact.
2
Product classification
Determines applicable requirements: Art. 3(3)(d), (e) and/or (f).
3
Cybersecurity assessment
EN 18031 categories: access control, authentication, secure comms, updates, vulnerability management.
4
Risk assessment
Structured risk table per applicable requirement.
5
EU Declaration of Conformity
Art. 18 + Annex VI. Basis for CE marking.
6
Download ZIP
5 PDFs. Add to technical file. Retain 10 years (Art. 10(4)).

Three mistakes smartwatch manufacturers make about Art. 3(3)(e) compliance

COMMON ERROR

"Art. 3(3)(e) only applies to internet-connected devices"

WRONG for wearables. Art. 1(2)(d) creates a SEPARATE trigger. Art. 3(3)(e) applies to wearables that process personal data — regardless of internet connectivity.

COMMON ERROR

"Health data from our smartwatch is anonymous — not personal data"

Heart rate and sleep patterns linked to a user account are personal data under GDPR Art. 4(1). Anonymisation requires that data CANNOT be linked back to the person. Most smartwatch apps maintain user accounts, making anonymisation claims unsustainable.

COMMON ERROR

"Our smartwatch is medically certified — separate regulations apply"

If your smartwatch falls under Regulation (EU) 2017/745 (medical devices), Art. 2(1)(a) EXCLUDES it from RED cybersecurity requirements. However, most consumer smartwatches do NOT qualify as medical devices.

What's in the ZIP

5 PDF documents per product model. Each cites the exact article of Directive 2014/53/EU that it covers.

1

Product Classification

Art. 1, Del. Reg. (EU) 2022/30 + Art. 3(3), Dir. 2014/53/EU.

2

Cybersecurity Technical Documentation

Art. 21 + Annex V.

3

Risk Assessment

Arts. 3(3)(d) and (e).

4

EU Declaration of Conformity

Art. 18 + Annex VI.

5

Simplified Declaration + Label

Art. 10(9) + Annex VII.

Look before you buy — Download sample dossier (PDF, fictitious product)

Generated from your data, in your browser. No product data leaves your computer.

What you pay

🧾 NOTIFIED BODY / CONSULTANCY
€5,000–15,000
Per model. 3–6 months. Dual (d)+(e) requirement may cost more.
✓ REDCHECK
€99
5 documents. 30 minutes. Handles dual requirement automatically.

Technical documentation and third-party testing: two layers

● LAYER 1

Cybersecurity technical documentation (Annex V)

5 PDF documents. 30 min. €99. Art. 21 prerequisite for any conformity route.

∅ LAYER 2

Conformity assessment by a Notified Body

If you fully apply EN 18031, self-declare via Module A (Annex II). If not, Art. 17(4) requires third-party involvement.

We do not sell testing. We do not sell consulting. We sell the tool that structures your cybersecurity documentation.

What happens without cybersecurity documentation

Art. 46 of Directive 2014/53/EU requires effective, proportionate and dissuasive penalties.

🇪🇺
Market withdrawal
Immediate

Arts. 40(1), 40(4) and 43.

🇩🇪
Germany
€3,000–€30,000

Produktsicherheitsgesetz.

🛒
Marketplace listing removal
Revenue loss

Wearables are a high-volume category on Amazon EU.

Alternatives

AlternativeCostWhat you get
Notified Body / consultancy€5,000–15,000/model3–6 months. Dual requirement may cost more.
Internal certification team₩0 (staff time)EN 18031: 600+ pages. Wearable classification is easy to miss.
Assemble yourself₩0 (your time)No guidance on Annex V structure.
REDCheck€995 documents, 30 min, per model

Multiple smartwatch models?

Professional Pack: €999 for 70 generations.

Request volume pricing
Reply within one business day.

What REDCheck guarantees and what it does not

REDCheck generates a document structured under Art. 21 and Annex V of Directive 2014/53/EU based on the information you enter. The truthfulness, accuracy and completeness of that information is your responsibility as manufacturer of the radio equipment.

We guarantee that the document structure follows Art. 21 and Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date.

REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

My smartwatch has LTE connectivity. Does that change which articles apply?
LTE = direct internet connection. Art. 3(3)(d) is triggered. Combined with wearable classification + personal data, you face BOTH Art. 3(3)(d) AND Art. 3(3)(e).
Is the medical device exclusion relevant to my smartwatch?
Only if your smartwatch qualifies as a medical device under Regulation (EU) 2017/745. General fitness/wellness trackers typically do NOT qualify.
My company already complies with GDPR. Does that cover Art. 3(3)(e)?
No. GDPR governs data processing as controller/processor. Art. 3(3)(e) requires the DEVICE to incorporate technical safeguards. These are hardware/firmware-level requirements mapped to EN 18031-2.
Can I use Module A (self-declaration)?
Yes, if you fully apply EN 18031. Art. 17(3)(a) allows Module A.
What happens when the CRA replaces RED?
Delegated Regulation (EU) 2022/30 will be repealed from 11 December 2027.
Is it a subscription?
No. One-time payment. Each license includes a 30-day editing window and up to 10 regenerations. The 5 PDF documents you download are yours permanently.
Can I request a refund?
Under Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the license you give express consent to the immediate generation of the digital content, waiving the 14-day right of withdrawal. Refunds are accepted only for reproducible technical failures reported to hello@solidwaretools.com within 14 days of purchase.
What if the regulation changes?
If Directive 2014/53/EU, Delegated Regulation (EU) 2022/30 or the EN 18031 standards change during your license validity period, you can regenerate the documents with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: REDCheck is a documentary self-assessment tool, not legal advice or a third-party audit. The document is generated from the data you enter. The accuracy of the data is your responsibility under Art. 10(1) of Directive 2014/53/EU. REDCheck does not replace a conformity assessment by a Notified Body where required under Art. 17(4) of the Directive.

Your smartwatch is wearable. It processes personal data. Art. 3(3)(e) applies. Generate the documentation in 30 minutes.

Five PDF documents. Art. 21 and Annex V fully structured. Directive 2014/53/EU. Your product data never leaves your computer.

€99 per product
One-time payment · No subscription · 30 minutes · 10 regenerations · 30-day editing window · Professional Pack: €999
Generate my RED documentation — €99

Related landings

🇰🇷 Korea

Korean wearable manufacturer: RED cybersecurity documentation EU

🏋️ Fitness bands

Fitness band manufacturer: EU cybersecurity documentation cost

🎧 TWS earbuds

TWS earbuds manufacturer US: EU cybersecurity Art. 1(2) wearable

✓ Last regulatory check: 6 May 2026 · No substantive changes detected · View history