PROFESSIONAL PACK Dir. 2014/53/EU Buy pack — €999
LIVE Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sources View regulatory intelligence →

A pentest report is not Art. 3.3 documentation. Your IoT clients need formal technical documentation per Annex V — and they expect you to deliver it. 50+ manufacturers, 20 hours per dossier manually, 20 minutes with REDCheck.

You are a cybersecurity consultancy serving manufacturers of connected products — smart home devices, BLE wearables, WiFi sensors, industrial IoT gateways, smart locks. Delegated Regulation (EU) 2022/30 activates Article 3(3), points (d), (e) and (f) of Directive 2014/53/EU. Your clients need formal cybersecurity documentation structured per Annex V, not a vulnerability scan. REDCheck Professional Pack: 70 licenses, €999 one-time. 8 structured PDF documents per product. Generated in your browser in 20 minutes.

Buy pack — €999 See what each dossier includes

€999 · One-time · 70 dossiers · 8 PDFs each · Your data never leaves your browser

Built on Directive 2014/53/EU + Delegated Regulation (EU) 2022/30 · Art. 3.3(d)(e)(f) structure · Annex V mapped · EN 18031 aligned · 100% browser-side — GDPR-native

The numbers that matter for your security practice

You know IoT security. You advise manufacturers on vulnerabilities, threat models, and secure design. Since August 2025, every internet-connected radio product needs formal cybersecurity documentation per Annex V — structured, traceable, ready for market surveillance. The clients asking for a pentest today will ask for Art. 3.3 documentation tomorrow.

70
Dossiers per pack. One license per product per manufacturer. Independent activation.
20 min
Per dossier — vs 15-20 hours of manual regulatory documentation drafting.
8 PDFs
Per product. Applicability report, Annex V documentation, Art. 3.3(d)(e)(f) assessments, DoC, CE marking guidance.

Who uses the professional pack

REDCheck Professional Pack is built for cybersecurity professionals who serve IoT manufacturers and need to formalize Art. 3.3 documentation as a scalable service offering.

🔒
IoT security consultancies
Advising manufacturers of connected devices on cybersecurity. Adding formal Art. 3.3 documentation to the service portfolio.
🛡️
Cybersecurity compliance firms
Translating security assessments into regulatory documentation. Bridging the gap between security testing and CE marking.
🔍
Penetration testing companies
Expanding from test reports to structured regulatory deliverables. Art. 3.3 documentation alongside security assessments.
🌐
Cross-border compliance advisors
Supporting non-EU IoT manufacturers entering the EU market. Ensuring Art. 3.3 documentation meets Annex V requirements.

What documenting 70 clients costs — with and without the pack

Without the pack
€84,000+
Manual drafting: 70 clients × 20h × €60-120/h of senior security engineer time
Or outsource regulatory documentation:
70 clients × €1,200-2,000 = €84,000-€140,000

Or enterprise SaaS platform:
€8,000-20,000/year + onboarding + integration
✓ REDCheck Professional Pack
€999
One payment. 70 dossiers. 20 minutes each.
Total time: 70 × 20 min = ~23 hours
No subscription. No vendor dependency.
No CE marking expertise required.

What this pack actually changes in your practice

Three inputs. Four answers. No signup required.

One license per product
Current time without the tool
Internal cost — not billing rate
×60
Capacity multiplier
Same person. Same hours. More output.
987h
Hours returned to advisory work
Time that goes back to billable engagements
€84,000
Cost of doing it manually
Professional time — documentation alone
First dossier delivered the same day. No setup. No onboarding. No integration project.
Ready on day one
Buy pack — €999
€999 one-time · No subscription · No vendor dependency · Enterprise SaaS alternative: €15,000–30,000/year + weeks of setup

What each dossier includes: 8 structured documents

Every license generates a complete Art. 3.3 cybersecurity documentation package. Each document cites the specific article of Directive 2014/53/EU and Delegated Regulation (EU) 2022/30 it complies with. The output is the formal regulatory deliverable — the pentest and security assessment remain the consultant's domain.

1

Art. 3.3 Applicability Report

Determines which points apply to the product: (d) network protection, (e) privacy and data protection, (f) fraud protection. Based on Delegated Regulation (EU) 2022/30, Articles 1 and 2.

2

Technical Documentation (Annex V)

Complete technical file structure for cybersecurity aspects. Product description, design, development methodology. Article 21 of Directive 2014/53/EU.

3

Network Protection Assessment

Art. 3.3(d) — radio equipment does not harm the network or its functioning nor misuse network resources. Aligned with EN 18031-1.

4

Privacy & Data Protection Assessment

Art. 3.3(e) — safeguards for personal data and privacy of user and subscriber. Aligned with EN 18031-2.

5

Anti-Fraud Assessment

Art. 3.3(f) — features ensuring protection from fraud when the equipment enables monetary transfers. Aligned with EN 18031-3.

6

EU Declaration of Conformity

Per Annex VI of Directive 2014/53/EU. Manufacturer identification, product identification, applicable essential requirements, conformity assessment reference.

7

Simplified EU Declaration of Conformity

Per Annex VII of Directive 2014/53/EU. Short-form declaration with URL reference to the full Declaration of Conformity. Article 10.9.

8

CE Marking Guidance Sheet

Printable label with CE marking, manufacturer contact details, product identification. Articles 19 and 20 of Directive 2014/53/EU.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

How it works — four steps

1
Buy the pack
70 license codes delivered by email via Gumroad. One payment. No subscription.
2
Activate a license
Each license has its own code. Activate when needed. 30-day editing window per license from first activation.
3
Generate the dossier
15-20 minutes. Guided form with references to every article. Enter the product data from the security assessment — the client does not need access to the tool.
4
Deliver to the client
8 PDFs in a ZIP file. Structured, article-by-article. Complements the security assessment with formal regulatory documentation.

Three mistakes that cost security consultancies time and clients

Pattern 1 — Delivering a pentest report when the importer needs Annex V documentation

A security assessment is not a conformity dossier

Article 21 of Directive 2014/53/EU requires technical documentation per Annex V — a structured file with product description, design documentation, conformity assessment references, and test reports. A penetration test or vulnerability scan is valuable supporting evidence, but it does not satisfy the documentation requirement on its own. The importer needs both: the security analysis AND the formal dossier.

Pattern 2 — Ignoring the regulatory documentation layer

Security expertise without regulatory output loses the contract

When a manufacturer receives a request from an importer or distributor for Art. 3.3(d)(e)(f) documentation, they need a deliverable structured per Annex V — not a slide deck. A cybersecurity consultancy that cannot produce formal regulatory documentation sends the client to a CE marking firm. That CE marking firm will bundle all directives and take the entire account.

Pattern 3 — Not formalizing cybersecurity services into a scalable offering

Each dossier from scratch means a bottleneck at 20+ clients

Drafting Art. 3.3 documentation manually for each client takes 15-20 hours per product. At 50+ manufacturers, a senior engineer spends 1,000+ hours on documentation alone. The bottleneck is not expertise — it is production capacity. Without a structured tool, the service does not scale.

Documentation and implementation: two layers

● LAYER 1 — What REDCheck does

Art. 3.3 cybersecurity documentation

8 structured PDF documents per product. Network protection assessment (Art. 3.3(d)), privacy and data protection assessment (Art. 3.3(e)), anti-fraud assessment (Art. 3.3(f)), Declaration of Conformity, CE marking guidance. Generated from input data in 20 minutes. Article-by-article traceability to Directive 2014/53/EU and Delegated Regulation (EU) 2022/30.

∅ LAYER 2 — What REDCheck does not do

Security testing and product implementation

Penetration testing, threat modelling, vulnerability scanning, firmware reverse engineering, secure boot implementation, SBOM generation from source code, EN 18031 laboratory testing, radio protocol security analysis. These are implementation-level services. REDCheck documents the cybersecurity posture — it does not assess it.

REDCheck structures and documents. The consultancy assesses, tests, and advises. The two layers complement each other — the security consultant fills the dossier with substance, and REDCheck provides the regulatory structure.

What your clients face without documentation

These are the consequences under Directive 2014/53/EU for radio equipment that does not comply with the essential requirements of Article 3(3). This is the argument to present when a client asks why formal documentation matters alongside a security assessment.

🇪🇺
Product withdrawal or recall by market surveillance
Market access blocked

Article 40 of Directive 2014/53/EU. Market surveillance authorities can require corrective measures, withdrawal from the market, or product recall for non-compliant radio equipment.

🇪🇺
National penalties — effective, proportionate, and dissuasive
Set by each Member State

Article 46 of Directive 2014/53/EU. Member States impose penalties for non-compliance, which may include criminal penalties for serious infringements.

🇪🇺
Formal non-compliance — CE marking blocked
Market prohibition

Article 43 of Directive 2014/53/EU. Missing or incomplete technical documentation, absent EU Declaration of Conformity, or improper CE marking triggers formal non-compliance proceedings and prohibition from the market.

The clients face these consequences. The consultancy offers the documentation that prevents them.

Alternatives for documenting 70 clients

OptionCost for 70 clientsTotal timeOutput quality
Manual drafting (Word templates)Professional time only1,400+ hoursVariable, no Annex V-specific structure
Outsource to CE marking firm€84,000-€140,000Depends on providerHigh, but cost-prohibitive at scale
Enterprise SaaS platform€8,000-€20,000/year2-4 weeks setupHigh, requires integration
REDCheck Professional Pack€999 (one-time)~23 hours totalStructured, Art. 3.3(d)(e)(f), article-by-article

What REDCheck guarantees and what it does not

REDCheck generates a structured documentation package covering Article 3(3), points (d), (e) and (f) of Directive 2014/53/EU, as activated by Delegated Regulation (EU) 2022/30, according to Article 21 and Annex V, from the information that the user enters. The truthfulness, accuracy and completeness of that information is the responsibility of the manufacturer — or of the consultant entering data on their behalf.

We guarantee that the document structure follows Annex V of Directive 2014/53/EU and that the legal references cited are correct as of the latest verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case, nor by a commercial buyer in a procurement process.

REDCheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions — professional pack

How do the 70 licenses work?
Each license is activated with a unique code and is associated with one specific product and manufacturer. One license equals one Art. 3.3 cybersecurity documentation dossier. The 70 licenses are used independently. They do not expire as a block — each one has its own 30-day editing window from its individual first activation.
Can I request a refund?
The pack is a digital product governed by Article 16(m) of Directive (EU) 2011/83 on consumer rights. By activating the first license and expressly confirming PDF generation, the buyer consents to the downloadable digital content nature of the product and waives the right of withdrawal. Refunds are accepted only for reproducible technical failures (generator error, PDF that does not download, verifiable bug) within 14 calendar days of purchase.
What if the regulation changes?
Unused licenses will generate the dossier using the updated version of the generator at no additional cost. REDCheck is updated within 48 hours of any regulatory change published in the Official Journal of the European Union.
Do I need legal expertise to use the tool?
No. The generator guides step by step with references to each article of Directive 2014/53/EU and Delegated Regulation (EU) 2022/30. The user enters the product data — manufacturer details, product description, radio technology, connectivity, security features, data processing activities. The tool structures the dossier according to Annex V. It does not replace legal advice but reduces documentation time from hours to minutes.
My deliverable is usually a pentest report. How is Art. 3.3 documentation different?
A penetration test report evaluates the security posture of a product at a point in time. Art. 3.3 documentation under Directive 2014/53/EU is formal technical documentation per Annex V that must demonstrate compliance with the essential requirements of Article 3(3)(d) (network protection), (e) (privacy safeguards), and (f) (anti-fraud measures), as activated by Delegated Regulation (EU) 2022/30. The documentation must be structured, traceable to specific articles, and available for market surveillance inspection. A pentest report can serve as supporting evidence within the dossier, but it is not the dossier itself. REDCheck generates the formal documentation structure and references; the security consultant contributes the technical substance.
My clients are non-EU manufacturers selling in Europe. Who is responsible for the documentation?
Under Article 10 of Directive 2014/53/EU, the manufacturer is responsible for drawing up the technical documentation and carrying out the conformity assessment. For non-EU manufacturers, Article 12 requires the importer to verify that the manufacturer has fulfilled these obligations before placing the product on the EU market. In practice, when a non-EU manufacturer has not produced Art. 3.3 cybersecurity documentation, the security consultant can generate it using the manufacturer's product data and deliver it as part of the compliance service — either to the manufacturer directly or to the EU importer who requires it.

Official legal sources

Directive 2014/53/EU — Radio Equipment Directive (EUR-Lex) Commission Delegated Regulation (EU) 2022/30 — supplementing Directive 2014/53/EU on Art. 3.3(d)(e)(f) (EUR-Lex)
⚠️ Important notice: REDCheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The documents are generated from your input data. You are responsible for the accuracy of the data you provide. REDCheck does not replace a qualified professional assessment.

Delegated Regulation (EU) 2022/30 has been in force since August 2025. Your IoT clients already need security assessments. The question is whether you add formal Art. 3.3 documentation to your service — or they find someone who does.

70 licenses. 8 PDF documents per product. Art. 3.3(d)(e)(f) structure. Browser-side. One payment.

€999 one-time
70 dossiers · 20 minutes per client · One payment · Directive 2014/53/EU + Delegated Regulation (EU) 2022/30
Buy REDCheck Professional Pack — €999

Related

PROFESSIONAL PACK

RED cybersecurity documentation tool for CE marking consultancies
PROFESSIONAL PACK

RED cybersecurity documentation tool for authorised representative services
INDIVIDUAL LICENSE

REDCheck — single license from €99