RED Directive 2014/53/EU, the complete checklist
This checklist breaks a RED project into six sequential phases, from product concept to market placement. Each phase lists the tasks to complete, the typical owner, and the evidence to file in the Annex V dossier. It is designed to be printed, ticked off and archived. It complements the detailed RED procedure, the required tests and the technical file structure. Adapt it to the product context: a simple LoRa sensor does not mobilise the same effort as an SDR cellular terminal with article 3.3 cybersecurity at substantial assurance level.
Phase 1: Regulatory scoping
Goal: lock down the RED perimeter before any irreversible hardware choice. Typical duration: 1 to 2 weeks.
- List all intentional radiators in the product (Wi-Fi 2.4 GHz, Wi-Fi 5/6 GHz, BLE, BLE Long Range, LoRa, LTE-M, NB-IoT, 4G/5G, NFC, UWB, etc.).
- List receive-only radios (GPS/GNSS, FM, DAB): these fall under RED for articles 3.1(a), 3.1(b) and 3.3.
- For every radio, identify the applicable articles: 3.1(a) health, 3.1(b) radio EMC, 3.2 spectrum, 3.3 cybersecurity.
- Check the applicability of article 3.3 cybersecurity (yes by default for any internet-connected radio product since 1 August 2024: Delegated Regulation 2022/30).
- Identify the targeted cybersecurity assurance level: basic, substantial, high.
- Select the harmonised standards in force for each band and article (EN 300 328, EN 301 489-17, EN 18031, etc.): check the OJEU for cited versions.
- Identify complementary directives: LVD (2014/35/EU) via 3.1(a), generic EMC for non-radio parts, RoHS, REACH, ecodesign, machinery.
- Check the national band allocations (CEPT ECC decisions) for the targeted markets.
- Decide the assessment module: A, A1, B+C, H, see RED procedure.
- If module B+C or partial A1, shortlist two notified bodies (NANDO database) and request a quote.
- Document the compliance plan: a short booklet listing articles, standards, modules and owners.
Phase 1 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| Radios inventory | Project manager + RF engineer | Compliance plan, radios section |
| Articles 3.1/3.2/3.3 mapping | Compliance lead | Articles × radios matrix |
| Harmonised standards selection | Compliance lead + R&D | Signed list with exact ETSI versions |
| Assessment module decision | Compliance lead + executive | Decision note archived |
| Article 3.3 applicability | Compliance lead + IT security | 3.3 analysis note |
| Notified body quote (if needed) | Procurement + compliance lead | Archived NB offer |
Phase 2: Design and analysis
Goal: embed RED requirements in the product architecture before PCB tape-out. Typical duration: 4 to 8 weeks, in parallel with design.
- Run the article 3.1(a) risk analysis: RF exposure, SAR for body-worn equipment (< 20 cm from body), MPE for fixed equipment.
- Compute the power density at the intended use distance (EN 62311 method for fixed equipment).
- Draft the article 3.3 cybersecurity risk analysis: architecture diagram, trust boundaries, threats, controls.
- Build the critical components list: radio modules, antennas, oscillators, filters, amplifiers, power supplies.
- For every commercial radio module, collect the manufacturer's integration guide and verify compliance point by point (approved antenna, ground plane, spacing, shielding).
- If the antenna is selected outside the module's approved list, plan full article 3.2 + 3.1(b) radio retests.
- Document the hardware-firmware matrix for SDR equipment (HW versions × FW versions × enabled bands).
- Define anti-tamper radio protections: firmware signing, regional lock-down, anti-rollback.
- Prepare the radio configurations table (band, modulation, conducted power, EIRP, antenna, standard): required by Annex V.
- Define the cybersecurity architecture: device-to-network authentication, TLS 1.2+ minimum encryption, encrypted secret storage, signed OTA.
- Identify other applicable directives: if display above ecodesign threshold, battery under Regulation 2023/1542, etc.
Phase 2 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| 3.1(a) risk analysis | RF engineer + compliance lead | Signed exposure analysis report |
| 3.3 risk analysis | Security architect | Security architecture document + threat/control matrix |
| Critical components list | Hardware R&D | Critical components table (linked datasheets) |
| Module integration guide | R&D + compliance lead | Manufacturer integration guide + compliance grid |
| HW-FW matrix (SDR) | R&D + software QA | Versioned matrix document |
| Radio configurations table | RF engineer | Versioned configurations table |
| Cybersecurity architecture | Security architect | Architecture document + diagrams |
Phase 3: Internal pre-tests
Goal: catch conformity gaps before committing external lab spend. Typical duration: 2 to 4 weeks.
- Measure conducted emissions on mains supply (LISN + analyser, 150 kHz – 30 MHz, target class B).
- Measure EIRP of each radio in max-power transmit mode, conducted at minimum, radiated if a semi-anechoic chamber is available.
- Verify spectrum occupation (duty cycle for sub-GHz, AFH for 2.4 GHz, DFS for Wi-Fi 5 GHz).
- Measure transmitter spurious emissions (extended-span spectrum analyser, search for harmonics and mixing products).
- Run a baseline ESD test with a calibrated gun (± 8 kV contact / ± 15 kV air) on user-accessible interfaces.
- Run an automated vulnerability scan (Nmap, TLS scanner, configuration audit) for baseline cybersecurity.
- Perform an EN 18031 architecture review: checklist of expected controls per part (-1 network, -2 personal data, -3 fraud).
- Verify firmware signature and boot verification by attempting to inject an unsigned binary.
- Test the OTA update procedure: interruption, rollback, integrity.
- Compile an internal pre-test report identifying gaps and corrective actions to close before shipping to the external lab.
Phase 3 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| Conducted emissions | Internal EMC engineer | Internal conducted EMC report |
| Radio EIRP | RF engineer | EIRP measurement table per band |
| Baseline ESD | EMC engineer | ESD test note |
| EN 18031 architecture review | Security architect | Completed EN 18031 checklist |
| OTA & signature tests | Software QA | OTA test report |
| Pre-test synthesis | Compliance lead | Consolidated internal report + action plan |
Phase 4: External lab campaign
Goal: produce the signed test reports that will feed the Annex V dossier. Typical duration: 4 to 6 weeks excluding major retests.
- Select an ISO/IEC 17025 accredited laboratory with an explicit RED scope for the relevant articles (check the COFRAC or equivalent national accreditation certificate).
- Verify the lab's EN 18031 cybersecurity scope (scarce in 2026, so book ahead).
- Prepare at least 3 identical samples, representative of series production (not hand-wired prototypes).
- Provide a shipping dossier to the lab: photos, drawings, BOM, schematics, radio configurations, user manual, access to test modes (3GPP test mode, RF unmodulated mode, etc.).
- Plan article 3.1(a) tests: SAR if body-worn, MPE calculation if fixed (EN 62311, EN 62209-1/-2/-3 methods).
- Plan article 3.1(b) radio EMC tests per the relevant EN 301 489 series (EN 301 489-1 + radio-specific part).
- Plan article 3.2 spectrum tests per each band's harmonised standard (EN 300 328, EN 301 893, EN 300 220, 3GPP TS for cellular).
- Plan the EN 18031 cybersecurity assessment at the chosen assurance level (basic / substantial / high).
- If module B+C, plan the EU-type examination by the notified body based on lab reports and design dossier.
- Receive and review every preliminary report: verify tested configurations, methodology, margins and conclusion.
- Process non-conformities: hardware corrections, firmware adjustments, documented partial retests.
- Archive final signed reports as PDF/A with their verification hash.
Phase 4 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| Accredited lab selection | Compliance lead | Contract + lab accreditation certificate |
| Sample preparation | Industrialisation | Shipping form + sample photos |
| 3.1(a) health tests | External lab | SAR report or MPE calculation note |
| 3.1(b) radio EMC tests | External lab | Signed EMC report |
| 3.2 spectrum tests | External lab | Signed per-band reports |
| 3.3 cybersecurity assessment | Cybersecurity lab | Signed EN 18031-1/-2/-3 report |
| EU-type examination (if NB) | Notified body | EU-type examination certificate |
| Non-conformity processing | R&D + compliance lead | Correction record + partial retests |
Phase 5: Technical file assembly
Goal: assemble the complete Annex V dossier, ready to present to a market surveillance authority. Typical duration: 2 to 3 weeks.
- Draft the general product description (article 18 + Annex V §1): designation, models, variants, photos, exploded view.
- Include design drawings, manufacturing diagrams and electronic schematics (Annex V §2).
- Include the bill of materials (BOM) and datasheets of critical components (Annex V §2).
- Include the functional description: data flows, operating modes, user interfaces (Annex V §2).
- Include the finalised radio configurations table (band, modulation, power, antenna, standard).
- For SDR products, attach the complete hardware-firmware matrix + signed update procedures.
- Attach the integration guide of commercial radio modules plus the compliance grid.
- Attach risk analyses: 3.1(a) health, 3.3 cybersecurity, and 3.1(b) EMC where relevant.
- Attach the list of applied harmonised standards with exact versions (e.g. EN 300 328 V2.2.2 (2019-07)).
- Attach justifications where a standard is only partially applied (alternative method, comparison with essential requirements).
- Archive all lab test reports (signed PDF/A) and the internal pre-test reports.
- If module B+C/A1/H, archive the notified body certificate and its scope.
- Complete the user documentation: paper/digital manual, safety warnings, operating frequency band(s) and max EIRP (article 10(8)), simplified DoC (article 10(9)).
- Verify that translations of the documentation and simplified DoC cover the languages required by each Member State of placement.
- Draft the complete DoC per Annex VI: unique number, product references, explicit reference to Directive 2014/53/EU, cited standards with versions, signatory, place, date.
- Have the DoC signed by a duly authorised person (board resolution or written delegation archived).
- Document the change-management procedure: who decides on a reassessment, how to increment the DoC.
- Document the cybersecurity vulnerability management procedure (3.3): disclosure channel, response team, patch SLA.
Phase 5 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| Annex V compilation | Compliance lead | Structured technical file |
| Radio configs + SDR | RF engineer | Configurations table + HW-FW matrix |
| Risk analyses | Security architect + RF | Versioned analysis reports |
| Consolidated test reports | Compliance lead | Signed PDF/A index |
| Complete DoC | Authorised person | Dated and signed DoC |
| Translated user documentation | Product marketing + translator | Manuals per target language |
| Change & vulnerability procedures | QA + IT security | Written and circulated procedures |
Phase 6: Market placement and surveillance
Goal: place the product on the market without drift, and prepare 10 years of post-market surveillance. Duration: continuous over the product life cycle.
- Apply the CE marking to the product (height may be lower than 5 mm for radio equipment if visible and legible, otherwise packaging and manual must carry the mark).
- If module A1, B+C or H, apply the notified body 4-digit number next to the CE.
- Include the simplified DoC (article 10(9)) in the user manual, with a persistent URL to the complete PDF/A DoC.
- Verify that the DoC URL is public, requires no authentication or mandatory cookies, and will remain available for 10 years.
- Designate an authorised representative in the EU (article 11 of Directive 2014/53/EU) if the manufacturer is established outside the EU; archive the name, address and contact.
- Set up production traceability: serial number, batch, HW version, FW version shipped, basis for targeted recall.
- Activate the vulnerability surveillance procedure: CVE watch on third-party components, open vulnerability disclosure channel, identified response team.
- Define the security update policy: minimum support duration, frequency, signed distribution mechanism.
- Archive the entire technical file for 10 years after the last unit was placed on the market (article 10(4)).
- Archive every firmware version distributed (not just the latest) with its hash and date of release.
- Keep a change log: component swap, antenna change, firmware update with radio impact, with the associated RED impact analysis.
- Monitor Safety Gate alerts for comparable products (market feedback loop).
- Plan an annual conformity review: harmonised standards (ETSI updates), regulatory evolutions (delegated regulations, Commission guidance), cybersecurity vulnerabilities.
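The archival items in Phase 4 (signed reports with their verification hash) and Phase 6 (every distributed firmware version with its hash and release date, plus production traceability) can be checked mechanically. The following is an added example, not part of the original checklist: it audits a firmware archive against a hash manifest and against shipped-unit records. The function names are hypothetical, and the version numbers, serials, dates and image bytes are constructed.

```python
import hashlib
from datetime import date

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(releases):
    """releases: iterable of (fw_version, release_date, image_bytes)."""
    return {
        ver: {"released": rel.isoformat(), "sha256": sha256_hex(img), "size": len(img)}
        for ver, rel, img in releases
    }

def audit_archive(manifest, archive, shipped_units):
    """Return sorted findings; an empty list means the archive is consistent.

    manifest:      output of build_manifest, stored separately from the images
    archive:       {fw_version: image_bytes} as currently held in the archive
    shipped_units: {serial: fw_version} taken from production traceability
    """
    findings = []
    # 1. Every manifest entry must still exist and hash to the recorded value.
    for ver, meta in manifest.items():
        img = archive.get(ver)
        if img is None:
            findings.append(f"MISSING {ver}: listed in manifest, not in archive")
        elif sha256_hex(img) != meta["sha256"]:
            findings.append(f"MODIFIED {ver}: hash differs from manifest")
    # 2. Images with no manifest entry have no recorded hash or release date.
    for ver in archive:
        if ver not in manifest:
            findings.append(f"UNLISTED {ver}: in archive, no manifest entry")
    # 3. Every version shipped on a unit must have been archived (drift tracing).
    for serial, ver in shipped_units.items():
        if ver not in manifest:
            findings.append(f"UNTRACEABLE {serial}: shipped with {ver}, never archived")
    return sorted(findings)

# Constructed sample data (not real firmware images, serials or dates).
RELEASES = [
    ("1.0.0", date(2025, 3, 1), b"constructed-image-1.0.0"),
    ("1.1.0", date(2025, 9, 15), b"constructed-image-1.1.0"),
]
MANIFEST = build_manifest(RELEASES)
ARCHIVE = {"1.0.0": b"constructed-image-1.0.0",
           "1.1.0": b"constructed-image-1.1.0-altered"}   # simulated corruption
SHIPPED = {"SN0001": "1.0.0", "SN0002": "1.1.0", "SN0003": "1.2.0"}

if __name__ == "__main__":
    for line in audit_archive(MANIFEST, ARCHIVE, SHIPPED):
        print(line)
```

The same manifest approach applies to the signed PDF/A reports: hash each file at archive time and keep the manifest apart from the files it describes.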
Phase 6 summary
| Task | Owner | Evidence / deliverable |
|---|---|---|
| CE marking (+ NB if applicable) | Industrialisation | Production QA records + photos |
| Simplified DoC in manual | Product marketing | Controlled and dated manuals |
| Persistent DoC URL | IT / webmaster | Hosting record + continuity plan |
| EU representative (Art. 4) | Executive | Signed mandate + archived address |
| Production traceability | Industrialisation | Serialisation database + recall procedure |
| Vulnerability disclosure | IT security | Published procedure + dedicated mailbox |
| 10-year archival | Compliance lead | Archival system and continuity plan |
| Annual review | Compliance lead | Review minutes + action plan |
Quick reference
Typical durations per phase
| Phase | Typical duration | Team load |
|---|---|---|
| 1: Scoping | 1 to 2 weeks | Compliance lead + project manager |
| 2: Design & analysis | 4 to 8 weeks (in parallel with design) | R&D + security architect |
| 3: Internal pre-tests | 2 to 4 weeks | Internal EMC + software QA |
| 4: Lab campaign | 4 to 6 weeks | Compliance lead + external lab |
| 5: File assembly | 2 to 3 weeks | Compliance lead |
| 6: Market placement | Continuous (10 years) | QA + IT security |
Total schedule from project kickoff: 4 to 6 months for a standard Wi-Fi/BLE IoT product with basic cybersecurity; 8 to 12 months for a cellular product with notified body and substantial cybersecurity.
Most frequent omissions
| Omission | Phase | Impact |
|---|---|---|
| Article 3.3 cybersecurity not assessed | 1 | Major non-conformity for post-August-2025 products |
| Module integration guide not respected | 2 | Module's CE marking invalidated |
| Antenna substituted without retest | 2 / 6 | Article 3.2 invalid |
| Radio configurations missing from file | 5 | Incomplete Annex V dossier |
| DoC missing EN 18031 references | 5 | Incomplete DoC, exposure to recall |
| EU representative (Art. 4) not designated | 6 | Customs rejection |
| Vulnerability procedure not documented | 6 | Article 3.3 non-conformity in market surveillance |
| Firmware versions not archived | 6 | Inability to trace drift |
See also the 14 common RED pitfalls for details on risks by family.
Going further
- RED procedure: modules A / A1 / B+C / H and notified bodies
- RED tests: articles 3.1(a), 3.1(b), 3.2 and 3.3 in detail
- Technical file: Annex V content and DoC
- Common pitfalls: 14 recurring mistakes
- RED harmonised standards: full table by band
- CE marking: cross-cutting rules
Sources & references
- Directive 2014/53/EU, consolidated text. EUR-Lex, eur-lex.europa.eu/eli/dir/2014/53/oj
- Annex V of Directive 2014/53/EU, technical file contents. EUR-Lex, eur-lex.europa.eu/eli/dir/2014/53/oj
- Delegated Regulation (EU) 2022/30, activation of article 3.3. EUR-Lex, eur-lex.europa.eu/eli/reg_del/2022/30/oj
- Regulation (EU) 2019/1020, market surveillance and economic operators. EUR-Lex, eur-lex.europa.eu/eli/reg/2019/1020/oj
- ETSI Standards Portal: RED harmonised standards. ETSI, www.etsi.org/standards
Frequently asked questions
- When should the RED checklist start in a product project?
- As early as the product requirements document. Phase 1 (regulatory scoping) must be closed before the hardware architecture is frozen, otherwise component or antenna choices may turn out to be incompatible with the targeted harmonised standards.
- Does every RED product need a notified body?
- No. For a standard IoT product that fully applies the article 3.2 harmonised standards (Wi-Fi EN 300 328, BLE, sub-GHz EN 300 220) and the EN 18031 series for cybersecurity at the basic assurance level, module A (self-declaration) is sufficient. A notified body becomes mandatory if an article 3.2 standard is only partially applied or if the cybersecurity assurance level exceeds basic.
- How long between starting phase 4 and market placement?
- Eight to fourteen weeks for a standard product without major retest: four to six weeks of lab work, two to three weeks of file consolidation, one to two weeks for the first marked units. A cellular product with a notified body adds eight to sixteen weeks.
- Which deliverables must be kept for the 10-year archival period?
- The entire Annex V dossier (description, drawings, BOM, radio configurations, risk analyses), every signed test report, the DoC, all firmware versions ever distributed, OTA update logs, vulnerability analyses and their fixes, and the production traceability data needed to execute a targeted recall.
- How do we handle a firmware update that changes radio parameters after market placement?
- Phase 6 must include a change-management procedure. Any firmware change that affects transmit power, modulation, band coverage or spectrum access mechanism triggers an article 3.2 reassessment, an update of the technical file and the issuance of a new dated DoC. The DoC reference number is incremented.