Skip to content
spilma

RED Directive 2014/53/EU, the complete checklist

Author Hugues Orgitello Last updated 25 May 2026

Guide · RED, project checklist

This checklist breaks a RED project into six sequential phases, from product concept to market placement. Each phase lists the tasks to complete, the typical owner, and the evidence to file in the Annex V dossier. It is designed to be printed, ticked off and archived. It complements the detailed RED procedure, the required tests and the technical file structure. Adapt to product context, a simple LoRa sensor does not mobilise the same effort as an SDR cellular terminal with article 3.3 cybersecurity at substantial assurance level.

Phase 1: Regulatory scoping

Section titled “Phase 1: Regulatory scoping”

Goal: lock down the RED perimeter before any irreversible hardware choice. Typical duration: 1 to 2 weeks.

Tasks

Section titled “Tasks”
  • List all intentional radiators in the product (Wi-Fi 2.4 GHz, Wi-Fi 5/6 GHz, BLE, BLE Long Range, LoRa, LTE-M, NB-IoT, 4G/5G, NFC, UWB, etc.).
  • List receive-only radios (GPS/GNSS, FM, DAB): these fall under RED for articles 3.1(a), 3.1(b) and 3.3.
  • For every radio, identify the applicable articles: 3.1(a) health, 3.1(b) radio EMC, 3.2 spectrum, 3.3 cybersecurity.
  • Check the applicability of article 3.3 cybersecurity (yes by default for any internet-connected radio product since 1 August 2025: Delegated Regulation 2022/30).
  • Identify the targeted cybersecurity assurance level: basic, substantial, high.
  • Select the harmonised standards in force for each band and article (EN 300 328, EN 301 489-17, EN 18031, etc.): check the OJEU for cited versions.
  • Identify complementary directives: LVD (2014/35/EU) via 3.1(a), generic EMC for non-radio parts, RoHS, REACH, ecodesign, machinery.
  • Check the national band allocations (CEPT ECC decisions) for the targeted markets.
  • Decide the assessment module: A, A1, B+C, H, see RED procedure.
  • If module B+C or partial A1, shortlist two notified bodies (NANDO database) and request a quote.
  • Document the compliance plan: a short booklet listing articles, standards, modules and owners.

Phase 1 summary

Section titled “Phase 1 summary”
TaskOwnerEvidence / deliverable
Radios inventoryProject manager + RF engineerCompliance plan, radios section
Articles 3.1/3.2/3.3 mappingCompliance leadArticles × radios matrix
Harmonised standards selectionCompliance lead + R&DSigned list with exact ETSI versions
Assessment module decisionCompliance lead + executiveDecision note archived
Article 3.3 applicabilityCompliance lead + IT security3.3 analysis note
Notified body quote (if needed)Procurement + compliance leadArchived NB offer

Phase 2: Design and analysis

Section titled “Phase 2: Design and analysis”

Goal: embed RED requirements in the product architecture before PCB tape-out. Typical duration: 4 to 8 weeks, in parallel with design.

Tasks

Section titled “Tasks”
  • Run the article 3.1(a) risk analysis: RF exposure, SAR for body-worn equipment (< 20 cm from body), MPE for fixed equipment.
  • Compute the power density at the intended use distance (EN 62311 method for fixed equipment).
  • Draft the article 3.3 cybersecurity risk analysis: architecture diagram, trust boundaries, threats, controls.
  • Build the critical components list: radio modules, antennas, oscillators, filters, amplifiers, power supplies.
  • For every commercial radio module, collect the manufacturer's integration guide and verify compliance point by point (approved antenna, ground plane, spacing, shielding).
  • If the antenna is selected outside the module's approved list, plan full article 3.2 + 3.1(b) radio retests.
  • Document the hardware-firmware matrix for SDR equipment (HW versions × FW versions × enabled bands).
  • Define anti-tamper radio protections: firmware signing, regional lock-down, anti-rollback.
  • Prepare the radio configurations table (band, modulation, conducted power, EIRP, antenna, standard): required by Annex V.
  • Define the cybersecurity architecture: device-to-network authentication, TLS 1.2+ minimum encryption, encrypted secret storage, signed OTA.
  • Identify other applicable directives: if display above ecodesign threshold, battery under Regulation 2023/1542, etc.

Phase 2 summary

Section titled “Phase 2 summary”
TaskOwnerEvidence / deliverable
3.1(a) risk analysisRF engineer + compliance leadSigned exposure analysis report
3.3 risk analysisSecurity architectSecurity architecture document + threat/control matrix
Critical components listHardware R&DCritical components table (linked datasheets)
Module integration guideR&D + compliance leadManufacturer integration guide + compliance grid
HW-FW matrix (SDR)R&D + software QAVersioned matrix document
Radio configurations tableRF engineerVersioned configurations table
Cybersecurity architectureSecurity architectArchitecture document + diagrams

Phase 3: Internal pre-tests

Section titled “Phase 3: Internal pre-tests”

Goal: catch conformity gaps before committing external lab spend. Typical duration: 2 to 4 weeks.

Tasks

Section titled “Tasks”
  • Measure conducted emissions on mains supply (LISN + analyser, 150 kHz – 30 MHz, target class B).
  • Measure EIRP of each radio in max-power transmit mode, conducted at minimum, radiated if a semi-anechoic chamber is available.
  • Verify spectrum occupation (duty cycle for sub-GHz, AFH for 2.4 GHz, DFS for Wi-Fi 5 GHz).
  • Measure transmitter spurious emissions (extended-span spectrum analyser, search for harmonics and mixing products).
  • Run a baseline ESD test with a calibrated gun (± 8 kV contact / ± 15 kV air) on user-accessible interfaces.
  • Run an automated vulnerability scan (Nmap, TLS scanner, configuration audit) for baseline cybersecurity.
  • Perform an EN 18031 architecture review: checklist of expected controls per part (-1 network, -2 personal data, -3 fraud).
  • Verify firmware signature and boot verification by attempting to inject an unsigned binary.
  • Test the OTA update procedure: interruption, rollback, integrity.
  • Compile an internal pre-test report identifying gaps and corrective actions to close before shipping to the external lab.

Phase 3 summary

Section titled “Phase 3 summary”
TaskOwnerEvidence / deliverable
Conducted emissionsInternal EMC engineerInternal conducted EMC report
Radio EIRPRF engineerEIRP measurement table per band
Baseline ESDEMC engineerESD test note
EN 18031 architecture reviewSecurity architectCompleted EN 18031 checklist
OTA & signature testsSoftware QAOTA test report
Pre-test synthesisCompliance leadConsolidated internal report + action plan

Phase 4: External lab campaign

Section titled “Phase 4: External lab campaign”

Goal: produce the signed test reports that will feed the Annex V dossier. Typical duration: 4 to 6 weeks excluding major retests.

Tasks

Section titled “Tasks”
  • Select an ISO/IEC 17025 accredited laboratory with an explicit RED scope for the relevant articles (check the COFRAC or equivalent national accreditation certificate).
  • Verify the lab's EN 18031 cybersecurity scope, scarce in 2026, book ahead.
  • Prepare at least 3 identical samples, representative of series production (not hand-wired prototypes).
  • Provide a shipping dossier to the lab: photos, drawings, BOM, schematics, radio configurations, user manual, access to test modes (3GPP test mode, RF unmodulated mode, etc.).
  • Plan article 3.1(a) tests: SAR if body-worn, MPE calculation if fixed (EN 62311, EN 62209-1/-2/-3 methods).
  • Plan article 3.1(b) radio EMC tests per the relevant EN 301 489 series (EN 301 489-1 + radio-specific part).
  • Plan article 3.2 spectrum tests per each band's harmonised standard (EN 300 328, EN 301 893, EN 300 220, 3GPP TS for cellular).
  • Plan the EN 18031 cybersecurity assessment at the chosen assurance level (basic / substantial / high).
  • If module B+C, plan the EU-type examination by the notified body based on lab reports and design dossier.
  • Receive and review every preliminary report, verify tested configurations, methodology, margins, conclusion.
  • Process non-conformities: hardware corrections, firmware adjustments, documented partial retests.
  • Archive final signed reports as PDF/A with their verification hash.

Phase 4 summary

Section titled “Phase 4 summary”
TaskOwnerEvidence / deliverable
Accredited lab selectionCompliance leadContract + lab accreditation certificate
Sample preparationIndustrialisationShipping form + sample photos
3.1(a) health testsExternal labSAR report or MPE calculation note
3.1(b) radio EMC testsExternal labSigned EMC report
3.2 spectrum testsExternal labSigned per-band reports
3.3 cybersecurity assessmentCybersecurity labSigned EN 18031-1/-2/-3 report
EU-type examination (if NB)Notified bodyEU-type examination certificate
Non-conformity processingR&D + compliance leadCorrection record + partial retests

Phase 5: Technical file assembly

Section titled “Phase 5: Technical file assembly”

Goal: assemble the complete Annex V dossier, ready to present to a market surveillance authority. Typical duration: 2 to 3 weeks.

Tasks

Section titled “Tasks”
  • Draft the general product description (article 18 + Annex V §1): designation, models, variants, photos, exploded view.
  • Include design drawings, manufacturing diagrams and electronic schematics (Annex V §2).
  • Include the bill of materials (BOM) and datasheets of critical components (Annex V §2).
  • Include the functional description: data flows, operating modes, user interfaces (Annex V §2).
  • Include the finalised radio configurations table (band, modulation, power, antenna, standard).
  • For SDR products, attach the complete hardware-firmware matrix + signed update procedures.
  • Attach the integration guide of commercial radio modules plus the compliance grid.
  • Attach risk analyses: 3.1(a) health, 3.3 cybersecurity, and 3.1(b) EMC where relevant.
  • Attach the list of applied harmonised standards with exact versions (e.g. EN 300 328 V2.2.2 (2019-07)).
  • Attach justifications where a standard is only partially applied (alternative method, comparison with essential requirements).
  • Archive all lab test reports (signed PDF/A) and the internal pre-test reports.
  • If module B+C/A1/H, archive the notified body certificate and its scope.
  • Complete the user documentation: paper/digital manual, safety warnings, operating frequency band(s) and max EIRP (article 10(8)), simplified DoC (article 10(9)).
  • Verify that translations of the documentation and simplified DoC cover the languages required by each Member State of placement.
  • Draft the complete DoC per Annex VI: unique number, product references, explicit reference to Directive 2014/53/EU, cited standards with versions, signatory, place, date.
  • Have the DoC signed by a duly authorised person (board resolution or written delegation archived).
  • Document the change-management procedure: who decides on a reassessment, how to increment the DoC.
  • Document the cybersecurity vulnerability management procedure (3.3): disclosure channel, response team, patch SLA.

Phase 5 summary

Section titled “Phase 5 summary”
TaskOwnerEvidence / deliverable
Annex V compilationCompliance leadStructured technical file
Radio configs + SDRRF engineerConfigurations table + HW-FW matrix
Risk analysesSecurity architect + RFVersioned analysis reports
Consolidated test reportsCompliance leadSigned PDF/A index
Complete DoCAuthorised personDated and signed DoC
Translated user documentationProduct marketing + translatorManuals per target language
Change & vulnerability proceduresQA + IT securityWritten and circulated procedures

Phase 6: Market placement and surveillance

Section titled “Phase 6: Market placement and surveillance”

Goal: place product on the market without drift, and prepare 10 years of post-market surveillance. Duration: continuous over the product life cycle.

Tasks

Section titled “Tasks”
  • Apply the CE marking to the product (height ≥ 5 mm, or smaller under size derogation provided packaging and manual carry the mark).
  • If module A1, B+C or H, apply the notified body 4-digit number next to the CE.
  • Include the simplified DoC (article 10(9)) in the user manual, with a persistent URL to the complete PDF/A DoC.
  • Verify that the DoC URL is public, requires no authentication or mandatory cookies, and will remain available for 10 years.
  • Designate an economic operator representative in the EU (article 4 of Regulation (EU) 2019/1020) if the manufacturer is established outside the EU, name, address and contact archived.
  • Set up production traceability: serial number, batch, HW version, FW version shipped, basis for targeted recall.
  • Activate the vulnerability surveillance procedure: CVE watch on third-party components, open vulnerability disclosure channel, identified response team.
  • Define the security update policy: minimum support duration, frequency, signed distribution mechanism.
  • Archive the entire technical file for 10 years after the last unit was placed on the market (article 21).
  • Archive every firmware version distributed (not just the latest) with its hash and date of release.
  • Keep a change log: component swap, antenna change, firmware update with radio impact, with the associated RED impact analysis.
  • Monitor Safety Gate alerts for comparable products (market feedback loop).
  • Plan an annual conformity review: harmonised standards (ETSI updates), regulatory evolutions (delegated regulations, Commission guidance), cybersecurity vulnerabilities.

Phase 6 summary

Section titled “Phase 6 summary”
TaskOwnerEvidence / deliverable
CE marking (+ NB if applicable)IndustrialisationProduction QA records + photos
Simplified DoC in manualProduct marketingControlled and dated manuals
Persistent DoC URLIT / webmasterHosting record + continuity plan
EU representative (Art. 4)ExecutiveSigned mandate + archived address
Production traceabilityIndustrialisationSerialisation database + recall procedure
Vulnerability disclosureIT securityPublished procedure + dedicated mailbox
10-year archivalCompliance leadArchival system and continuity plan
Annual reviewCompliance leadReview minutes + action plan

Quick reference

Section titled “Quick reference”

Typical durations per phase

Section titled “Typical durations per phase”
PhaseTypical durationTeam load
1: Scoping1 to 2 weeksCompliance lead + project manager
2: Design & analysis4 to 8 weeks (in parallel with design)R&D + security architect
3: Internal pre-tests2 to 4 weeksInternal EMC + software QA
4: Lab campaign4 to 6 weeksCompliance lead + external lab
5: File assembly2 to 3 weeksCompliance lead
6: Market placementContinuous (10 years)QA + IT security

Total schedule from project kickoff: 4 to 6 months for a standard Wi-Fi/BLE IoT product with basic cybersecurity. 8 to 12 months for a cellular product with notified body and substantial cybersecurity.

Most frequent omissions

Section titled “Most frequent omissions”
OmissionPhaseImpact
Article 3.3 cybersecurity not assessed1Major non-conformity for post-August-2025 products
Module integration guide not respected2Module's CE marking invalidated
Antenna substituted without retest2 / 6Article 3.2 invalid
Radio configurations missing from file5Incomplete Annex V dossier
DoC missing EN 18031 references5Incomplete DoC, exposure to recall
EU representative (Art. 4) not designated6Customs rejection
Vulnerability procedure not documented6Article 3.3 non-conformity in market surveillance
Firmware versions not archived6Inability to trace drift

See also the 14 common RED pitfalls for details on risks by family.

Going further

Section titled “Going further”

Sources & references

  1. Directive 2014/53/EU, consolidated text , EUR-Lex eur-lex.europa.eu/eli/dir/2014/53/oj
  2. Annex V of Directive 2014/53/EU, technical file contents , EUR-Lex eur-lex.europa.eu/eli/dir/2014/53/oj
  3. Delegated Regulation (EU) 2022/30, activation of article 3.3 , EUR-Lex eur-lex.europa.eu/eli/reg_del/2022/30/oj
  4. Regulation (EU) 2019/1020, market surveillance and economic operators , EUR-Lex eur-lex.europa.eu/eli/reg/2019/1020/oj
  5. ETSI Standards Portal: RED harmonised standards , ETSI www.etsi.org/standards
Edited by AESTECHNO, Montpellier, France · Legal notice