Cenitia launchesLaunching September 2026 — first 250 founders get the launch price locked for life.

Reserve your spot →
Cenitia
How it worksLibraryGlossaryRegulationsToolsAbout
Reserve your spot
How it worksLibraryGlossaryRegulationsToolsAbout

On this page

  • What Article 17 actually offers
  • The Article 17(4) trigger that forces Notified Body involvement
  • How presumption of conformity actually works
  • Annex III: Modules B + C, certificate per type
  • Annex IV: Module H, full quality assurance
  • Why this matters for the technical file and DoC
  • The Notified Body system itself
  • Common mistakes
  • How Cenitia helps
  • Frequently asked questions
  • Related from the Library
  • Further reading
← Library
reference·RED·9 min read

RED Annex IV path: when radio equipment needs a Notified Body

RED Annex IV path — when radio equipment requires Notified Body full quality assurance (Module H), versus Module A self-assessment under Article 17(2).

By Vladimír Vician · 2 July 2026

TL;DR

RED Annex IV is the full quality assurance route (Module H), not Module B+C — those belong to Annex III. Under Article 17(2) a manufacturer can freely pick Annex II, III or IV to demonstrate compliance with the Article 3(1) safety and EMC requirements. But Article 17(4) makes a Notified Body mandatory — via Annex III or Annex IV — whenever harmonised standards for Article 3(2) spectrum or Article 3(3) additional requirements (including the cybersecurity points (d), (e), (f)) are not applied, are applied only in part, or do not exist.

The Radio Equipment Directive (RED), Directive 2014/53/EU, gives manufacturers three conformity assessment routes — and most teams mislabel them. The most damaging mislabel is calling Annex IV the "Module B+C" path. It is not. Annex IV is Module H, full quality assurance. The Module B+C track lives in Annex III. Picking the wrong annex is not a paperwork nit: it changes whether you need a Notified Body certificate per product type, an approved quality system across your whole production, or no Notified Body at all.

This reference unpacks the three RED routes — Annex II (Module A), Annex III (Modules B+C) and Annex IV (Module H) — explains when Article 17(4) forces you off the self-assessment track, and shows how the cybersecurity requirements under Article 3(3) interact with the choice. For the underlying module taxonomy see Conformity assessment modules A to H and When you need a Notified Body.

Who this is for

Engineering, regulatory and quality leads at hardware manufacturers placing radio equipment on the EU market — Bluetooth, Wi-Fi, cellular, LoRa, sub-GHz, satellite, or any product with an intentional radio transmitter. This article is not legal advice — for binding interpretation, consult a qualified Notified Body or EU compliance lawyer.

What Article 17 actually offers

Article 17(2) of RED lists three procedures available to demonstrate compliance with the essential requirements of Article 3(1) (health, safety and electromagnetic compatibility):

  • Annex II — internal production control (Module A). Manufacturer self-declares. No Notified Body involved.
  • Annex III — EU-type examination followed by conformity to type based on internal production control (Modules B and C). A Notified Body examines the type.
  • Annex IV — conformity based on full quality assurance (Module H). A Notified Body approves and surveils the manufacturer's quality system.

For Article 3(1) only, this is a free choice. The manufacturer may pick the lightest path that the product and the available harmonised standards allow.

The Article 17(4) trigger that forces Notified Body involvement

The free choice ends when you reach the spectrum and additional requirements. Article 17(4) is explicit: when assessing compliance with the essential requirements set out in Article 3(2) (effective use of radio spectrum) and Article 3(3) (additional requirements such as network protection, privacy, fraud protection), if the manufacturer has not applied or has applied only in part the harmonised standards published in the OJEU, or where no such harmonised standards exist, the radio equipment must be submitted under either Annex III (EU-type examination plus Module C) or Annex IV (full quality assurance). Annex II Module A is not available for those requirements in that situation.

This is the trigger that catches most teams. It does not matter how confident you are in your in-house testing — if the harmonised standard you needed is missing, withdrawn, or you applied only part of it, the law sends you to a Notified Body.

How presumption of conformity actually works

The reason Module A self-declaration is even possible is Article 16: radio equipment in conformity with harmonised standards (or parts of them) whose references are published in the OJEU is presumed in conformity with the essential requirements those standards cover. Lose the standard, and you lose the presumption. Lose the presumption for Article 3(2) or 3(3), and Article 17(4) kicks in.

Article 3(3) of RED is a menu of nine essential requirements lettered (a) to (i) that the Commission can activate for specific categories of radio equipment via delegated acts. For the cybersecurity essential requirements, points (d) (network protection), (e) (personal data and privacy safeguards) and (f) (fraud protection) are the ones activated for internet-connected radio equipment by Commission Delegated Regulation (EU) 2022/30. Other points such as (a) interoperability with accessories or (i) interaction with software remain dormant unless a separate delegated act activates them. Whether you can keep the Module A path for the cybersecurity points depends entirely on whether you fully apply the harmonised standard supporting them — see RED delegated act and EN 18031 walkthrough.

EN 18031 OJEU status snapshot — verified 5 July 2026

The references for the EN 18031 cybersecurity series were published in the Official Journal on 30 January 2025 via Commission Implementing Decision (EU) 2025/138 of 28 January 2025. EN 18031-1:2024 supports Article 3(3)(d), EN 18031-2:2024 supports Article 3(3)(e), and EN 18031-3:2024 supports Article 3(3)(f). The Decision explicitly excludes the "rationale" and "guidance" sections of all three standards from presumption of conformity; it also excludes clauses 6.2.5.1 and 6.2.5.2 of all three parts where users can avoid setting passwords, clauses 6.1.3–6.1.6 of EN 18031-2 without parental/guardian access control, and clause 6.3.2.4 of EN 18031-3 when relied on alone as assessment criteria. If your assessment touches any excluded clause, Article 17(4) puts you in Annex III or Annex IV territory for that requirement.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Annex III: Modules B + C, certificate per type

Annex III is the classic EU-type examination path. Module B point 3 requires the manufacturer to lodge an application with a single Notified Body of choice, including a written declaration that the same application has not been lodged with any other Notified Body in parallel. The Notified Body examines the technical design.

Where the type meets the requirements that apply, Module B point 6 says the Notified Body issues an EU-type examination certificate containing the manufacturer details, the conclusions of the examination, the aspects of the essential requirements covered, any conditions for validity, and the data identifying the assessed type. Annex III point 8 also obliges the Notified Body to retain the certificate, its annexes and additions, and the technical file for 10 years after assessment or until the certificate expires.

Module C is then bolted on: the manufacturer self-declares conformity to the type covered by the EU-type examination certificate, controlled by their own internal production control.

Annex IV: Module H, full quality assurance

Annex IV is a different animal. Annex IV point 1 defines it as "Conformity based on full quality assurance" — the manufacturer operates an approved quality system covering design, manufacture, final radio equipment inspection and testing, and is subject to surveillance by a Notified Body.

The Notified Body audits and approves that quality system, then under Annex IV points 4.3 and 4.4 carries out periodic surveillance audits and may pay unexpected visits, during which it may carry out radio equipment tests to verify that the system is still being applied. There is no per-type certificate — the regulatory object is the quality system itself.

Under Annex IV point 5.1, the manufacturer affixes the CE marking and, under the responsibility of the Notified Body, that body's identification number to each item of radio equipment satisfying Article 3. This pairs with Article 20(3): the CE marking shall be followed by the identification number of the Notified Body where the conformity assessment procedure set out in Annex IV is applied.

Why this matters for the technical file and DoC

Whatever path you choose, Article 10(4) requires the manufacturer to keep the technical documentation and the EU declaration of conformity for 10 years after the radio equipment has been placed on the market. Under Annex IV point 5.2 the same 10-year retention applies, plus the manufacturer must keep records about the approved quality system, approved changes, and Notified Body decisions and surveillance reports.

If you are still building the underlying records structure, start with Technical file 101, the Declaration of Conformity 101 and Technical file retention requirements. For the DoC content itself see the Sample DoC walkthrough.

The Notified Body system itself

The reason this whole architecture works is Article 22: Member States must notify the Commission and the other Member States of bodies authorised to carry out third-party conformity assessment tasks under RED. These notifications create the publicly searchable list (NANDO) of bodies competent for RED, sometimes with explicit scope restrictions per annex. A body notified for Annex III is not automatically competent for Annex IV — check the scope before signing.

Common mistakes

Calling Annex IV "Module B+C". Annex IV is Module H. Annex III is Modules B+C. Confusing them in your DoC, technical file or supplier briefings creates audit findings.

Assuming Module A is always available for cybersecurity. Article 17(4) blocks Module A whenever the harmonised standard for Article 3(3)(d)/(e)/(f) is missing or only partly applied — exactly the situation many products were in during the 2024–2025 transition for EN 18031.

Applying to several Notified Bodies in parallel under Annex III. Module B point 3 explicitly requires a written declaration that no other application has been lodged.

Forgetting the four-digit Notified Body number next to the CE mark under Annex IV. Article 20(3) and Annex IV point 5.1 make it mandatory — and visual market surveillance catches its absence immediately.

Treating an Annex III EU-type examination certificate as permanent. It has a validity defined by the Notified Body, and both the manufacturer (Article 10(4)) and the Notified Body (Annex III point 8) must retain the file for 10 years.

For broader CE mistakes see Top 10 CE marking mistakes.

How Cenitia helps

Cenitia models the Article 17 decision as a structured tree against your product's actual radio profile, the Article 3 requirements that apply, and the harmonised standards you have or have not fully applied. When you change a standard reference — say, you drop a clause of EN 18031 — Cenitia tells you that Article 17(4) has just moved your Article 3(3)(d) assessment from Module A to either Annex III or Annex IV, and flags every section of the DoC and technical file that now needs a Notified Body trail.

When the OJEU list of harmonised standards changes, the regulation watcher flags affected products automatically — so you find out before market surveillance does. See also Updating a DoC after amendment and CE marking 101.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Frequently asked questions

What is the actual conformity module behind RED Annex IV?

RED Annex IV is titled Conformity Assessment Module H Conformity based on full quality assurance. It is not Module B or Module B+C — those are Annex III. Under Annex IV point 1 the manufacturer operates an approved quality system covering design, manufacture, final inspection and testing, with periodic Notified Body surveillance audits and possible unexpected visits.

When must I use a Notified Body under the Radio Equipment Directive?

Article 17(4) makes Notified Body involvement mandatory whenever you assess Article 3(2) or Article 3(3) essential requirements without applying the relevant harmonised standards in full, or where no such harmonised standards exist. In those cases you must use Annex III (Modules B+C) or Annex IV (Module H). For Article 3(1) alone you keep the free Article 17(2) choice including Annex II self-assessment.

Can I use Module A self-assessment for the RED cybersecurity requirements?

Only if a relevant harmonised standard for Article 3(3)(d), (e) or (f) is published in the OJEU and you apply it fully. If you do not apply that standard, only apply it in part, or it does not yet exist for your product class, Article 17(4) forces you into Annex III or Annex IV with a Notified Body.

What does the Notified Body actually do under Annex IV?

Under Annex IV points 3 and 4 the Notified Body audits and approves the manufacturer's full quality system, then carries out periodic surveillance audits and may pay unexpected visits, during which it can carry out radio equipment tests to verify that the quality system is being maintained.

Do I have to add the Notified Body number to the CE marking?

Yes, when Annex IV applies. Article 20(3) states that the CE marking shall be followed by the identification number of the Notified Body where the conformity assessment procedure set out in Annex IV is applied. Under Annex IV point 5.1 the manufacturer affixes that number to each radio unit under the Notified Body's responsibility.

How long do I keep records under Annex III and Annex IV of RED?

Article 10(4) requires the manufacturer to keep the technical documentation and the EU declaration of conformity for 10 years after the radio equipment has been placed on the market. Annex III point 8 imposes a matching 10-year retention obligation on the Notified Body for the EU-type examination certificate, its annexes, additions and the underlying technical file (or until that certificate expires).

Related from the Library

  • When you need a Notified Body
  • Conformity assessment modules A to H
  • RED delegated act and EN 18031 walkthrough
  • Technical file retention requirements

Further reading

  • Directive 2014/53/EU (RED) — HTML, EUR-Lex — full text, browseable by article in the navigation pane
  • Directive 2014/53/EU (RED) — consolidated PDF — single-file reference with Article 17, Article 20, Annexes II, III and IV
  • Commission Delegated Regulation (EU) 2022/30 — activation of Article 3(3)(d), (e), (f) — the delegated act that switches on the cybersecurity essential requirements for connected radio equipment
  • Commission Implementing Decision (EU) 2025/138 — EN 18031 series in OJEU — current harmonised standards reference with explicit clause exclusions
  • OJ L 153 of 22 May 2014 — original RED publication, Table of contents
  • NANDO database — Notified Bodies under RED 2014/53/EU — search by directive 2014/53/EU to verify Annex III versus Annex IV scope per body

Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.

FAQ

Frequently asked questions

  • What is the actual conformity module behind RED Annex IV?+

    RED Annex IV is titled Conformity Assessment Module H Conformity based on full quality assurance. It is not Module B or Module B+C — those are Annex III. Under Annex IV point 1 the manufacturer operates an approved quality system covering design, manufacture, final inspection and testing, with periodic Notified Body surveillance audits and possible unexpected visits.

  • When must I use a Notified Body under the Radio Equipment Directive?+

    Article 17(4) makes Notified Body involvement mandatory whenever you assess Article 3(2) or Article 3(3) essential requirements without applying the relevant harmonised standards in full, or where no such harmonised standards exist. In those cases you must use Annex III (Modules B+C) or Annex IV (Module H). For Article 3(1) alone you keep the free Article 17(2) choice including Annex II self-assessment.

  • Can I use Module A self-assessment for the RED cybersecurity requirements?+

    Only if a relevant harmonised standard for Article 3(3)(d), (e) or (f) is published in the OJEU and you apply it fully. If you do not apply that standard, only apply it in part, or it does not yet exist for your product class, Article 17(4) forces you into Annex III or Annex IV with a Notified Body.

  • What does the Notified Body actually do under Annex IV?+

    Under Annex IV points 3 and 4 the Notified Body audits and approves the manufacturer's full quality system, then carries out periodic surveillance audits and may pay unexpected visits, during which it can carry out radio equipment tests to verify that the quality system is being maintained.

  • Do I have to add the Notified Body number to the CE marking?+

    Yes, when Annex IV applies. Article 20(3) states that the CE marking shall be followed by the identification number of the Notified Body where the conformity assessment procedure set out in Annex IV is applied. Under Annex IV point 5.1 the manufacturer affixes that number to each radio unit under the Notified Body's responsibility.

  • How long do I keep records under Annex III and Annex IV of RED?+

    Article 10(4) requires the manufacturer to keep the technical documentation and the EU declaration of conformity for 10 years after the radio equipment has been placed on the market. Annex III point 8 imposes a matching 10-year retention obligation on the Notified Body for the EU-type examination certificate, its annexes, additions and the underlying technical file (or until that certificate expires).

Portrait of Vladimír Vician

Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.

Best reached on LinkedIn. For longer enquiries, the Inovasense contact form.

Inovasense profile · More about Cenitia

Continue reading

Related guides

  • reference

    ETSI EN 303 645 — the 13 consumer IoT controls explained

    The 13 high-level provisions of ETSI EN 303 645 v2.1.1 (June 2020) and v3.1.3 (September 2024) explained, with the TS 103 701 conformance assessment mapping.

    11 min read

  • comparison

    RED and CRA overlap for connected radio products: 2025-2027 transition

    RED Delegated Act 2022/30 and CRA overlap for connected radio products — the 2025-2027 transition, EN 18031 coverage, gap to CRA Annex I Part II, dual obligations.

    10 min read

  • reference

    EN 18031-1 vs -2 vs -3: which part applies to your radio product

    EN 18031-1, -2 and -3 compared — scope, mechanism families, and a decision tree for RED Article 3(3)(d), (e) and (f) under Delegated Regulation 2022/30.

    13 min read

  • guide

    RED Delegated Act + EN 18031 — the self-assessment walkthrough for radio products

    Step-by-step walkthrough of RED Delegated Act 2022/30 cybersecurity self-assessment under EN 18031-1, -2, -3 — scope, process, tests, and CRA overlap.

    14 min read

Put this into practice

Free tools & references

  • Do I need a Notified Body?Find out, per regulation, whether a Notified Body is required.Open tool →
  • EU Directive SelectorDescribe your product and find which EU directives and regulations apply.Open tool →

New to the terminology? Browse the compliance glossary — plain-English, citation-backed definitions of every term above.

Reserve your spot — launching September 2026

One email at launch · cancel any time

← Back to Library

Cenitia

The EU compliance engine for hardware manufacturers. Cited drafts, electronic signing, regulation watching — all in one place.

A product of Inovasense s.r.o., Bratislava, Slovakia · Data hosted in Stockholm, EU

Site

  • How it works
  • Library
  • Glossary
  • Regulations
  • By product type
  • Tools
  • About

Legal

  • Imprint
  • Privacy
  • Terms

© 2026 Inovasense s.r.o. · cenitia.com

EU sovereign · EU data residency by design · Customer data never trains models