EN 15713 Explained: EU Document Destruction Guide
By Priya Nair • 15th Feb
Understanding the Standard
The EN 15713 standard is the European Code of Practice for secure destruction of confidential and sensitive material. It provides a comprehensive framework that anyone handling sensitive documents (whether as a service provider, business operator, or an individual managing personal records) can reference to ensure proper, verifiable destruction. Often discussed alongside DIN 66399, the German standard for information destruction, EN 15713 sets the European benchmark for preventing reconstruction and ensuring security without theater.
What Is EN 15713, and Why Does It Matter?
EN 15713:2023 is the most recent iteration of a European standard developed to standardize how confidential materials are managed, tracked, and destroyed. It replaces the 2009 version and applies across EU member states and beyond, including Switzerland, Norway, and the United Kingdom.
The core premise is straightforward: match the document risk to the shred, not the hype. The standard assumes that if you're destroying something, you want it genuinely unrecoverable, not just small enough to look secure. This means fragmentation is precise enough that reassembly is not possible, even for a single sheet. There are no shortcuts; the outcomes are measurable and verifiable.
Three Destruction Scenarios
EN 15713 covers three operational models:
- On-site destruction: Mobile equipment is brought to where documents are stored. The material stays in place; the shredder travels.
- Off-site destruction: Confidential material is collected, transported, and destroyed at a dedicated facility operated by a service provider.
- Co-located destruction: The organization owns or operates equipment at its own premises (a shredder in a clinic, law office, or small firm's building).
Each scenario has distinct chain-of-custody requirements. The standard does not cover digital erasure (crypto erasure, data overwriting, or degaussing); it focuses solely on physical destruction of paper, cards, magnetic media, and related materials.
Core Requirements: What Organizations Must Do
Personnel and Security Vetting
EN 15713 requires that staff involved in collection, transport, and destruction are properly vetted, trained, and visibly identified. This includes:
- Photographic identification and company-branded clothing for collection personnel.
- Employment verification (typically two years of written history) and character references.
- Regular training on handling, tracking, and security protocols.
- Authorized personnel only, no exceptions.
Timing and Retention Rules
Confidential material must be destroyed within one working day from arrival at the destruction centre, or within 96 hours from collection if off-site shredding is used. No stockpiling; no indefinite storage. This compressed timeline reduces the window for loss, theft, or accident.
Chain-of-Custody and Tracking
Every step must be logged:
- Sensitive items must be physically separated from non-sensitive materials during collection, transport, and storage (separate rooms or sealed containers).
- Tamper-evident seals are used and checked throughout the process.
- Tracking proof is required and retained in line with the company's document retention policy.
- Destruction must be visually confirmed by an authorized person.
This is not paperwork theater. During a routine records audit at my clinic, we had mapped document categories to DIN levels, labeled bins, and logged every pickup. When the auditor arrived, we simply showed the bins, the seals, the pickup log, the destruction certificates, and the audit moved on. Good privacy practice is boring by design. For a deeper dive into automated record-keeping, see our guide to DMS-integrated shredding for automated audit trails.
Facility and Environmental Controls
Facilities holding confidential material must have:
- Separate, secure storage areas (not commingled with general waste).
- CCTV surveillance of entrances, unloading, storage, and processing areas, with retention per policy.
- Restricted access (locked rooms, ID-controlled entry).
- Contingency plans for equipment failure or breakdown.
- Regular maintenance and servicing by competent personnel.
Destruction Equipment Standards
The machines themselves must meet performance criteria:
- Regular servicing and maintenance by qualified technicians in line with manufacturer specifications.
- Assessment at defined intervals to confirm continued compliance.
- Redundancy planning: if one unit fails, a backup is available to prevent delays.
- Authorized, trained operators who are regularly assessed on safe handling.
EN 15713 vs. DIN 66399: Key Differences
Scope and Geography
DIN 66399 is the German national standard for information destruction, with cutting specifications defined by six confidentiality levels (P-1 through P-7). It is widely adopted in Germany and recognized internationally.
EN 15713 is the European harmonized standard, applicable across EU nations and associated countries. It provides destruction outcome tables (Annexes A and B) that align with or complement DIN levels, but it emphasizes process, organizational controls, and chain-of-custody more heavily than DIN alone.
Practical Implications
| Aspect | DIN 66399 | EN 15713 |
|---|---|---|
| Focus | Cut level and particle size | Process, controls, and organizational oversight |
| Scope | Physical destruction of documents | Organizational procedures for secure destruction |
| Process Requirements | Implied; minimal detail | Explicit (vetting, timing, tracking, facilities) |
| Service Provider Rules | Limited | Comprehensive (contracts, personnel, transport) |
| Digital Media | Addressed in P-levels | Excluded (physical destruction only) |
In practice, organizations often use both: DIN 66399 levels guide the choice of equipment (e.g., P-4 for most business documents), while EN 15713 governs how the process is managed and documented. If you're unsure which level fits your documents, start with our security levels guide.
Material Categories and Destruction Outcomes
EN 15713 specifies destruction methods for different material types:
- Category A: Paper documents, plans, drawings → shredding to defined particle size.
- Category B: SIM cards, film negatives → fragmentation to prevent data recovery.
- Category C: Video/audio tapes, diskettes, cassettes → physical destruction or degaussing (not covered by EN 15713).
- Category D & beyond: Specialized materials requiring secure disposal matched to sensitivity.
Each category has outcome tables defining the maximum particle dimensions and methods required. A 4×40 mm shred is fundamentally different from a 2×15 mm cross-cut; the standard ensures you're not guessing.
Practical Implementation for Small Offices and Home-Based Teams
Right-Sizing Your Approach
Not every organization needs an industrial shredder. The standard allows co-located, smaller-scale setups: a small law firm or accounting practice can operate a quality desktop or office shredder on-site, provided it meets the confidentiality level required for the documents handled and the process is auditable.
Key questions to ask yourself:
-
What's your document sensitivity? Most personal and small-business records (bank statements, tax returns, medical records) fall into DIN P-4 territory (2×15 mm cross-cut). Healthcare practices handling HIPAA-regulated files may need P-5 shredders (2×12 mm). Unless you're handling classified government or top-secret corporate intelligence, you don't need P-7.
-
How much do you shred monthly? If your office shreds fewer than 5 kg per week, on-site equipment is practical. If you're processing 50+ kg weekly, outsourcing to a certified destruction service may be more reliable.
-
Can you maintain consistent practice? EN 15713 assumes repeatable, documented processes. If you're haphazard with storage, timing, or bin tracking, a service provider transfers that burden and risk to them (contractually).
Documentation and Compliance Proof
Keep simple records:
- Destruction logs: Date, material type, volume, operator name, seal numbers.
- Equipment maintenance records: Servicing dates and any repairs.
- Vetting documentation for staff (if you're running an internal program).
This is not a massive archive. It's a paper trail (literally) that shows you matched risk to process and followed through.
Why Security Without Theater Matters
The spirit of EN 15713 is pragmatism. The standard exists because organizations and individuals have a duty to render sensitive material unrecoverable. It's not about regulatory performance; it's about honest protection.
Oversecuring (buying a P-7 shredder for household documents) wastes money, energy, and space. Undersecuring (a strip-cut shredder for tax returns) invites risk and liability. Security without theater means understanding your actual risk, choosing the right cut level, documenting it once, and repeating the process reliably.
That boring consistency (the labeled bins, the pickup log, the seal check) is what makes compliance auditable and gives you genuine peace of mind.
Further Exploration
If your organization processes regulated data (healthcare, finance, legal), consult EN 15713 directly or work with a certified destruction service provider in your region. For an overview of key regulations and how shredding supports them, see our document destruction compliance guide. Look for providers certified to the standard; their contracts should reference EN 15713 compliance and include destruction certificates with your documentation.
For personal use, understanding whether you need P-4 or P-5 security is the starting point. From there, choose an on-site shredder or schedule periodic drop-off destruction, then log it. Simple, repeatable, boring, and secure.
Related Articles
