If you are preparing for R2v3 certification — or trying to understand why you failed your last surveillance audit — the place to start is the Core Requirements. There are ten of them. Every R2-certified facility must conform to all ten, regardless of size, location, or what specific processes they run. Understanding what each clause actually demands, not just what it says, is the foundation of a successful certification program. This article walks through all ten Core Requirements in plain terms, explains what auditors focus on, and tells you where most facilities fall short.
What R2v3 Is and Why Core Requirements Matter
R2v3 is the third version of the Responsible Recycling standard, published by SERI (Sustainable Electronics Recycling International) in July 2020. It fully replaced the previous version, R2:2013, as of December 31, 2023. Any facility still operating under R2:2013 after that date had its certification invalidated.
The standard is built on the ISO High Level Structure, which means it aligns architecturally with ISO 14001:2015 (environmental management) and ISO 45001:2018 (occupational health and safety). That alignment is intentional — it makes R2v3 easier to integrate with other management systems and gives auditors a consistent framework for evaluating conformance.
The standard is divided into two layers. The first layer is the ten Core Requirements, which are mandatory for every certified facility. The second layer is six Process Requirements (Appendices A through F), which activate only when a facility performs certain activities. This article covers the Core Requirements in full. The Process Requirements are addressed briefly at the end.
Understanding the Core Requirements matters for one practical reason: they define the minimum conformance baseline for your entire certification. You can have a world-class data sanitization program and still lose your certification if you are missing a legal register (CR4) or cannot demonstrate financial assurance for a facility closure (CR9). The Core Requirements are not optional, and they are not soft.
CR1 — Scope
The first Core Requirement establishes what your R2 certificate covers. Facilities must document and certify every process, equipment type, component category, and material stream that falls under their R2 operations. The activities that can appear on an R2 certificate include collection, renewal, repair, remarketing, disintegration, brokering, and recycling. If you perform an activity and it is not reflected in your documented scope, you have a problem — either the activity should be in scope and is not, or it is in scope but undocumented.
What auditors check: They will compare your documented scope against what they observe on the floor. If your facility is shredding circuit boards but your scope only mentions data sanitization and remarketing, that gap will generate a finding. They will also verify that your R2 certificate accurately reflects all R2-related activities you perform — the certificate itself is a compliance document.
The practical implication here is straightforward: scope creep kills certifications. When facilities add new processes or equipment categories without updating their documented scope, they create an audit target. Scope reviews should happen at least annually and whenever a new process or material stream is introduced.
CR2 — Hierarchy of Responsible Management Strategies
CR2 requires a written policy that prioritizes reuse above all other disposition options, followed by recovery, then recycling. This hierarchy exists to push electronic equipment toward its highest and best use — keeping functional devices in circulation rather than sending them to shredding or smelting prematurely.
The requirement has teeth in one specific area: disposal of Focus Materials is prohibited entirely under R2v3. Focus Materials — which include circuit boards, batteries, CRT glass, PCBs, and mercury-containing devices — cannot go to a landfill or incinerator. Full stop. This is not a preference or a best-practice recommendation. It is an absolute prohibition.
The policy itself does not need to be long. What it needs to do is clearly state the hierarchy and reflect that the facility has committed to following it in practice. Auditors will look for evidence that the hierarchy is being applied operationally, not just stated in a document. If your facility is sending repairable laptops straight to disintegration because it is faster, that is a conformance question under CR2.
This requirement connects directly to the circular economy principles that underpin the entire R2 program. SERI designed R2v3 to push the electronics recycling industry toward material conservation, and CR2 is the policy-level expression of that intent.
CR3 — EHS Management System
CR3 is one of the most substantive changes R2v3 made relative to R2:2013. Under the prior version, EHS management was a best practice. Under R2v3, it is a formal Core Requirement — and it must be a certified management system.
Facilities must maintain an Environmental Health and Safety Management System that aligns with ISO 14001:2015, ISO 45001:2018, or an equivalent standard such as RIOS. The EMS does not have to be separately certified by a third-party ISO auditor — the certification happens as part of the R2v3 audit itself. But it must conform to the requirements of those standards, which means it cannot be a loose collection of procedures. It has to be a system: planned, documented, implemented, and reviewed.
The specific elements CR3 requires include planning for environmental and occupational health hazards, risk assessment processes, periodic facility inspections, identification and control of hazardous substances, and documented procedures for safe handling of Focus Materials. Worker training, emergency response planning, incident investigation, and corrective action must all be part of the system.
Where smaller facilities tend to struggle with CR3 is the depth of documentation. Having a safety manual is not the same as having a management system. The distinction an auditor draws is whether the facility can demonstrate that its EHS processes are planned and controlled — not just that written procedures exist somewhere. The gap between paperwork and an actual functioning system is where most CR3 nonconformances originate.
CR4 — Legal and Other Requirements
CR4 requires facilities to identify, access, and comply with all applicable legal and regulatory requirements. This is broader than most people initially realize. It covers environmental regulations, worker safety laws, data privacy requirements (including GDPR and CCPA where applicable), transportation of hazardous materials, import and export controls, and transboundary movement rules for e-waste.
R2v3 also added labor standards to CR4 that were not present in R2:2013. Facilities must have a policy prohibiting child labor and forced labor, consistent with International Labour Organization (ILO) conventions. They must also maintain a non-discrimination policy that covers age, gender, race, religion, and sexual orientation. These are not soft corporate values statements — they are documented requirements that will be reviewed during an audit.
The core operational tool for CR4 is a legal register: a current, maintained document that maps applicable laws and regulations to the facility's operations. The register must be kept up to date as regulations change. Facilities that treat their legal register as a one-time setup exercise and never update it are setting themselves up for a major nonconformance. Regulatory environments change — state e-waste laws get amended, OSHA updates hazard communication standards, export rules shift. The legal register has to track those changes.
One practical note: many facilities underestimate the scope of their legal obligations, particularly around data privacy and export compliance. If your facility ships any electronics internationally, your legal register needs to address those requirements explicitly.
CR5 — Tracking Throughput
CR5 requires facilities to record and manage the throughput of all electronic equipment, components, and materials flowing through their operation. The emphasis on R2-Controlled Streams — the designation used for Focus Materials and other materials requiring tracked disposition — is particularly important. Facilities must maintain traceability records from receipt through final disposition for every R2-Controlled Stream they handle.
This is not just an inventory management requirement. It is a material accountability requirement. Auditors will ask to see records showing what came in, how it was categorized, where it went, and what documentation confirms it reached an appropriate end destination. Gaps in that chain — materials received but not tracked, or tracked internally but with no downstream confirmation — are findings.
The practical challenge for most recyclers is that throughput tracking has to be systematic and consistent, not just reactive. Doing a manual count before an audit does not constitute a tracking system. The records need to exist as materials flow through the facility in real time, maintained in whatever system the facility uses — whether that is a purpose-built ITAD software platform or a well-structured spreadsheet with consistent protocols.
CR6 — Sorting, Categorization, and Processing
CR6 requires facilities to evaluate and sort all incoming electronic equipment upon receipt using a structured process. The standard mandates use of the R2 Equipment Categorization (REC) reference document, which provides a framework for assigning three attributes to each device: cosmetic status, functional status, and data sanitization status.
The sorting process is not optional and it is not informal. When equipment arrives, it must be assessed. Devices that may contain data must be identified and directed to data sanitization. R2-Controlled Streams must be identified and directed to the appropriate processing pathway. Equipment suitable for reuse must be identified and directed to reuse channels rather than being sent straight to disintegration.
Where facilities create problems for themselves under CR6 is by letting intake become a bottleneck where categorization is skipped or delayed. Equipment sitting in an uncategorized pile represents both a compliance gap and a business risk — you do not know what you have, so you cannot manage it correctly. The intake sorting process needs to be staffed, documented, and followed consistently.
CR6 also connects directly to CR2 (the reuse hierarchy). Proper sorting is how the hierarchy gets applied in practice. If intake categorization is weak, the reuse priority is effectively bypassed, which creates exposure under both requirements.
CR7 — Data Security
Data security received the most significant upgrade from R2:2013 to R2v3. Under the previous standard, data security guidance was largely best-practice oriented. R2v3 made it a Core Requirement with specific technical and procedural mandates.
Facilities must have a formal facility security program that regulates physical access to areas where data-bearing devices are processed or stored. Data sanitization must follow either NAID AAA certification standards or the NIST 800-88 guidelines — which means documented, auditable methods for each device type, not ad hoc wiping practices. Facilities must maintain a documented Data Sanitization Plan that specifies the method used for each device category and establishes timelines for completing sanitization after intake.
Workers who handle data-bearing devices must sign confidentiality agreements and receive specific training on data security protocols. Background checks are required where appropriate, which in practice means any worker with unsupervised access to data-bearing devices before sanitization is complete.
The practical implication is significant for ITAD companies in particular. You cannot run a data sanitization operation under R2v3 without a documented, methodologically sound sanitization program. "We wipe everything" is not a Data Sanitization Plan. The plan needs to specify which tools are used, which standards they conform to, how verification is performed, and how records are generated and retained. If you are also subject to Appendix B (the Process Requirement for data sanitization), the documentation requirements go even deeper.
CR8 — Focus Materials
CR8 governs the handling of materials that carry elevated environmental and health risks. The R2v3 Focus Materials are: circuit boards, batteries, CRT glass, PCBs (polychlorinated biphenyls), and mercury-containing devices and components. These materials are also designated as R2-Controlled Streams, which means they are subject to tracking, handling, and downstream accountability requirements that go beyond standard materials.
CRT glass deserves specific mention. Each CRT tube contains between five and eight pounds of lead, making CRT glass one of the most hazardous materials routinely handled in electronics recycling. The handling, storage, and downstream disposition of CRT glass is heavily scrutinized during audits.
CR8 requires facilities to maintain a documented Focus Materials Management Plan. The plan must address how each Focus Material is identified at intake, how it is handled and stored, and how it moves through the downstream recycling chain. Facilities must maintain flowcharts showing the movement of each Focus Material type through their downstream vendors — not just a vendor name, but evidence of the disposition pathway.
One of the most practical strategies for reducing CR8 audit complexity is to route Focus Materials exclusively to other R2v3-certified facilities wherever possible. When your downstream vendors are R2v3 certified, the documentation burden is significantly lower because the standard already requires them to maintain conforming practices. Sending Focus Materials to non-certified vendors requires substantially more due diligence and documentation to demonstrate equivalent standards of care.
CR9 — Facility Requirements
CR9 addresses the physical and financial requirements for operating an R2-certified facility. It covers storage practices, facility security controls, insurance, and financial responsibility for facility closure.
The insurance requirement is specific: facilities that handle negative-value items — materials that cost money to process and dispose of rather than generating revenue — must carry pollution liability insurance. This is not general liability insurance. It is coverage that specifically addresses environmental contamination events, which is a realistic risk when handling CRT glass, batteries, and mercury-containing devices at scale.
The financial responsibility requirement is one that catches facilities off guard more than almost any other CR9 element. Facilities must be able to demonstrate that they have financial assurance instruments in place to cover the cost of an orderly facility shutdown. This can be satisfied through documented assets, a written corporate guarantee, a surety bond, or other instruments that a certification body will accept. The logic is straightforward: if a recycling facility closes abruptly and cannot fund proper disposal of the materials on site, the environmental liability falls to regulators and the public. R2v3 requires facilities to demonstrate they can cover that cost before they reach that point.
There is an exemption to the financial assurance requirement, but the bar is specific: total estimated closure costs must be under $10,000 USD, all buildings must be under 1,000 square meters, and the facility must entirely prohibit mercury-containing devices, CRT glass, lithium primary batteries, and polychlorinated materials. Most recyclers who handle any meaningful volume of electronics will not qualify for that exemption.
CR9 also requires a written Closure Plan — a documented procedure for how the facility would wind down operations, manage on-site materials, and ensure environmental compliance in the event of closure. This is not a theoretical exercise. Auditors will review it for completeness and feasibility.
CR10 — Transport
CR10 requires that all transport of R2-controlled materials comply with applicable laws. The requirement covers proper packing and containment, accurate and complete labeling, required shipping documentation (manifests, hazardous materials shipping papers, export documentation where applicable), physical media security during transit, and worker safety during loading and unloading.
This sounds straightforward, but compliance failures under CR10 are more common than they should be. The most frequent issues involve incomplete or inaccurate shipping documentation for hazardous materials, inadequate labeling of containers holding Focus Materials, and no documented procedure for verifying that contracted carriers are compliant with applicable transport regulations.
Facilities that use third-party carriers — which is most of them — need a documented process for qualifying those carriers and verifying that they are meeting applicable transport requirements. Handing a pallet of batteries to an unqualified carrier and signing a bill of lading is not sufficient. The carrier qualification process needs to be part of your documented procedures and should be reviewed annually.
Process Requirements: Appendices A Through F
Beyond the ten Core Requirements, R2v3 includes six Process Requirements that apply when facilities perform specific activities. These are not optional enhancements — they are mandatory requirements that activate based on what you do.
Appendix A — Downstream Recycling Chain applies whenever downstream vendors handle R2-Controlled Streams on your behalf. It requires rigorous due diligence on downstream vendors, documented contracts, and ongoing monitoring to ensure those vendors maintain equivalent environmental and compliance standards.
Appendix B — Data Sanitization applies if your facility performs any data sanitization at all, even a single hard drive wipe. It extends the CR7 requirements with detailed specifications for sanitization methods, verification, certification of destruction, and record retention.
Appendix C — Test and Repair applies when the facility tests or repairs equipment. It requires documented processes for functional testing, grading, and handling of non-conforming equipment.
Appendix D — Specialty Electronics Reuse applies when the facility handles verified specialty electronics — medical devices, industrial equipment, and similar items — for reuse. Additional traceability and verification requirements apply.
Appendix E — Materials Recovery applies to final processing operations: disintegration, shredding, smelting, and other recovery processes. It addresses containment, worker safety, emission controls, and output material quality.
Appendix F — Brokering applies when a facility buys material that is drop-shipped directly from a third party to another vendor, without the material physically passing through the facility. This scenario creates unique traceability obligations that Appendix F addresses specifically.
Most facilities will trigger at least two or three of these Appendices. The key is identifying which ones apply during scope definition (CR1) and building those requirements into your management system from the start.
Key Changes From R2:2013 to R2v3
For facilities that held R2:2013 certification and transitioned to R2v3, the most significant changes were not cosmetic. They required real system upgrades.
Data security moved from a best-practice recommendation to a mandatory Core Requirement with specific technical standards. Facilities that were loosely wiping drives without documented methods or verification processes had to build real programs. The EHS Management System similarly moved from guidance to a certified, structured requirement — a meaningful shift for smaller operations that had been operating with informal safety programs.
Labor standards were entirely new in R2v3. The prohibition on child and forced labor and the non-discrimination requirements had no equivalent in R2:2013. Downstream accountability requirements became substantially more rigorous, requiring documented evidence of due diligence rather than reliance on certificates of recycling alone. Multi-site operations were also affected: each facility location must now be independently certified, whereas R2:2013 allowed some flexibility in how multi-site operations were structured.
The structural alignment to ISO High Level Structure also matters operationally. It means R2v3 integrates more cleanly with ISO 14001 and ISO 45001 if your facility holds those certifications, and it means the audit methodology your certification body uses is more rigorous and systematic than what was typical under R2:2013.
Working With an R2v3 Consultant
The ten Core Requirements described in this article are the floor, not the ceiling. Conforming to them is what earns and maintains your R2v3 certificate. But actually building a management system that reliably conforms — across all ten requirements, all applicable Appendices, and the full scope of your operations — is where most facilities need help.
Common failure points include: incomplete or outdated legal registers, Focus Materials Management Plans that exist on paper but do not reflect actual material flows, Data Sanitization Plans that do not specify methods at the device level, and Closure Plans with financial assurance instruments that do not survive scrutiny. These are not obscure edge cases. They are the findings I see repeatedly when working with facilities preparing for initial certification or recovering from failed surveillance audits.
If you are building toward initial R2v3 certification or shoring up your program ahead of a scheduled audit, the place to start is a gap assessment against all ten Core Requirements and any applicable Appendices. That assessment tells you exactly where your system stands relative to what auditors will expect — and gives you a clear, prioritized path to conformance.
To talk through your facility's specific situation and where the most significant gaps are likely to be, schedule a free consultation. There is no obligation and no sales pitch — just a direct conversation about what R2v3 requires and what it will take to get your facility there.
FAQ: R2v3 Core Requirements
How many Core Requirements does R2v3 have?
R2v3 has 10 Core Requirements (CR1 through CR10) that apply to every R2-certified facility regardless of the processes they perform. In addition, there are six Process Requirements (Appendices A through F) that apply only when a facility performs specific activities such as data sanitization, downstream recycling chain management, or brokering.
What is the difference between Core Requirements and Process Requirements?
Core Requirements are mandatory for all R2v3 certified facilities, regardless of what they do. Process Requirements activate based on specific activities — for example, Appendix B applies if your facility performs any data sanitization, and Appendix A applies if downstream vendors handle R2-Controlled Streams on your behalf. Most facilities will trigger at least two or three Process Requirements.
What are Focus Materials under R2v3?
Focus Materials are materials that require additional handling controls due to their hazardous nature. Under R2v3, Focus Materials include circuit boards, batteries, CRT glass, PCBs (polychlorinated biphenyls), and mercury-containing devices. These materials are also called R2-Controlled Streams and cannot be sent to disposal — they must be tracked through an approved downstream recycling chain.
Does R2v3 require ISO 14001 certification?
R2v3 requires a certified Environmental Health and Safety Management System that aligns with ISO 14001:2015, ISO 45001:2018, or an equivalent standard like RIOS. The system does not have to hold a separate ISO 14001 certificate — it is evaluated and certified as part of the R2v3 audit itself. But it must conform to the structural and operational requirements of those standards.
When did R2v3 replace R2:2013?
R2v3 was published by SERI in July 2020. The transition deadline was December 31, 2023, after which R2:2013 certificates were no longer valid. All R2-certified facilities must now hold certification under R2v3.
Last updated: April 10, 2026
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is an R2v3 certification expert and founder of Certify Consulting, specializing in helping electronics recyclers and ITAD providers achieve and maintain R2v3 certification.