Are there different levels of security when it comes to a shredder?

Yes — shredders come with very different levels of document destruction security, and the difference between levels isn't just about particle size. It determines whether a motivated adversary could reconstruct your shredded documents, whether your destruction process meets regulatory requirements, and whether your organization faces liability in the event of a data breach traced to inadequate document disposal. This article explains what the security levels are, what they mean in practice, and how to determine which one your situation requires.

For guidance on choosing a specific shredder model once you've identified your required security level, see our buying guide on how to choose the right shredder.

What Is a Shredder Security Level?

Shredder security levels are standardized classifications defined by the DIN 66399 standard — a German industrial standard that has become the international benchmark for document destruction security. The standard classifies shredders on a scale from P-1 (lowest security, wide strip-cut output) to P-7 (highest security, fine particle output visible only under magnification). Each level specifies the maximum particle size permitted for that security classification, giving buyers a consistent, comparable benchmark regardless of the brand or model they're evaluating.

The DIN 66399 standard also covers optical media (O-levels), hard drives (H-levels), and film (F-levels), but for paper document shredding, the P-levels are the relevant classification. Understanding where your documents fall on the sensitivity spectrum tells you exactly which P-level is required — and that determination should drive your shredder purchase, not the other way around. For a full side-by-side comparison of all P-levels and their particle sizes, see our dedicated comparison article on the differences between shredder security levels.

The Seven DIN 66399 Security Levels for Paper

P-1 — General waste paper

Strip-cut output with strips up to 12mm wide. No meaningful security — original content is recoverable by anyone with patience. Appropriate only for reducing the volume of non-sensitive waste paper. Almost no regulated environment permits P-1 for any document with readable content.

P-2 — Internal documents

Strip-cut with strips up to 6mm wide. Marginally more difficult to reconstruct than P-1 but still categorized as low security. Suitable for non-sensitive internal documents where the concern is bulk volume reduction rather than information protection. Not appropriate for personal data, financial information, or any regulated document type.

P-3 — Standard confidential (most common)

Cross-cut output with particles up to 2mm x 15mm. This is the standard security level recommended for most office confidential documents — HR records, internal business correspondence, printed financial reports, and any document containing names, addresses, or other PII that isn't classified as particularly sensitive. P-3 is the entry-level security requirement under most general data protection guidelines. For how P-3 compares to strip-cut in practice, see our article on cross-cut vs. strip-cut shredders.

P-4 — Sensitive confidential

Micro-cut output with particles up to 2mm x 6mm. P-4 is required or strongly recommended for sensitive personal data, financial account information, medical records, and most HIPAA-regulated documents. The smaller particle size makes reassembly impractical for all but the most resource-intensive forensic reconstruction efforts. Most compliance frameworks referencing "adequate" document destruction for regulated data point to P-4 or higher.

P-5 — High security

Fine micro-cut with particles up to 0.8mm x 12mm. Required for classified, legally privileged, or highly sensitive commercial documents where professional forensic reconstruction must be prevented. Used by law firms, financial institutions handling classified transactions, and government agencies below classified level.

P-6 — Classified

Very fine particle cut with particles up to 0.8mm x 4mm. Used for classified government documents, sensitive defense contractor materials, and other high-sensitivity applications where even advanced forensic reconstruction should be rendered impossible.

P-7 — Top secret

The highest classification — particles up to 0.2mm x 0.8mm, visible only under magnification. P-7 shredders are used by intelligence agencies, military facilities, and classified government environments. The cutting heads are substantially more complex, more expensive, and require more frequent maintenance than lower-security machines.

How to Determine the Right Security Level — Step-by-Step

Step 1 — Identify all document types being shredded

Create a complete list of every document type that will go through the shredder. Don't assume — include everything from draft printouts to client contracts to HR records.

Step 2 — Classify each document type by sensitivity

Non-sensitive internal documents → P-2 or P-3 minimum. PII (names, addresses, contact information) → P-3 minimum. Financial account data → P-4 minimum. Healthcare or medical records (HIPAA) → P-4 minimum. Legally privileged documents → P-5 or per legal counsel's guidance. Classified government materials → P-6 or P-7 per applicable regulations.

Step 3 — Identify the highest security level required

The security level required is the highest level needed for any document in your list. A machine that handles your most sensitive documents handles all less-sensitive ones as well. Don't maintain separate machines for different security levels in the same environment — the risk of a document going into the wrong machine outweighs the cost savings.

Step 4 — Verify against specific regulatory requirements

Check the specific text of your applicable regulations. "Rendering information unreadable" (the HIPAA standard) is most commonly interpreted as P-4 or higher. "Adequate destruction" under GLBA is typically P-3 minimum. EU GDPR doesn't specify a DIN level but P-4 is the industry consensus for personal data.

Step 5 — Build the security level into your procurement requirements

Document the required security level as a non-negotiable procurement specification. Any shredder evaluated for purchase must meet or exceed this level — it's not a factor to weigh against cost or convenience. For supplies that support proper maintenance of any security-level shredder, see our guide on what supplies you should have with your shredder. For keeping the machine operating correctly so it delivers its rated security level, see our oiling guide at how to oil your shredder and our unjamming guide at tips for unjamming your shredder.

Quick Reference — DIN 66399 P-Level Summary

Troubleshooting

Unsure whether P-3 or P-4 is needed for a specific document type

When in doubt, choose P-4. The cost difference between a P-3 and P-4 machine at equivalent capacity is not significant enough to justify the risk of under-destroying sensitive documents. P-4 meets all P-3 requirements plus handles sensitive personal and financial data securely.

Organization uses multiple security levels in the same environment

Standardize on the highest required level for all machines in that environment. Maintaining separate low-security and high-security machines in the same area creates risk of sensitive documents entering the wrong machine — particularly in shared or unsupervised environments.

Compliance audit identified the current security level as insufficient

This is an organizational risk that requires immediate remediation. Replace or supplement the current machine with one meeting the required level as quickly as possible. Document the replacement process for audit purposes.

P-7 machine requires maintenance more frequently than expected

Very high security level shredders have complex, tightly-packed cutting elements that generate significant friction and heat. They require more frequent oiling, have shorter cutting head service intervals, and run at lower sheet capacities than lower-level machines. This is normal — budget for higher maintenance frequency from purchase.

Trying to justify using a lower security level than required to save cost

This isn't a machine problem — it's an organizational risk management decision. The cost of a data breach or compliance penalty for inadequate document destruction typically exceeds the cost difference between security levels by many orders of magnitude. Use the required level.

Frequently Asked Questions

What security level do most offices actually need?
P-3 cross-cut is appropriate for most general office environments destroying standard confidential documents. P-4 micro-cut is required for any environment handling regulated personal data, financial account information, or healthcare records. See our buying guide at how to choose the right shredder for the full selection process.

Does DIN 66399 apply outside Germany?
Yes — DIN 66399 has become the internationally accepted standard for document destruction security. It's referenced by ISO standards, EU regulatory guidance, and major compliance frameworks worldwide. When any compliance requirement references shredder security level, the P-level system is the assumed classification.

What's the highest commercially available security level?
P-7 is the highest DIN 66399 classification for paper destruction. P-7 shredders are commercially available but expensive and typically used only by government and defense organizations. For most commercial and institutional environments, P-4 or P-5 represents the practical upper limit of required security.

Is there a security level above P-7?
No — P-7 is the maximum classification in the DIN 66399 standard. For destruction requirements beyond P-7 (which is theoretical in commercial contexts), physical document destruction methods (incineration, pulping) are used rather than mechanical shredding.

How do I verify that a shredder actually meets its claimed security level?
Look for the DIN 66399 certification mark on the product documentation. Certified machines have been tested against the standard's requirements. For high-security applications, request the certification documentation from the manufacturer rather than relying solely on marketing materials. See our complete security level guide at the differences between shredder security levels.