-
ID Accessories 2
-
Paper Handling 3
-
Index Tabs 2
-
Ring Binders 2
-
Paper Shredders 2
-
Boards 2
-
Binding 5
-
Laminating 9
What do the different levels of shredder security mean?
Shredder security levels tell you something specific and measurable about what a shredder produces — not a vague quality rating, but a precise particle size standard. The DIN 66399 classification system assigns every shredder a P-level from 1 to 7 based on how small the output particles are, and that particle size is the only thing that matters when determining whether a shredded document can be reconstructed. This article explains what each level means in plain terms and how to match the level to your real-world document destruction requirements.
For a guide to choosing between specific shredder types once you understand the security levels, see our full shredder selection guide on how to choose the right shredder.
What Is the DIN 66399 Security Standard?
DIN 66399 is a German industrial standard that has become the internationally accepted classification system for document destruction equipment. It defines seven security levels for paper (P-1 through P-7), along with equivalent levels for optical media, hard drives, and film. Each P-level specifies the maximum particle size permitted — a shredder earns a P-3 rating, for example, only if no output particle is larger than 320 mm². This measurable, objective standard is what makes DIN 66399 useful: rather than relying on manufacturer marketing language about "high security" or "maximum protection," you can compare any two shredders by their P-level rating and know exactly what level of destruction protection each provides.
The seven levels are grouped into three protection classes. P-1 and P-2 are Class 1 — normal protection for non-sensitive documents. P-3 and P-4 are Class 2 — enhanced protection for confidential documents. P-5 through P-7 are Class 3 — highest protection for classified and regulated materials. For more detail on what each protection class means for compliance purposes, see our dedicated security level comparison at the differences between shredder security levels.
The key insight: Security level is determined entirely by the size of the output particles. Smaller particles = harder to reconstruct = higher security level. Every other shredder specification is secondary to this single measurement.
What Each Security Level Means in Practice
P-1 — Wide strip-cut (up to 2,000 mm² particle)
P-1 is the lowest classification. Shredders at this level produce wide strips — up to about 12mm wide — that retain the full vertical text of the original document. Reconstructing a P-1 shredded document requires only patience and tape. P-1 is appropriate only for bulk paper reduction on non-sensitive material — product descriptions, blank forms, advertising circulars — where information security is not a consideration at all.
P-2 — Narrow strip-cut (up to 800 mm² particle)
P-2 strips are narrower than P-1 (up to 6mm wide) but still retain vertical text continuity. Reconstruction is more time-consuming than P-1 but achievable with moderate effort. P-2 offers marginal security improvement over P-1. Neither P-1 nor P-2 should be used for any document containing personal information, financial data, or business confidential content.
P-3 — Standard cross-cut (up to 320 mm²)
P-3 is the minimum security level recommended for standard office confidential documents — HR records, internal business correspondence, financial reports without account-level detail, and general PII like names and addresses. Cross-cutting eliminates the vertical text continuity problem of strip-cut, requiring both the width and height position of each particle to be reconstructed simultaneously. A full A4 page becomes approximately 400 particles at P-3 — practical reconstruction by opportunistic adversaries is effectively eliminated. For most offices, P-3 is the floor for any confidential material.
P-4 — Fine cross-cut / micro-cut (up to 160 mm²)
P-4 approximately doubles the particle count of P-3, producing around 800 particles per A4 page. This is the level most commonly referenced in regulatory compliance guidance for personal data, financial account information, and medical records. P-4 is where the reconstruction difficulty crosses from "impractical for an opportunistic threat" to "impractical for a moderately resourced adversary." HIPAA, GLBA, and most EU GDPR interpretations point to P-4 as the minimum for regulated sensitive data.
P-5 — Fine micro-cut (up to 30 mm²)
P-5 produces approximately 2,000 particles per A4 page — reconstruction requires sophisticated automated equipment and significant time investment. P-5 is appropriate for classified commercial documents, legally privileged communications, and any environment where the threat model includes targeted forensic reconstruction efforts rather than just opportunistic access.
P-6 and P-7 — Classified and top-secret levels
P-6 (up to 10 mm²) and P-7 (up to 5 mm²) produce output that is essentially unreadable under any practical reconstruction scenario. These machines are used by government agencies, defense contractors, and intelligence organizations where document destruction must withstand nation-state-level forensic analysis. Commercial applications for P-6 and P-7 are rare.
How to Determine Your Required Security Level — Step-by-Step
Step 1 — Identify the most sensitive document type in your environment
List every category of document that will go through the shredder. The required security level is set by the most sensitive item, not the average.
Step 2 — Check applicable regulatory requirements
HIPAA-covered entities: P-4 minimum for PHI. Financial services under GLBA: P-3 to P-4 depending on data sensitivity. EU GDPR: P-4 industry consensus for personal data. SOX-regulated companies: P-3 minimum for financial records. Government classified material: P-5 or higher per applicable classification guidance.
Step 3 — Apply the maximum sensitivity principle
Once you've identified the highest-sensitivity category and its required level, that level applies to all shredders in the environment. Operating two different security-level machines in the same space creates the risk that sensitive documents enter the lower-security machine.
Step 4 — Verify DIN 66399 certification on the machine
Check the machine's documentation for a DIN 66399 P-level certification mark. Self-reported security levels without certification documentation should be treated as unverified. For guidance on the full range of shredder options available at each security level, see our shredder overview at what are my options for shredders. For personal shredder selection at the right security level, see our guide on what to look for in a personal shredder. For eco-friendly shredder features that reduce energy while maintaining security, see our article on eco-friendly shredder features.
Step 5 — Document your security level decision
Record the selected security level, the regulatory basis for the selection, and the date. This documentation is valuable evidence in compliance audits and data breach investigations. For shredder maintenance guidance that ensures your machine continues to deliver its rated security level over time, see our maintenance tips at tips for maintaining your shredder.
Quick Reference — DIN 66399 P-Levels at a Glance
| Level | Max Particle | Cut Type | Minimum Application |
|---|---|---|---|
| P-1 | 2,000 mm² | Wide strip | Non-sensitive waste only |
| P-2 | 800 mm² | Narrow strip | Internal non-sensitive |
| P-3 | 320 mm² | Cross-cut | Standard office confidential |
| P-4 | 160 mm² | Micro-cut | PII, financial, medical records |
| P-5 | 30 mm² | Fine micro-cut | Classified, legally privileged |
| P-6 | 10 mm² | Fine micro-cut | Government classified |
| P-7 | 5 mm² | Ultra micro-cut | Intelligence / top secret |
Troubleshooting
Unsure which level meets HIPAA requirements
The HIPAA Security Rule requires that PHI be rendered 'unusable, unreadable, or indecipherable' after destruction. The industry consensus interpretation of this standard is P-4 micro-cut minimum. If currently using P-3 or strip-cut for PHI, upgrade to P-4 as the minimum.
Current shredder's security level is unverified
Check the product documentation for a DIN 66399 P-level certification number. Without a verifiable certification number, the claimed level isn't reliable. For healthcare or regulated financial environments, only certified machines should be used.
Need a higher security level but budget is limited
P-4 machines at equivalent capacity are typically only 20 to 40% more expensive than P-3 machines. The risk-adjusted cost of under-destroying regulated data almost always exceeds the cost difference. Budget the higher level.
Two different security levels are currently in use in the same office
Standardize on the higher level immediately. Mixed-security environments create the risk of a sensitive document going through the lower-security machine — which invalidates the protection the higher-level machine provides.
Security level meets compliance requirements but output appears too coarse
Run a test shred and measure the output particles. If particles are within the P-level specification, the machine meets the standard regardless of visual impression. If actual output exceeds the rated particle size, the machine needs service or replacement.
Frequently Asked Questions
What security level do most offices actually need?
P-3 for standard office confidential documents. P-4 for any environment handling regulated personal, financial, or health data. P-5 or higher for classified or legally privileged materials. See the full comparison at differences between shredder security levels.
Is P-7 commercially available?
Yes — P-7 shredders are commercially available but primarily sold to government and defense organizations. They're significantly more expensive, lower-capacity, and higher-maintenance than commercial office shredders. For most organizations, P-4 or P-5 represents the practical upper limit of needed security.
Can I verify a shredder's P-level myself?
You can approximate verification by measuring output particles and comparing to the DIN 66399 maximum particle size for the claimed level. Formal certification requires accredited laboratory testing. For day-to-day compliance, looking for the certification mark and documentation from the manufacturer is the standard approach.
Does paper weight affect the security level achieved?
Not in terms of the standard — DIN 66399 specifies particle size regardless of input paper weight. However, very heavy paper or card stock may not shred as finely as standard bond in some machines. Always test your specific paper weight if shredding materials heavier than standard 20 lb bond.
What happens if a data breach occurs and the shredder doesn't meet the required P-level?
Using a shredder below the required security level for regulated documents creates significant liability — it demonstrates inadequate data destruction procedures, which is a specific aggravating factor in regulatory penalties. For maintaining your certified machine at optimal performance, see our maintenance guide at shredder maintenance tips.
Shop Shredders by Security Level
P-3 cross-cut, P-4 micro-cut, and high-security shredders — certified and in stock.
