01 / THE MAP
Three standards, three governing bodies, three questions
The fastest way to un-blur the logos is to name what question each one answers:
| | R2v3 | e-Stewards | NAID AAA |
|---|---|---|---|
| Run by | SERI (Sustainable Electronics Recycling International) | Basel Action Network (BAN) | i-SIGMA (the information destruction industry association) |
| The question it answers | Is this facility a responsible electronics reuse & recycling operation, with accountable downstreams? | Is this facility environmentally and socially rigorous — including Basel-aligned export behavior? | Does this operation destroy data under audited security controls? |
| Scope | Whole facility & process flow, with appendices per activity (data sanitization, test & repair, brokering, etc.) | Whole facility & downstream chain, with prescriptive requirements | The destruction operation itself: people, process, custody, verification |
| Audit model | Accredited third-party certification bodies, surveillance audits | Accredited third-party certification bodies | Scheduled and unannounced audits |
| Current form | R2v3 (2020), successor to R2:2013 | Version 4.1 (published February 2022) | NAID AAA (continuously maintained) |
History in one line each: R2 emerged from an EPA-convened multi-stakeholder process in the late 2000s, and SERI now administers its third generation, R2v3. e-Stewards was created in 2009 by BAN — the watchdog group whose investigations of exported e-waste made “responsible recycling” a market demand in the first place. NAID AAA comes from the information-destruction industry's association (NAID, now part of i-SIGMA) and predates both in its focus on destruction operations.
02 / R2v3
R2v3: flexible framework, accountable downstreams
R2v3 is the most widely held of the three and the one most enterprise RFPs name first. Its core mechanics:
- Core + appendices. Every certified facility meets a common core (legal compliance, EHS management, data security fundamentals, tracking throughput); specific activities — data sanitization, test and repair, specialty electronics reuse, materials recovery, brokering — each add a dedicated appendix with its own requirements. Reading which appendices a facility is certified for tells you what it's actually authorized to do.
- Downstream accountability. R2v3 requires facilities to qualify and document the downstream vendors that receive their material — the anti-pattern it exists to kill is “certified front door, mystery back door.”
- Focus materials. Materials of concern (mercury devices, batteries, CRT glass, and the like) get managed under a hierarchy of responsible options with documented flows.
- Data security. R2v3's data appendix aligns sanitization with recognized standards (the NIST 800-88 family) and requires verifiable processes — strong, though data destruction is one appendix among several rather than the standard's whole reason for existing.
Philosophically, R2v3 is a flexible standard: it defines outcomes and accountability and lets operations demonstrate conformance in ways that fit their model. Critics frame that as softer than e-Stewards' prescriptions; defenders frame it as why R2v3 scaled to the majority of the certified market.
03 / E-STEWARDS
e-Stewards: the prescriptive, Basel-anchored standard
e-Stewards is best understood through its parentage: BAN built the program to make its Basel Convention position enforceable by market pressure. The standard's distinguishing features:
- Export posture. e-Stewards requires conformance with the Basel Convention's rules on transboundary movement of hazardous e-waste regardless of where the facility sits — the practical effect is a prohibition on exporting hazardous electronic waste from developed to developing countries. This is the sharpest single difference from R2v3, which permits documented, controlled exports in more circumstances.
- Composite requirements. The current Version 4.1 (published February 22, 2022) is built on an environmental management system — certified facilities must hold ISO 14001 or RIOS — and, since mid-2022, must hold NAID AAA for data security. In other words, one of the three logos in this comparison literally contains another.
- Prescriptive uniformity. Where R2v3 flexes to the operation, e-Stewards prescribes: consistent rules across facilities, with social criteria (e.g., prohibitions on prison and coerced labor) alongside the environmental ones.
Honest disclosure, since this page is published by an ITAD provider: CyberCrunch holds R2v3, NAID AAA, RIOS, and PA DEP permits — not e-Stewards. Plenty of excellent processors make the same choice (the overlap with R2v3 + NAID AAA + RIOS is substantial and the certification stack is expensive to duplicate), and plenty of excellent processors choose e-Stewards instead or as well. What matters for a buyer is that the certifications a vendor claims are real, current, and scoped to the services you're buying — which is what the verification section below covers.
04 / NAID AAA
NAID AAA: the destruction operation, audited — sometimes unannounced
NAID AAA is narrower and deeper than the other two: it certifies the information destruction operation, whatever the media — drives, tapes, paper, and beyond. Its requirements are operational to the point of being granular:
- Personnel controls: background screening and drug testing of the people who touch data-bearing material.
- Process controls: defined destruction methods and particle/output specifications by media and endorsement, written procedures, and verification.
- Custody controls: access control, transport security, and documented chain of custody through destruction.
- The audit model that sets it apart: facilities are subject to scheduled and unannounced audits — the certification is designed around the idea that a destruction operation should be inspection-ready on any given Tuesday, not just renewal week.
NAID AAA is the certification most directly aimed at the question a security or compliance officer is actually asking — “will the data be destroyed, provably, by controlled people in a controlled process?” It's also why e-Stewards chose to incorporate it outright and why sophisticated buyers treat R2v3 + NAID AAA together as the pragmatic baseline: environmental and downstream accountability from one, destruction-operation rigor from the other. (CyberCrunch has held NAID AAA since 2012.)
05 / VERIFY
Verify by number, then match the certification to your risk
Every one of these programs publishes a directory of certified facilities — SERI's for R2v3, e-Stewards' for its processors, i-SIGMA's for NAID AAA. Verification is a five-minute exercise: get the certificate number and facility name from the vendor, find them in the issuing body's directory, and confirm the scope covers the services and the specific facility you're using. A logo on a website is a graphic; a directory entry is a fact. (The 30-second version of this argument is our Logo Test episode; the two-minute structured version is the due-diligence scorecard.)
Choosing what to require comes down to your dominant risk:
- Data risk dominant (regulated data, CMMC/HIPAA/GLBA scope): require NAID AAA on the destruction operation, with R2v3 or e-Stewards covering the facility and downstream.
- Environmental/ESG risk dominant (public sustainability commitments, export sensitivity): weigh e-Stewards' Basel posture or R2v3's documented downstream accountability, and ask for the downstream documentation either way.
- Both — which is most enterprises: the combination is the answer, not a coin flip between logos. Our vendor due-diligence guide gives the full evidence checklist to run against any candidate.
Certification FAQ
Which one is “best”?
They answer different questions. NAID AAA is deepest on destruction operations; e-Stewards is strictest on exports and environmental prescription; R2v3 is the most widely held whole-facility standard with strong downstream accountability. For most enterprise buyers the practical requirement is a combination — commonly R2v3 plus NAID AAA — not a single winner.
Does e-Stewards really include NAID AAA?
Yes. e-Stewards Version 4.1 requires certified processors to hold NAID AAA for data security (in force since mid-2022), alongside ISO 14001 or RIOS as the environmental management system. An e-Stewards processor therefore holds NAID AAA by definition; the reverse is not true.
What happened to R2:2013?
Superseded. SERI released R2v3 in 2020 as the standard's third generation, and the industry transitioned off R2:2013 in the years after — current, valid R2 certification means R2v3. Marketing that still says “R2:2013” is a due-diligence flag; check SERI's directory.
Where does RIOS fit — is it a competitor?
No — RIOS is an integrated quality/environmental/health-and-safety management system standard for recyclers, playing the role ISO 9001/14001/45001 play. e-Stewards even accepts it as its EMS component. A processor holding RIOS alongside R2v3 and NAID AAA is stacking a management system under its certifications, not collecting a rival logo.
How do I verify a certification in practice?
Get the certificate, its number, and the certified facility address; confirm the listing in the issuing body's public directory (SERI, e-Stewards, i-SIGMA); check it's current, scoped to the services you're buying, and issued for the facility processing your material. Certification is per site — “our other location is certified” is not coverage.