When the key is required for signing it'll just derive the specific one(s) needed by the transaction.
This is assuming the address is within the gap limit or it has already been generated.
If your transaction includes a UTXO assosiated with the 21st address, the gap limit is 20 and you haven't generated more addresses, your cold wallet can't sign the transaction.
Correct me if I am wrong please.