Conformity assessment
Before placing a product with digital elements on the EU market, manufacturers must carry out a conformity assessment to demonstrate that the product meets the requirements of the Cyber Resilience Act (Regulation (EU) 2024/2847). Which procedure applies depends entirely on the product's category.
Info: Conformity assessment is the process that leads to CE marking. You cannot affix the CE marking until the appropriate assessment procedure has been completed and an EU declaration of conformity (EU DoC) has been drawn up.
Assessment procedure by product category
| Category | Assessment required | Self-assessment permitted? | Notified body required? |
|---|---|---|---|
| Default (not in Annex III or IV) | Module A: internal production control (Article 32) | Yes | No |
| Important, Class I (Annex III Class I) | Module A with harmonised standards OR third-party (Module B+C or H) | Yes (if harmonised standards applied) | Optional |
| Important, Class II (Annex III Class II) | Module B+C (EU-type examination + conformity to type) OR Module H (full quality assurance) | No | Yes |
| Critical (Annex IV) | EU-type examination (Module B+C or H) with additional requirements | No | Yes |
Tip: Do not know your category? See Understanding the CRA: product categories for a breakdown of Annex III and Annex IV product lists with examples.
Self-assessment: Module A (Article 32)
Module A is the minimum conformity assessment procedure available under the CRA. It is the standard path for Default products and one of two valid paths for Important Class I products.
What Module A requires
Under Module A, the manufacturer:
- Carries out a cybersecurity risk assessment (Annex VII) and maintains it as part of the technical file
- Designs and develops the product in conformity with Annex I (security requirements and vulnerability handling obligations)
- Maintains a technical file (Annex VII) for 10 years after the last unit is placed on the market, or until end of support, whichever is longer
- Draws up an EU declaration of conformity (Article 28, Annex VI) under its sole responsibility
- Affixes the CE marking to the product (Article 30)
Warning: Self-assessment is not a rubber stamp. The technical file must be substantive enough to withstand scrutiny from a market surveillance authority. A risk assessment that does not reflect the actual product, or an EU DoC that references inapplicable standards, will not survive an audit.
When Class I manufacturers choose Module A
For Important Class I products, Module A is only valid when the manufacturer applies harmonised standards that cover all relevant CRA requirements. If no applicable harmonised standards exist (or the manufacturer chooses not to follow them), the manufacturer must use a third-party procedure instead.
Info: As of early 2026, ENISA and CEN/CENELEC are actively developing harmonised standards for the CRA. EN 18031 (for internet-connected radio equipment) and several ETSI standards are candidates. Check the Official Journal of the EU for the latest list of published harmonised standards.
Third-party conformity assessment
When is a third party required?
| Situation | Third-party requirement |
|---|---|
| Important Class I, no applicable harmonised standards | Third-party required |
| Important Class I, manufacturer chooses not to apply harmonised standards | Third-party required |
| Important Class II, all cases | Third-party required |
| Critical, all cases | Third-party required |
Third-party assessments must be carried out by a notified body: an organisation accredited and designated by an EU member state to perform conformity assessments under the CRA.
Module B+C: EU-type examination and conformity to type
This two-module procedure is the most common third-party route:
Module B: EU-type examination
The notified body:
- Reviews the manufacturer's technical documentation
- Examines a representative sample of the product (the "type")
- Carries out appropriate tests to verify conformity with Annex I
- Issues an EU-type examination certificate valid for a defined period
The certificate number and notified body details must appear in the EU DoC.
Module C: conformity to type
The manufacturer:
- Ensures production units conform to the examined type
- Maintains quality controls to ensure ongoing conformity
- Affixes CE marking and draws up the EU DoC referencing the Module B certificate
Module H: full quality assurance
An alternative to Module B+C, Module H allows manufacturers with an approved quality management system (equivalent to ISO 9001 extended to include cybersecurity) to self-declare individual products, with the notified body auditing the system rather than individual products.
Module H may be more efficient for manufacturers who release frequent updates to a consistent product architecture, as it avoids re-examination for each release, provided changes fall within the scope of the approved QMS.
EU certification under the EU Cybersecurity Act (CSA)
For Critical products, manufacturers may additionally (or instead) pursue EU cybersecurity certification under the EU Cybersecurity Act (Regulation (EU) 2019/881). Where a relevant European cybersecurity certification scheme covers the CRA requirements, the certificate can be used as evidence for the CRA conformity assessment.
Info: The European Commission can make cybersecurity certification mandatory for specific product categories via delegated acts. No such act has been issued as of early 2026.
Engaging a notified body
What notified bodies do
A notified body:
- Reviews your technical documentation for completeness
- Tests the product (or its representative type) against Annex I requirements
- Issues certificates and opinions that form part of your technical file
- Monitors for compliance on an ongoing basis (under Module H)
- Can withdraw certificates if the product is found non-conforming
How to find a notified body
Notified bodies for the CRA will be published in the NANDO database (New Approach Notified and Designated Organisations) maintained by the European Commission. As of early 2026, the CRA designation process is underway; bodies are expected to be notified by 11 June 2027.
Manufacturers planning for third-party assessment in 2027 should:
- Monitor the NANDO database for CRA-designated bodies
- Identify bodies with technical competence in their product domain (IoT, ICS, enterprise software, etc.)
- Engage early. Assessment queues are expected to be long in 2027.
Timeline and cost considerations
Third-party conformity assessment adds lead time and cost:
- Lead time: initial assessments can take 3 to 6 months depending on product complexity and body availability
- Cost: varies widely by product complexity, body, and module selected
- Ongoing: annual surveillance audits under Module H; Module B certificate renewal when the product changes materially
Maintaining conformity after initial assessment
Placing a product on the market is not the end of the conformity obligation. The CRA requires manufacturers to:
- Address new vulnerabilities without undue delay (Annex I Part II)
- Provide security updates free of charge for the support period
- Update the technical file when product changes affect conformity
- Notify the notified body (for Module B+C or H) of significant changes that may affect the certificate
Danger: If you add a new network interface, change the authentication mechanism, or substantially modify the software architecture, assess whether the change falls within the scope of your existing EU-type examination certificate. If not, you must return to the notified body before placing the updated product on the market.
Key dates for conformity assessment
| Date | Milestone |
|---|---|
| 11 September 2026 | ENISA vulnerability notification obligations begin (Article 14) |
| 11 June 2027 | Deadline for member states to designate and notify conformity assessment bodies |
| 11 December 2027 | Full CRA requirements apply. All products placed on the market must be conformant. |
Warning: Products already on the market before 11 December 2027 are not automatically exempt. The transition provisions are specific. Review the CRA text (Article 71) for the exact treatment of products already available before the enforcement date.
Quick reference: which procedure do I use?
Quick reference decision table
| Question | Answer | Result |
|---|---|---|
| Is my product in Annex IV? | Yes | Critical. EU-type examination required (Module B+C or H with a notified body). |
| Is my product in Annex III? | No | Default. Module A self-assessment, no notified body required. |
| Annex III, which class? | Class II | Class II. Third-party required (Module B+C or H, notified body mandatory). |
| Annex III Class I, harmonised standards applied? | Yes | Class I. Module A self-assessment valid. |
| Annex III Class I, harmonised standards applied? | No | Class I. Third-party required (Module B+C or H). |
Next steps
- Required documents. Understand what documents are needed for your technical file.
- Understanding the CRA. Product category definitions and Annex III/IV product lists.
- Technical file export. Export your CRA Evidence documentation as a technical file.
Official resources
- CRA full text: Article 32 and Annexes V/VI/VII (EUR-Lex)
- NANDO database: notified bodies
- ENISA: CRA implementation guidance