CRA FAQ

Module A, set out in part I of Annex VIII, is a conformity assessment procedure in which the manufacturer verifies that the product with digital elements complies with the essential requirements of the CRA and declares compliance on its sole responsibility.

No notified bodies participate in this procedure.

The following categories of products are allowed to use module A:

• All products with digital elements that do not have the core functionality of a category of important or critical products (‘default category’).
• Important products with digital elements of class I, if a harmonised standard has been applied in accordance with Article 32(2);
• Important products with digital elements of class I or II, if they are free and open-source software provided that the technical documentation is made available to the public, in accordance with Article 32(5).

The manufacturer has to perform the following activities:

• Implement the necessary cybersecurity mitigation measures in the product following the risk assessment described in section 4.1 Risk-based approach and risk-assessment.
• Verify (via testing or other mechanism) that the product complies to the relevant essential requirements of the CRA. When applicable, see also section 6.5 Which evaluation methodology should a manufacturer apply?
• Draw up the technical documentation. See also section 6.6 What is the technical documentation?
• Once the manufacturer is in a position to demonstrate that the product with digital elements is compliant with the CRA essential requirements, affix the CE marking (see section 6.7 What is the CE marking?), draw up and sign a declaration of conformity (see section 6.8 What is the declaration of conformity?).
• Ensure that the production of the different units of the product with digital elements does not alter the compliance with the CRA essential requirements.

Module B+C, set out in Parts II and III of Annex VIII, is a conformity assessment procedure in which the manufacturer verifies that the product with digital elements complies with the essential requirements of the CRA, a notified body examines the design and development of the product, and the manufacturer declares compliance.

The manufacturer can undertake a conformity assessment procedure based on module B+C for all categories of products covered by the CRA. Module B+C or H are mandatory in the following cases^[1]:

• Important products with digital elements of class I if a harmonised standard has not been applied, in accordance with Article 32(2).
• Important products of class II.
• Critical products (unless the use of a European cybersecurity certification scheme is made mandatory in the future in accordance with Article 8(1).

Only one notified body participates in this procedure and examines the whole product and all relevant essential requirements in the terms described below.

The manufacturer and the notified body have to perform the following activities:

• The manufacturer implements the necessary cybersecurity mitigation measures in the product following the risk assessment described in section 4.1 Risk-based approach and risk-assessment.
• The manufacturer tests the product in order to verify that it complies with the relevant essential requirements of the CRA. See for further information section 6.5 Which evaluation methodology should a manufacturer apply?
• The manufacturer draws up the technical documentation. See for further information section 6.6 What is the technical documentation?
• The notified body assesses the design of the product, based on its technical documentation, and one specimen or sample. The notified body does not only

carry out a documentation-based assessment, but it additionally performs the necessary tests, either itself or via an external laboratory. The manufacturer might need to be involved in those tests. Once the notified body concludes that the product is compliant with the CRA, it issues an EU-type certificate, which is valid for a certain period of time, as defined by the notified body.

• Once the manufacturer obtains the EU-type certificate, it affixes the CE marking (see section 6.7 What is the CE marking?) together with the NANDO number of the notified body, draw up and sign a declaration of conformity (see section 6.8 What is the declaration of conformity?).
• The manufacturer ensures that the production of the different units of the product does not alter the compliance with the CRA essential requirements, as laid down in point 2 of module C. The production phase is not assessed by the notified body. In other words, the manufacturer cannot justify that a product whose design is compliant with the CRA is not, in the practice, compliant because of a defect in the production process.

Substantial modifications of the product require a new assessment by the same or a different notified body, that might lead to a potential revision of the issued EU-type certificate. Other modifications that do not affect the compliance with the CRA requirements are not subject to reassessment by the notified body. Additionally, in accordance with point 8 of module B, the notified body must carry out periodic audits to ensure that the vulnerability handing processes are properly implemented.

Information about EU-type certificates and their revisions has to be shared with other notified bodies and with the notifying authorities, according to point 9 of module B.

Module H, set out in Part IV of Annex VIII, is a conformity assessment procedure in which the manufacturer implements a full quality control system that ensures that the products subject to this system comply with the essential requirements of the CRA in both the design and the production phases. A notified body assesses the overall performance of the quality control system, including periodical tests and checks. The manufacturer declares compliance with the CRA requirements before placing the products on the market.

Only one notified body participates in this procedure and examines the whole quality control system in the terms described below.

This module might be particularly considered by manufacturers that place numerous product types on the market or products subject to frequent updates, since it streamlines the relevant conformity assessment procedures for each new or substantially modified product.

The manufacturer and the notified body have to perform the following activities:

• The manufacturer implements a full quality control system that covers a certain catalogue of products and all the relevant manufacturing phases, from design to production. The system can be based on international standards (for example, ISO 9000 series covering the specificities of the CRA). The fact that the manufacturer is accredited against the standard ISO 9000 does not automatically entitle it to perform conformity assessment activities under module H, since the involvement of a CRA notified body is needed.
• The notified body assesses the quality control system as a whole, including, among others, the technical design of the covered products, the standards or specifications to be applied (in particular, how the compliance with the essential requirements of the CRA is ensured), the tests to be performed, and the monitoring of the overall system. The notified body covers the whole manufacturing process.
• The manufacturer, based on the quality control system, implements the necessary cybersecurity mitigation measures in the product following the risk assessment described in section 4.1 What does the CRA require of the manufacturer’s cybersecurity risk assessment?.
• The manufacturer, based on the quality control system, tests the product in order to verify that it complies to the relevant essential requirements of the CRA. See for further information section 6.5 Which evaluation methodology should a manufacturer apply?
• The manufacturer, based on the quality control system, draws up the technical documentation. See for further information section 6.6 What is the technical documentation?
• The manufacturer affixes the CE marking (see section 6.7 What is the CE marking?) together with the NANDO number of the notified body, draws up and signs a declaration of conformity (see section 6.8 What is the declaration of conformity?).
• The manufacturer, based on the quality control system, ensures that the production of the different units of the product does not alter the compliance with the CRA essential requirements.

The manufacturer can extend the scope of the described quality system to new or substantially modified products. The quality system must be updated in order to properly document the new scope, and potential new standards might need to be applied or tests might need to be performed. Nevertheless, this extension is subject to a new assessment by the same notified body that performed the original assessment. In any case, and as indicated above, module H provides a more versatile and flexible framework compared to module B+C. Hence, the inclusion of new products constitutes a more streamlined process, since the notified body will only have to assess the potential new standards or tests applicable to the new products.

The CRA is applicable to products placed as individual units on the market as of its date of applicability. In other words, legacy types or models are not exempted from the application of the CRA if, after the aforementioned date, new units are placed on the market. The CRA provides a transition period between its entry into force (10 December 2024) and its date of application (11 December 2027 for the majority of the obligations) to ensure a smooth implementation. During this period, the manufacturer has to adapt the product to the CRA requirements, if needed, and perform the conformity assessment described in this chapter.

Module H might be helpful for manufacturers of important and critical products that place numerous types or models on the market since it provides a holistic system that streamlines the conformity assessment.

The CRA does not mandate the use of any specific evaluation methodology, potentially including testing. However, typically the application of an appropriate harmonised standard or technical specification is common practice by manufacturers.

The manufacturer can perform the relevant tests or testing procedures in their own laboratories, if available, or in external ones. The CRA does not lay down any specific requirements on laboratories performing the tests related to the conformity assessment procedures. The manufacturer assumes the sole responsibility for the conformity assessment.

The market surveillance authorities might perform tests or evaluation procedures during the relevant inspections. In this regard, they might consider applying the same methodology as the one used by the manufacturer, especially if that methodology is part of harmonised standard in support of the CRA. This being said, the market surveillance authority may apply a different methodology, on a justified basis. It must be highlighted that cybersecurity testing is not deterministic as in other NLF-regulated fields and the results might not be unique.

The technical documentation must contain the elements laid down in Annex VII of the CRA.

The manufacturer must take into consideration that the technical documentation is not only an internal deliverable but it might be requested by the market surveillance authorities. Therefore, it has to be comprehensive and clear. The manufacturer must be able to demonstrate that the product has been designed, developed and manufactured to comply with the essential requirements of the CRA. The latter includes specifications of vulnerability handling processes.

The technical documentation can be written in any language. Nevertheless, if it is required by a market surveillance authority, it needs to be provided in a language easily understood by this authority.

There is no obligation to make the technical documentation available to a manufacturer’s customers or to the public, with the exception of manufacturers of free and open-source software that fall under the categories set out in Annex III (important products of class I or II) that wish to self-attest their conformity, in accordance with Article 32(5).

The CE marking is a simple visual self-declaration of the manufacturer that the product is compliant with all the applicable NLF pieces of legislation and, in particular, with the CRA. It is addressed to consumers and market surveillance authorities. It is regulated in Articles 29 and 30. Further information can also be found in section 4.5.1. of the Blue Guide.

Products must bear the CE marking in a visible, legible and indelible way. As a general rule, it has to be larger than 5 mm. Exceptions can be accepted when the size of the product does not allow it, provided that it remains visible. The CE marking cannot have a size less than 5 mm on the grounds of aesthetic reasons.

The CE marking cannot be affixed in a part of the product that is not easily visible according to its intended use.

Software products also need to bear the CE marking. In accordance with Article 30(1), for software products the CE marking shall be affixed either to the EU declaration of conformity or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.

The CE marking cannot be affixed if the manufacturer has not performed a conformity assessment procedure, with a positive result.

The declaration of conformity is a document in which the manufacturer declares that the product is compliant with the CRA, and assumes responsibility for that.

The declaration of conformity must accompany the product placed on the market. Two formats are allowed:

• The full declaration of conformity, following the template laid down in Annex V.
• A simplified declaration of conformity, which is a sentence whose template is laid down in Annex VI and that includes the internet address where the full declaration of conformity can be accessed.

The declaration of conformity is a document linked to the individual product and not only to the type or model. In this regard, it is not needed that it includes the unique identifier of the product. Nevertheless, a new version of the product might need a new declaration of conformity, especially when it implements a substantial modification.

The declaration of conformity cannot be signed if the manufacturer has not performed one of the relevant conformity assessment procedures, with a positive result.

In accordance with Article 28(3) and as stated in section 4.4 of the Blue Guide, where several pieces of Union harmonisation legislation apply to a product, the manufacturer or the authorised representative has to provide a single declaration of conformity in respect of all such Union acts. In order to reduce the administrative burden on economic operators and facilitate its adaptation to the modification of one of the applicable Union acts, the single declaration may be a dossier made up of relevant individual Declarations of conformity.

Notified bodies are private or public entities that examine products to ensure that they comply with the CRA. Their competence is assessed by notifying authorities of Member States and the list is available on the NANDO system.

Notified bodies have to be independent vis-à-vis the manufacturers and the market surveillance authorities, to avoid any conflict of interest.

The Commission standardisation request (M/606) addressed to CEN, CENELC and ETSI foresees the development of a set of harmonised standards to support CRA compliance, distinguishing between horizontal (product-agnostic) standards and vertical (product-specific) standards.

Horizontal standards are meant to provide a coherent generic framework, methodology and taxonomy to support the development of further, granular vertical harmonised standards for specific products or product types, as well as to support manufacturers in defining and implementing the security requirements applicable to their respective products. The Commission requested the development of 15 horizontal standards, which the European Standardisation Organisations (ESOs) have clustered in 3 deliverables:

• A harmonised European standard on designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, to be adopted by the ESOs by 30 August 2026;
• A harmonised European standard covering the essential cybersecurity requirements relating to the properties of products with digital elements as set out in Part I of Annex I, to be adopted by the ESOs by 30 October 2027;
• A harmonised European standard on vulnerability handling for products with digital elements, to be adopted by the ESOs by 30 August 2026.

Vertical standards are meant to be product specific and to cover a specific set of risks appropriate to a particular intended purpose and reasonably foreseeable use. The Commission requested the development of 26 vertical standards (which the ESOs are addressing through 31 separate deliverables) to be adopted by the ESOs by 30 October 2026. The vertical standards under development cover the categories of important and critical products with digital elements set out in Annexes III and IV of CRA.

In accordance with Article 27(6), where a harmonised European standard is adopted by the ESOs, the Commission shall assess it in accordance with Regulation (EU) No 1025/2012 for the purpose of publishing its reference in the Official Journal of the European Union.