What is module B+C? How does it work?
Module B+C, set out in Parts II and III of Annex VIII, is a conformity assessment procedure in which the manufacturer verifies that the product with digital elements complies with the essential requirements of the CRA, a notified body examines the design and development of the product, and the manufacturer declares compliance.
The manufacturer can undertake a conformity assessment procedure based on module B+C for all categories of products covered by the CRA. Module B+C or H is mandatory in the following cases[1]:
- Important products with digital elements of class I if a harmonised standard has not been applied, in accordance with Article 32(2).
- Important products of class II.
- Critical products (unless the use of a European cybersecurity certification scheme is made mandatory in the future in accordance with Article 8(1)).
Only one notified body participates in this procedure and examines the whole product and all relevant essential requirements in the terms described below.
The manufacturer and the notified body have to perform the following activities:
- The manufacturer implements the necessary cybersecurity mitigation measures in the product following the risk assessment described in section 4.1 Risk-based approach and risk-assessment.
- The manufacturer tests the product in order to verify that it complies with the relevant essential requirements of the CRA. For further information, see section 6.5 Which evaluation methodology should a manufacturer apply?
- The manufacturer draws up the technical documentation. For further information, see section 6.6 What is the technical documentation?
- The notified body assesses the design of the product, based on its technical documentation and one specimen or sample. The notified body does not only carry out a documentation-based assessment, but it additionally performs the necessary tests, either itself or via an external laboratory. The manufacturer might need to be involved in those tests. Once the notified body concludes that the product is compliant with the CRA, it issues an EU-type certificate, which is valid for a certain period of time, as defined by the notified body.
- Once the manufacturer obtains the EU-type certificate, it affixes the CE marking (see section 6.7 What is the CE marking?) together with the NANDO number of the notified body, and draws up and signs a declaration of conformity (see section 6.8 What is the declaration of conformity?).
- The manufacturer ensures that the production of the different units of the product does not alter the compliance with the CRA essential requirements, as laid down in point 2 of module C. The production phase is not assessed by the notified body. In other words, the manufacturer cannot justify that a product whose design is compliant with the CRA is not, in practice, compliant because of a defect in the production process.
Substantial modifications of the product require a new assessment by the same or a different notified body, which might lead to a revision of the issued EU-type certificate. Other modifications that do not affect the compliance with the CRA requirements are not subject to reassessment by the notified body. Additionally, in accordance with point 8 of module B, the notified body must carry out periodic audits to ensure that the vulnerability handling processes are properly implemented.
Information about EU-type certificates and their revisions has to be shared with other notified bodies and with the notifying authorities, according to point 9 of module B.
[1] In accordance with Article 32(5), manufacturers retain the possibility to use module A even in the case of an important product with digital elements of class I or II if their product qualifies as free and open-source software and the technical documentation is made available to the public.
Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.