What is module H? How does it work?

Module H, set out in Part IV of Annex VIII, is a conformity assessment procedure in which the manufacturer implements a full quality control system that ensures that the products subject to this system comply with the essential requirements of the CRA in both the design and the production phases. A notified body assesses the overall performance of the quality control system, including periodical tests and checks. The manufacturer declares compliance with the CRA requirements before placing the products on the market.

Only one notified body participates in this procedure and examines the whole quality control system in the terms described below.

This module might be particularly considered by manufacturers that place numerous product types on the market or products subject to frequent updates, since it streamlines the relevant conformity assessment procedures for each new or substantially modified product.

The manufacturer and the notified body have to perform the following activities:

• The manufacturer implements a full quality control system that covers a certain catalogue of products and all the relevant manufacturing phases, from design to production. The system can be based on international standards (for example, ISO 9000 series covering the specificities of the CRA). The fact that the manufacturer is accredited against the standard ISO 9000 does not automatically entitle it to perform conformity assessment activities under module H, since the involvement of a CRA notified body is needed.
• The notified body assesses the quality control system as a whole, including, among others, the technical design of the covered products, the standards or specifications to be applied (in particular, how the compliance with the essential requirements of the CRA is ensured), the tests to be performed, and the monitoring of the overall system. The notified body covers the whole manufacturing process.
• The manufacturer, based on the quality control system, implements the necessary cybersecurity mitigation measures in the product following the risk assessment described in section 4.1 What does the CRA require of the manufacturer’s cybersecurity risk assessment?.
• The manufacturer, based on the quality control system, tests the product in order to verify that it complies to the relevant essential requirements of the CRA. See for further information section 6.5 Which evaluation methodology should a manufacturer apply?
• The manufacturer, based on the quality control system, draws up the technical documentation. See for further information section 6.6 What is the technical documentation?
• The manufacturer affixes the CE marking (see section 6.7 What is the CE marking?) together with the NANDO number of the notified body, draws up and signs a declaration of conformity (see section 6.8 What is the declaration of conformity?).
• The manufacturer, based on the quality control system, ensures that the production of the different units of the product does not alter the compliance with the CRA essential requirements.

The manufacturer can extend the scope of the described quality system to new or substantially modified products. The quality system must be updated in order to properly document the new scope, and potential new standards might need to be applied or tests might need to be performed. Nevertheless, this extension is subject to a new assessment by the same notified body that performed the original assessment. In any case, and as indicated above, module H provides a more versatile and flexible framework compared to module B+C. Hence, the inclusion of new products constitutes a more streamlined process, since the notified body will only have to assess the potential new standards or tests applicable to the new products.