CRA FAQ

 Open Regulatory Compliance Working Group Orc mascott

Which evaluation methodology should a manufacturer apply?

The CRA does not mandate the use of any specific evaluation methodology, potentially including testing. However, typically the application of an appropriate harmonised standard or technical specification is common practice by manufacturers.

The manufacturer can perform the relevant tests or testing procedures in their own laboratories, if available, or in external ones. The CRA does not lay down any specific requirements on laboratories performing the tests related to the conformity assessment procedures. The manufacturer assumes the sole responsibility for the conformity assessment.

The market surveillance authorities might perform tests or evaluation procedures during the relevant inspections. In this regard, they might consider applying the same methodology as the one used by the manufacturer, especially if that methodology is part of harmonised standard in support of the CRA. This being said, the market surveillance authority may apply a different methodology, on a justified basis. It must be highlighted that cybersecurity testing is not deterministic as in other NLF-regulated fields and the results might not be unique.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.60–61 (PDF) •
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.