Conformity assessment

Article 3(27) of Regulation (EU) 2024/2847 defines conformity assessment as:

"the process demonstrating whether the essential cybersecurity requirements set out in Annex I of this Regulation relating to a product with digital elements have been fulfilled".

Article 32 sets out the available procedures.

Module A — Internal Production Control (self-assessment)

• Manufacturer draws up technical documentation and EU DoC
• No involvement of a notified body
• Available to: all default products, and Class I important products where harmonised standards are fully applied

Module B + Module C — EU-Type Examination + Conformity to Type

• Module B: Notified body examines technical documentation and tests a representative specimen
• Module C: Manufacturer declares conformity to the examined type
• Required for: Class I important products where harmonised standards are not fully applied; available for Class II

Module H — Full Quality Assurance

• Notified body audits and approves the manufacturer's entire quality management system covering design, production, and testing
• Available as an alternative to Module B+C for Class I and Class II products

EUCC — EU Cybersecurity Certification Scheme

• Formal certification by an accredited conformity assessment body under Regulation (EU) 2019/881 (the Cybersecurity Act)
• Required for: critical products (Annex IV) once relevant delegated act is in force; available as an alternative for important products

For procedures requiring a notified body (Module B+C, Module H), the manufacturer must select a notified body designated for the relevant product category and submit the technical documentation for assessment before CE marking is affixed.