Select and complete the correct conformity assessment procedure before placing the product on the market
- Applies to
- Manufacturer
- Source citations
- Art. 32(1)Art. 32(2)Art. 32(3)Art. 32(4)Annex VIII
- Product classes
- DefaultImportant — Class IImportant — Class IICritical
Plain language
Before you can ship your product in the EU, you must complete a conformity assessment — a formal verification that it meets the CRA's security requirements. For most products, you can self-assess using Module A. But if your product is an "important" (Annex III) or "critical" (Annex IV) product, stricter rules apply and you may need a notified body to certify your product. Getting the wrong route is a formal non-compliance under Art. 64.
Legal text
Article 32(1) of Regulation (EU) 2024/2847 requires the manufacturer to:
perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in Annex I are met.
Available procedures and when they apply
Default products (not listed in Annex III or IV)
The manufacturer may choose any of:
| Procedure | Module | Description |
|---|---|---|
| Internal control | Module A (Annex VIII Part I) | Manufacturer self-assesses, draws up tech docs, issues EU DoC |
| EU-type examination + internal production control | Module B+C (Annex VIII Parts II & III) | Notified body examines design; manufacturer controls production |
| Full quality assurance | Module H (Annex VIII Part IV) | Notified body approves full QMS covering design, production, and vulnerability handling |
| EUCC certification | Art. 27(9) scheme | Where identified by Commission implementing act |
Important products Class I (Annex III, Class I)
If the manufacturer has fully applied harmonised standards, common specifications, or EUCC at assurance level 'substantial': Module A is permitted.
If not: the manufacturer must use Module B+C or Module H.
Important products Class II (Annex III, Class II)
Always requires one of:
- Module B+C
- Module H
- EUCC certification at assurance level 'substantial' (where available and applicable)
Critical products (Annex IV)
Always requires one of:
- EUCC certification under Art. 8(1) delegated act (once in force)
- Until delegated act: Module B+C or Module H
Module A — Internal control summary
Under Module A (Annex VIII Part I):
- Draw up the technical documentation (Annex VII)
- Take all measures to ensure design, development, production, and vulnerability handling processes comply with Annex I
- Draw up the EU DoC (Annex V), affix CE marking
No notified body involvement is required under Module A.
Module B+C summary
- Module B (EU-type examination): A notified body examines the technical design, issues an EU-type examination certificate
- Module C (internal production control): Manufacturer declares each product conforms to the approved type
Module H summary
A notified body approves and audits the manufacturer's entire quality management system covering design, development, production, and vulnerability handling.
Ongoing obligation
After the product is placed on the market, manufacturers must maintain series conformity — ensuring changes to design, production, or harmonised standards are tracked and reassessed (Art. 13(14)).
Related obligations
- Product classification (important): OBL-ART7-01
- Product classification (critical): OBL-ART8-01
- Technical documentation: OBL-ART31-01
- EU DoC: OBL-ART28-01
- CE marking: OBL-ART13-12