← Back to Blogcompliance

Conformity Assessment Routes Under the CRA

The CRA defines three conformity assessment routes depending on product classification — self-assessment (Module A), enhanced self-assessment, and third-party notified body assessment. This post explains when each applies and what is involved.

CRAReady Team·

What Is a Conformity Assessment?

A conformity assessment is the process by which a manufacturer demonstrates that their product meets the CRA's essential cybersecurity requirements. The appropriate route depends on the product's risk classification.

Module A — Internal Production Control (Self-Assessment)

Module A is available to manufacturers of:

  • Default products (the majority of in-scope products)
  • Some Class I important products (where lower cybersecurity risk within Class I)

Under Module A, the manufacturer:

  1. Conducts an internal assessment against all Annex I requirements
  2. Compiles the technical file
  3. Draws up and signs the EU Declaration of Conformity
  4. Affixes CE marking

No third-party involvement is required. However, the manufacturer bears full legal responsibility for the accuracy of the assessment. The technical file must be comprehensive enough to withstand scrutiny from a market surveillance authority.

Enhanced Module A — Third-Party Technical Review (Class I)

Some Class I important products must use an enhanced version of Module A that includes third-party review of the technical file by a cybersecurity audit organisation (not necessarily an accredited notified body). This provides additional assurance without the full cost of a notified body assessment.

The enhanced approach is typically required when the product's cybersecurity risk within Class I is higher — for example, products that handle authentication for large user bases.

Third-Party Assessment — Notified Body (Class II)

Class II important products require assessment by an accredited notified body — an organisation formally designated by an EU member state and listed in the NANDO database. The notified body:

  1. Reviews the technical file
  2. Tests the product against Annex I requirements
  3. Issues a conformity assessment certificate if requirements are met
  4. Monitors ongoing conformity through periodic checks

The assessment adds time (typically 3–6 months) and cost (varies significantly by notified body and product complexity) to the compliance process. Manufacturers of Class II products should begin engagement with potential notified bodies well before the December 2027 deadline.

Choosing a Notified Body

Notified bodies for the CRA are listed in the NANDO database. When selecting one:

  • Verify they are notified specifically for the CRA (not just for other regulations)
  • Assess their technical competence in your product domain
  • Compare their timelines — demand will increase as the December 2027 deadline approaches
  • Consider their approach to ongoing surveillance and certificate renewal

After the Assessment

Once the conformity assessment is complete:

  • Update the technical file with assessment results and any certificates
  • Draw up the EU Declaration of Conformity
  • Affix CE marking
  • Implement a process to maintain conformity as the product evolves

Ready to assess your CRA compliance obligations?

Try the Free Applicability Checker