CRA Conformity Assessment: Module A, Notified Body, and EUCC
Before placing a product on the EU market after December 2027, you must complete a conformity assessment, compile a technical file, and draw up a Declaration of Conformity. The route you follow depends entirely on your product's risk class.
| Product class | Route | Typical cost & time |
|---|---|---|
| Default | Module A (self-assessment) | Internal only — staff time |
| Important Class I | Harmonised standard + self-cert, OR Module H | €5k–€50k, 1–3 months |
| Important Class II | Notified Body (mandatory) | €30k–€150k, 3–9 months |
| Critical | EUCC Certification | €100k–€500k+, 12–24 months |
Module A — Internal Production Control
Default · CRA Annex VI, Module A
The manufacturer carries out the full conformity assessment internally. No third-party involvement is required, except for Class I products where a harmonised standard is not applied. The manufacturer maintains all technical documentation and draws up a Declaration of Conformity.
Process
- Conduct internal risk assessment and gap analysis against Annex I requirements
- Implement all required security measures and document them
- Compile the Technical File (Annex VII) demonstrating conformity
- Draw up the EU Declaration of Conformity (Annex V)
- Affix CE marking
- Keep documentation for 10 years from placing on market
Suitable for: All Default-class products. Class I products where a harmonised standard is applied in full.
Module H — Full Quality Assurance
Important Class I · CRA Annex VI, Module H
The manufacturer implements and maintains a Quality Management System (QMS) covering design, development, production, and post-market activities. The QMS is assessed and certified by a Notified Body. Once certified, the manufacturer can self-certify individual products under the QMS.
Process
- Implement a QMS covering design, security testing, vulnerability management, and update processes
- Submit QMS documentation to an accredited Notified Body for assessment
- Notified Body conducts audit and issues QMS certificate
- Manufacturer applies QMS to each product and draws up Declaration of Conformity
- Notified Body may conduct periodic surveillance audits
Suitable for: Class I products where the manufacturer chooses QMS-based certification rather than applying a harmonised standard.
Notified Body Assessment
Important Class II · CRA Article 24 — Mandatory
For Class II products, involvement of a Notified Body (NB) is mandatory. The NB examines the technical file, tests the product against the essential requirements, and issues an EU-type examination certificate. The manufacturer then draws up the Declaration of Conformity referencing the NB certificate.
Process
- Compile full Technical File (Annex VII) — typically 200–500 pages for a complex product
- Select an accredited Notified Body that covers your product type
- Submit technical file and product samples to the NB
- NB conducts review and testing — typically 3–6 months
- NB issues EU-type examination certificate (if conforming)
- Manufacturer draws up Declaration of Conformity referencing the NB certificate number
- Affix CE marking with NB identification number
Suitable for: All Class II products — mandatory, no alternatives.
EUCC Certification
Critical · CRA Article 25 — via EU Cybersecurity Act
Critical products require certification under the EU Common Criteria-based Cybersecurity Certification (EUCC) scheme, managed by ENISA. EUCC is based on Common Criteria (ISO/IEC 15408) and is the most rigorous cybersecurity evaluation methodology available in the EU. Evaluation is performed by accredited IT Security Evaluation Facilities (ITSEFs).
Process
- Prepare a Security Target (ST) document defining the product's security objectives and claims
- Select an accredited ITSEF in an EU member state
- ITSEF conducts evaluation against applicable Common Criteria profile
- ITSEF submits evaluation report to the national Certification Body (e.g. BSI, ANSSI, NLNCSA)
- Certification Body issues EUCC certificate
- Manufacturer references EUCC certificate in Declaration of Conformity
- Certificate must be renewed periodically and when significant changes are made
Suitable for: All Critical products — mandatory. Expect 12–24 months and significant cost for a full EUCC evaluation.
CE Marking Under the CRA
CE marking under the CRA works the same way as other EU product legislation. Once conformity assessment is complete:
- Affix the CE mark to the product, its packaging, or accompanying documentation (physical products)
- For software-only products, include CE marking in accompanying documentation or on the product's website
- If a Notified Body was involved, include their four-digit NB number alongside the CE mark
- The CE mark must be visible, legible, and indelible
- Do not affix CE marking before the Declaration of Conformity is drawn up
CRAReady's assessment wizard determines your conformity route and generates the documentation you need to start the process.