
Last updated: 2026-07-18
Before a product with digital elements (PDE) may be placed on the EU market under the Cyber Resilience Act (Regulation (EU) 2024/2847), the manufacturer must demonstrate that it meets the essential requirements of Annex I. This proof is provided through a conformity assessment under Article 32, followed by CE marking (Art. 30) and an EU declaration of conformity (Art. 28). A widespread misconception is that a notified body must always be involved. As a rule, that is not the case: the majority of products can assess themselves. Which route applies depends on the risk class. The following is general technical and organisational information and does not replace legal advice in an individual case; the final classification of a specific product depends on its functions and its particular context of use.
Timeline: The CRA entered into force on 10 December 2024. The reporting obligations under Art. 14 apply from 11 September 2026. General application – and with it the obligation to carry out conformity assessment and CE marking – begins on 11 December 2027. No CRA CE marking is mandatory before that date.
Four tiers, four routes
The CRA typically sorts products into four tiers. The classification determines whether self-assessment suffices or a third party must be involved. We cover the product classes separately under CRA product classes.
- Default / unclassified: all PDEs that are neither „important“ (Annex III) nor „critical“ (Annex IV). This is the general case.
- Important – Class I (Annex III, category I): e.g. identity and privileged-access management, browsers, password managers, anti-malware, VPNs, network-management software, SIEM, operating systems, routers/modems/switches, smart-home assistants or connected alarm systems.
- Important – Class II (Annex III, category II): e.g. hypervisors and container runtimes, firewalls/IDS/IPS, and tamper-resistant microprocessors and microcontrollers.
- Critical (Annex IV): e.g. hardware security modules (HSMs), smart-meter gateways with secure cryptoprocessors, and smart cards / secure elements.
To find out whether your product falls within scope at all, start with our applicability check.
The assessment modules (Annex VIII)
The specific assessment procedures – the „modules“ – are set out in Annex VIII. Three routes are relevant in practice:
Module A – internal control (self-assessment)
The manufacturer verifies and declares, under its sole responsibility, that the product meets the requirements of Annex I, draws up the technical documentation (Annex VII), and then affixes the CE marking. No third party is involved. This is the default route for unclassified products (Art. 32(1)).
Module B + C – EU-type examination plus conformity to type
A notified body examines the type (Module B, EU-type examination) and issues a certificate; the manufacturer then ensures that production conforms to the examined type (Module C).
Module H – full quality assurance
A notified body assesses and monitors the manufacturer’s quality-management system across the full lifecycle (design, development, production). Module H typically suits manufacturers who maintain a broad product range and want to apply one assessed system to several products rather than having each type examined individually.
In addition to these modules, a European cybersecurity certification scheme under Regulation (EU) 2019/881 can serve as a route of proof across all tiers. The category descriptions of important and critical products are further specified by Commission Implementing Regulation (EU) 2025/2392.
Which route for which tier?
| Tier | Permitted route (Art. 32) | Notified body required? |
|---|---|---|
| Default / unclassified | Module A (self-assessment); alternatively B+C, H or a certification scheme | No – self-assessment as a rule |
| Important – Class I | Module A only if harmonised standards, common specifications or a certification scheme are fully applied; otherwise Module B+C or H | No if standards fully applied, otherwise Yes |
| Important – Class II | Always via a third party: Module B+C, Module H or a certification scheme („substantial“ level) | Yes – no self-assessment |
| Critical | European cybersecurity certification scheme (Regulation (EU) 2019/881, at least „substantial“) where mandated; otherwise the Class II routes | Yes |
Key point: A notified body is, as a rule, mandatory only for important Class II products and for critical products. Class I products can self-assess provided the relevant standards are fully applied – and the large remainder of products can do so anyway. So „every product needs a notified body“ is simply wrong.
Critical products and the certification scheme
For critical products under Annex IV, the Commission may require conformity to be demonstrated through a European cybersecurity certification scheme under Regulation (EU) 2019/881 (Cybersecurity Act) at an assurance level of at least „substantial“. Where such a scheme is not (yet) mandated, the Class II routes are typically available.
CE marking and the accompanying documents
Once the conformity assessment is successfully completed, three formal steps follow:
- Technical documentation (Annex VII): product description; design, development and production processes; vulnerability-handling processes (architecture, SBOM, CVD policy, update distribution); the risk assessment mapped to Annex I; support-period information; standards applied and test reports. It must be retained for at least 10 years – or for the duration of the support period, whichever is longer.
- EU declaration of conformity (Art. 28, contents in Annex V): product identifier; details of the manufacturer or representative; declaration under sole responsibility; standards/specifications/schemes applied and – where applicable – the name, number and procedure of the notified body.
- CE marking (Art. 30): by affixing the CE mark, the manufacturer declares conformity with the requirements of the CRA.
Consequences of a missing or incorrect assessment
The conformity obligations carry the risk of fines. Breaches of the essential requirements in Annex I and of core manufacturer duties can be penalised with fines of up to EUR 15 million or 2.5% of total worldwide annual turnover (whichever is higher). For further obligations – including parts of the conformity assessment, the declaration of conformity and CE marking – the range is up to EUR 10 million or 2%. Incomplete or misleading information to notified bodies or market-surveillance authorities can be penalised with up to EUR 5 million or 1%. These ranges are lower than under the GDPR – the top tier is EUR 15 million or 2.5%.
What manufacturers should do now
Even though the CE obligation only takes effect from 11 December 2027, the lead time is short: standards mapping, risk assessment, technical documentation and – for Class II or critical products – the early scheduling of a notified body all take time. Note that the harmonised standards and common specifications that first open the self-assessment route for Class I are still partly under development; their full application presupposes that they are available in time. It makes sense to first determine the product class, then choose the appropriate assessment route, and build the documentation continuously – ideally so that it is ready for inspection by the deadline. Our page on the Cyber Resilience Act gives an overview of the whole legal act.
Frequently asked questions
Does every product under the CRA need a notified body?+
What do Modules A, B+C and H mean?+
From when is CE marking mandatory under the CRA?+
Which documents belong to CE marking?+
How are critical products assessed?+
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
This content provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice (no legal services within the meaning of the German RDG).