Blackfort TechnologyBlackfort Technology

Conformity Assessment and CE Marking under the Cyber Resilience Act

Blackfort Technology · Cyber Resilience Act knowledge

Note: This article provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and is not legal advice. The applicable text of the Regulation always prevails; this article does not replace a binding assessment of your individual case. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services within the meaning of the German RDG.

Before a product with digital elements (PDE) may be placed on the EU market under the Cyber Resilience Act (Regulation (EU) 2024/2847), the manufacturer must demonstrate that it meets the essential requirements of Annex I. This proof is provided through a conformity assessment under Article 32, followed by CE marking (Art. 30) and an EU declaration of conformity (Art. 28). A widespread misconception is that a notified body must always be involved. As a rule, that is not the case: the majority of products can assess themselves. Which route applies depends on the risk class. The following is general technical and organisational information and does not replace legal advice in an individual case; the final classification of a specific product depends on its functions and its particular context of use.

Timeline: The CRA entered into force on 10 December 2024. The reporting obligations under Art. 14 apply from 11 September 2026. General application – and with it the obligation to carry out conformity assessment and CE marking – begins on 11 December 2027. No CRA CE marking is mandatory before that date.

Four tiers, four routes

The CRA typically sorts products into four tiers. The classification determines whether self-assessment suffices or a third party must be involved. We cover the product classes separately under CRA product classes.

  • Default / unclassified: all PDEs that are neither „important“ (Annex III) nor „critical“ (Annex IV). This is the general case.
  • Important – Class I (Annex III, category I): e.g. identity and privileged-access management, browsers, password managers, anti-malware, VPNs, network-management software, SIEM, operating systems, routers/modems/switches, smart-home assistants or connected alarm systems.
  • Important – Class II (Annex III, category II): e.g. hypervisors and container runtimes, firewalls/IDS/IPS, and tamper-resistant microprocessors and microcontrollers.
  • Critical (Annex IV): e.g. hardware security modules (HSMs), smart-meter gateways with secure cryptoprocessors, and smart cards / secure elements.

To find out whether your product falls within scope at all, start with our applicability check.

The assessment modules (Annex VIII)

The specific assessment procedures – the „modules“ – are set out in Annex VIII. Three routes are relevant in practice:

Module A – internal control (self-assessment)

The manufacturer verifies and declares, under its sole responsibility, that the product meets the requirements of Annex I, draws up the technical documentation (Annex VII), and then affixes the CE marking. No third party is involved. This is the default route for unclassified products (Art. 32(1)).

Module B + C – EU-type examination plus conformity to type

A notified body examines the type (Module B, EU-type examination) and issues a certificate; the manufacturer then ensures that production conforms to the examined type (Module C).

Module H – full quality assurance

A notified body assesses and monitors the manufacturer’s quality-management system across the full lifecycle (design, development, production). Module H typically suits manufacturers who maintain a broad product range and want to apply one assessed system to several products rather than having each type examined individually.

In addition to these modules, a European cybersecurity certification scheme under Regulation (EU) 2019/881 can serve as a route of proof across all tiers. The category descriptions of important and critical products are further specified by Commission Implementing Regulation (EU) 2025/2392.

Which route for which tier?

TierPermitted route (Art. 32)Notified body required?
Default / unclassifiedModule A (self-assessment); alternatively B+C, H or a certification schemeNo – self-assessment as a rule
Important – Class IModule A only if harmonised standards, common specifications or a certification scheme are fully applied; otherwise Module B+C or HNo if standards fully applied, otherwise Yes
Important – Class IIAlways via a third party: Module B+C, Module H or a certification scheme („substantial“ level)Yes – no self-assessment
CriticalEuropean cybersecurity certification scheme (Regulation (EU) 2019/881, at least „substantial“) where mandated; otherwise the Class II routesYes

Key point: A notified body is, as a rule, mandatory only for important Class II products and for critical products. Class I products can self-assess provided the relevant standards are fully applied – and the large remainder of products can do so anyway. So „every product needs a notified body“ is simply wrong.

Critical products and the certification scheme

For critical products under Annex IV, the Commission may require conformity to be demonstrated through a European cybersecurity certification scheme under Regulation (EU) 2019/881 (Cybersecurity Act) at an assurance level of at least „substantial“. Where such a scheme is not (yet) mandated, the Class II routes are typically available.

CE marking and the accompanying documents

Once the conformity assessment is successfully completed, three formal steps follow:

  1. Technical documentation (Annex VII): product description; design, development and production processes; vulnerability-handling processes (architecture, SBOM, CVD policy, update distribution); the risk assessment mapped to Annex I; support-period information; standards applied and test reports. It must be retained for at least 10 years – or for the duration of the support period, whichever is longer.
  2. EU declaration of conformity (Art. 28, contents in Annex V): product identifier; details of the manufacturer or representative; declaration under sole responsibility; standards/specifications/schemes applied and – where applicable – the name, number and procedure of the notified body.
  3. CE marking (Art. 30): by affixing the CE mark, the manufacturer declares conformity with the requirements of the CRA.

Consequences of a missing or incorrect assessment

The conformity obligations carry the risk of fines. Breaches of the essential requirements in Annex I and of core manufacturer duties can be penalised with fines of up to EUR 15 million or 2.5% of total worldwide annual turnover (whichever is higher). For further obligations – including parts of the conformity assessment, the declaration of conformity and CE marking – the range is up to EUR 10 million or 2%. Incomplete or misleading information to notified bodies or market-surveillance authorities can be penalised with up to EUR 5 million or 1%. These ranges are lower than under the GDPR – the top tier is EUR 15 million or 2.5%.

What manufacturers should do now

Even though the CE obligation only takes effect from 11 December 2027, the lead time is short: standards mapping, risk assessment, technical documentation and – for Class II or critical products – the early scheduling of a notified body all take time. Note that the harmonised standards and common specifications that first open the self-assessment route for Class I are still partly under development; their full application presupposes that they are available in time. It makes sense to first determine the product class, then choose the appropriate assessment route, and build the documentation continuously – ideally so that it is ready for inspection by the deadline. Our page on the Cyber Resilience Act gives an overview of the whole legal act.

Frequently asked questions

Does every product under the CRA need a notified body?
No. As a rule, a notified body is only mandatory for important Class II products (Annex III, category II) and for critical products (Annex IV). Unclassified products can self-assess via Module A, and Class I products can too, provided the relevant harmonised standards or a certification scheme are fully applied.
What do Modules A, B+C and H mean?
The modules are described in Annex VIII. Module A is internal control, i.e. self-assessment without a third party. Module B is EU-type examination by a notified body, combined with Module C (conformity to type in production). Module H is full quality assurance, in which a notified body assesses the quality-management system across the full lifecycle.
From when is CE marking mandatory under the CRA?
General application of the CRA – and with it the obligation to carry out conformity assessment and CE marking – begins on 11 December 2027. Although the CRA entered into force on 10 December 2024, no CRA CE marking is mandatory before 11 December 2027.
Which documents belong to CE marking?
Besides the CE marking itself (Art. 30), the manufacturer needs an EU declaration of conformity (Art. 28, contents per Annex V) and the technical documentation (Annex VII). The latter includes, among other things, the product description, risk assessment, SBOM, CVD policy and test reports, and must be retained for at least 10 years or for the duration of the support period.
How are critical products assessed?
For critical products under Annex IV, the Commission may require conformity to be demonstrated through a European cybersecurity certification scheme under Regulation (EU) 2019/881 at an assurance level of at least „substantial“. Where such a scheme is not mandated, the Class II routes (Module B+C or H) are typically available.

Let's talk about your CRA readiness

Unsure which CRA tier and assessment route apply to your product? Blackfort Technology classifies your products, helps you choose the right route under Art. 32, and prepares the technical documentation, EU declaration of conformity and CE marking. Get in touch.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.