Artifact GuideEU

Cyber Resilience Act conformity assessment and CE marking

A source-grounded guide for manufacturers deciding how to demonstrate CRA conformity before placing products with digital elements on the EU market.

Use it to align product classification, standards coverage, technical documentation, the EU declaration of conformity, and CE marking controls.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 4, 2026
Updated
May 25, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 4, 2026
Updated May 25, 2026
Overview

Under the Cyber Resilience Act, CE marking is the visible outcome of a completed conformity assessment. The route is not chosen by convenience alone: it depends on the product category, the coverage of harmonised standards or other recognised conformity bases, and whether the manufacturer can evidence both product cybersecurity requirements and vulnerability-handling processes.

Section 1

Start with the product category and core functionality

Classify the product before choosing a route. The CRA separates products with digital elements into the default category, important products of class I, important products of class II, and critical products. Commission FAQ grounding explains that important or critical classification turns on the product's core functionality, not merely on the presence of an important or critical component inside a larger product.

This distinction matters for finished-product systems. Integrating a browser, secure element, operating system component, or other listed component does not automatically pull the whole finished product into that component's conformity route. The finished product still needs its own classification and cybersecurity risk assessment.

  • Record the intended purpose, reasonably foreseeable use, deployment context, and product functions used for classification.
  • Map the product against Annex III important-product categories and Annex IV critical-product categories before deciding whether third-party assessment is required.
  • Use technical category descriptions and official guidance where available; avoid relying only on marketing names such as router, gateway, platform, agent, or app.
  • Keep the classification rationale in the technical documentation so the selected route can be defended to a notified body or market surveillance authority.
Section 2

Apply Article 32 route logic

Article 32 recognises internal control under Module A, EU-type examination under Module B followed by conformity to type under Module C, full quality assurance under Module H, and qualifying European cybersecurity certification schemes where the CRA makes them available for that purpose.

Default-category products can use Module A. Important class I products can use Module A only where the relevant harmonised standards, common specifications, or European cybersecurity certification schemes are applied for the relevant requirements. Where those instruments are missing, only partly applied, or do not cover the relevant requirements, the manufacturer needs Module B plus C or Module H for those requirements.

  • Module A: manufacturer draws up technical documentation, verifies conformity, affixes CE marking, and declares compliance on its own responsibility without notified body participation.
  • Module B plus C: a notified body examines design, development, technical documentation, supporting evidence, specimens, and vulnerability-handling processes; the manufacturer then controls conformity to the approved type in production.
  • Module H: a notified body assesses and surveils a full quality system covering design, development, production, final inspection, testing, and product cybersecurity controls.
  • Important class II products generally require Module B plus C, Module H, or a qualifying certification route; Article 32 also contains a specific free and open-source software rule where public technical documentation is provided.
  • Critical products depend first on whether a European cybersecurity certification scheme has been made mandatory under Article 8; otherwise, the Article 32 class II routes are the fallback route set.
Section 3

Build the technical file around evidence, not headings

Annex VII sets the minimum technical documentation content. It is the file that lets the manufacturer, a notified body, or a market surveillance authority assess conformity against Annex I product requirements and Annex I vulnerability-handling requirements.

The file should connect classification, risk assessment, requirements, standards coverage, tests, software versions, vulnerability processes, support-period reasoning, and the EU declaration of conformity. Where standards, common specifications, or certification schemes are not used in full, the file needs to identify what was applied and describe the alternative solutions used to meet the essential requirements.

  • Product description: intended purpose, relevant software versions, hardware or architecture information where applicable, and user instructions.
  • Lifecycle processes: design, development, production, maintenance, and vulnerability handling, including how third-party and open-source components are controlled.
  • Cybersecurity risk assessment: assumptions, threat model, intended and foreseeable use, risk treatment, tests, and justifications for any Annex I requirement treated as not applicable.
  • Standards and conformity basis: harmonised standards, common specifications, certification schemes, or other technical specifications applied in full or in part.
  • Evidence package: test reports, SBOM where applicable, support-period rationale, declaration copy, version history, and change-control records for modifications that may affect conformity.
Recommended next step

Turn CRA CE marking work into an operational assessment

Assessment Autopilot can turn Cyber Resilience Act conformity assessment and CE marking work into route decisions, evidence requests, review checkpoints, and release controls inside Sorena.

Assessment workflow
Open Assessment Autopilot for CRA CE marking

Turn the selected CRA conformity route into owners, technical-file evidence, declaration checks, and CE marking release controls.

Explore next step
Talk to Sorena
Talk through CRA CE marking implementation

Review product classification, standards coverage, notified-body needs, and evidence gaps before launch.

Explore next step
Section 4

Treat notified-body review as product and process review

For Module B plus C, the notified body does more than read a binder. Annex VIII expects assessment of the technical design and development of the product, supporting evidence, specimens of critical parts, and the manufacturer's vulnerability-handling processes.

For Module H, the notified body assesses the full quality system and checks whether the manufacturer can consistently identify applicable CRA requirements, perform the necessary examinations, and keep products compliant through design and production. That makes change control, release governance, and vulnerability-management evidence central to the assessment.

  • Maintain a route decision record that shows the category, route, applicable standards or schemes, and reasons why third-party assessment is or is not required.
  • Trace Annex I requirements to design controls, security tests, vulnerability-handling procedures, and release gates.
  • Escalate product changes that may affect conformity, the approved type, or certificate validity before release.
  • Keep evidence that production units, software releases, and updates remain aligned with the assessed design and documented controls.
Section 5

Issue the declaration before relying on CE marking

After a positive conformity assessment, the manufacturer draws up the EU declaration of conformity under Article 28 and affixes CE marking under Articles 29 and 30. The declaration is the manufacturer's responsibility statement that the product with digital elements complies with the CRA.

The CRA allows either the full declaration following Annex V or a simplified declaration following Annex VI that gives the internet address for the full declaration. Where several EU harmonisation acts require an EU declaration for the same product, Article 28 requires a single declaration covering the applicable acts.

  • Use Annex V content: product identification, manufacturer details, object of the declaration, statement of sole responsibility, applicable Union law, standards or specifications used, notified body details where applicable, and signature.
  • Keep the declaration and technical documentation available to national authorities for ten years after placing on the market or for the support period, whichever is longer.
  • Provide the declaration in the language or languages required by the Member State where the product is placed or made available on the market.
  • Do not sign the declaration or apply CE marking until the selected conformity route has produced a positive result.
Section 6

Control where and how CE marking appears

CRA CE marking must be visible, legible, and indelible. For software products, Article 30 allows CE marking either on the EU declaration of conformity or on the website accompanying the software product, provided the relevant section is easily and directly accessible to consumers.

If a notified body is involved in the conformity assessment route, Article 30 requires its identification number to appear after the CE marking. Market surveillance authorities can treat missing, wrongly affixed, or unsupported CE marking as formal non-compliance and require corrective action.

  • Define the CE marking location for hardware, packaging, instructions, declaration, website, or software distribution page before release approval.
  • Check size, visibility, legibility, and permanence against CRA and Blue Guide CE-marking rules.
  • Add the notified body's identification number where the selected CRA route requires notified body involvement.
  • Keep screenshots, artwork approvals, declaration versions, product labels, and release records showing the CE marking used for each placed-on-market version.
Primary sources

References and citations

Regulation (EU) 2024/2847, Cyber Resilience Act
data.europa.eu
Referenced sections
  • Supports the CRA route logic in Article 32, EU declaration rules in Article 28, CE marking rules in Articles 29 and 30, and technical documentation requirements in Article 31 and Annex VII.
"products with digital elements should bear the CE marking"
Related guides

Explore more topics

CRA Applicability Test for Products With Digital Elements
Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ explaining Blue Guide market-access concepts for products with digital elements: placing on the market, making available, imports, CE marking, operator roles, online sales, stock, and testing exceptions.
CRA CE Marking FAQ | Conformity Assessment, EU Declaration, Evidence
Practical CRA CE marking answers for products with digital elements: conformity assessment, EU declaration, technical documentation, standards, software placement, and launch evidence.
CRA Component Due Diligence FAQ | Third-Party Software, FOSS, SBOMs
Cyber Resilience Act FAQ on manufacturer due diligence for integrated components, third-party software, FOSS dependencies, SBOMs, vulnerability handling, and evidence records.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Important and Critical Products
Cyber Resilience Act FAQ on when manufacturers can use module A, when module B+C or module H is required, and how important and critical products affect the route.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Annex I, Updates
CRA FAQ on Article 13 cybersecurity risk assessments, Annex I applicability, intended purpose, foreseeable use, technical documentation, and update evidence.
CRA deadlines and compliance calendar | EU Cyber Resilience Act
Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
CRA Declaration of Conformity FAQ | Annex V, Simplified Declaration, CE Marking
FAQ on the Cyber Resilience Act EU Declaration of Conformity: Annex V contents, simplified Annex VI wording, CE marking link, technical documentation, retention, updates, and operator duties.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic-operator roles: manufacturers, importers, distributors, authorised representatives, substantial modification, traceability, and evidence controls.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on Annex I product cybersecurity requirements, vulnerability handling, secure-by-default design, risk assessment, documentation, lifecycle duties, and user information.
CRA Essential Cybersecurity Requirements in Annex I
A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Components, RDPS
FAQ on Cyber Resilience Act hardware and software boundaries: combined products, standalone software, source code, components, remote data processing, SaaS and market-placement changes.
CRA Harmonised Standards FAQ | Presumption of Conformity, Common Specifications
Cyber Resilience Act FAQ on how harmonised standards, common specifications, certification schemes, and OJ publication affect CRA conformity evidence.
CRA Important and Critical Products FAQ | Annex III, Annex IV, Conformity Assessment
FAQ on CRA important and critical products, Annex III and Annex IV classification, core functionality, and conformity assessment consequences.
CRA Integrated Components and Dependencies FAQ | Third-Party Software and SBOM Evidence
Cyber Resilience Act FAQ on integrated components, third-party software, remote data processing, SBOM-style evidence, upstream fixes, FOSS dependencies, and manufacturer responsibility.
CRA Interplay With EU Product Laws FAQ | RED, Machinery, Data Act
Grounded CRA FAQ on overlap with the Radio Equipment Directive, Machinery Regulation, GPSR, Data Act, exclusions, declarations, documentation, and existing certificates.
CRA Known Exploitable Vulnerabilities at Launch FAQ
FAQ for Cyber Resilience Act launch decisions: known exploitable vulnerabilities, CVEs, component flaws, secure-by-default settings, release gates, Article 14 reporting, and evidence.
CRA Legacy Products FAQ | Pre-11 December 2027 Products
Cyber Resilience Act FAQ on products placed on the market before 11 December 2027, Article 14 reporting, substantial modification, distributor stock, spare parts, and records.
CRA Manufacturer Obligations FAQ | Article 13, Annex I, CE Marking
FAQ for Cyber Resilience Act manufacturers covering Article 13 duties, risk assessment, Annex I, vulnerability handling, support periods, documentation, conformity assessment, reporting, CE marking, and evidence controls.
CRA Market Surveillance and Enforcement FAQ | Authorities, Corrective Action, Safeguards
Cyber Resilience Act FAQ on market-surveillance authorities, investigations, corrective action, withdrawal, recall, safeguards, sweeps, documentation access, and penalties.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA Module B+C FAQ explaining EU-type examination, conformity to type, notified-body evidence, production control, CE marking, declarations, and certificate changes.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA Module H FAQ explaining the full-quality-assurance route, notified-body assessment, quality-system scope, technical documentation, CE marking, declarations, and records.
CRA Notified Bodies FAQ | Scope, Modules B+C and H, Certificates
Practical CRA FAQ on when notified bodies are needed, how CRA bodies are designated, what their notified scope means, and how Module B+C and Module H assessments work.
CRA Open-Source Software FAQ | FOSS Scope, Stewards, Manufacturers
Cyber Resilience Act FAQ for free and open-source software: commercial activity, steward duties, manufacturer due diligence, vulnerability handling, public documentation, and user obligations.
CRA Over-the-Air Updates FAQ
Cyber Resilience Act FAQ on OTA updates, automatic security updates, secure update distribution, support-period evidence, and offline update paths.
CRA penalties and fines FAQ | Article 64 fine caps
FAQ on EU Cyber Resilience Act Article 64 penalties: maximum fine tiers, turnover caps, national enforcement, economic operators, reporting duties, and open-source steward carve-outs.
CRA Penalties and Fines: Article 64 Caps and Enforcement Context
Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families, variant grouping, shared technical documentation, conformity evidence, and when cybersecurity-relevant differences need separate assessment.
CRA Products with Digital Elements Scope | EU Cyber Resilience Act
Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
CRA Products With Digital Elements Scope FAQ
EU Cyber Resilience Act FAQ on products with digital elements, software, firmware, remote data processing, components, exclusions, market placement, and CRA operator boundaries.
CRA Remote Data Processing Solutions FAQ | Product Scope, Cloud and Backend Boundaries
FAQ on how the EU Cyber Resilience Act treats remote data processing solutions, manufacturer-controlled backends, third-party cloud services, SaaS, risk assessment, documentation, and user information.
CRA Reporting Obligations FAQ | Article 14, CSIRTs, ENISA, User Notices
Cyber Resilience Act FAQ on Article 14 reporting for actively exploited vulnerabilities and severe incidents, including timing, CSIRT routing, ENISA access, user notices, and evidence.
CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
CRA SBOM and Vulnerability Management Template
Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
CRA Secure-by-Default FAQ | Default Configuration and Annex I Controls
Cyber Resilience Act FAQ on secure-by-default configuration, automatic security updates, attack surface reduction, authentication, data minimisation, user information, and tailor-made products.
CRA Security Updates vs Functionality Updates FAQ
Cyber Resilience Act FAQ on classifying security updates, functionality updates, support-period duties, automatic updates, user notices, and substantial-modification review.
CRA Substantial Modification FAQ | Updates, Repairs, Manufacturer Duties
Cyber Resilience Act FAQ on when software updates, repairs, spare parts, and post-market changes become substantial modifications and trigger CRA manufacturer, evidence, and conformity duties.
CRA Support Period FAQ | Expected Product Lifetime, Security Updates, User Information
Practical CRA FAQ on how manufacturers determine support periods, disclose support end dates, keep security updates available, and document support-period evidence.
CRA Tailor-Made Products FAQ | Bespoke Products, Market Placement, Evidence
FAQ on when a bespoke product may be treated as tailor-made under the EU Cyber Resilience Act, what the carve-out changes, and what manufacturers still need to document.
CRA Technical Documentation FAQ | Annex VII Evidence and Technical File
CRA FAQ explaining Annex VII technical documentation, risk assessment evidence, conformity assessment files, vulnerability handling records, product families, RDPS, language, and authority access.
CRA Transition Period FAQ | Entry Into Force, Application Dates, Reporting, Legacy Products
CRA FAQ on the transition period covering entry into force, 2026 reporting, 2027 application, legacy products, stock, customs timing, and software versions.
CRA Update Availability and Software Archives FAQ
FAQ on CRA security-update availability, support-period notices, optional public software archives, historical versions, and Article 13(10) software-version limits.
CRA User Information and Transparency FAQ | Annex II Instructions
Practical CRA FAQ on Annex II user instructions, support-period disclosure, vulnerability contacts, update notices, importer and distributor information.
CRA vs RED Cybersecurity Delegated Act
Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
CRA vs UK PSTI Act | Cyber Resilience Act Comparison
Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
CRA Vulnerability Handling FAQ | Support Periods, Components, Reporting
Practical CRA FAQ on vulnerability handling: SBOMs, remediation, coordinated disclosure, component issues, security updates, support periods, Article 14 reporting, and user notices.
Cyber Resilience Act Module A FAQ | Internal Production Control
FAQ on when CRA Module A internal production control is available, when it is blocked, and what documentation, testing, standards, and evidence it still requires.
EU CRA Compliance Program for Manufacturers and Economic Operators
Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
EU Cyber Resilience Act Checklist for Product Security and CE Marking
A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
EU Cyber Resilience Act Core Functionality FAQ | CRA Product Classification
CRA FAQ on core functionality, product boundaries, remote data processing, integrated components, ancillary functions, and software changes that affect product classification.
EU Cyber Resilience Act FAQ
Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
EU Cyber Resilience Act Repairs and Spare Parts FAQ
CRA FAQ for repairs, spare parts, legacy products, security updates, substantial modification, and responsibility after product changes.
EU Cyber Resilience Act Technical Documentation and Audit File
Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.