EU Cyber Resilience Act FAQ CE Marking

The CE marking is the manufacturer's visible self-declaration that the product with digital elements complies with the CRA and any other applicable EU harmonisation law that also requires CE marking.

It is not a standalone approval, security certificate, or authority-issued licence. The useful launch question is whether the evidence behind the mark is complete: conformity assessment, risk assessment, technical documentation, EU declaration of conformity, user information, and any required notified-body involvement.

Only after the applicable CRA conformity assessment procedure has been completed with a positive result. The mark must be affixed before the product with digital elements is placed on the market.

For a launch review, do not treat CE marking as a packaging-only task. The manufacturer should first confirm the selected Article 32 route, the product's classification, the risk assessment, the essential-requirement coverage, the vulnerability-handling evidence, and the EU declaration of conformity.

Article 32 recognises internal control under module A, EU-type examination followed by conformity to type under modules B+C, full quality assurance under module H, and, where available and applicable, specified European cybersecurity certification schemes.

Module A is self-assessment. Modules B+C and H involve a notified body. Important or critical products may have narrower route choices, especially where harmonised standards, common specifications, or qualifying certification schemes are not applied or do not exist for the relevant requirements.

Not always. Under the CRA, the notified body's identification number follows the CE marking where the notified body is involved in conformity assessment based on full quality assurance, module H.

For module B+C, a notified body examines the design and development and issues the relevant certificate, but Article 30(4) ties the identification number after the CE mark to module H. The launch evidence should therefore record both the route used and whether a notified-body number is legally expected next to the mark.

The CRA rule is product first: the CE marking must be visible, legible, and indelible on the product with digital elements. If that is not possible or not warranted because of the product's nature, it must be put on the packaging and on the EU declaration of conformity accompanying the product.

Aesthetics alone are not a sound reason to move the mark away from the product. For physical products, a website-only CE marking is not the CRA fallback; the website option is specific to software products.

For a product with digital elements in the form of software, the CRA allows the CE marking either on the EU declaration of conformity or on the website accompanying the software product.

If the website route is used, the relevant website section must be easily and directly accessible to consumers. Practical evidence should include the URL, the page content, the release or product version covered, and a way to prove that the page was live and accessible when the software was placed on the market.

The CE marking must follow the general CE-marking principles in Regulation (EC) No 765/2008 and the CRA's visible, legible, and indelible placement rule. The Commission FAQ states the general rule that the mark has to be larger than 5 mm, with exceptions only where the product's size does not allow it and visibility remains preserved.

A useful launch check is to review the final product, packaging, declaration, software website page, screenshots, labels, and manuals together. The mark should not be hidden in a location that is not easily visible in the product's intended use.

The EU declaration of conformity is the document where the manufacturer declares that the product complies with the CRA and takes responsibility for that conformity. It must use the CRA Annex V model structure, be updated as appropriate, and be available in the languages required where the product is placed or made available on the market.

Where several EU harmonisation acts apply, the CRA requires one EU declaration of conformity covering all those acts. The Commission FAQ also explains that the product may be accompanied by the full declaration or by the simplified declaration from Annex VI with an internet address where the full declaration can be accessed.

The technical documentation must contain the data and details needed to show that the product with digital elements and the manufacturer's processes comply with the CRA essential cybersecurity requirements. It must include at least the Annex VII elements.

In practice, the CE-marking evidence file should include the cybersecurity risk assessment, product description and versions, design and development evidence, vulnerability-handling process evidence, applied standards or technical specifications, test or evaluation results, user information, declaration materials, and records explaining why any essential requirement is not applicable.

No. Harmonised standards, common specifications, and qualifying certification schemes can help show conformity, but they do not replace the manufacturer's cybersecurity risk assessment. The manufacturer still has to identify the relevant risks and essential requirements, check which parts are actually covered, and document any gaps or alternative solutions.

A practical decision path is straightforward: first assess the risks, then decide whether a harmonised standard, common specification, or certification scheme covers them fully or only in part, and finally explain in the technical documentation how the remaining requirements are met. If none of those tools is used for a relevant requirement, the evidence file needs a clear technical explanation instead.

Yes, the CRA does not require manufacturers to integrate only CE-marked components. The final product manufacturer must exercise due diligence so third-party components, including free and open-source software components, do not compromise the cybersecurity of the product.

A CE-marked component can support the evidence file through its declaration and accompanying documentation, but it does not automatically make the finished product compliant. Component evidence should be tied back to the final product's risk assessment, vulnerability handling, and essential-requirement coverage.

Importers must check, before placing a product on the market, that the appropriate conformity assessment was carried out, the technical documentation was drawn up, the product bears the CE marking, and the product is accompanied by the EU declaration of conformity and required user information.

Distributors must verify, before making the product available, that it bears the CE marking and that the relevant manufacturer and importer obligations have been met. For practical evidence, keep supplier declarations, label or software-page screenshots, version identifiers, user-information checks, and escalation records for missing or inconsistent documentation.

The CRA allows non-compliant products, including prototypes, to be presented or used at trade fairs, exhibitions, demonstrations, or similar events if a visible sign clearly states that the product does not comply and will not be made available on the market until it does.

The CRA also has a specific unfinished-software testing exception. Software may be made available for the limited period required for testing if it carries a visible sign stating that it does not comply with the CRA and is not available for purposes other than testing. That exception is not a substitute for CE marking when the product is placed on the market.

No. CE marking is a pre-market conformity milestone, not the end of CRA responsibility. Manufacturers still have support-period, vulnerability-handling, corrective-action, documentation-retention, and update obligations.

For governance, keep a post-market evidence loop connected to the CE-marking file: vulnerability intake, security update decisions, risk-assessment updates, version history, user notices, third-party component remediation, and records showing when the declaration or technical documentation was updated.

Missing or incorrect CE marking is formal non-compliance under the CRA. Market surveillance authorities must require the manufacturer to end the non-compliance, and if the issue persists Member States must restrict or prohibit availability, or ensure withdrawal or recall.

The CRA also places non-compliance with Article 30(1) to (4) within the administrative-fine category in Article 64(3). The useful compliance response is to fix both the visible marking issue and the underlying evidence gap that caused it.