EU Cyber Resilience Act FAQ Conformity Assessment Routes

The CRA recognises four ways to demonstrate conformity with the essential cybersecurity requirements:

- internal control based on module A

- EU-type examination based on module B followed by conformity to EU-type based on module C

- full quality assurance based on module H

- where available and applicable, a European cybersecurity certification scheme specified under Article 27(9)

The starting point is the product's classification under the CRA.

Manufacturers first need to determine whether the product is in the default category, an important product of class I, an important product of class II, or a critical product. That depends on the product's core functionality, not simply on the fact that it includes components that are themselves important or critical products.

Products in the default category can always use module A.

They may also use module B+C or module H if the manufacturer chooses, because Article 32(1) makes those routes generally available. The key point is that the CRA does not require third-party conformity assessment for default-category products.

An important product of class I can use module A if, in assessing compliance, the manufacturer has applied relevant harmonised standards, common specifications, or European cybersecurity certification schemes at assurance level at least substantial.

If those instruments have not been applied, have been applied only in part, or do not exist, Article 32(2) requires the relevant essential cybersecurity requirements to be covered through module B+C or module H instead.

The draft Commission guidance takes the view that the manufacturer may still use internal control if the harmonised standard covers the product's core functionality.

But that does not mean the whole product automatically benefits from a full presumption of conformity. The guidance explains that the manufacturer still has to address additional risks presented by broader product scope or additional functions, and the presumption of conformity extends only to the parts covered by the standard.

Important products of class II must use one of these routes:

- module B+C

- module H

- where available and applicable, a European cybersecurity certification scheme specified under Article 27(9) at assurance level at least substantial

Outside the free and open-source software exception in Article 32(5), module A is not available for class II products.

Critical products listed in Annex IV must use:

- a European cybersecurity certification scheme where Article 8(1) requires one, or

- if the conditions in Article 8(1) are not met, one of the class II routes in Article 32(3)

So critical products do not automatically have to use the same third-party route in every case. The legal answer depends first on whether a certification scheme has been made mandatory under Article 8(1).

No.

The CRA and the Commission FAQ both say that integrating an important or critical product into another product does not by itself make the finished product subject to the conformity assessment regime for that component category. The decisive factor is the core functionality of the finished product as a whole.

Yes.

Manufacturers of products qualifying as free and open-source software that fall under Annex III categories may use any of the Article 32(1) procedures, including module A, provided that the technical documentation is made available to the public at the time of placing the product on the market.

Yes.

The CRA sets minimum route requirements for certain product categories, but the manufacturer can still choose a more demanding route. For example, a default-category product may still go through module B+C or module H, and a class I product that could rely on module A may still opt for third-party assessment.

Module A is the internal control route.

Under this route, the manufacturer verifies that the product complies with the CRA, draws up the technical documentation, performs the necessary testing or equivalent verification, and declares compliance on its sole responsibility. No notified body participates.

Module B+C combines notified-body examination of the design and development phase with manufacturer responsibility for conformity to the approved type in production.

The notified body examines the design, technical documentation, supporting evidence and specimens under module B. The manufacturer then ensures under module C that the manufactured units conform to the approved type and remains responsible for production conformity.

Module H is full quality assurance.

Under this route, the manufacturer operates an approved quality system covering design, development, production, final inspection and testing, and a notified body assesses and surveils that system. This is why module H can be attractive for manufacturers with larger product portfolios or products subject to frequent updates.

They assess both.

Article 32 requires conformity assessment of the product with digital elements and the processes put in place by the manufacturer. That is why the Annex VIII procedures also cover vulnerability handling processes and, depending on the route, production controls or quality-system controls.

As a rule, Article 12 says the relevant conformity assessment procedure under the AI Act applies to products that are both CRA products and high-risk AI systems, for the cybersecurity requirements addressed by the CRA.

But the CRA creates an important derogation. Important and critical CRA products that are also high-risk AI systems, and that would otherwise only be subject to AI Act internal control, must still follow the CRA conformity assessment procedures for the CRA cybersecurity requirements.

Yes, but only within limits.

Article 69(1) says EU-type examination certificates and approval decisions issued regarding cybersecurity requirements under other Union harmonisation legislation remain valid until 11 June 2028 unless they expire earlier or the other legislation says otherwise. The draft Commission guidance adds that manufacturers may rely on those certificates only for the cybersecurity risks and corresponding requirements they actually cover, and that even if the other legislation gives a longer validity period, reliance for CRA purposes does not continue beyond 11 June 2028.

Yes.

The CRA applies to individual products placed on the market from 11 December 2027 onward, not only to newly designed product types. The draft Commission guidance explains, however, that for products designed before the CRA applied, the manufacturer can demonstrate compliance through a current cybersecurity risk assessment and technical documentation and is not automatically expected to recreate historical design-phase evidence that would not improve the product's security.

No.

For CRA presumption of conformity and for the Article 32(2) route logic, a harmonised standard counts only once its reference has been published in the Official Journal of the European Union. The Commission FAQ also says that after the European standardisation organisations adopt a harmonised standard, the Commission still has to assess it before publication in the Official Journal. Until then, a manufacturer may still refer to it in its technical documentation as part of the technical solution it relies on, but it does not have the legal effect of a published harmonised standard under Article 27.

Broadly yes, where the CRA makes them available for that purpose.

Article 32(2) does not rely only on harmonised standards. It also refers to common specifications and European cybersecurity certification schemes at assurance level at least substantial as referred to in Article 27. The draft Commission guidance says that, although it discusses harmonised standards for brevity, the same logic extends to common specifications and to European cybersecurity certification schemes specified by the Commission under Article 27(9). That means they can support the internal control route for important class I products only to the extent that they cover the relevant requirements. For certification schemes, the CRA also says that a European cybersecurity certificate at assurance level at least substantial removes the need for third-party CRA assessment only for the corresponding requirements, not automatically for everything else.

No.

The core functionality determines which conformity assessment route applies, but the conformity assessment itself covers the product as a whole. The draft guidance says the manufacturer needs to ensure that the whole product undergoes the applicable conformity assessment procedure, taking into account integrated components or additional functions as appropriate. The Commission FAQ says the notified body in module B+C examines the whole product and all relevant essential requirements.

No.

Under Annex VIII, module B includes examination of the technical documentation and supporting evidence, but also examination of specimens of one or more critical parts of the product. The notified body must carry out appropriate examinations and tests, or have them carried out. The Commission FAQ also states that the notified body does not only perform a documentation-based assessment and may perform the necessary tests itself or through an external laboratory. Separately, the manufacturer may use its own laboratory or another laboratory on its behalf and under its responsibility for supporting evidence.

Changes that may affect conformity or the certificate's validity need notified-body involvement.

Annex VIII requires the manufacturer to inform the notified body of modifications to the approved type or vulnerability handling processes that may affect conformity with Annex I or the conditions for validity of the EU-type examination certificate. Those changes require additional approval as an addition to the original certificate. The Commission FAQ adds that substantial modifications require a new assessment by the same or a different notified body, while changes that do not affect CRA compliance are not subject to reassessment. Module B also includes periodic audits by the notified body to ensure the vulnerability handling processes are implemented adequately.

It can cover products or product categories, but it does not eliminate ongoing notified-body control.

Annex VIII says module H can apply to the products with digital elements or product categories concerned, and the application must include technical documentation for one model of each intended category. But the manufacturer still has to keep the notified body informed of intended changes to the quality system, and the notified body must decide whether the modified system remains acceptable or needs reassessment. The Commission FAQ also says the quality system can be extended to new or substantially modified products, but that extension remains subject to a new assessment by the same notified body.

Yes.

The CRA says fees for conformity assessment procedures must take account of the specific interests and needs of microenterprises and SMEs and be reduced proportionately. It also requires notified bodies to carry out conformity assessments proportionately and without unnecessary burden. Beyond fees, Member States are to support awareness, advice, testing and conformity assessment activities where appropriate, may establish cyber resilience regulatory sandboxes, and microenterprises and small enterprises may use a simplified technical documentation format once specified by the Commission.

Not necessarily.

If the Commission amends Annex III to add, move or withdraw an important-product category, the delegated act should, where appropriate, provide a minimum transitional period of 12 months before the new Article 32(2) or 32(3) routes apply, unless urgency justifies a shorter period. If the Commission makes European cybersecurity certification mandatory for a critical category under Article 8(1), the delegated act must provide a minimum transitional period of six months, unless imperative urgency justifies a shorter one.