Search every question across sub-FAQs

It must refuse to issue the EU-type examination certificate and give detailed reasons for the refusal. Annex VIII frames that refusal around both the type and the vulnerability-handling processes, so a process failure can block the certificate even if the product design evidence is otherwise strong.

It covers both.

Annex VIII Part II point 6 ties the certificate to both the approved type and the examined vulnerability-handling processes. That is why later modifications to either can matter for certificate validity.

Module C is the production-control step.

After obtaining the EU-type examination certificate, the manufacturer must ensure and declare that the products actually manufactured remain in conformity with the approved type and continue to satisfy the essential cybersecurity requirements.

Not in the way module H does.

Under module C, the manufacturer itself must take the necessary measures so that production and production monitoring ensure conformity with the approved type and the applicable essential cybersecurity requirements. Module C is therefore not a full-quality-assurance route supervised like Module H.

The manufacturer must:

- ensure that production conforms to the approved type

- affix the CE marking to each individual compliant product

- draw up a written declaration of conformity for the product model

It is for the product model.

Annex VIII Part III point 3.2 requires a written declaration of conformity for a product model. That differs from module A wording, which refers to each product with digital elements.

Yes.

Even though the declaration under module C is for the product model, the CE marking must still be affixed to each individual product with digital elements that conforms to the approved type.

The manufacturer must inform the notified body that holds the technical documentation relating to the certificate of any modifications that may affect conformity or the conditions for validity of the certificate.

Those modifications require additional approval in the form of an addition to the original EU-type examination certificate.

Not only for that label.

Annex VIII Part II point 7 is framed more broadly: the trigger is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate.

Yes, but it is limited.

The notified body must carry out periodic audits to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. This is not the same as the broader quality-system surveillance under module H.

The notified body must inform its notifying authorities and the other notified bodies about those certificate outcomes.

The Commission and Member States can also obtain copies of the certificates and, on request, copies of the technical documentation and examination results.

The manufacturer must keep:

- the EU-type examination certificate, its annexes and additions, together with the technical documentation

- the declaration of conformity for the product model

Those records must be kept at the disposal of national authorities for 10 years after the product is placed on the market or for the support period, whichever is longer.

Yes, but only where the mandate expressly covers them.

Under Annex VIII Part II point 11, the authorised representative may lodge the module B application and fulfil the obligations relating to modifications and record retention. Under Annex VIII Part III point 4, the authorised representative may fulfil the declaration obligations in module C.

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures listed in Article 32(1), provided the technical documentation is made public at the time of placing on the market. That means they may use module A, but they may also choose Module B+C.

No.

Article 69(1) provides a transition rule: EU-type examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements under other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or that other legislation specifies otherwise.

A workable file is one that lets the notified body trace the compliance claim, the supporting design choice, the evidence, and the tested specimen without gaps.

Grounded in Annex VIII Part II and Annex VII, that usually means the application clearly identifies the applicable requirements, includes the risk analysis and assessment, explains any reliance on or departure from harmonised standards or technical specifications, and contains the supporting evidence and test results needed for the notified body's examination.

No.

Under Article 30(4), the CE marking is followed by the notified body's identification number only where that body is involved in the conformity assessment procedure based on module H. Under Module B+C, the manufacturer still affixes the CE marking to each individual compliant product under module C, but the CRA does not require a notified-body number next to that marking.

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to the technical documentation and correspondence relating to any CRA conformity assessment procedure, including Module B+C.

No.

The legal trigger in Annex VIII Part II point 7 is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate. Those changes require additional approval from the notified body in the form of an addition to the original certificate.

The practical split is evidence-based: changes that may affect Annex I conformity or certificate-validity conditions need notified-body approval; changes that do not affect those points should still be recorded internally so the manufacturer can explain why reassessment was not triggered.

Not necessarily.

Not necessarily. For the CRA certificate, the notified-body trigger remains whether the modification to the approved type or vulnerability-handling processes may affect Annex I conformity or certificate-validity conditions.

The Blue Guide gives the product-law evidence principle for modified products: when a modified product is treated as new, technical documentation has to be updated only as far as the modification affects applicable requirements, and tests or documentation need not be repeated for aspects not impacted by the modification. In practice, a Module B+C reassessment file should identify the changed parts, explain why any unchanged parts are still covered by existing evidence, and submit the affected type or process changes for approval where Annex VIII point 7 is triggered.