FAQ item index

Search every question across sub-FAQs

Indexed coverage: 826 of 826 items across 40 modules • Updated Mar 10, 2026
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Module B+C

Do the periodic audits under CRA Module B+C cover the whole production system in the same way as Module H?

No.

Under Annex VIII Part II point 8, the periodic audit duty is specifically to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. Module C separately leaves production conformity control to the manufacturer. So this is narrower than a Module H full-quality-assurance assessment.

Citations
Cyber Resilience Act

Limits Module B periodic audits to vulnerability-handling processes while Module C leaves production conformity control with the manufacturer.

CRA Module H

What is Module H under the CRA?

Module H is the conformity-assessment procedure based on full quality assurance.

Under this route, the manufacturer operates an approved quality system for design, development, final product inspection and testing, and vulnerability handling, and a notified body assesses and surveils that system.

Citations
Cyber Resilience Act

Article 32(1)(c) lists Module H as a CRA conformity-assessment route; Annex VIII Part IV explains the full-quality-assurance procedure.

CRA Module H

When can Module H be used?

Module H is available under Article 32(1) as one way to demonstrate CRA conformity for products with digital elements and the manufacturer's related processes.

It becomes one of the required third-party routes where Article 32(2) applies to an important class I product because harmonised standards, common specifications, or qualifying certification schemes are missing, unavailable, or only partly applied; where Article 32(3) applies to an important class II product; and where Article 32(4) applies to a critical product and the Article 8(1) certification route is not available.

Citations
Cyber Resilience Act

Article 32(1)-(4) sets the available and mandatory conformity-assessment routes for general, important, and critical products.

CRA Module H

Can a manufacturer choose Module H voluntarily?

Yes.

Where Article 32(1) is enough for the product, the manufacturer may choose Module H instead of Module A or Module B+C. That is a business and certification choice: it adds notified-body assessment and surveillance, but can support a broader approved quality-system route.

Citations
Cyber Resilience Act

Article 32(1) allows Module A, Module B+C, Module H, or an applicable European cybersecurity certification scheme where Article 32 does not require a stricter route.

CRA Module H

Does Module H cover one product, a product category, or both?

Module H can cover the products with digital elements, or product categories, included in the approved quality system.

It does not automatically cover the manufacturer's whole portfolio. The application and quality-system documentation need a defined scope, and new or substantially modified products need the quality system to be updated and reassessed before they are treated as covered.

Citations
Cyber Resilience Act

Annex VIII Part IV point 1 refers to the products or product categories concerned by the full-quality-assurance procedure.

CRA Module H

Does Module H always involve a notified body?

Yes.

The quality system must be assessed by a notified body, and the manufacturer remains under notified-body surveillance after approval.

Citations
Cyber Resilience Act

Annex VIII Part IV points 3 and 4 require notified-body assessment of the quality system and surveillance after approval.

CRA Module H

What does the approved quality system have to cover?

It must ensure compliance of the covered products with Part I of Annex I and compliance of the manufacturer's vulnerability-handling processes with Part II of Annex I.

It must also cover the relevant lifecycle controls, including design, development, production controls, final product inspection and testing, and vulnerability handling, and it must remain effective throughout the support period.

Citations
Cyber Resilience Act

Annex VIII Part IV points 1, 2, and 3.2 define the product, vulnerability-handling, lifecycle, and support-period coverage of the approved quality system.

CRA Module H

What has to be submitted in a Module H application?

The application to the notified body must include:

- the manufacturer details and, where relevant, the authorised representative's details

- the technical documentation for one model of each category of products intended to be manufactured or developed

- the quality-system documentation

- a declaration that the same application has not been lodged with any other notified body

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.1 lists the required contents of a Module H application to the notified body.

CRA Module H

Does Module H still require technical documentation?

Yes.

Module H does not supersede the Article 31 and Annex VII documentation duties. The application must include technical documentation for one model of each covered product category, and the Commission FAQ notes that, where a quality-system route is used, the technical documentation may form part of the quality-system documentation.

Citations
Cyber Resilience Act

Article 31 and Annex VII set the technical-documentation duty; Annex VIII Part IV point 3.1(b) requires technical documentation in the Module H application.

CRA Module H

What has to be in the quality-system documentation?

The quality-system documentation must systematically describe, among other things:

- quality objectives and management responsibilities

- the standards and specifications to be applied

- the means used where relevant harmonised standards or technical specifications are not applied in full

- design and development controls and verification techniques

- production, quality-control, and quality-assurance techniques

- examinations and tests and how often they are carried out

- quality records

- how the manufacturer monitors the effective operation of the quality system

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.2 lists the quality-system documentation elements needed for Module H approval.

CRA Module H

Does Module H distinguish between product requirements and vulnerability-handling process requirements?

Yes.

Annex VIII Part IV point 3.2 distinguishes between the technical design and development specifications relevant to Part I of Annex I and the procedural specifications relevant to Part II of Annex I. In practice, Module H covers both product compliance and the manufacturer's vulnerability-handling processes.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.2 separately addresses technical design and development specifications for products and procedural specifications for manufacturer processes.

CRA Module H

How does the notified body assess a Module H quality system?

The notified body assesses whether the quality system satisfies the CRA requirements in Annex VIII Part IV point 3.2.

The audit team must include at least one member experienced in the relevant product field and technology, and the audit must include an assessment visit to the manufacturer's premises where such premises exist. The audit team also reviews the submitted technical documentation to verify the manufacturer's ability to identify the applicable CRA requirements and carry out the necessary examinations.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.3 defines the notified body's quality-system assessment, audit-team competence, site visit, and technical-documentation review.

CRA Module H

Does compliance with a quality-management standard automatically satisfy Module H?

No.

The CRA allows the notified body to presume conformity for elements of the quality system that comply with the corresponding specifications of the national standard implementing the relevant harmonised standard or technical specification. But the notified body still has to assess and approve the system under Module H.

The Commission FAQ also says that accreditation against the ISO 9000 series does not by itself entitle a manufacturer to use Module H without CRA notified-body involvement.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.3 allows a presumption of conformity for quality-system elements matching the corresponding national standard implementing the relevant harmonised standard or technical specification.

CRA Module H

What happens if the CRA Module H quality system is approved?

The manufacturer must undertake to fulfil the obligations arising from the approved quality system and maintain it so that it remains adequate and efficient.

The notified body's notification to the manufacturer must contain the conclusions of the audit and the reasoned assessment decision.

Citations
Cyber Resilience Act

Annex VIII Part IV points 3.3-3.4 require a reasoned assessment decision and continuing operation of the approved quality system.

CRA Module H

What if the manufacturer wants to change the quality system?

The manufacturer must keep the notified body informed of any intended change to the quality system.

The notified body then evaluates the proposed changes and decides whether the modified system still satisfies the requirements or whether reassessment is necessary.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.5 requires the manufacturer to notify intended quality-system changes and the notified body to decide whether reassessment is needed.

CRA Module H

Does Module H help when a manufacturer has many product types or frequent updates?

Often yes, but only within an approved quality-system framework.

The Commission FAQ says Module H may be particularly considered by manufacturers that place numerous product types on the market or products subject to frequent updates, because it provides a more versatile framework than Module B+C. That does not remove the need for notified-body assessment of the system and later changes to it.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.5 explains how proposed quality-system changes are evaluated after approval.

CRA Module H

What surveillance happens after Module H approval?

The notified body must carry out surveillance to make sure the manufacturer fulfils the obligations arising from the approved quality system.

For that purpose, the manufacturer must allow access to the relevant design, development, production, inspection, testing, and storage sites and provide the quality-system documentation plus design and manufacturing quality records needed for assessment.

Citations
Cyber Resilience Act

Annex VIII Part IV points 4.1-4.2 define the purpose of surveillance and the sites, documentation, and quality records the manufacturer must make available.

CRA Module H

Are periodic audits part of Module H surveillance?

Yes.

The notified body must carry out periodic audits to make sure the manufacturer maintains and applies the quality system, and it must provide the manufacturer with an audit report.

Citations
CRA Module H

Does Module H replace the manufacturer's own responsibility for conformity?

No.

Even under Module H, the manufacturer ensures and declares on its sole responsibility that the covered products or product categories satisfy the applicable CRA requirements and that its vulnerability-handling processes meet Annex I Part II. The notified body assesses and surveils the quality system, but it does not take over the manufacturer's legal responsibility.

Citations
Cyber Resilience Act

Annex VIII Part IV point 1 states that the manufacturer ensures and declares conformity on its sole responsibility under Module H.

CRA Module H

How is CE marking handled under Module H?

Under Module H, the manufacturer affixes the CE marking to each individual compliant product with digital elements, and the notified body's identification number must follow the CE marking.

The identification number is affixed by the notified body itself or, under its instructions, by the manufacturer or the manufacturer's authorised representative. For software, the CE marking location follows Article 30(1), so the number follows the CE marking on the declaration of conformity or accompanying website.

Citations
Cyber Resilience Act

Article 30(4) and Annex VIII Part IV point 5.1 require the notified body's identification number to follow the CE marking when Module H is used.
