FAQ item index

Indexed coverage: 826 of 826 items across 40 modules • Updated Mar 10, 2026

Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026

CRA Module H

Under Module H, is the declaration of conformity tied to each product or to the product model?

It is tied to each product model for the Module H record duty.

Annex VIII Part IV point 5.2 requires a written declaration of conformity for each product model and requires the declaration to identify the product model for which it has been drawn up. Article 28 also says that, by drawing up the EU declaration of conformity, the manufacturer assumes responsibility for product compliance.

Citations
Cyber Resilience Act

Annex VIII Part IV point 5.2 requires a declaration for each product model; Article 28(4) links the declaration to manufacturer responsibility.

CRA Module H

What records must the manufacturer keep under Module H, and for how long?

The manufacturer must keep Module H records at the disposal of national authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

The retained file should include:

- the technical documentation

- the quality-system documentation

- approved changes to the quality system

- the notified body's decisions and reports

- the declaration of conformity for each product model

Citations
Cyber Resilience Act

Annex VIII Part IV points 5.2 and 6 set the retention period for declarations and the Module H technical, quality-system, change, decision, and report records.

CRA Module H

Who gets informed about quality-system approvals under Module H?

The notified body must inform its notifying authorities about quality-system approvals issued or withdrawn, and it must also inform other notified bodies about approvals it has refused, suspended, or withdrawn and, on request, about approvals it has issued.

Citations
Cyber Resilience Act

Annex VIII Part IV point 7 sets notified-body information duties to notifying authorities and other notified bodies.

CRA Module H

Can an authorised representative handle some Module H obligations?

Yes, but only where the mandate expressly covers them.

Under Annex VIII Part IV point 8, the authorised representative may fulfil the manufacturer's obligations relating to the application, quality-system changes, declaration, and record-retention steps on the manufacturer's behalf and under the manufacturer's responsibility.

Citations
Cyber Resilience Act

Annex VIII Part IV point 8 identifies which Module H obligations an authorised representative may fulfil when the mandate specifies them.

CRA Module H

Can important free-and-open-source software use Module H?

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures in Article 32(1), provided that the technical documentation is made public at the time of placing on the market. That means Module H remains available for those products.

Citations
Cyber Resilience Act

Article 32(5) preserves Article 32(1) route availability for qualifying Annex III free-and-open-source software where the technical documentation is public at placing on the market.

CRA Module H

Are CRA fee reductions for SMEs relevant to Module H?

Yes.

Article 32(6) requires the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, to be taken into account when setting conformity-assessment fees, and those fees must be reduced proportionately.

Citations
Cyber Resilience Act

Article 32(6) requires conformity-assessment fees to reflect the needs of microenterprises and SMEs, including start-ups, and to be reduced proportionately.

CRA Module H

What usually makes a CRA Module H system workable in practice?

A workable Module H system lets the notified body see, in a consistent and documented way, how the manufacturer controls the approved product scope from design and development through production, testing, vulnerability handling, CE marking, declarations, records, and later quality-system changes.

In practical terms, the quality-system documentation should show management responsibilities, standards and specifications used, how gaps from harmonised standards or technical specifications are covered, design and development verification, production and quality-assurance controls, examinations and tests with their frequency, quality records, and monitoring of quality-system effectiveness.

Citations
Cyber Resilience Act

Annex VIII Part IV points 3.2-4.3 define what the documented quality system must contain and how the notified body surveils it.

CRA Module H

Does Module H issue an EU-type examination certificate like module B+C?

No.

Unlike module B+C, Module H is not built around an EU-type examination certificate for a representative specimen. Under the CRA, Module H is built around approval of the manufacturer's quality system, later decisions on changes to that system, and ongoing surveillance. That is why the retained records under Part IV are the quality-system documentation, approved changes, and notified-body decisions and reports, rather than an EU-type certificate.

Citations
Cyber Resilience Act

Annex VIII Part IV points 3.3-4.3 and 6 describe quality-system approval, change decisions, surveillance, audit reports, and retained records, not an EU-type examination certificate.

CRA Module H

Under Module H, does the notified body perform the product risk-assessment, testing, and documentation work instead of the manufacturer?

No.

The notified body assesses and surveils the quality system, but the manufacturer still carries out the product-level compliance work within that system. The Commission FAQ says the manufacturer, based on the quality system, implements the necessary cybersecurity mitigation measures following the risk assessment, tests the product, draws up the technical documentation, and ensures that production of the different units does not alter compliance.

Citations
Cyber Resilience Act

Annex VIII Part IV points 1-3.2 leave product conformity, vulnerability-handling processes, risk-related documentation, and quality-system operation with the manufacturer.

CRA Module H

Can an approved Module H system automatically cover any new or substantially modified product without further notified-body assessment?

No.

The Commission FAQ says the manufacturer can extend the scope of the quality system to new or substantially modified products, but the quality system must be updated to document the new scope, new standards may need to be applied, and new tests may need to be performed. That extension is subject to a new assessment by the same notified body that performed the original assessment. Annex VIII Part IV point 3.5 also requires the manufacturer to keep that notified body informed of intended changes to the quality system.

Citations
Cyber Resilience Act

Annex VIII Part IV point 3.5 requires intended quality-system changes to be evaluated by the notified body that approved the system.

CRA Module H

In what language can Module H technical documentation and correspondence be submitted to the notified body?

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to technical documentation and correspondence for any CRA conformity assessment procedure, including Module H.

Citations
Cyber Resilience Act

Article 31(4) sets the language rule for technical documentation and correspondence relating to any conformity-assessment procedure.

CRA Module H

If software uses Module H, where does the notified body's identification number go?

It follows the CE marking wherever the CRA allows that CE marking to be placed for software.

For software products, Article 30(1) says the CE marking is affixed either to the EU declaration of conformity or on the website accompanying the software product. Article 30(4) then says that, where Module H is used, the CE marking is followed by the notified body's identification number. So the CRA does not create a separate location rule for software under Module H; the number follows the CE marking in the place where that marking is lawfully affixed.

Citations
Cyber Resilience Act

Article 30(1) sets CE marking locations for software; Article 30(4) requires the notified-body identification number to follow the CE marking when Module H is used.

CRA Notified Bodies

What is a notified body under the Cyber Resilience Act?

A CRA notified body is a conformity assessment body that has been assessed, designated, and notified for CRA conformity assessment tasks. It may be public or private, but it must meet the CRA requirements for legal personality, independence, competence, impartiality, confidentiality, and operational capability.

A body does not become a CRA notified body just because it performs cybersecurity audits, penetration testing, certification, or assessments under another EU law. For CRA purposes, the notification procedure must be completed and the body's public notification must cover the relevant CRA activities.

Citations
Cyber Resilience Act

Defines notified bodies and sets the Article 39 requirements for independence, competence, impartiality, confidentiality, and capability.

CRA Notified Bodies

Who designates and monitors CRA notified bodies?

Each Member State designates a notifying authority. That authority is responsible for the procedures used to assess, designate, notify, and monitor conformity assessment bodies, including their use of subsidiaries or subcontractors.

A Member State may use a national accreditation body for assessment and monitoring. If assessment, notification, or monitoring is delegated to a non-governmental body, the notifying authority remains fully responsible for the delegated tasks.

Citations
Cyber Resilience Act

Article 36 assigns Member State notifying authorities responsibility for assessment, designation, notification, monitoring, and delegated-task accountability.

CRA Notified Bodies

How does a conformity assessment body apply to become a CRA notified body?

The body applies to the notifying authority in the Member State where it is established. The application must describe the conformity assessment activities, the conformity assessment procedure or procedures, and the products with digital elements for which the body claims competence.

Where available, the application includes an accreditation certificate from a national accreditation body. Without accreditation, the body must provide documentary evidence allowing the notifying authority to verify, recognise, and regularly monitor compliance with Article 39.

Citations
Cyber Resilience Act

Article 42 specifies the notification application contents and the evidence needed with or without an accreditation certificate.

CRA Notified Bodies

When can a body start acting as a CRA notified body?

A body may perform CRA notified-body activities only after the Article 43 notification procedure is complete. If the notification relies on accreditation, the no-objection period is two weeks. If it does not rely on accreditation, the no-objection period is two months.

The notification must include full details of the conformity assessment activities, the module or modules, the products with digital elements concerned, and the relevant attestation of competence. That scope is central: a body can be notified for some CRA activities without being competent for every CRA module or product category.

Citations
Cyber Resilience Act

Article 43 sets the notification contents, objection periods, and rule that only bodies completing that procedure count as CRA notified bodies.

CRA Notified Bodies

How should manufacturers use NANDO or public notified-body listings?

The Commission assigns each CRA notified body an identification number and publishes an up-to-date list showing the bodies notified under the CRA, their numbers, and the activities for which they have been notified.

A listing should be read as a scope record, not as a blanket approval. Manufacturers should check whether the listed CRA notification covers the product with digital elements, the applicable conformity route, and the specific module needed for the assessment.

Citations
Cyber Resilience Act

Article 44 requires a public list of CRA notified bodies, their identification numbers, and their notified activities.

CRA Notified Bodies

Does a manufacturer have to choose a CRA notified body in its own Member State?

No. Where the CRA procedure requires a notified body, Annex VIII lets the manufacturer apply to a single notified body of its choice for the relevant Module B or Module H assessment.

The practical constraint is scope, not the manufacturer's location. The selected body must be notified for the CRA module and product scope that match the product and assessment route.

Citations
Cyber Resilience Act

Annex VIII permits applications to a single notified body of the manufacturer's choice, while Articles 43 and 44 tie that choice to notified scope.

CRA Notified Bodies

When does the CRA require a notified body?

A notified body is part of the route when the product must use Module B+C or Module H. Module A, internal control, does not involve a notified body.

Article 32 allows several conformity routes. For important class I products, third-party assessment is triggered where qualifying harmonised standards, common specifications, or cybersecurity certification routes are not applied or do not exist for the relevant requirements. Important class II products use Module B+C, Module H, or an applicable certification route. Critical products use the Article 8 certification route where it applies; otherwise, the CRA third-party routes in Article 32 apply.

Citations
Cyber Resilience Act

Article 32 distinguishes Module A, Module B+C, Module H, and certification routes for default, important, and critical products.

European Commission CRA FAQs

Section 6 explains that no notified body participates in Module A and that Module B+C or H is mandatory for specified important and critical products.

CRA Notified Bodies

What does the notified body assess under Module B+C?

Module B is the notified-body step. The notified body examines the technical design and development of the product and the manufacturer's vulnerability-handling processes, reviews technical documentation and supporting evidence, examines specimens of critical parts, and carries out or arranges appropriate examinations and tests.

Module C follows Module B and is not a second notified-body production approval. Under Module C, the manufacturer ensures and declares that production units conform to the type described in the EU-type examination certificate and satisfy the CRA requirements.

Citations
Cyber Resilience Act

Annex VIII Part II defines the notified body's Module B examination tasks; Part III defines the manufacturer's Module C production-control responsibility.

European Commission CRA FAQs

Section 6.2 explains the practical split between notified-body design examination and manufacturer production responsibility.
