Search every question across CRA sub-FAQs

Module A is available for:

- products that are not important products or critical products

- important products of class I where Article 32(2) does not force a third-party route

- important products of class I or II that qualify as free and open-source software, if the technical documentation is made public at the time of placing on the market

Yes, where Article 32 does not make a stricter route mandatory.

For products covered by Article 32(1), the manufacturer may demonstrate conformity by using module A, module B+C, module H, or, where available and applicable, a qualifying European cybersecurity certification scheme.

Module A is no longer enough for the essential cybersecurity requirements for which the manufacturer has not applied, or has only partly applied, the relevant harmonised standards, common specifications, or qualifying European cybersecurity certification schemes, or where those tools do not exist.

In that situation, Article 32(2) requires module B+C or module H for those requirements.

Only in a limited sense.

Inference from Article 32(2): where a class I product relies only partly on the relevant harmonised standards, common specifications, or qualifying certification schemes, the remaining essential cybersecurity requirements must go through module B+C or module H. Article 32(2) is framed requirement-by-requirement, not as an automatic all-or-nothing ban on all use of module A.

Not as a general rule.

Important products of class II must use the procedures listed in Article 32(3), unless the product qualifies for the specific free-and-open-source-software exception in Article 32(5).

No.

Critical products listed in Annex IV must use the procedures in Article 32(4), which do not include module A.

It is a narrow exception for products qualifying as free and open-source software that fall under Annex III.

Article 32(5) allows those products to use one of the procedures listed in Article 32(1), including module A, provided that the technical documentation under Article 31 is made available to the public at the time the product is placed on the market.

Yes.

Under Annex VIII Part I point 2, the manufacturer must draw up the technical documentation described in Annex VII. More broadly, Article 31 requires technical documentation that shows how the product and the manufacturer's processes comply with Annex I.

Yes.

Module A is not a paperwork-only route. The manufacturer still has to verify that the product complies with the relevant essential cybersecurity requirements and be able to demonstrate that through technical documentation and supporting evidence.

The CRA does not mandate a single evaluation methodology. The Commission FAQ says manufacturers may verify conformity through testing or other mechanisms.

Yes.

The Commission FAQ says the manufacturer may perform the relevant tests in its own laboratories, if available, or in external laboratories. Under module A, the manufacturer still remains solely responsible for the conformity assessment.

It covers design, development, production, and vulnerability handling.

Annex VIII Part I point 3 is broader than a design-only check. It requires the manufacturer to take all measures necessary so that the relevant processes, and their monitoring, ensure compliance of both the product and the manufacturer's processes with Annex I.

Yes.

The Commission FAQ explains that, under module A, the manufacturer must ensure that production of the different units does not alter compliance with the CRA essential cybersecurity requirements.

The manufacturer must first be in a position to demonstrate that the product complies with the CRA.

After that, the manufacturer affixes the CE marking to each individual compliant product and draws up the written EU declaration of conformity.

Yes.

Annex VIII Part I point 4.2 requires a written EU declaration of conformity for each product with digital elements, and the declaration must identify the product for which it has been drawn up.

The manufacturer must keep the technical documentation and the EU declaration of conformity at the disposal of the authorities for at least 10 years after the product has been placed on the market or for the support period, whichever is longer.

No, not in general.

The Commission FAQ states that there is no general obligation to make the technical documentation public. The exception relevant here is the Article 32(5) rule for important free-and-open-source software using the Annex III exception.

No.

Under Annex VIII Part I point 5, the authorised representative may fulfil only the manufacturer's obligations under point 4, on the manufacturer's behalf and under the manufacturer's responsibility, if the mandate expressly covers those obligations. That means the CE-marking and declaration steps can be mandated, but the wider manufacturer obligations that underpin module A are not generally transferred.

Article 17(2) reinforces that the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate.

No.

Products assessed under module A remain subject to market surveillance. Authorities may request the technical documentation and related internal documentation, evaluate compliance, and act if they find non-compliance or formal non-compliance.

A defensible file is one that clearly shows how the manufacturer reached its compliance conclusion.

Grounded in Article 31, Annex VII, and the Commission FAQ, that usually means the documentation clearly identifies the applicable essential cybersecurity requirements, explains any justified non-applicability, records the cybersecurity risk assessment, and shows the technical means, standards, specifications, tests, or other evidence used to demonstrate conformity.

Yes.

For default-category products, Article 32(1) makes module A available without conditioning it on the existence of harmonised standards, common specifications, or qualifying certification schemes. The stricter no-standard rule in Article 32(2) is specific to important products of class I. The Commission FAQ also says harmonised standards are voluntary and manufacturers may demonstrate conformity through other technical means, provided those means are documented in the technical documentation.