Search every question across CRA sub-FAQs

No.

Module A is only a conformity-assessment route. Presumption of conformity comes from the Article 27 tools, such as harmonised standards, common specifications, or qualifying European cybersecurity certification schemes, to the extent they cover the relevant requirements. If the manufacturer does not use those means, it may still use module A where the product is eligible, but it must explain in the technical documentation how compliance is reached otherwise.

No.

The Commission FAQ states that manufacturers are free to integrate important or critical components that were not designed in accordance with harmonised standards, regardless of whether such standards exist. It also explains that integrating an important or critical product into another product does not automatically render the finished product subject to the conformity-assessment procedures for that important or critical category. So the finished product's own core functionality still determines whether module A remains available.

No.

Making the technical documentation public is an extra condition for important class I or class II products qualifying as free and open-source software to keep access to the Article 32(1) routes, including module A. It does not replace the ordinary module A activities. The manufacturer still has to perform the risk-based compliance work, verify conformity, draw up the technical documentation, and only then affix the CE marking and sign the declaration of conformity.

Yes.

The March 2026 draft guidance says non-substantial updates do not trigger a new conformity assessment procedure or change the original placing-on-the-market date. But regardless of whether an update is substantial, manufacturers must keep the risk assessment and technical documentation accurate, complete, and continuously up to date. Article 31(2) also requires the technical documentation to be continuously updated where appropriate, at least during the support period.

Sometimes, yes.

The March 2026 draft guidance says a substantially modified product is treated as a new product and is newly placed on the market, so a new conformity assessment is required before that modified product is placed on the market. The same guidance also says existing documentation and tests may be re-used for unchanged parts. If the substantially modified product still falls in a category for which Article 32 allows module A, module A can be used again; if the modified product falls into a category that requires a stricter route, the applicable Article 32 route must be used instead.

Module B+C is a two-step conformity-assessment route.

Module B is EU-type examination by a notified body. Module C is conformity to the approved type based on the manufacturer's internal production control. Together, they cover both the examination of the product type and the manufacturer's obligation to keep actual production in line with that approved type.

Module B+C is one of the mandatory third-party routes for:

- important products of class I where Article 32(2) requires third-party assessment for the relevant requirements

- important products of class II

- critical products, unless the applicable certification route under Article 8(1) applies

Yes.

Article 32(1) allows manufacturers to use module B+C for products generally covered by paragraph 1, even where module A would also be available.

Yes.

Module B is the notified-body part of the route. Module C then follows with the manufacturer's own internal production control against the approved type.

Only one.

The manufacturer must lodge the EU-type examination application with a single notified body of its choice and must declare that the same application has not been lodged with any other notified body.

The application must include:

- the manufacturer details and, where relevant, the authorised representative's details

- a declaration that the same application has not been lodged with another notified body

- technical documentation that allows conformity to be assessed, including an adequate analysis and assessment of the risks

- supporting evidence for the adequacy of the technical design, development solutions, and vulnerability-handling processes

Where necessary, the supporting evidence must include test results from the manufacturer's own laboratory or another testing laboratory acting on its behalf and under its responsibility.

It covers both.

EU-type examination is not limited to the product's technical design and development. The notified body also examines the vulnerability-handling processes put in place by the manufacturer against Part II of Annex I.

It assesses both.

Annex VIII Part II requires examination of the technical documentation and supporting evidence, plus examination of specimens of one or more critical parts of the product. The notified body must also carry out appropriate examinations and tests, or have them carried out.

The notified body checks:

- whether the technical documentation and supporting evidence are adequate

- whether the examined specimens match the documentation

- which elements were designed and developed using relevant harmonised standards or technical specifications and which were not

- whether the manufacturer's chosen solutions satisfy the applicable essential cybersecurity requirements

Yes.

Annex VIII Part II point 4.5 says the notified body and the manufacturer agree on the location where the examinations and tests will be carried out.

The manufacturer receives an EU-type examination certificate.

The certificate identifies the approved type and the vulnerability-handling processes, and it records the conclusions of the examination and any validity conditions.

It must refuse to issue the EU-type examination certificate and give detailed reasons for the refusal.

It covers both.

Annex VIII Part II point 6 ties the certificate to both the approved type and the examined vulnerability-handling processes. That is why later modifications to either can matter for certificate validity.

Module C is the production-control step.

After obtaining the EU-type examination certificate, the manufacturer must ensure and declare that the products actually manufactured remain in conformity with the approved type and continue to satisfy the essential cybersecurity requirements.

Not in the way module H does.

Under module C, the manufacturer itself must take the necessary measures so that production and its monitoring ensure conformity with the approved type. The Commission FAQ makes the same point: the manufacturer cannot rely on an approved design if actual production drifts into non-compliance.