Search every question across CRA sub-FAQs

The manufacturer must:

- ensure that production conforms to the approved type

- affix the CE marking to each individual compliant product

- draw up a written declaration of conformity for the product model

It is for the product model.

Annex VIII Part III point 3.2 requires a written declaration of conformity for a product model. That differs from module A wording, which refers to each product with digital elements.

Yes.

Even though the declaration under module C is for the product model, the CE marking must still be affixed to each individual product with digital elements that conforms to the approved type.

The manufacturer must inform the notified body that holds the technical documentation relating to the certificate of any modifications that may affect conformity or the conditions for validity of the certificate.

Those modifications require additional approval in the form of an addition to the original EU-type examination certificate.

Not only for that label.

Annex VIII Part II point 7 is framed more broadly: the trigger is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate.

Yes, but it is limited.

The notified body must carry out periodic audits to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. This is not the same as the broader quality-system surveillance under module H.

The notified body must inform its notifying authorities and the other notified bodies about those certificate outcomes.

The Commission and Member States can also obtain copies of the certificates and, on request, copies of the technical documentation and examination results.

The manufacturer must keep:

- the EU-type examination certificate, its annexes and additions, together with the technical documentation

- the declaration of conformity for the product model

Those records must be kept at the disposal of national authorities for 10 years after the product is placed on the market or for the support period, whichever is longer.

Yes, but only where the mandate expressly covers them.

Under Annex VIII Part II point 11, the authorised representative may lodge the module B application and fulfil the obligations relating to modifications and record retention. Under Annex VIII Part III point 4, the authorised representative may fulfil the declaration obligations in module C.

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures listed in Article 32(1), provided the technical documentation is made public at the time of placing on the market. That means they may use module A, but they may also choose module B+C.

No.

Article 69(1) provides a transition rule: EU-type examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements under other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or that other legislation specifies otherwise.

A workable file is one that lets the notified body trace the compliance claim, the supporting design choice, the evidence, and the tested specimen without gaps.

Grounded in Annex VIII Part II and Annex VII, that usually means the application clearly identifies the applicable requirements, includes the risk analysis and assessment, explains any reliance on or departure from harmonised standards or technical specifications, and contains the supporting evidence and test results needed for the notified body's examination.

No.

Under Article 30(4), the CE marking is followed by the notified body's identification number only where that body is involved in the conformity assessment procedure based on module H. Under module B+C, the manufacturer still affixes the CE marking to each individual compliant product under module C, but the CRA does not require a notified-body number next to that marking.

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to the technical documentation and correspondence relating to any CRA conformity assessment procedure, including module B+C.

No.

The legal trigger in Annex VIII Part II point 7 is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate. Those changes require additional approval from the notified body in the form of an addition to the original certificate.

The Commission FAQ adds a practical split: substantial modifications require a new assessment by the same or a different notified body and may lead to revision of the certificate, while modifications that do not affect compliance with the CRA requirements are not subject to reassessment by the notified body.

Not necessarily.

The March 2026 draft guidance says a substantially modified product is treated as a new product and is newly placed on the market. But it also says existing documentation and tests may be re-used for aspects not impacted by the substantial modification, and that where a third-party conformity assessment is performed it should focus on the substantially modified parts. The person placing the substantially modified product on the market still has to justify why unchanged parts can rely on the existing evidence.

No.

Under Annex VIII Part II point 8, the periodic audit duty is specifically to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. Module C separately leaves production conformity control to the manufacturer. So this is narrower than a module H full-quality-assurance assessment.

Module H is the conformity-assessment procedure based on full quality assurance.

Under this route, the manufacturer operates an approved quality system for design, development, final product inspection and testing, and vulnerability handling, and a notified body assesses and surveils that system.

Module H is available as one of the general Article 32(1) conformity-assessment procedures.

It is also one of the mandatory third-party options for important products of class I where Article 32(2) requires third-party assessment, for important products of class II, and for critical products where the Article 8(1) certification route does not apply.

Yes.

Where Article 32(1) applies, the manufacturer may choose module H instead of module A or module B+C.