Search every question across CRA sub-FAQs

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures in Article 32(1), provided that the technical documentation is made public at the time of placing on the market. That means module H remains available for those products.

Yes.

Article 32(6) requires the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, to be taken into account when setting conformity-assessment fees, and those fees must be reduced proportionately.

A workable module H system is one that lets the notified body see, in a consistent and documented way, how the manufacturer controls design, development, testing, production, vulnerability handling, and later changes across the approved scope.

Grounded in Annex VIII Part IV, that usually means the quality-system documentation is specific enough to show who is responsible, which standards and specifications are used, how non-full use of them is handled, what examinations and tests are performed, what records are kept, and how the effectiveness of the system is monitored.

No.

Unlike module B+C, module H is not built around an EU-type examination certificate for a representative specimen. Under the CRA, module H is built around approval of the manufacturer's quality system, later decisions on changes to that system, and ongoing surveillance. That is why the retained records under Part IV are the quality-system documentation, approved changes, and notified-body decisions and reports, rather than an EU-type certificate.

No.

The notified body assesses and surveils the quality system, but the manufacturer still carries out the product-level compliance work within that system. The Commission FAQ says the manufacturer, based on the quality system, implements the necessary cybersecurity mitigation measures following the risk assessment, tests the product, draws up the technical documentation, and ensures that production of the different units does not alter compliance.

No.

The Commission FAQ says the manufacturer can extend the scope of the quality system to new or substantially modified products, but the quality system must be updated to document the new scope, new standards may need to be applied, and new tests may need to be performed. That extension is subject to a new assessment by the same notified body that performed the original assessment. Annex VIII Part IV point 3.5 also requires the manufacturer to keep that notified body informed of intended changes to the quality system.

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to technical documentation and correspondence for any CRA conformity assessment procedure, including module H.

It follows the CE marking wherever the CRA allows that CE marking to be placed for software.

For software products, Article 30(1) says the CE marking is affixed either to the EU declaration of conformity or on the website accompanying the software product. Article 30(4) then says that, where module H is used, the CE marking is followed by the notified body's identification number. So the CRA does not create a separate location rule for software under module H; the number follows the CE marking in the place where that marking is lawfully affixed.

A notified body is a conformity assessment body that has been designated and notified under the CRA to carry out notified-body conformity assessment activities.

The Commission assigns it an identification number and makes the list of notified bodies and their notified activities publicly available.

No.

A body becomes a notified body for CRA purposes only after it has been notified in accordance with Article 43 and the objection period has passed without objection.

A notified body is needed where the applicable CRA route is module B+C or module H.

That typically means important products of class I where Article 32(2) requires third-party assessment, important products of class II unless a qualifying certification route applies, and critical products where the Article 8(1) certification route does not apply. Module A does not involve a notified body.

Under module B, the notified body examines the product's technical design and development and the manufacturer's vulnerability-handling processes, reviews the technical documentation and supporting evidence, verifies specimens, and carries out or arranges the necessary examinations and tests.

If the outcome is positive, it issues the EU-type examination certificate. Under module C, the manufacturer remains responsible for production conformity.

Under module H, the notified body assesses and approves the manufacturer's quality system, reviews technical documentation for representative models, and then surveils the approved quality system through periodic audits.

Each Member State designates a notifying authority for that purpose.

The notifying authority is responsible for the assessment, designation, notification, and monitoring of conformity assessment bodies, including compliance with the CRA rules on subsidiaries and subcontracting.

Yes, under conditions.

Member States may decide that assessment and monitoring are carried out by a national accreditation body under Regulation (EC) No 765/2008. If the notifying authority delegates assessment, notification, or monitoring to a non-governmental body, that body must meet the CRA requirements applicable to notifying authorities and the notifying authority keeps full responsibility for the delegated tasks.

They must be organised to avoid conflicts of interest and preserve objectivity and impartiality.

The CRA also requires that decisions on notification are taken by competent persons different from those who carried out the assessment, and it prohibits the notifying authority from offering conformity-assessment activities or consultancy services on a commercial or competitive basis.

They must be third-party bodies independent from the organisation and the product with digital elements they assess.

They and their relevant personnel must not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user, or maintainer of the assessed products, and they must not engage in activities that conflict with their independence of judgment or integrity. The CRA states expressly that this applies in particular to consultancy services.

Possibly, yes.

Article 39(3) allows a body belonging to a business association or professional federation to be treated as a third-party body if its independence and the absence of conflicts of interest are demonstrated.

It must be capable of carrying out all the conformity-assessment tasks for which it is notified and must have the necessary personnel, procedures, means, equipment, and facilities.

Its personnel must also have the required training, knowledge of the CRA requirements, harmonised standards and common specifications, and the ability to draw up certificates, records, and reports showing that assessments were carried out.

Yes.

The CRA requires impartiality, bans remuneration structures tied to assessment numbers or results, requires liability insurance unless public liability arrangements apply, and imposes professional secrecy obligations with documented procedures to protect confidential information.