Which routes apply to critical products with digital elements?
Critical products listed in Annex IV must use:
- a European cybersecurity certification scheme where Article 8(1) requires one, or
- if the conditions in Article 8(1) are not met, one of the class II routes in Article 32(3)
So critical products do not automatically have to use the same third-party route in every case. The legal answer depends first on whether a certification scheme has been made mandatory under Article 8(1).
Does integrating an important or critical component automatically force the finished product into the corresponding route?
No.
The CRA and the Commission FAQ both say that integrating an important or critical product into another product does not by itself make the finished product subject to the conformity assessment regime for that component category. The decisive factor is the core functionality of the finished product as a whole.
Does the CRA provide a special route for free and open-source software in Annex III categories?
Yes.
Manufacturers of products qualifying as free and open-source software that fall under Annex III categories may use any of the Article 32(1) procedures, including module A, provided that the technical documentation is made available to the public at the time of placing the product on the market.
Can a manufacturer choose a stricter CRA conformity assessment route than the minimum route required by law?
Yes.
The CRA sets minimum route requirements for certain product categories, but the manufacturer can still choose a more demanding route. For example, a default-category product may still go through module B+C or module H, and a class I product that could rely on module A may still opt for third-party assessment.
Under this route, the manufacturer verifies that the product complies with the CRA, draws up the technical documentation, performs the necessary testing or equivalent verification, and declares compliance on its sole responsibility. No notified body participates.
Module B+C combines notified-body examination of the design and development phase with manufacturer responsibility for conformity to the approved type in production.
The notified body examines the design, technical documentation, supporting evidence and specimens under module B. The manufacturer then ensures under module C that the manufactured units conform to the approved type and remains responsible for production conformity.
Under this route, the manufacturer operates an approved quality system covering design, development, production, final inspection and testing, and a notified body assesses and surveils that system. This is why module H can be attractive for manufacturers with larger product portfolios or products subject to frequent updates.
Do CRA conformity assessment routes assess only the product, or also the manufacturer's processes?
They assess both.
Article 32 requires conformity assessment of the product with digital elements and the processes put in place by the manufacturer. That is why the Annex VIII procedures also cover vulnerability handling processes and, depending on the route, production controls or quality-system controls.
How do high-risk AI systems affect CRA route selection?
As a rule, Article 12 says the relevant conformity assessment procedure under the AI Act applies to products that are both CRA products and high-risk AI systems, for the cybersecurity requirements addressed by the CRA.
But the CRA creates an important derogation. Important and critical CRA products that are also high-risk AI systems, and that would otherwise only be subject to AI Act internal control, must still follow the CRA conformity assessment procedures for the CRA cybersecurity requirements.
Can existing certificates issued under other EU product laws still be used during the CRA transition?
Yes, but only within limits.
Article 69(1) says EU-type examination certificates and approval decisions issued regarding cybersecurity requirements under other Union harmonisation legislation remain valid until 11 June 2028 unless they expire earlier or the other legislation says otherwise. The draft Commission guidance adds that manufacturers may rely on those certificates only for the cybersecurity risks and corresponding requirements they actually cover, and that even if the other legislation gives a longer validity period, reliance for CRA purposes does not continue beyond 11 June 2028.
Do products designed before 11 December 2027 still need a CRA conformity assessment if new units are placed on the market later?
Yes.
The CRA applies to individual products placed on the market from 11 December 2027 onward, not only to newly designed product types. The draft Commission guidance explains, however, that for products designed before the CRA applied, the manufacturer can demonstrate compliance through a current cybersecurity risk assessment and technical documentation and is not automatically expected to recreate historical design-phase evidence that would not improve the product's security.
Can an important product of class I rely on a harmonised standard before its reference is published in the Official Journal?
No.
For CRA presumption of conformity and for the Article 32(2) route logic, a harmonised standard counts only once its reference has been published in the Official Journal of the European Union. The Commission FAQ also says that after the European standardisation organisations adopt a harmonised standard, the Commission still has to assess it before publication in the Official Journal. Until then, a manufacturer may still refer to it in its technical documentation as part of the technical solution it relies on, but it does not have the legal effect of a published harmonised standard under Article 27.
Do common specifications and European cybersecurity certification schemes play the same role as harmonised standards for important class I route selection?
Broadly yes, where the CRA makes them available for that purpose.
Article 32(2) does not rely only on harmonised standards. It also refers to common specifications and European cybersecurity certification schemes at assurance level at least substantial as referred to in Article 27. The draft Commission guidance says that, although it discusses harmonised standards for brevity, the same logic extends to common specifications and to European cybersecurity certification schemes specified by the Commission under Article 27(9). That means they can support the internal control route for important class I products only to the extent that they cover the relevant requirements. For certification schemes, the CRA also says that a European cybersecurity certificate at assurance level at least substantial removes the need for third-party CRA assessment only for the corresponding requirements, not automatically for everything else.
For important or critical products, does the conformity assessment look only at the listed core functionality?
No.
The core functionality determines which conformity assessment route applies, but the conformity assessment itself covers the product as a whole. The draft guidance says the manufacturer needs to ensure that the whole product undergoes the applicable conformity assessment procedure, taking into account integrated components or additional functions as appropriate. The Commission FAQ says the notified body in module B+C examines the whole product and all relevant essential requirements.
Under Annex VIII, module B includes examination of the technical documentation and supporting evidence, but also examination of specimens of one or more critical parts of the product. The notified body must carry out appropriate examinations and tests, or have them carried out. The Commission FAQ also states that the notified body does not only perform a documentation-based assessment and may perform the necessary tests itself or through an external laboratory. Separately, the manufacturer may use its own laboratory or another laboratory on its behalf and under its responsibility for supporting evidence.
What happens to a module B+C certificate if the product changes after certification?
Changes that may affect conformity or the certificate's validity need notified-body involvement.
Annex VIII requires the manufacturer to inform the notified body of modifications to the approved type or vulnerability handling processes that may affect conformity with Annex I or the conditions for validity of the EU-type examination certificate. Those changes require additional approval as an addition to the original certificate. The Commission FAQ adds that substantial modifications require a new assessment by the same or a different notified body, while changes that do not affect CRA compliance are not subject to reassessment. Module B also includes periodic audits by the notified body to ensure the vulnerability handling processes are implemented adequately.
Can module H cover more than one product or product category, and does that remove future notified-body involvement?
It can cover products or product categories, but it does not eliminate ongoing notified-body control.
Annex VIII says module H can apply to the products with digital elements or product categories concerned, and the application must include technical documentation for one model of each intended category. But the manufacturer still has to keep the notified body informed of intended changes to the quality system, and the notified body must decide whether the modified system remains acceptable or needs reassessment. The Commission FAQ also says the quality system can be extended to new or substantially modified products, but that extension remains subject to a new assessment by the same notified body.
Are there CRA measures to reduce the conformity assessment burden for microenterprises and SMEs?
Yes.
The CRA says fees for conformity assessment procedures must take account of the specific interests and needs of microenterprises and SMEs and be reduced proportionately. It also requires notified bodies to carry out conformity assessments proportionately and without unnecessary burden. Beyond fees, Member States are to support awareness, advice, testing and conformity assessment activities where appropriate, may establish cyber resilience regulatory sandboxes, and microenterprises and small enterprises may use a simplified technical documentation format once specified by the Commission.
If the Commission later reclassifies a product or mandates certification for a critical category, does the new CRA conformity assessment route apply immediately?
Not necessarily.
If the Commission amends Annex III to add, move or withdraw an important-product category, the delegated act should, where appropriate, provide a minimum transitional period of 12 months before the new Article 32(2) or 32(3) routes apply, unless urgency justifies a shorter period. If the Commission makes European cybersecurity certification mandatory for a critical category under Article 8(1), the delegated act must provide a minimum transitional period of six months, unless imperative urgency justifies a shorter one.