FAQ item index

Indexed coverage: 826 of 826 items across 40 modules. Updated Mar 10, 2026.
Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
CRA Conformity Assessment Routes

Do common specifications and European cybersecurity certification schemes play the same role as harmonised standards for important class I route selection?

Broadly yes, where the CRA makes them available for that purpose.

Article 32(2) does not rely only on harmonised standards. It also refers to common specifications and to European cybersecurity certification schemes at assurance level at least 'substantial' as referred to in Article 27. The draft Commission guidance says that, although it discusses harmonised standards for brevity, the same logic extends to common specifications and to European cybersecurity certification schemes specified by the Commission under Article 27(9). That means they can support the internal control route for important class I products only to the extent that they cover the relevant essential requirements and are applied in full; where the manufacturer applies them only in part, or none exist, Article 32(2) requires one of the third-party routes instead. For certification schemes, the CRA also says that a European cybersecurity certificate at assurance level at least substantial removes the need for third-party CRA assessment only for the corresponding requirements, not automatically for everything else.

Citations
Cyber Resilience Act

Article 27 and Article 32(2) explain how common specifications and qualifying cybersecurity certificates can affect third-party assessment obligations.

CRA Conformity Assessment Routes

For important or critical products, does the conformity assessment look only at the listed core functionality?

No.

The core functionality determines which conformity assessment route applies, but the conformity assessment itself covers the product as a whole. The draft guidance says the manufacturer needs to ensure that the whole product undergoes the applicable conformity assessment procedure, taking into account integrated components or additional functions as appropriate. The Commission FAQ says the notified body in module B+C examines the whole product and all relevant essential requirements.

Citations
Cyber Resilience Act

Article 32(1) to Article 32(4) link product classification to the route while still assessing the product and manufacturer processes.

CRA Conformity Assessment Routes

Is CRA module B just a documentation review?

No.

Under Annex VIII, module B includes examination of the technical documentation and supporting evidence, but also examination of specimens of one or more critical parts of the product. The notified body must carry out appropriate examinations and tests, or have them carried out. The Commission FAQ also states that the notified body does not only perform a documentation-based assessment and may perform the necessary tests itself or through an external laboratory. Separately, the manufacturer may use its own laboratory or another laboratory on its behalf and under its responsibility for supporting evidence.

Citations
Cyber Resilience Act

Annex VIII Part II points 2, 3.4, and 4.1 to 4.5 require technical-documentation review, specimen examination, and appropriate tests.

CRA Conformity Assessment Routes

What happens to a CRA module B+C certificate if the product changes after certification?

Changes that may affect conformity or the certificate's validity need notified-body involvement.

Annex VIII requires the manufacturer to inform the notified body of modifications to the approved type or vulnerability handling processes that may affect conformity with Annex I or the conditions for validity of the EU-type examination certificate. Those changes require additional approval as an addition to the original certificate. The Commission FAQ adds that substantial modifications require a new assessment by the same or a different notified body, while changes that do not affect CRA compliance are not subject to reassessment. Separately, Annex VIII Part II includes notified-body periodic audits focused on vulnerability-handling processes, while Module C leaves production conformity control with the manufacturer.

Citations
Cyber Resilience Act

Annex VIII Part II points 6 to 8 require notified-body approval for changes that may affect conformity or certificate validity.

CRA Conformity Assessment Routes

Can CRA module H cover more than one product or product category, and does that remove future notified-body involvement?

It can cover products or product categories, but it does not eliminate ongoing notified-body control.

Annex VIII says module H can apply to the products with digital elements or product categories concerned, and the application must include technical documentation for one model of each intended category. But the manufacturer still has to keep the notified body informed of intended changes to the quality system, and the notified body must decide whether the modified system remains acceptable or needs reassessment. The Commission FAQ also says the quality system can be extended to new or substantially modified products, but that extension remains subject to a new assessment by the same notified body.

Citations
Cyber Resilience Act

Annex VIII Part IV points 1, 3.1, 3.5, and 4.3 explain product-category coverage and ongoing notified-body control under module H.

CRA Conformity Assessment Routes

Are there CRA measures to reduce the conformity assessment burden for microenterprises and SMEs?

Yes.

The CRA requires fees for conformity assessment procedures to take account of the specific interests and needs of microenterprises and SMEs and to be reduced proportionately. It also requires notified bodies to carry out conformity assessments proportionately and without unnecessary burden. Beyond fees, Member States are to support awareness, advice, testing and conformity assessment activities where appropriate and may establish cyber resilience regulatory sandboxes, and microenterprises and small enterprises may use a simplified technical documentation format once the Commission has specified it.

Citations
Cyber Resilience Act

Article 32(6), Article 33, Article 33(5), Article 39(12), and Article 47(2) together cover proportionate assessment, SME fee reductions, support measures, sandboxes, and simplified documentation.

CRA Conformity Assessment Routes

If the Commission later reclassifies a product or mandates certification for a critical category, does the new CRA conformity assessment route apply immediately?

Not necessarily.

If the Commission amends Annex III to add, move or withdraw an important-product category, the delegated act should, where appropriate, provide a minimum transitional period of 12 months before the new Article 32(2) or 32(3) routes apply, unless urgency justifies a shorter period. If the Commission makes European cybersecurity certification mandatory for a critical category under Article 8(1), the delegated act must provide a minimum transitional period of six months, unless imperative urgency justifies a shorter one.

Citations
Cyber Resilience Act

Article 7(3) and Article 8(1) set transitional-period rules for later Annex III changes and mandatory certification for critical categories.

CRA Cybersecurity Risk Assessment

What does Article 13 require from a CRA cybersecurity risk assessment?

Article 13 requires the manufacturer to assess the cybersecurity risks associated with a product with digital elements and use the outcome during planning, design, development, production, delivery, and maintenance.

The assessment should show how the manufacturer is minimising cybersecurity risks, preventing incidents, and reducing incident impact, including effects on user health and safety where relevant. It should connect product assumptions, threats, mitigations, tests, and residual risks to the essential requirements in Annex I.

Citations
European Commission CRA FAQs

Sections 4.1.1 and 4.1.2 explain that the assessment must support risk treatment and verification by market surveillance authorities.

CRA Cybersecurity Risk Assessment

Does every CRA product need a cybersecurity risk assessment, or only important and critical products?

Every in-scope product with digital elements needs one. Classification as an important or critical product affects conformity assessment routes and assurance expectations, but it does not supersede the Article 13 risk assessment.

The Commission FAQ is explicit that default-category, important, and critical products all require a comprehensive cybersecurity risk assessment. The depth of treatment should reflect the product's actual risk profile, intended use, deployment context, and expected exposure.

Citations
CRA Cybersecurity Risk Assessment

What inputs must the CRA risk assessment analyse?

At minimum, Article 13(3) requires an analysis of cybersecurity risks based on the product's intended purpose, reasonably foreseeable use, conditions of use, and the length of time the product is expected to be in use.

The conditions of use can include the operational environment, the assets to be protected, user skill assumptions, connected systems, and deployment constraints. Those inputs should be specific enough to explain why particular Annex I requirements apply, why others do not, and how selected controls are proportionate to the risks.

Citations
Cyber Resilience Act

Article 13(3) lists intended purpose, reasonably foreseeable use, conditions of use, and expected use time.

CRA Cybersecurity Risk Assessment

How do intended purpose and reasonably foreseeable use change the assessment?

They define the threat model and the level of risk treatment expected for the product. The same type of product may require different controls if one version is intended for a residential setting and another is intended for critical infrastructure or another high-exposure environment.

Reasonably foreseeable use is broader than the manufacturer's preferred use case. It covers uses likely to result from foreseeable human behaviour, technical operations, or interactions. The assessment should therefore record excluded assumptions, supported environments, user groups, and foreseeable integrations that materially affect cybersecurity.

Citations
Cyber Resilience Act

Article 3(24) defines reasonably foreseeable use, and Article 13(3) makes it part of the risk assessment.

CRA Cybersecurity Risk Assessment

Does the CRA risk assessment need to cover reasonably foreseeable misuse?

Yes. The CRA user-information rules require disclosure of known or foreseeable circumstances linked to intended use or reasonably foreseeable misuse that may lead to significant cybersecurity risks.

For the assessment, that means manufacturers should not rely only on ideal secure deployment. If misuse, misconfiguration, insecure integration, unsupported environments, or predictable user behaviour could create significant cybersecurity risk, the file should show whether the risk is mitigated in the product, constrained by instructions, or treated as a residual risk communicated to users.

Citations
Cyber Resilience Act

Annex II point 5 requires user information about foreseeable circumstances and reasonably foreseeable misuse leading to significant cybersecurity risks.

CRA Declaration of Conformity

What is the CRA EU Declaration of Conformity?

It is the document in which the manufacturer declares that the product with digital elements complies with the Cyber Resilience Act and takes responsibility for that compliance.

For CRA purposes, the declaration states that fulfilment of the applicable essential cybersecurity requirements in Annex I has been demonstrated. It should therefore be consistent with the conformity assessment route, the technical documentation, the cybersecurity risk assessment, and any harmonised standards, common specifications, cybersecurity certifications, or notified-body certificates relied on.

Citations
CRA Declaration of Conformity

Can a CRA product be placed on the market without a Declaration of Conformity?

No. Before placing a product with digital elements on the market, the manufacturer must draw up technical documentation, complete or have completed the chosen conformity assessment procedure, and, where conformity has been demonstrated, draw up the EU Declaration of Conformity and affix the CE marking.

The product must also be accompanied by either a copy of the full EU Declaration of Conformity or a simplified EU Declaration of Conformity that points to the full text.

Citations
Cyber Resilience Act

Article 13(12) links technical documentation, conformity assessment, the declaration, and CE marking before placement on the market.

CRA Declaration of Conformity

What CRA declaration formats are allowed?

The CRA allows two customer-facing formats. The first is the full EU Declaration of Conformity, using the Annex V model structure. The second is the simplified EU Declaration of Conformity, using the Annex VI wording and giving the exact internet address where the full declaration can be accessed.

The simplified version reduces what accompanies the product, but it does not remove the obligation to create and maintain the full EU Declaration of Conformity.

Citations
Cyber Resilience Act

Article 13(20), Article 28(2), Annex V, and Annex VI establish the full and simplified formats.

CRA Declaration of Conformity

What must the full Annex V Declaration of Conformity contain?

Annex V requires enough information to identify the product and the compliance basis. The full declaration must include the product name, type, and identifying information; the manufacturer or authorised representative name and address; a sole-responsibility statement; the object of the declaration; and a statement that the product conforms with the relevant Union harmonisation legislation.

It must also list the relevant harmonised standards, common specifications, or cybersecurity certification used, and, where applicable, the notified body's name and number, the conformity assessment procedure performed, and the certificate issued. The signature block should identify the place and date of issue, name, function, and signature.

Citations
CRA Declaration of Conformity

What must the simplified Annex VI declaration contain?

The simplified declaration must follow the Annex VI model. It names the manufacturer, identifies the product type, states that the product is in compliance with Regulation (EU) 2024/2847, and gives the internet address where the full EU Declaration of Conformity is available.

Teams using the simplified version should control that URL like a release artifact: it should resolve to the current full declaration for the product version being supplied, remain stable for authority checks, and be updated when the underlying declaration changes.

Citations
Cyber Resilience Act

Article 13(20) and Annex VI require the simplified declaration to include the exact internet address for the full text.

CRA Declaration of Conformity

How does the Declaration of Conformity relate to CE marking?

The CE marking and the declaration are linked outputs of the same market-access sequence. The manufacturer affixes the CE marking only after the relevant conformity assessment procedure has demonstrated conformity and the EU Declaration of Conformity has been drawn up.

For physical products, the CE marking must generally be placed visibly, legibly, and indelibly on the product. Where that is not possible or not warranted, it goes on the packaging and on the accompanying EU Declaration of Conformity. For software products, the CE marking may be placed either on the EU Declaration of Conformity or on the website accompanying the software product, with the relevant website section easily and directly accessible to consumers.

Citations
Cyber Resilience Act

Article 13(12) and Article 30 connect conformity assessment, the declaration, and CRA CE-marking placement rules.

European Commission CRA FAQs

Section 6.7 explains CE marking as a manufacturer self-declaration addressed to consumers and market surveillance authorities.

CRA Declaration of Conformity

How does the Declaration of Conformity relate to technical documentation?

The declaration is the signed compliance statement; the technical documentation is the evidence file that shows how the product and the manufacturer's vulnerability-handling processes meet the applicable CRA requirements.

Annex VII requires the technical documentation to include, as applicable, the product description, software versions affecting compliance, design and development information, vulnerability-handling process specifications, the cybersecurity risk assessment, support-period rationale, applied standards or other solutions, test reports, and a copy of the EU Declaration of Conformity. A declaration that cites a standard, certification, or notified-body certificate should be traceable to the corresponding evidence in that technical file.

Citations
Cyber Resilience Act

Article 31 and Annex VII define the technical documentation contents, including a copy of the EU Declaration of Conformity.

European Commission CRA FAQs

Section 4.1.8 explains that technical documentation must demonstrate conformity regardless of conformity assessment route.

CRA Declaration of Conformity

Who draws up the declaration, and who remains responsible?

The manufacturer draws up the EU Declaration of Conformity and assumes responsibility for product compliance by doing so. A notified body, where involved, may issue certificates or approval decisions, but the declaration remains the manufacturer's responsibility statement.

An authorised representative can have declaration-related tasks only within the CRA mandate rules. At minimum, the mandate must allow the authorised representative to keep the EU Declaration of Conformity and technical documentation at the disposal of market surveillance authorities and provide information on request. The CRA does not let the authorised representative take over the manufacturer's core obligation to draw up the technical documentation before placement on the market.

Citations
Cyber Resilience Act

Article 18 and Article 28 allocate manufacturer and authorised-representative declaration responsibilities.

Page 5 of 42