EU Cyber Resilience Act FAQ Module A

Module A is the internal control conformity-assessment procedure.

Under this route, the manufacturer itself ensures and declares, on its sole responsibility, that the product satisfies the essential cybersecurity requirements in Part I of Annex I and that the manufacturer meets the vulnerability-handling requirements in Part II of Annex I.

No.

Module A is the CRA's self-assessment route. The Commission FAQ states expressly that no notified body participates in this procedure.

Yes, for products that are not pushed by Article 32 into a stricter route.

Article 32(1) lists module A as one of the CRA's general conformity-assessment procedures. In practice, it is the route available unless the product falls into the specific cases where Article 32(2), 32(3), or 32(4) require another procedure.

Module A is available for:

- products that are not important products or critical products

- important products of class I where Article 32(2) does not force a third-party route

- important products of class I or II that qualify as free and open-source software, if the technical documentation is made public at the time of placing on the market

Yes, where Article 32 does not make a stricter route mandatory.

For products covered by Article 32(1), the manufacturer may demonstrate conformity by using module A, module B+C, module H, or, where available and applicable, a qualifying European cybersecurity certification scheme.

Module A is no longer enough for the essential cybersecurity requirements for which the manufacturer has not applied, or has only partly applied, the relevant harmonised standards, common specifications, or qualifying European cybersecurity certification schemes, or where those tools do not exist.

In that situation, Article 32(2) requires module B+C or module H for those requirements.

Only in a limited sense.

Inference from Article 32(2): where a class I product relies only partly on the relevant harmonised standards, common specifications, or qualifying certification schemes, the remaining essential cybersecurity requirements must go through module B+C or module H. Article 32(2) is framed requirement-by-requirement, not as an automatic all-or-nothing ban on all use of module A.

Not as a general rule.

Important products of class II must use the procedures listed in Article 32(3), unless the product qualifies for the specific free-and-open-source-software exception in Article 32(5).

No.

Critical products listed in Annex IV must use the procedures in Article 32(4), which do not include module A.

It is a narrow exception for products qualifying as free and open-source software that fall under Annex III.

Article 32(5) allows those products to use one of the procedures listed in Article 32(1), including module A, provided that the technical documentation under Article 31 is made available to the public at the time the product is placed on the market.

Yes.

Under Annex VIII Part I point 2, the manufacturer must draw up the technical documentation described in Annex VII. More broadly, Article 31 requires technical documentation that shows how the product and the manufacturer's processes comply with Annex I.

Yes.

Module A is not a paperwork-only route. The manufacturer still has to verify that the product complies with the relevant essential cybersecurity requirements and be able to demonstrate that through technical documentation and supporting evidence.

The CRA does not mandate a single evaluation methodology. The Commission FAQ says manufacturers may verify conformity through testing or other mechanisms.

Yes.

The Commission FAQ says the manufacturer may perform the relevant tests in its own laboratories, if available, or in external laboratories. Under module A, the manufacturer still remains solely responsible for the conformity assessment.

It covers design, development, production, and vulnerability handling.

Annex VIII Part I point 3 is broader than a design-only check. It requires the manufacturer to take all measures necessary so that the relevant processes, and their monitoring, ensure compliance of both the product and the manufacturer's processes with Annex I.

Yes.

The Commission FAQ explains that, under module A, the manufacturer must ensure that production of the different units does not alter compliance with the CRA essential cybersecurity requirements.

The manufacturer must first be in a position to demonstrate that the product complies with the CRA.

After that, the manufacturer affixes the CE marking to each individual compliant product and draws up the written EU declaration of conformity.

Yes.

Annex VIII Part I point 4.2 requires a written EU declaration of conformity for each product with digital elements, and the declaration must identify the product for which it has been drawn up.

The manufacturer must keep the technical documentation and the EU declaration of conformity at the disposal of the authorities for at least 10 years after the product has been placed on the market or for the support period, whichever is longer.

No, not in general.

The Commission FAQ states that there is no general obligation to make the technical documentation public. The exception relevant here is the Article 32(5) rule for important free-and-open-source software using the Annex III exception.

No.

Under Annex VIII Part I point 5, the authorised representative may fulfil only the manufacturer's obligations under point 4, on the manufacturer's behalf and under the manufacturer's responsibility, if the mandate expressly covers those obligations. That means the CE-marking and declaration steps can be mandated, but the wider manufacturer obligations that underpin module A are not generally transferred.

Article 17(2) reinforces that the obligations in Article 13(1) to (11), Article 13(12) first subparagraph, and Article 13(14) cannot form part of the authorised representative's mandate.

No.

Products assessed under module A remain subject to market surveillance. Authorities may request the technical documentation and related internal documentation, evaluate compliance, and act if they find non-compliance or formal non-compliance.

A defensible file is one that clearly shows how the manufacturer reached its compliance conclusion.

Grounded in Article 31, Annex VII, and the Commission FAQ, that usually means the documentation clearly identifies the applicable essential cybersecurity requirements, explains any justified non-applicability, records the cybersecurity risk assessment, and shows the technical means, standards, specifications, tests, or other evidence used to demonstrate conformity.

Yes.

For default-category products, Article 32(1) makes module A available without conditioning it on the existence of harmonised standards, common specifications, or qualifying certification schemes. The stricter no-standard rule in Article 32(2) is specific to important products of class I. The Commission FAQ also says harmonised standards are voluntary and manufacturers may demonstrate conformity through other technical means, provided those means are documented in the technical documentation.

No.

Module A is only a conformity-assessment route. Presumption of conformity comes from the Article 27 tools, such as harmonised standards, common specifications, or qualifying European cybersecurity certification schemes, to the extent they cover the relevant requirements. If the manufacturer does not use those means, it may still use module A where the product is eligible, but it must explain in the technical documentation how compliance is reached otherwise.

No.

The Commission FAQ states that manufacturers are free to integrate important or critical components that were not designed in accordance with harmonised standards, regardless of whether such standards exist. It also explains that integrating an important or critical product into another product does not automatically render the finished product subject to the conformity-assessment procedures for that important or critical category. So the finished product's own core functionality still determines whether module A remains available.

No.

Making the technical documentation public is an extra condition for important class I or class II products qualifying as free and open-source software to keep access to the Article 32(1) routes, including module A. It does not replace the ordinary module A activities. The manufacturer still has to perform the risk-based compliance work, verify conformity, draw up the technical documentation, and only then affix the CE marking and sign the declaration of conformity.

Yes.

The March 2026 draft guidance says non-substantial updates do not trigger a new conformity assessment procedure or change the original placing-on-the-market date. But regardless of whether an update is substantial, manufacturers must keep the risk assessment and technical documentation accurate, complete, and continuously up to date. Article 31(2) also requires the technical documentation to be continuously updated where appropriate, at least during the support period.

Sometimes, yes.

The March 2026 draft guidance says a substantially modified product is treated as a new product and is newly placed on the market, so a new conformity assessment is required before that modified product is placed on the market. The same guidance also says existing documentation and tests may be re-used for unchanged parts. If the substantially modified product still falls in a category for which Article 32 allows module A, module A can be used again; if the modified product falls into a category that requires a stricter route, the applicable Article 32 route must be used instead.