EU Cyber Resilience Act FAQ Module B+C

Module B+C is a two-step conformity-assessment route.

Module B is EU-type examination by a notified body. Module C is conformity to the approved type based on the manufacturer's internal production control. Together, they cover both the examination of the product type and the manufacturer's obligation to keep actual production in line with that approved type.

Module B+C is one of the mandatory third-party routes for:

- important products of class I where Article 32(2) requires third-party assessment for the relevant requirements

- important products of class II, such as hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors or microcontrollers

- critical products listed in Annex IV, unless the applicable certification route under Article 8(1) applies

Yes.

Article 32(1) allows manufacturers to use Module B+C for products generally covered by paragraph 1, even where module A would also be available.

Yes.

Module B is the notified-body part of the route. Module C then follows with the manufacturer's own internal production control against the approved type.

Only one.

The manufacturer must lodge the EU-type examination application with a single notified body of its choice and must declare that the same application has not been lodged with any other notified body.

The application must include:

- the manufacturer details and, where relevant, the authorised representative's details

- a declaration that the same application has not been lodged with another notified body

- technical documentation that allows conformity to be assessed, including an adequate analysis and assessment of the risks

- supporting evidence for the adequacy of the technical design, development solutions, and vulnerability-handling processes

Where necessary, the supporting evidence must include test results from the manufacturer's own laboratory or another testing laboratory acting on its behalf and under its responsibility.

It covers both.

EU-type examination is not limited to the product's technical design and development. The notified body also examines the vulnerability-handling processes put in place by the manufacturer against Part II of Annex I.

It assesses both.

Annex VIII Part II requires examination of the technical documentation and supporting evidence, plus examination of specimens of one or more critical parts of the product. The notified body must also carry out appropriate examinations and tests, or have them carried out.

The notified body checks:

- whether the technical documentation and supporting evidence are adequate

- whether the examined specimens match the documentation

- which elements were designed and developed using relevant harmonised standards or technical specifications and which were not

- whether the manufacturer's chosen solutions satisfy the applicable essential cybersecurity requirements

Yes.

Annex VIII Part II point 4.5 says the notified body and the manufacturer agree on the location where the examinations and tests will be carried out.

The manufacturer receives an EU-type examination certificate.

The certificate identifies the approved type and the vulnerability-handling processes, and it records the conclusions of the examination and any validity conditions.

It must refuse to issue the EU-type examination certificate and give detailed reasons for the refusal. Annex VIII frames that refusal around both the type and the vulnerability-handling processes, so a process failure can block the certificate even if the product design evidence is otherwise strong.

It covers both.

Annex VIII Part II point 6 ties the certificate to both the approved type and the examined vulnerability-handling processes. That is why later modifications to either can matter for certificate validity.

Module C is the production-control step.

After obtaining the EU-type examination certificate, the manufacturer must ensure and declare that the products actually manufactured remain in conformity with the approved type and continue to satisfy the essential cybersecurity requirements.

Not in the way module H does.

Under module C, the manufacturer itself must take the necessary measures so that production and production monitoring ensure conformity with the approved type and the applicable essential cybersecurity requirements. Module C is therefore not a full-quality-assurance route supervised like Module H.

The manufacturer must:

- ensure that production conforms to the approved type

- affix the CE marking to each individual compliant product

- draw up a written declaration of conformity for the product model

It is for the product model.

Annex VIII Part III point 3.2 requires a written declaration of conformity for a product model. That differs from module A wording, which refers to each product with digital elements.

Yes.

Even though the declaration under module C is for the product model, the CE marking must still be affixed to each individual product with digital elements that conforms to the approved type.

The manufacturer must inform the notified body that holds the technical documentation relating to the certificate of any modifications that may affect conformity or the conditions for validity of the certificate.

Those modifications require additional approval in the form of an addition to the original EU-type examination certificate.

Not only for that label.

Annex VIII Part II point 7 is framed more broadly: the trigger is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate.

Yes, but it is limited.

The notified body must carry out periodic audits to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. This is not the same as the broader quality-system surveillance under module H.

The notified body must inform its notifying authorities and the other notified bodies about those certificate outcomes.

The Commission and Member States can also obtain copies of the certificates and, on request, copies of the technical documentation and examination results.

The manufacturer must keep:

- the EU-type examination certificate, its annexes and additions, together with the technical documentation

- the declaration of conformity for the product model

Those records must be kept at the disposal of national authorities for 10 years after the product is placed on the market or for the support period, whichever is longer.

Yes, but only where the mandate expressly covers them.

Under Annex VIII Part II point 11, the authorised representative may lodge the module B application and fulfil the obligations relating to modifications and record retention. Under Annex VIII Part III point 4, the authorised representative may fulfil the declaration obligations in module C.

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures listed in Article 32(1), provided the technical documentation is made public at the time of placing on the market. That means they may use module A, but they may also choose Module B+C.

No.

Article 69(1) provides a transition rule: EU-type examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements under other Union harmonisation legislation remain valid until 11 June 2028, unless they expire earlier or that other legislation specifies otherwise.

A workable file is one that lets the notified body trace the compliance claim, the supporting design choice, the evidence, and the tested specimen without gaps.

Grounded in Annex VIII Part II and Annex VII, that usually means the application clearly identifies the applicable requirements, includes the risk analysis and assessment, explains any reliance on or departure from harmonised standards or technical specifications, and contains the supporting evidence and test results needed for the notified body's examination.

No.

Under Article 30(4), the CE marking is followed by the notified body's identification number only where that body is involved in the conformity assessment procedure based on module H. Under Module B+C, the manufacturer still affixes the CE marking to each individual compliant product under module C, but the CRA does not require a notified-body number next to that marking.

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to the technical documentation and correspondence relating to any CRA conformity assessment procedure, including Module B+C.

No.

The legal trigger in Annex VIII Part II point 7 is any modification to the approved type or the vulnerability-handling processes that may affect conformity with Annex I or the conditions for validity of the certificate. Those changes require additional approval from the notified body in the form of an addition to the original certificate.

The practical split is evidence-based: changes that may affect Annex I conformity or certificate-validity conditions need notified-body approval; changes that do not affect those points should still be recorded internally so the manufacturer can explain why reassessment was not triggered.

Not necessarily.

Not necessarily. For the CRA certificate, the notified-body trigger remains whether the modification to the approved type or vulnerability-handling processes may affect Annex I conformity or certificate-validity conditions.

The Blue Guide gives the product-law evidence principle for modified products: when a modified product is treated as new, technical documentation has to be updated only as far as the modification affects applicable requirements, and tests or documentation need not be repeated for aspects not impacted by the modification. In practice, a Module B+C reassessment file should identify the changed parts, explain why any unchanged parts are still covered by existing evidence, and submit the affected type or process changes for approval where Annex VIII point 7 is triggered.

No.

Under Annex VIII Part II point 8, the periodic audit duty is specifically to ensure that the vulnerability-handling processes in Part II of Annex I are implemented adequately. Module C separately leaves production conformity control to the manufacturer. So this is narrower than a module H full-quality-assurance assessment.