EU Cyber Resilience Act FAQ Module H

Module H is the conformity-assessment procedure based on full quality assurance.

Under this route, the manufacturer operates an approved quality system for design, development, final product inspection and testing, and vulnerability handling, and a notified body assesses and surveils that system.

Module H is available under Article 32(1) as one way to demonstrate CRA conformity for products with digital elements and the manufacturer's related processes.

It becomes one of the required third-party routes where Article 32(2) applies to an important class I product because harmonised standards, common specifications, or qualifying certification schemes are missing, unavailable, or only partly applied; where Article 32(3) applies to an important class II product; and where Article 32(4) applies to a critical product and the Article 8(1) certification route is not available.

Yes.

Where Article 32(1) is enough for the product, the manufacturer may choose Module H instead of Module A or Module B+C. That is a business and certification choice: it adds notified-body assessment and surveillance, but can support a broader approved quality-system route.

Module H can cover the products with digital elements, or product categories, included in the approved quality system.

It does not automatically cover the manufacturer's whole portfolio. The application and quality-system documentation need a defined scope, and new or substantially modified products need the quality system to be updated and reassessed before they are treated as covered.

Yes.

The quality system must be assessed by a notified body, and the manufacturer remains under notified-body surveillance after approval.

It must ensure compliance of the covered products with Part I of Annex I and compliance of the manufacturer's vulnerability-handling processes with Part II of Annex I.

It must also cover the relevant lifecycle controls, including design, development, production controls, final product inspection and testing, and vulnerability handling, and it must remain effective throughout the support period.

The application to the notified body must include:

- the manufacturer details and, where relevant, the authorised representative's details

- the technical documentation for one model of each category of products intended to be manufactured or developed

- the quality-system documentation

- a declaration that the same application has not been lodged with any other notified body

Yes.

Module H does not supersede the Article 31 and Annex VII documentation duties. The application must include technical documentation for one model of each covered product category, and the Commission FAQ notes that, where a quality-system route is used, the technical documentation may form part of the quality-system documentation.

The quality-system documentation must systematically describe, among other things:

- quality objectives and management responsibilities

- the standards and specifications to be applied

- the means used where relevant harmonised standards or technical specifications are not applied in full

- design and development controls and verification techniques

- production, quality-control, and quality-assurance techniques

- examinations and tests and how often they are carried out

- quality records

- how the manufacturer monitors the effective operation of the quality system

Yes.

Annex VIII Part IV point 3.2 distinguishes between the technical design and development specifications relevant to Part I of Annex I and the procedural specifications relevant to Part II of Annex I. In practice, Module H covers both product compliance and the manufacturer's vulnerability-handling processes.

The notified body assesses whether the quality system satisfies the CRA requirements in Annex VIII Part IV point 3.2.

The audit team must include at least one member experienced in the relevant product field and technology, and the audit must include an assessment visit to the manufacturer's premises where such premises exist. The audit team also reviews the submitted technical documentation to verify the manufacturer's ability to identify the applicable CRA requirements and carry out the necessary examinations.

No.

The CRA allows the notified body to presume conformity for elements of the quality system that comply with the corresponding specifications of the national standard implementing the relevant harmonised standard or technical specification. But the notified body still has to assess and approve the system under Module H.

The Commission FAQ also says that accreditation against the ISO 9000 series does not by itself entitle a manufacturer to use Module H without CRA notified-body involvement.

The manufacturer must undertake to fulfil the obligations arising from the approved quality system and maintain it so that it remains adequate and efficient.

The notified body's notification to the manufacturer must contain the conclusions of the audit and the reasoned assessment decision.

The manufacturer must keep the notified body informed of any intended change to the quality system.

The notified body then evaluates the proposed changes and decides whether the modified system still satisfies the requirements or whether reassessment is necessary.

Often yes, but only within an approved quality-system framework.

The Commission FAQ says Module H may be particularly considered by manufacturers that place numerous product types on the market or products subject to frequent updates, because it provides a more versatile framework than module B+C. That does not remove the need for notified-body assessment of the system and later changes to it.

The notified body must carry out surveillance to make sure the manufacturer fulfils the obligations arising from the approved quality system.

For that purpose, the manufacturer must allow access to the relevant design, development, production, inspection, testing, and storage sites and provide the quality-system documentation plus design and manufacturing quality records needed for assessment.

Yes.

The notified body must carry out periodic audits to make sure the manufacturer maintains and applies the quality system, and it must provide the manufacturer with an audit report.

No.

Even under Module H, the manufacturer ensures and declares on its sole responsibility that the covered products or product categories satisfy the applicable CRA requirements and that its vulnerability-handling processes meet Annex I Part II. The notified body assesses and surveils the quality system, but it does not take over the manufacturer's legal responsibility.

Under Module H, the manufacturer affixes the CE marking to each individual compliant product with digital elements, and the notified body's identification number must follow the CE marking.

The identification number is affixed by the notified body itself or, under its instructions, by the manufacturer or the manufacturer's authorised representative. For software, the CE marking location follows Article 30(1), so the number follows the CE marking on the declaration of conformity or accompanying website.

It is tied to each product model for the Module H record duty.

Annex VIII Part IV point 5.2 requires a written declaration of conformity for each product model and requires the declaration to identify the product model for which it has been drawn up. Article 28 also says that, by drawing up the EU declaration of conformity, the manufacturer assumes responsibility for product compliance.

The manufacturer must keep Module H records at the disposal of national authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

The retained file should include:

- the technical documentation

- the quality-system documentation

- approved changes to the quality system

- the notified body's decisions and reports

- the declaration of conformity for each product model

The notified body must inform its notifying authorities about quality-system approvals issued or withdrawn, and it must also inform other notified bodies about approvals it has refused, suspended, or withdrawn and, on request, about approvals it has issued.

Yes, but only where the mandate expressly covers them.

Under Annex VIII Part IV point 8, the authorised representative may fulfil the manufacturer's obligations relating to the application, quality-system changes, declaration, and record-retention steps on the manufacturer's behalf and under the manufacturer's responsibility.

Yes.

Article 32(5) allows manufacturers of Annex III products qualifying as free and open-source software to use one of the procedures in Article 32(1), provided that the technical documentation is made public at the time of placing on the market. That means Module H remains available for those products.

Yes.

Article 32(6) requires the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, to be taken into account when setting conformity-assessment fees, and those fees must be reduced proportionately.

A workable Module H system lets the notified body see, in a consistent and documented way, how the manufacturer controls the approved product scope from design and development through production, testing, vulnerability handling, CE marking, declarations, records, and later quality-system changes.

In practical terms, the quality-system documentation should show management responsibilities, standards and specifications used, how gaps from harmonised standards or technical specifications are covered, design and development verification, production and quality-assurance controls, examinations and tests with their frequency, quality records, and monitoring of quality-system effectiveness.

No.

Unlike module B+C, Module H is not built around an EU-type examination certificate for a representative specimen. Under the CRA, Module H is built around approval of the manufacturer's quality system, later decisions on changes to that system, and ongoing surveillance. That is why the retained records under Part IV are the quality-system documentation, approved changes, and notified-body decisions and reports, rather than an EU-type certificate.

No.

The notified body assesses and surveils the quality system, but the manufacturer still carries out the product-level compliance work within that system. The Commission FAQ says the manufacturer, based on the quality system, implements the necessary cybersecurity mitigation measures following the risk assessment, tests the product, draws up the technical documentation, and ensures that production of the different units does not alter compliance.

No.

The Commission FAQ says the manufacturer can extend the scope of the quality system to new or substantially modified products, but the quality system must be updated to document the new scope, new standards may need to be applied, and new tests may need to be performed. That extension is subject to a new assessment by the same notified body that performed the original assessment. Annex VIII Part IV point 3.5 also requires the manufacturer to keep that notified body informed of intended changes to the quality system.

They must be in an official language of the Member State where the notified body is established, or in another language acceptable to that body.

That rule applies to technical documentation and correspondence for any CRA conformity assessment procedure, including Module H.

It follows the CE marking wherever the CRA allows that CE marking to be placed for software.

For software products, Article 30(1) says the CE marking is affixed either to the EU declaration of conformity or on the website accompanying the software product. Article 30(4) then says that, where Module H is used, the CE marking is followed by the notified body's identification number. So the CRA does not create a separate location rule for software under Module H; the number follows the CE marking in the place where that marking is lawfully affixed.