Your CRA conformity assessment route determines cost, timeline, and external dependencies. Choose wrong and you'll waste months and thousands of euros. Choose right and you'll have a clear path to CE marking.
This guide helps you select the correct conformity assessment module and understand what each involves.
Summary
- Module A (Self-Assessment): Available for Default products and for Important Class I only when the relevant harmonised standards, common specifications, or European cybersecurity certification schemes are fully applied
- Module B+C (Third-Party): Required for Important Class II, optional for others
- Module H (Full QA): Alternative to B+C for organizations with multiple products
- Product classification determines which options are available
- Cost difference: Module A (~EUR 5–20K internal), B+C (~EUR 30–100K+), H (~EUR 50K+ setup + ongoing)
Sources: CRA Article 13(13) (retention period); NANDO database, the EU Notified Body registry (designation status); figures stated in this guide. The "~90%" Default-products figure is an estimate based on the narrowness of Annex III/Annex IV, not a CRA-stated value.
Conformity assessment overview
Conformity assessment is how you demonstrate your product meets CRA requirements. The EU Declaration of Conformity (DoC) you sign declares your product conforms, but you must have evidence to back that claim.
The CRA offers three conformity assessment modules. The decision tree above maps each product category to its permitted routes. Module A is a manufacturer self-assessment. Module B+C combines a Notified Body type examination (B) with a production-conformity phase you run (C). Module H is a single route where a Notified Body approves your quality management system and surveils it on an ongoing basis.
When can you use Module A self-assessment?
Self-assessment. You evaluate your own product against CRA requirements.
When Module A is available
- Default products: Always available
- Important Class I: Only if the relevant harmonised standards, common specifications, or European cybersecurity certification schemes are fully applied
What full coverage means
For Important Class I self-assessment, Module A remains available only where the relevant harmonised standards, common specifications, or European cybersecurity certification schemes:
- Cover the essential requirements in Annex I
- Are available for the product and route
- Are applied completely, not partially
If that coverage does not exist or is only partly applied, use Module B+C or Module H for the affected requirements.
CRA harmonised standards are still being developed. Monitor OJEU publications.
Module A process
| Phase | What to do | Why CRA teams care | Anchor |
|---|---|---|---|
| Design phase | Apply security-by-design principles, run the risk assessment, document the security architecture, and apply harmonised standards where relevant. | This is where you create the evidence base instead of trying to reconstruct it at the end. | Annex I requirements. |
| Documentation | Create the technical file covering product description, risk assessment results, design documentation, standards applied, test results, and SBOM. Prepare the EU Declaration of Conformity. | Module A still needs evidence. Self-assessment does not mean no file. | Annex VII file. |
| Production controls | Ensure production maintains conformity, document quality controls, and verify each unit where applicable. | The signed declaration must stay true for the run of products you place on the market. | Series production. |
| Finalisation | Sign the EU Declaration of Conformity, affix the CE marking, and retain the documentation for 10 years. | This is the handoff from evidence creation to market placement. | DoC, CE, retention. |
Module A documentation requirements
Your Annex VII technical file under Module A must cover these six areas.
| Area | What the file should contain | Why CRA teams care | Anchor |
|---|---|---|---|
| General description | Product identification, intended purpose, versions covered, and user instructions provided. | Authorities need to see exactly which product and release the evidence covers. | Product scope. |
| Risk assessment | Cybersecurity risks identified, threats and attack scenarios considered, and risk treatment decisions. | This is the logic connecting your threat model to your controls. | Risk evidence. |
| Design documentation | System architecture, security measures implemented, and how each requirement is met. | The file must show how the product design satisfies the cybersecurity requirements. | Annex I mapping. |
| Standards and testing | Standards, specifications or certification scheme applied with version details, test plans and results, and proof of full application for Important Class I. | Partial coverage can change the available conformity route. | Route evidence. |
| SBOM | Components included and vulnerabilities known at the time of assessment. | The SBOM links component inventory to vulnerability handling. | Component inventory. |
| Production | How production maintains conformity and which quality control measures apply. | Conformity has to survive beyond the assessed prototype. | Series controls. |
They draw on analogue CE-marking regimes (Radio Equipment Directive, Medical Device Regulation) and early CRA consultancy pricing. They are not a CRA-specific market survey. No Notified Body has published a CRA rate card: NANDO shows zero CRA designations as of June 2026. Use the numbers for planning. Confirm against real quotes once designations happen.
Module A costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| Risk assessment | EUR 5,000–15,000 | Internal or consultant |
| Technical documentation | EUR 5,000–20,000 | Depends on complexity |
| Testing | EUR 2,000–10,000 | Internal or lab |
| SBOM tooling | EUR 0–5,000 | Tools may already exist |
| Internal staff time | Variable | Often the largest cost |
Total typical range: EUR 15,000–50,000 (internal costs)
Module A timeline
| Phase | Duration |
|---|---|
| Risk assessment | 2-4 weeks |
| Documentation | 4-8 weeks |
| Testing | 2-4 weeks |
| Review and finalization | 1-2 weeks |
Total typical timeline: 2-4 months
When does the CRA require a Notified Body?
Third-party assessment. A Notified Body examines your product design.
When a Notified Body is required
- Important Class II: use Module B+C, Module H, or an approved European cybersecurity certification scheme at "substantial" assurance.
- Critical products: use the European cybersecurity certification route once the Commission has switched it on for that product category. Until then, use the same third-party fallback routes: Module B+C, Module H, or an approved scheme.
- Important Class I: use Module B+C or Module H only when the relevant harmonised standards, common specifications, or certification scheme are unavailable or not fully applied.
Module B: EU-type examination
A Notified Body examines a representative sample (type) of your product and issues a certificate.
| Item | Details |
|---|---|
| Application | Select a Notified Body and submit your application with product samples, technical documentation, and the application form. Pay the initial fees. |
| Examination | The Notified Body reviews documentation, tests the product sample, verifies compliance with the essential cybersecurity requirements, and may request additional information or tests. |
| Decision | If compliant, the Notified Body issues the EU-Type Examination Certificate. If deficiencies are found, you remediate and re-submit. |
| Certificate | Valid for the assessed type, with any conditions stated on the certificate. Modifications that may affect compliance need certificate follow-up with the Notified Body. The CRA does not prescribe a fixed re-examination interval. |
Module C: conformity to type
After Module B, you ensure production conforms to the certified type.
| Item | Details |
|---|---|
| Production controls | Ensure each unit conforms to the certified type, document production processes, and maintain quality controls. |
| Declaration | Reference the EU-Type Examination Certificate, sign the EU Declaration of Conformity, and affix the CE marking. |
| Ongoing | Maintain conformity to the certified type, report changes that affect the type to the Notified Body, and recertify if substantial changes occur. |
Notified Body selection
Considerations when choosing a Notified Body:
| Factor | Consideration |
|---|---|
| Scope | Is NB designated for CRA and your product type? |
| Capacity | Do they have availability? (Early CRA = limited capacity) |
| Location | Easier logistics if nearby |
| Experience | Familiarity with your product type |
| Cost | Fees vary significantly |
| Timeline | How quickly can they schedule examination? |
Finding NBs: Check NANDO database (EU's official Notified Body registry) once CRA designations are published.
Notified Body fees typically range from EUR 30,000 to EUR 100,000 or more, and queue times can reach 4 to 16 weeks. Budget and plan accordingly.
Module B+C costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| NB application fee | EUR 2,000–5,000 | Non-refundable |
| NB examination fee | EUR 15,000–50,000 | Depends on complexity |
| Sample preparation | EUR 1,000–5,000 | Product samples for testing |
| Technical documentation | EUR 10,000–30,000 | Must meet NB requirements |
| Travel/logistics | EUR 1,000–5,000 | If on-site visits required |
| Remediation (if needed) | Variable | Re-testing, documentation fixes |
Total typical range: EUR 30,000–100,000+
Module B+C timeline
| Phase | Duration |
|---|---|
| NB selection and application | 2-4 weeks |
| Documentation preparation | 4-8 weeks |
| NB queue time | 4-16 weeks (varies significantly) |
| Examination | 4-8 weeks |
| Certificate issuance | 2-4 weeks |
Total typical timeline: 4-10 months
Module H: full quality assurance
Quality management system approach. NB approves your QMS for design, production, and testing.
When Module H makes sense
Module H is advantageous when:
- You have multiple products requiring third-party assessment
- You already have a mature QMS (ISO 9001, ISO 27001)
- You want ongoing NB relationship rather than per-product examination
- You release frequent product updates
Module H process
| Item | Details |
|---|---|
| QMS establishment | Design a quality system covering your design process, production controls, testing procedures, and documentation management, aligned with CRA requirements. |
| Notified Body assessment | Submit QMS documentation, host the Notified Body audit, verify CRA alignment, and receive the QMS approval certificate. |
| Product design (per product) | Follow the approved QMS for design, conduct a design examination, document compliance, and allow Notified Body audits of the design process. |
| Production | Follow the approved QMS for production, document conformity, and accept Notified Body surveillance audits. |
| Declaration (per product) | Sign the EU Declaration of Conformity, reference the QMS certificate, and affix the CE marking. |
| Ongoing | Maintain the QMS and submit to periodic surveillance audits by the Notified Body. The CRA does not prescribe surveillance frequency or a recertification cycle; cadence is set in the audit plan. |
Module H QMS requirements
Your quality management system must cover four areas in parallel. Gaps in any one area will block certification.
| Item | Details |
|---|---|
| Design quality |
|
| Production quality |
|
| Documentation quality |
|
| Cybersecurity integration |
|
Module H costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| QMS development/upgrade | EUR 20,000–50,000 | If starting from scratch |
| NB initial audit | EUR 15,000–30,000 | QMS certification |
| Annual surveillance | EUR 5,000–15,000 | Ongoing |
| Per-product design review | EUR 5,000–15,000 | Varies by complexity |
Initial setup: EUR 40,000–100,000 Annual ongoing: EUR 10,000–30,000
Module H vs B+C decision
| Factor | Module B+C | Module H |
|---|---|---|
| Number of products | 1-3 products | 4+ products |
| Existing QMS | No mature QMS | Mature QMS exists |
| Update frequency | Infrequent updates | Frequent releases |
| Organization size | Small/medium | Medium/large |
| Upfront cost | Lower | Higher |
| Per-product cost | Higher | Lower |
| Ongoing cost | Lower | Higher (surveillance) |
Module H becomes cost-effective at 4 or more products. If you have a mature QMS (ISO 9001, ISO 27001), it is often the better long-term investment.
Rule of thumb: Module H becomes cost-effective at 4+ products or when you'd need re-examination frequently.
Decision framework
Step 1: determine product classification
Use the product classification guide to determine: Default, Important Class I, Important Class II, or Critical.
Step 2: identify available options
The decision tree at the top of this guide shows the full mapping. The table below summarises the same routes in text form.
| Category | Available modules | Recommended route |
|---|---|---|
| Default | A, B+C, H | Module A unless you want third-party validation |
| Important Class I, relevant standards, specifications, or scheme fully applied | A, B+C, H | Module A with full coverage |
| Important Class I, missing or partial coverage | B+C, H | Module B+C unless multiple products |
| Important Class II | B+C, H | Module B+C unless multiple products or mature QMS |
| Critical | EUCC or another required European cybersecurity certification route or B+C / H / approved scheme fallback | Depends on whether the Commission has switched on the certification route for that category |
Step 3: consider business factors
Step 3 only helps you choose among the modules Step 2 left available. The route rules make Module A unavailable for Important Class I when the relevant standards, specifications, or scheme are missing or only partly applied, for Important Class II, and for Critical products. The two tables below split on that gate so every row has a reachable answer on your path.
When Modules A, B+C, and H are all available
Applies to Default products, and to Important Class I when the relevant standards, specifications, or scheme are fully applied.
| Factor | Module A | Module B+C | Module H |
|---|---|---|---|
| Budget constrained | ✓ | ||
| Time constrained | ✓ | ||
| Need external validation | ✓ | ✓ | |
| Single product | ✓ | ✓ | |
| Many products | ✓ | ||
| Frequent updates | ✓ | ||
| No existing QMS | ✓ | ✓ | |
| Mature QMS (ISO 9001, ISO 27001) | ✓ | ||
| Customer requires Notified Body | ✓ | ✓ |
When only Modules B+C and H are available
Applies to Important Class I when the relevant standards, specifications, or scheme are missing or only partly applied, Important Class II, and Critical products. Module A is not a legal option for these categories regardless of budget or timeline pressure.
| Factor | Module B+C | Module H |
|---|---|---|
| Single product | ✓ | |
| Many products | ✓ | |
| Frequent updates | ✓ | |
| No existing QMS | ✓ | |
| Mature QMS (ISO 9001, ISO 27001) | ✓ |
This second branch mirrors the "Module H vs B+C Decision" table earlier in the guide. Where the two overlap, treat them as the same decision from two angles: the earlier table is cost-weighted, this one is operational-fit-weighted.
Step 4: calculate costs
Scenario: 5 Important Class II products, no existing QMS, 5-year horizon with 2 updates per product.
| Cost item | Module B+C | Module H |
|---|---|---|
| One-time setup QMS build-out and initial NB certification | n/a | EUR 75,000 EUR 50,000 QMS + EUR 25,000 NB cert |
| Per-product assessment (× 5) EU type examination (B+C) or design review (H) | EUR 250,000 EUR 50,000 × 5 | EUR 50,000 EUR 10,000 × 5 |
| Per-update assessment (× 10) Full re-examination (B+C) or design review delta (H) | EUR 250,000 EUR 25,000 × 10 | EUR 50,000 EUR 5,000 × 10 |
| Annual surveillance (× 5 years) | n/a | EUR 60,000 EUR 12,000 × 5 |
| 5-year total | EUR 500,000 | EUR 235,000 |
Module H saves EUR 265,000 over 5 years in this scenario. The crossover point is the combination of product count and update frequency. The per-product and per-update inputs are illustrative (see the estimates note near the Module A Costs table). Run the calculation with your own quotes before committing to a budget.
EU declaration of conformity
Regardless of module chosen, you must issue an EU Declaration of Conformity.
DoC required contents
The EU Declaration of Conformity for the Cyber Resilience Act is Regulation (EU) 2024/2847. Every DoC must contain the eight fields below, followed by the signatory block.
| Item | Details |
|---|---|
| Product identification | Product name, type, batch, and serial number(s), in detail sufficient for traceability. |
| Manufacturer name and address | Legal entity responsible for the declaration. Authorised representative details, if applicable. |
| Responsibility statement | "This declaration of conformity is issued under the sole responsibility of the manufacturer." |
| Object of the declaration | Product description sufficient for traceability, including photograph or drawing if the product is physical. |
| Applicable Union legislation | List every regulation the product conforms to, starting with Regulation (EU) 2024/2847 (Cyber Resilience Act) and adding any other horizontal legislation (RED, EMC, Machinery, and so on) that applies. |
| Harmonised standards or specifications applied | List each standard with version number. If no harmonised standard covers part of Annex I, reference the specification or common specification used instead. |
| Notified Body block (Module B+C or H) | Notified Body name, four-digit identification number, certificate reference, the module performed, and the certificate number issued. Omit this field entirely for Module A. |
| Additional information | Support period end date, contact point for vulnerability reports, and any other information the CRA or the applicable legislation requires. |
Close the DoC with the signatory name and function, the place and date of issue, and a signature. A DoC without a dated signature from a person identified by name and role is not a valid DoC.
CE marking
After conformity assessment, affix the CE marking. The visual form of the mark is fixed. What changes is whether a four-digit Notified Body number travels with it.
CE marking requirements
| Topic | What changes | Why CRA teams care | Anchor |
|---|---|---|---|
| Visibility | Visible, legible, and indelible once affixed. | A mark that cannot be read or verified can fail the product check. | Readable CE mark. |
| Min height | 5 mm general minimum, measured from the bottom to the top of the C glyph. Art 30(2) allows a smaller mark where the product's nature warrants. | Applies whatever conformity route you use, though small products may carry a sub-5 mm mark under Art 30(2). | 5 mm general minimum; Art 30(2) derogation. |
| Proportions | Use the fixed CE proportions. | Do not redraw, stretch, or restyle the mark for packaging or UI convenience. | Regulation (EC) No 765/2008 Annex II. |
| Location | On the product. On packaging only if product marking is not feasible. | Packaging-only marking is a fallback, not the default. | Product first. |
| NB number | Required next to the mark only if Module H (full quality assurance) was used. | The number shows which Notified Body was involved in the assessed route. | CE plus four digits. |
CE marking placement
| Item | Details |
|---|---|
| Physical product |
|
| Software |
|
| With Notified Body |
|
Common mistakes
Self-assessing (Module A) when your product is Important Class II is an invalid conformity assessment. The product cannot be legally placed on the EU market.
Each of the five mistakes below has the same anatomy: a tempting shortcut, a serious consequence, and a specific preventive habit.
| Item | Details |
|---|---|
| 1 · Self-assessing when not allowed | Problem. Choosing Module A for an Important Class II product. Consequence. Invalid conformity assessment. The product cannot be legally placed on the market. Prevention. Always verify product classification before choosing the assessment route. |
| 2 · Partial standard application | Problem. Claiming Module A for Important Class I while the relevant standards, specifications, or scheme are only partly applied. Consequence. Module A is not available without full coverage. Prevention. If you cannot fully apply the relevant route, use Module B+C or H. |
| 3 · Inadequate documentation | Problem. Technical file lacks required content for the chosen module. Consequence. You cannot demonstrate conformity. The DoC is not valid. Prevention. Use checklists. Review the documentation requirements for your specific module before signing. |
| 4 · Notified Body surprise | Problem. Discovering late that the product requires NB assessment. Consequence. Delayed market entry. NB queue times can be months. Prevention. Classify products early. Engage Notified Bodies proactively. |
| 5 · DoC before assessment | Problem. Signing the DoC before completing conformity assessment. Consequence. False declaration. Legal liability. Prevention. The DoC is the final step, after all assessment activities complete. |
Conformity assessment checklist
Work through the pre-assessment card first. Then complete only the cards for the module your product uses. Every product finishes on the Finalisation card.
| Item | Details |
|---|---|
| Pre-assessment |
|
| Module A · Self-assessment |
|
| Module B · EU-Type exam |
|
| Module C · Conformity to type |
|
| Module H · Full QA |
|
| Finalisation · All modules |
|
Frequently asked questions
Can a Default category product always use Module A self-assessment?
Yes. Default products may always use Module A self-assessment. You conduct the assessment yourself, document it in the technical file, sign the EU Declaration of Conformity, and affix the CE mark. No Notified Body is involved. The "roughly 90%" share is an estimate based on the narrowness of the Important and Critical product scope, not a CRA-stated figure.
When is a Notified Body mandatory for Important Class I products?
Only when you cannot fully apply the relevant harmonised standards, common specifications, or a European cybersecurity certification scheme at "substantial" assurance. If one of those routes covers your product type's essential cybersecurity requirements and you apply it completely, Module A self-assessment remains available. If no applicable route exists, or you apply one partially, you must use Module B+C or H.
Are there any Notified Bodies designated for CRA yet?
As of June 2026, zero Notified Bodies have been designated for the CRA. Designations are published in the NANDO database. Manufacturers of Important Class II and Critical products cannot complete third-party assessment until designations happen. Plan for this delay.
What does Module B+C conformity assessment involve?
Module B is the product type examination performed by a Notified Body, which reviews your technical documentation, tests a representative specimen, and issues an EU-Type Examination Certificate. Module C is the production-conformity phase you run: each unit must conform to the certified type, and the EU Declaration of Conformity references the certificate number.
Can harmonised standards substitute for a Notified Body assessment?
For Important Class I products only. If you fully apply the relevant harmonised standards, common specifications, or European cybersecurity certification scheme covering every essential cybersecurity requirement, you may self-assess under Module A without a Notified Body. For Important Class II products, third-party assessment is mandatory regardless of standards. Critical products follow a separate route: certification once the Commission has switched it on, or the Module B+C / H / approved scheme fallback.
What is the cost of a Notified Body conformity assessment?
Plan for EUR 30,000 to EUR 100,000 or more in NB examination fees, plus EUR 2,000 to EUR 5,000 application fee and EUR 1,000 to EUR 5,000 sample preparation. Queue times currently run 4 to 16 weeks, so factor in schedule risk on top of cost. (Figures are estimates from analogue regimes (RED, MDR) and early CRA consultancy pricing, not values stated in the CRA.)