CRA Conformity Assessment: Module A vs B+C vs H Decision Guide

Your CRA conformity assessment route determines cost, timeline, and external dependencies. Choose wrong and you'll waste months and thousands of euros. Choose right and you'll have a clear path to CE marking.

This guide helps you select the correct conformity assessment module and understand what each involves.

Conformity Assessment Overview

Conformity assessment is how you demonstrate your product meets CRA requirements. The EU Declaration of Conformity (DoC) you sign declares your product conforms, but you must have evidence to back that claim.

The CRA offers three conformity assessment modules:

MODULE OPTIONS BY PRODUCT CATEGORY

┌─────────────────────────────────────────────────────────────┐
│                    DEFAULT PRODUCTS                          │
│                   (~90% of products)                         │
├─────────────────────────────────────────────────────────────┤
│   Module A (Self-Assessment)     ✓ Allowed                  │
│   Module B+C (Third-Party)       ✓ Allowed (optional)       │
│   Module H (Full QA)             ✓ Allowed (optional)       │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│              IMPORTANT CLASS I PRODUCTS                      │
│              (Annex III, Part I)                             │
├─────────────────────────────────────────────────────────────┤
│   Module A (Self-Assessment)     ✓ IF harmonized standards  │
│   Module B+C (Third-Party)       ✓ Allowed                  │
│   Module H (Full QA)             ✓ Allowed                  │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│              IMPORTANT CLASS II PRODUCTS                     │
│              (Annex III, Part II)                            │
├─────────────────────────────────────────────────────────────┤
│   Module A (Self-Assessment)     ✗ NOT Allowed              │
│   Module B+C (Third-Party)       ✓ REQUIRED                 │
│   Module H (Full QA)             ✓ Allowed                  │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│                  CRITICAL PRODUCTS                           │
│                    (Annex IV)                                │
├─────────────────────────────────────────────────────────────┤
│   Module A (Self-Assessment)     ✗ NOT Allowed              │
│   Module B+C (Third-Party)       ✓ REQUIRED + EUCC          │
│   Module H (Full QA)             ✓ Allowed + EUCC           │
└─────────────────────────────────────────────────────────────┘

Module A: Internal Production Control

Self-assessment. You evaluate your own product against CRA requirements.

When Module A Is Available

• Default products: Always available
• Important Class I: Only if you fully apply relevant harmonized standards

What "Harmonized Standards" Means

For Important Class I self-assessment, you must apply harmonized standards that:

• Cover the essential requirements in Annex I
• Are published in the Official Journal of the EU
• Are applied completely (not partially)

If no harmonized standard exists for your product type, Important Class I products must use Module B+C or H.

VERIFY WITH PRIMARY SOURCE: Harmonized standards for CRA are still being developed. Monitor OJEU publications.

Module A Process

MODULE A CONFORMITY ASSESSMENT

1. DESIGN PHASE
   ├── Apply security-by-design principles
   ├── Conduct risk assessment (Annex I requirements)
   ├── Document security architecture
   └── Apply harmonized standards (if Class I)

2. DOCUMENTATION
   ├── Create technical file (Annex VII)
   │   ├── Product description
   │   ├── Risk assessment results
   │   ├── Design documentation
   │   ├── Standards applied
   │   ├── Test results
   │   └── SBOM
   └── Prepare EU Declaration of Conformity

3. PRODUCTION CONTROLS
   ├── Ensure production maintains conformity
   ├── Document quality controls
   └── Verify each unit (where applicable)

4. FINALIZATION
   ├── Sign EU Declaration of Conformity
   ├── Affix CE marking
   └── Retain documentation (10 years)

Module A Documentation Requirements

Your technical file under Module A must include:

General Description:

• Product identification and intended purpose
• Versions covered
• User instructions provided

Risk Assessment:

• Cybersecurity risks identified
• Threats and attack scenarios considered
• Risk treatment decisions

Design Documentation:

• System architecture
• Security measures implemented
• How each Annex I requirement is met

Standards and Testing:

• Standards applied (with version numbers)
• Test plans and results
• Verification that standards are fully applied (for Class I)

SBOM:

• Components included
• Vulnerabilities known at time of assessment

Production:

• How production maintains conformity
• Quality control measures

Module A Costs

Total typical range: $15,000-50,000 (internal costs)

Module A Timeline

Total typical timeline: 2-4 months

Module B+C: EU-Type Examination

Third-party assessment. A Notified Body examines your product design.

When Module B+C Is Required

• Important Class II: Mandatory
• Critical products: Mandatory (plus EUCC)
• Important Class I: If not using harmonized standards

Module B: EU-Type Examination

A Notified Body examines a representative sample (type) of your product and issues a certificate.

MODULE B PROCESS

1. APPLICATION
   ├── Select Notified Body
   ├── Submit application with:
   │   ├── Product sample(s)
   │   ├── Technical documentation
   │   └── Application form
   └── Pay initial fees

2. EXAMINATION
   ├── NB reviews documentation
   ├── NB tests product sample
   ├── NB verifies Annex I compliance
   └── NB may request additional info/tests

3. DECISION
   ├── Compliant → EU-Type Examination Certificate
   ├── Non-compliant → Deficiency report
   └── If deficiencies: remediate and re-submit

4. CERTIFICATE
   ├── Valid for assessed product type
   ├── Lists conditions and limitations
   └── Subject to review (typically 5 years)

Module C: Conformity to Type

After Module B, you ensure production conforms to the certified type.

MODULE C PROCESS

1. PRODUCTION CONTROLS
   ├── Ensure each unit conforms to certified type
   ├── Document production processes
   └── Maintain quality controls

2. DECLARATION
   ├── Reference EU-Type Examination Certificate
   ├── Sign EU Declaration of Conformity
   └── Affix CE marking

3. ONGOING
   ├── Maintain conformity to certified type
   ├── Report changes that affect type to NB
   └── Recertify if substantial changes

Notified Body Selection

Considerations when choosing a Notified Body:

Finding NBs: Check NANDO database (EU's official Notified Body registry) once CRA designations are published.

Module B+C Costs

Total typical range: $30,000-100,000+

Module B+C Timeline

Total typical timeline: 4-10 months

Module H: Full Quality Assurance

Quality management system approach. NB approves your QMS for design, production, and testing.

When Module H Makes Sense

Module H is advantageous when:

• You have multiple products requiring third-party assessment
• You already have a mature QMS (ISO 9001, ISO 27001)
• You want ongoing NB relationship rather than per-product examination
• You release frequent product updates

Module H Process

MODULE H PROCESS

1. QMS ESTABLISHMENT
   ├── Design quality system covering:
   │   ├── Design process
   │   ├── Production controls
   │   ├── Testing procedures
   │   └── Documentation management
   └── Align with CRA requirements

2. NB ASSESSMENT
   ├── Submit QMS documentation
   ├── NB audits your QMS
   ├── NB verifies CRA alignment
   └── NB issues QMS approval certificate

3. PRODUCT DESIGN (per product)
   ├── Follow approved QMS for design
   ├── Conduct design examination
   ├── Document compliance
   └── NB may audit design process

4. PRODUCTION
   ├── Follow approved QMS for production
   ├── Document conformity
   └── NB conducts surveillance audits

5. DECLARATION (per product)
   ├── Sign EU Declaration of Conformity
   ├── Reference QMS certificate
   └── Affix CE marking

6. ONGOING
   ├── Maintain QMS
   ├── NB surveillance audits (typically annual)
   └── Recertify QMS (typically every 3-5 years)

Module H QMS Requirements

Your quality management system must cover:

Design Quality:

• Design process controls
• Risk assessment methodology
• Design review procedures
• Configuration management
• Design verification and validation

Production Quality:

• Production process controls
• Quality control testing
• Non-conformity handling
• Traceability
• Equipment calibration

Documentation Quality:

• Technical file requirements
• Document control
• Record retention
• Change management

Cybersecurity Integration:

• Secure development lifecycle
• Vulnerability management
• Update processes
• Incident response

Module H Costs

Initial setup: $40,000-100,000 Annual ongoing: $10,000-30,000

Module H vs B+C Decision

Rule of thumb: Module H becomes cost-effective at 4+ products or when you'd need re-examination frequently.

Decision Framework

Step 1: Determine Product Classification

Use the product classification guide to determine: Default, Important Class I, Important Class II, or Critical.

Step 2: Identify Available Options

IF Default:
    Options: A, B+C, H
    Recommendation: Module A (unless you want third-party validation)

IF Important Class I:
    IF harmonized standards exist AND you apply them fully:
        Options: A, B+C, H
        Recommendation: Module A (with standards)
    ELSE:
        Options: B+C, H
        Recommendation: B+C (unless multiple products)

IF Important Class II:
    Options: B+C, H
    Recommendation: B+C (unless multiple products or mature QMS)

IF Critical:
    Options: B+C + EUCC, H + EUCC
    Recommendation: Depends on organization capabilities

Step 3: Consider Business Factors

Step 4: Calculate Costs

COST COMPARISON EXAMPLE

Scenario: 5 Important Class II products, no existing QMS

OPTION 1: Module B+C for each
├── Per product: $50,000 average
├── 5 products: $250,000
├── Re-examination (updates): $25,000/product/update
└── 5-year cost (assuming 2 updates/product): $500,000

OPTION 2: Module H
├── QMS setup: $50,000
├── Initial certification: $25,000
├── Per-product design review: $10,000 × 5 = $50,000
├── Annual surveillance: $12,000 × 5 years = $60,000
├── Update reviews: $5,000/product/update × 10 = $50,000
└── 5-year cost: $235,000

Decision: Module H saves $265,000 over 5 years

EU Declaration of Conformity

Regardless of module chosen, you must issue an EU Declaration of Conformity.

DoC Required Contents

EU DECLARATION OF CONFORMITY
(Cyber Resilience Act - Regulation (EU) 2024/2847)

1. Product identification:
   [Product name, type, batch, serial number(s)]

2. Name and address of the manufacturer:
   [Your company details]

3. This declaration of conformity is issued under the sole
   responsibility of the manufacturer.

4. Object of the declaration:
   [Product description, sufficient for traceability]

5. The object of the declaration described above is in conformity
   with the relevant Union harmonisation legislation:
   - Regulation (EU) 2024/2847 (Cyber Resilience Act)
   - [Other applicable legislation]

6. References to the relevant harmonised standards used, or
   references to the specifications in relation to which conformity
   is declared:
   [List standards applied, with version numbers]

7. Where applicable, the notified body:
   [NB name, number, certificate reference]
   performed: [Module B/H examination]
   and issued: [certificate number]

8. Additional information:
   [Support period, contact for vulnerability reports, etc.]

Signed for and on behalf of:
[Name, function]
[Place and date of issue]
[Signature]

CE Marking

After conformity assessment, affix the CE marking.

CE Marking Requirements

• Visible, legible, indelible
• Minimum 5mm height
• Correct proportions (as specified in legislation)
• On product or packaging (if product marking not feasible)
• Accompanied by Notified Body number if Module B or H used

CE Marking Placement

CE MARKING EXAMPLES

Physical product:
├── On product itself (preferred)
├── On rating plate/label
├── On packaging (if product too small)
└── In documentation (if physical marking impossible)

Software:
├── In about/info screen
├── In documentation
└── On packaging (if physical media)

With Notified Body (Module B or H):
CE marking + NB number
e.g., CE 1234 (where 1234 is NB identification number)

Common Mistakes

Self-Assessing When Not Allowed

Problem: Choosing Module A for Important Class II product.

Consequence: Invalid conformity assessment. Product cannot be legally placed on market.

Prevention: Always verify product classification before choosing assessment route.

Partial Standard Application

Problem: Claiming Module A for Important Class I while only partially applying harmonized standards.

Consequence: Module A is not available without full standard application.

Prevention: If you can't fully apply standards, use Module B+C or H.

Inadequate Documentation

Problem: Technical file lacks required content for chosen module.

Consequence: Cannot demonstrate conformity. DoC not valid.

Prevention: Use checklists. Review documentation requirements for your specific module.

Notified Body Surprise

Problem: Discovering late that product requires NB assessment.

Consequence: Delayed market entry (NB queue times can be months).

Prevention: Classify products early. Engage NBs proactively.

DoC Before Assessment

Problem: Signing DoC before completing conformity assessment.

Consequence: False declaration. Legal liability.

Prevention: DoC is the final step, after all assessment activities complete.

Conformity Assessment Checklist

CONFORMITY ASSESSMENT CHECKLIST

PRE-ASSESSMENT:
[ ] Product classification determined
[ ] Available modules identified
[ ] Module selected based on requirements and business factors
[ ] Timeline established
[ ] Budget allocated

MODULE A (Self-Assessment):
[ ] Risk assessment completed
[ ] Annex I requirements addressed
[ ] Harmonized standards applied (if Class I)
[ ] Technical file prepared
[ ] Testing completed
[ ] Production controls documented
[ ] DoC prepared

MODULE B (EU-Type Examination):
[ ] Notified Body selected
[ ] Application submitted
[ ] Technical documentation provided
[ ] Product sample(s) provided
[ ] Examination completed
[ ] Certificate received
[ ] Deficiencies addressed (if any)

MODULE C (Conformity to Type):
[ ] Production controls established
[ ] Type conformity verified
[ ] Documentation maintained
[ ] DoC references certificate

MODULE H (Full QA):
[ ] QMS developed/updated
[ ] NB audit scheduled
[ ] QMS certificate received
[ ] Per-product design review completed
[ ] Surveillance audit schedule established

FINALIZATION (All Modules):
[ ] EU Declaration of Conformity signed
[ ] CE marking affixed
[ ] Technical file archived (10-year retention)
[ ] Market placement ready

How CRA Evidence Helps

CRA Evidence supports all conformity assessment routes:

• Module selection guidance: Based on your product classification
• Documentation templates: Technical file structure per module
• Checklist tracking: Module-specific requirements
• DoC generation: Compliant declaration templates
• Notified Body coordination: Track examination status and certificates

Plan your conformity assessment at app.craevidence.com.

Related Guides

Classification: First, determine your product category with our classification guide.

Technical File: Build your evidence package with our Annex VII technical file guide.

Costs: Estimate your total compliance costs with our CRA cost estimation guide.

Declaration: Prepare your EU Declaration of Conformity.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.