CRA Conformity Assessment: Module A vs B+C vs H Decision Guide
How to choose the right conformity assessment route for your product. Covers self-assessment eligibility, Notified Body requirements, and practical implementation for each module.
In this article
Your CRA conformity assessment route determines cost, timeline, and external dependencies. Choose wrong and you'll waste months and thousands of euros. Choose right and you'll have a clear path to CE marking.
This guide helps you select the correct conformity assessment module and understand what each involves.
Summary
- Module A (Self-Assessment): Available for Default products and Important Class I (if using harmonized standards)
- Module B+C (Third-Party): Required for Important Class II, optional for others
- Module H (Full QA): Alternative to B+C for organizations with multiple products
- Product classification determines which options are available
- Cost difference: Module A (~$5-20K internal), B+C (~$30-100K+), H (~$50K+ setup + ongoing)
Tip: About 90% of products are Default category and can use Module A (self-assessment). This is the fastest and cheapest path to CE marking.
Conformity Assessment Overview
Conformity assessment is how you demonstrate your product meets CRA requirements. The EU Declaration of Conformity (DoC) you sign declares your product conforms, but you must have evidence to back that claim.
The CRA offers three conformity assessment modules:
MODULE OPTIONS BY PRODUCT CATEGORY
+-------------------------------------------------------------+
| DEFAULT PRODUCTS |
| (~90% of products) |
+-------------------------------------------------------------+
| Module A (Self-Assessment) ✓ Allowed |
| Module B+C (Third-Party) ✓ Allowed (optional) |
| Module H (Full QA) ✓ Allowed (optional) |
\-------------------------------------------------------------+
+-------------------------------------------------------------+
| IMPORTANT CLASS I PRODUCTS |
| (Annex III, Part I) |
+-------------------------------------------------------------+
| Module A (Self-Assessment) ✓ IF harmonized standards |
| Module B+C (Third-Party) ✓ Allowed |
| Module H (Full QA) ✓ Allowed |
\-------------------------------------------------------------+
+-------------------------------------------------------------+
| IMPORTANT CLASS II PRODUCTS |
| (Annex III, Part II) |
+-------------------------------------------------------------+
| Module A (Self-Assessment) ✗ NOT Allowed |
| Module B+C (Third-Party) ✓ REQUIRED |
| Module H (Full QA) ✓ Allowed |
\-------------------------------------------------------------+
+-------------------------------------------------------------+
| CRITICAL PRODUCTS |
| (Annex IV) |
+-------------------------------------------------------------+
| Module A (Self-Assessment) ✗ NOT Allowed |
| Module B+C (Third-Party) ✓ REQUIRED + EUCC |
| Module H (Full QA) ✓ Allowed + EUCC |
\-------------------------------------------------------------+
When Can You Use Module A Self-Assessment?
Self-assessment. You evaluate your own product against CRA requirements.
When Module A Is Available
- Default products: Always available
- Important Class I: Only if you fully apply relevant harmonized standards
What "Harmonized Standards" Means
For Important Class I self-assessment, you must apply harmonized standards that:
- Cover the essential requirements in Annex I
- Are published in the Official Journal of the EU
- Are applied completely (not partially)
If no harmonized standard exists for your product type, Important Class I products must use Module B+C or H.
Harmonized standards for CRA are still being developed. Monitor OJEU publications.
Module A Process
MODULE A CONFORMITY ASSESSMENT
1. DESIGN PHASE
+-- Apply security-by-design principles
+-- Conduct risk assessment (Annex I requirements)
+-- Document security architecture
\-- Apply harmonized standards (if Class I)
2. DOCUMENTATION
+-- Create technical file (Annex VII)
| +-- Product description
| +-- Risk assessment results
| +-- Design documentation
| +-- Standards applied
| +-- Test results
| \-- SBOM
\-- Prepare EU Declaration of Conformity
3. PRODUCTION CONTROLS
+-- Ensure production maintains conformity
+-- Document quality controls
\-- Verify each unit (where applicable)
4. FINALIZATION
+-- Sign EU Declaration of Conformity
+-- Affix CE marking
\-- Retain documentation (10 years)
Module A Documentation Requirements
Your technical file under Module A must include:
General Description:
- Product identification and intended purpose
- Versions covered
- User instructions provided
- Cybersecurity risks identified
- Threats and attack scenarios considered
- Risk treatment decisions
Design Documentation:
- System architecture
- Security measures implemented
- How each Annex I requirement is met
Standards and Testing:
- Standards applied (with version numbers)
- Test plans and results
- Verification that standards are fully applied (for Class I)
SBOM:
- Components included
- Vulnerabilities known at time of assessment
Production:
- How production maintains conformity
- Quality control measures
Module A Costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| Risk assessment | $5,000-15,000 | Internal or consultant |
| Technical documentation | $5,000-20,000 | Depends on complexity |
| Testing | $2,000-10,000 | Internal or lab |
| SBOM tooling | $0-5,000 | Tools may already exist |
| Internal staff time | Variable | Often the largest cost |
Total typical range: $15,000-50,000 (internal costs)
Module A Timeline
| Phase | Duration |
|---|---|
| Risk assessment | 2-4 weeks |
| Documentation | 4-8 weeks |
| Testing | 2-4 weeks |
| Review and finalization | 1-2 weeks |
Total typical timeline: 2-4 months
When Does CRA Require a Notified Body?
Third-party assessment. A Notified Body examines your product design.
When Module B+C Is Required
- Important Class II: Mandatory
- Critical products: Mandatory (plus EUCC)
- Important Class I: If not using harmonized standards
Module B: EU-Type Examination
A Notified Body examines a representative sample (type) of your product and issues a certificate.
MODULE B PROCESS
1. APPLICATION
+-- Select Notified Body
+-- Submit application with:
| +-- Product sample(s)
| +-- Technical documentation
| \-- Application form
\-- Pay initial fees
2. EXAMINATION
+-- NB reviews documentation
+-- NB tests product sample
+-- NB verifies Annex I compliance
\-- NB may request additional info/tests
3. DECISION
+-- Compliant → EU-Type Examination Certificate
+-- Non-compliant → Deficiency report
\-- If deficiencies: remediate and re-submit
4. CERTIFICATE
+-- Valid for assessed product type
+-- Lists conditions and limitations
\-- Subject to review (typically 5 years)
Module C: Conformity to Type
After Module B, you ensure production conforms to the certified type.
MODULE C PROCESS
1. PRODUCTION CONTROLS
+-- Ensure each unit conforms to certified type
+-- Document production processes
\-- Maintain quality controls
2. DECLARATION
+-- Reference EU-Type Examination Certificate
+-- Sign EU Declaration of Conformity
\-- Affix CE marking
3. ONGOING
+-- Maintain conformity to certified type
+-- Report changes that affect type to NB
\-- Recertify if substantial changes
Notified Body Selection
Considerations when choosing a Notified Body:
| Factor | Consideration |
|---|---|
| Scope | Is NB designated for CRA and your product type? |
| Capacity | Do they have availability? (Early CRA = limited capacity) |
| Location | Easier logistics if nearby |
| Experience | Familiarity with your product type |
| Cost | Fees vary significantly |
| Timeline | How quickly can they schedule examination? |
Finding NBs: Check NANDO database (EU's official Notified Body registry) once CRA designations are published.
Warning: Notified Body fees typically range from €30,000-100,000+, and queue times can reach 4-16 weeks. Budget and plan accordingly.
Module B+C Costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| NB application fee | $2,000-5,000 | Non-refundable |
| NB examination fee | $15,000-50,000 | Depends on complexity |
| Sample preparation | $1,000-5,000 | Product samples for testing |
| Technical documentation | $10,000-30,000 | Must meet NB requirements |
| Travel/logistics | $1,000-5,000 | If on-site visits required |
| Remediation (if needed) | Variable | Re-testing, documentation fixes |
Total typical range: $30,000-100,000+
Module B+C Timeline
| Phase | Duration |
|---|---|
| NB selection and application | 2-4 weeks |
| Documentation preparation | 4-8 weeks |
| NB queue time | 4-16 weeks (varies significantly) |
| Examination | 4-8 weeks |
| Certificate issuance | 2-4 weeks |
Total typical timeline: 4-10 months
Module H: Full Quality Assurance
Quality management system approach. NB approves your QMS for design, production, and testing.
When Module H Makes Sense
Module H is advantageous when:
- You have multiple products requiring third-party assessment
- You already have a mature QMS (ISO 9001, ISO 27001)
- You want ongoing NB relationship rather than per-product examination
- You release frequent product updates
Module H Process
MODULE H PROCESS
1. QMS ESTABLISHMENT
+-- Design quality system covering:
| +-- Design process
| +-- Production controls
| +-- Testing procedures
| \-- Documentation management
\-- Align with CRA requirements
2. NB ASSESSMENT
+-- Submit QMS documentation
+-- NB audits your QMS
+-- NB verifies CRA alignment
\-- NB issues QMS approval certificate
3. PRODUCT DESIGN (per product)
+-- Follow approved QMS for design
+-- Conduct design examination
+-- Document compliance
\-- NB may audit design process
4. PRODUCTION
+-- Follow approved QMS for production
+-- Document conformity
\-- NB conducts surveillance audits
5. DECLARATION (per product)
+-- Sign EU Declaration of Conformity
+-- Reference QMS certificate
\-- Affix CE marking
6. ONGOING
+-- Maintain QMS
+-- NB surveillance audits (typically annual)
\-- Recertify QMS (typically every 3-5 years)
Module H QMS Requirements
Your quality management system must cover:
Design Quality:
- Design process controls
- Risk assessment methodology
- Design review procedures
- Configuration management
- Design verification and validation
Production Quality:
- Production process controls
- Quality control testing
- Non-conformity handling
- Traceability
- Equipment calibration
Documentation Quality:
- Technical file requirements
- Document control
- Record retention
- Change management
Cybersecurity Integration:
- Secure development lifecycle
- Vulnerability management
- Update processes
- Incident response
Module H Costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| QMS development/upgrade | $20,000-50,000 | If starting from scratch |
| NB initial audit | $15,000-30,000 | QMS certification |
| Annual surveillance | $5,000-15,000 | Ongoing |
| Per-product design review | $5,000-15,000 | Varies by complexity |
Initial setup: $40,000-100,000 Annual ongoing: $10,000-30,000
Module H vs B+C Decision
| Factor | Module B+C | Module H |
|---|---|---|
| Number of products | 1-3 products | 4+ products |
| Existing QMS | No mature QMS | Mature QMS exists |
| Update frequency | Infrequent updates | Frequent releases |
| Organization size | Small/medium | Medium/large |
| Upfront cost | Lower | Higher |
| Per-product cost | Higher | Lower |
| Ongoing cost | Lower | Higher (surveillance) |
Tip: Module H becomes cost-effective at 4+ products. If you have a mature QMS (ISO 9001, ISO 27001), it's often the better long-term investment.
Rule of thumb: Module H becomes cost-effective at 4+ products or when you'd need re-examination frequently.
Decision Framework
Step 1: Determine Product Classification
Use the product classification guide to determine: Default, Important Class I, Important Class II, or Critical.
Step 2: Identify Available Options
IF Default:
Options: A, B+C, H
Recommendation: Module A (unless you want third-party validation)
IF Important Class I:
IF harmonized standards exist AND you apply them fully:
Options: A, B+C, H
Recommendation: Module A (with standards)
ELSE:
Options: B+C, H
Recommendation: B+C (unless multiple products)
IF Important Class II:
Options: B+C, H
Recommendation: B+C (unless multiple products or mature QMS)
IF Critical:
Options: B+C + EUCC, H + EUCC
Recommendation: Depends on organization capabilities
Step 3: Consider Business Factors
| Factor | Favors Module A | Favors B+C | Favors H |
|---|---|---|---|
| Budget constrained | ✓ | ||
| Time constrained | ✓ | ||
| Need external validation | ✓ | ✓ | |
| Single product | ✓ | ✓ | |
| Many products | ✓ | ||
| Frequent updates | ✓ | ||
| No existing QMS | ✓ | ✓ | |
| Mature QMS | ✓ | ||
| Customer requires NB | ✓ | ✓ |
Step 4: Calculate Costs
COST COMPARISON EXAMPLE
Scenario: 5 Important Class II products, no existing QMS
OPTION 1: Module B+C for each
+-- Per product: $50,000 average
+-- 5 products: $250,000
+-- Re-examination (updates): $25,000/product/update
\-- 5-year cost (assuming 2 updates/product): $500,000
OPTION 2: Module H
+-- QMS setup: $50,000
+-- Initial certification: $25,000
+-- Per-product design review: $10,000 × 5 = $50,000
+-- Annual surveillance: $12,000 × 5 years = $60,000
+-- Update reviews: $5,000/product/update × 10 = $50,000
\-- 5-year cost: $235,000
Decision: Module H saves $265,000 over 5 years
EU Declaration of Conformity
Regardless of module chosen, you must issue an EU Declaration of Conformity.
DoC Required Contents
EU DECLARATION OF CONFORMITY
(Cyber Resilience Act - Regulation (EU) 2024/2847)
1. Product identification:
[Product name, type, batch, serial number(s)]
2. Name and address of the manufacturer:
[Your company details]
3. This declaration of conformity is issued under the sole
responsibility of the manufacturer.
4. Object of the declaration:
[Product description, sufficient for traceability]
5. The object of the declaration described above is in conformity
with the relevant Union harmonisation legislation:
- Regulation (EU) 2024/2847 (Cyber Resilience Act)
- [Other applicable legislation]
6. References to the relevant harmonised standards used, or
references to the specifications in relation to which conformity
is declared:
[List standards applied, with version numbers]
7. Where applicable, the notified body:
[NB name, number, certificate reference]
performed: [Module B/H examination]
and issued: [certificate number]
8. Additional information:
[Support period, contact for vulnerability reports, etc.]
Signed for and on behalf of:
[Name, function]
[Place and date of issue]
[Signature]
CE Marking
After conformity assessment, affix the CE marking.
CE Marking Requirements
- Visible, legible, indelible
- Minimum 5mm height
- Correct proportions (as specified in legislation)
- On product or packaging (if product marking not feasible)
- Accompanied by Notified Body number if Module B or H used
CE Marking Placement
CE MARKING EXAMPLES
Physical product:
+-- On product itself (preferred)
+-- On rating plate/label
+-- On packaging (if product too small)
\-- In documentation (if physical marking impossible)
Software:
+-- In about/info screen
+-- In documentation
\-- On packaging (if physical media)
With Notified Body (Module B or H):
CE marking + NB number
e.g., CE 1234 (where 1234 is NB identification number)
Common Mistakes
Important: Self-assessing (Module A) when your product is Important Class II is an invalid conformity assessment. The product cannot be legally placed on the EU market.
Self-Assessing When Not Allowed
Problem: Choosing Module A for Important Class II product.
Consequence: Invalid conformity assessment. Product cannot be legally placed on market.
Prevention: Always verify product classification before choosing assessment route.
Partial Standard Application
Problem: Claiming Module A for Important Class I while only partially applying harmonized standards.
Consequence: Module A is not available without full standard application.
Prevention: If you can't fully apply standards, use Module B+C or H.
Inadequate Documentation
Problem: Technical file lacks required content for chosen module.
Consequence: Cannot demonstrate conformity. DoC not valid.
Prevention: Use checklists. Review documentation requirements for your specific module.
Notified Body Surprise
Problem: Discovering late that product requires NB assessment.
Consequence: Delayed market entry (NB queue times can be months).
Prevention: Classify products early. Engage NBs proactively.
DoC Before Assessment
Problem: Signing DoC before completing conformity assessment.
Consequence: False declaration. Legal liability.
Prevention: DoC is the final step, after all assessment activities complete.
Conformity Assessment Checklist
CONFORMITY ASSESSMENT CHECKLIST
PRE-ASSESSMENT:
[ ] Product classification determined
[ ] Available modules identified
[ ] Module selected based on requirements and business factors
[ ] Timeline established
[ ] Budget allocated
MODULE A (Self-Assessment):
[ ] Risk assessment completed
[ ] Annex I requirements addressed
[ ] Harmonized standards applied (if Class I)
[ ] Technical file prepared
[ ] Testing completed
[ ] Production controls documented
[ ] DoC prepared
MODULE B (EU-Type Examination):
[ ] Notified Body selected
[ ] Application submitted
[ ] Technical documentation provided
[ ] Product sample(s) provided
[ ] Examination completed
[ ] Certificate received
[ ] Deficiencies addressed (if any)
MODULE C (Conformity to Type):
[ ] Production controls established
[ ] Type conformity verified
[ ] Documentation maintained
[ ] DoC references certificate
MODULE H (Full QA):
[ ] QMS developed/updated
[ ] NB audit scheduled
[ ] QMS certificate received
[ ] Per-product design review completed
[ ] Surveillance audit schedule established
FINALIZATION (All Modules):
[ ] EU Declaration of Conformity signed
[ ] CE marking affixed
[ ] Technical file archived (10-year retention)
[ ] Market placement ready
Frequently Asked Questions
Can a Default category product always use Module A self-assessment?
Yes. Default products (roughly 90% of all products) may always use Module A. You conduct the assessment yourself, document it in a technical file, sign the EU Declaration of Conformity, and affix the CE mark. No Notified Body is involved.
When is a Notified Body mandatory for Important Class I products?
Only when you can't fully apply relevant harmonized standards. If a harmonized standard covering your product type's Annex I requirements exists in the OJEU and you apply it completely, Module A self-assessment remains available. If no applicable standard exists, or you apply one partially, you must use Module B+C or H.
Are there any Notified Bodies designated for CRA yet?
As of April 2026, zero Notified Bodies have been designated for the CRA. Designations are published in the NANDO database. Manufacturers of Important Class II and Critical products cannot complete third-party assessment until designations happen. Plan for this delay.
What does Module B+C conformity assessment involve?
Module B is a product type examination. A Notified Body reviews your technical documentation, tests a product sample, and issues an EU-Type Examination Certificate. Module C follows: you confirm each production unit conforms to the certified type, then sign the EU Declaration of Conformity referencing the certificate number.
Can harmonised standards substitute for a Notified Body assessment?
For Important Class I products only. If you fully apply harmonized standards covering all Annex I essential requirements, you may self-assess under Module A without a Notified Body. For Important Class II and Critical products, a Notified Body is mandatory regardless of which standards you apply.
What is the cost of a Notified Body conformity assessment?
Notified Body fees for Module B+C typically run EUR 30,000 to EUR 100,000 or more, depending on product complexity. Add EUR 2,000 to EUR 5,000 for the application fee and EUR 1,000 to EUR 5,000 for sample preparation. Queue times currently run 4 to 16 weeks, so factor in schedule risk on top of cost.
Next Steps
Managing CRA conformity across multiple products? CRA Evidence tracks your assessment module per product, stores technical file documentation, and monitors Notified Body designation status as NANDO updates.
Once you've confirmed your module, build your evidence package with our Annex VII technical file guide. Check the product classification guide if your category is still uncertain.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
Related Articles
ECSMAF v3.0 Explained: How ENISA Maps the EU Cybersecurity Market
Does the CRA apply to your product?
Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.
Ready to achieve CRA compliance?
Start managing your SBOMs and compliance documentation with CRA Evidence.