Your CRA conformity assessment route determines cost, timeline, and external dependencies. Choose wrong and you'll waste months and thousands of euros. Choose right and you'll have a clear path to CE marking.
This guide helps you select the correct conformity assessment module and understand what each involves.
Sources: CRA Article 13(13) (retention period); NANDO database, the EU Notified Body registry (designation status); figures stated in this guide. The "~90%" Default-products figure is an estimate based on the narrowness of Annex III/IV, not a CRA-stated value.
Summary
- Module A (Self-Assessment): Available for Default products and Important Class I (if using harmonized standards)
- Module B+C (Third-Party): Required for Important Class II, optional for others
- Module H (Full QA): Alternative to B+C for organizations with multiple products
- Product classification determines which options are available
- Cost difference: Module A (~EUR 5–20K internal), B+C (~EUR 30–100K+), H (~EUR 50K+ setup + ongoing)
Conformity assessment overview
Conformity assessment is how you demonstrate your product meets CRA requirements. The EU Declaration of Conformity (DoC) you sign declares your product conforms, but you must have evidence to back that claim.
The CRA offers three conformity assessment modules. The decision tree above maps each product category to its permitted routes. Module A is a manufacturer self-assessment. Module B+C combines a Notified Body type examination (B) with a production-conformity phase you run (C). Module H is a single route where a Notified Body approves your quality management system and surveils it on an ongoing basis.
When can you use Module A self-assessment?
Self-assessment. You evaluate your own product against CRA requirements.
When Module A is available
- Default products: Always available
- Important Class I: Only if you fully apply relevant harmonized standards
What "harmonised standards" means
For Important Class I self-assessment, you must apply harmonized standards that:
- Cover the essential requirements in Annex I
- Are published in the Official Journal of the EU
- Are applied completely (not partially)
If no harmonized standard exists for your product type, Important Class I products must use Module B+C or H.
Harmonized standards for CRA are still being developed. Monitor OJEU publications.
Module A process
- Design phase. Apply security-by-design principles, conduct a risk assessment against Annex I, document the security architecture, and apply harmonised standards if your product is Important Class I.
- Documentation. Create the Annex VII technical file covering product description, risk assessment results, design documentation, standards applied, test results, and SBOM. Prepare the EU Declaration of Conformity.
- Production controls. Ensure production maintains conformity, document quality controls, and verify each unit where applicable.
- Finalisation. Sign the EU Declaration of Conformity, affix the CE marking, and retain the documentation for 10 years.
Module A documentation requirements
Your Annex VII technical file under Module A must cover these six areas.
- Product identification and intended purpose
- Versions covered
- User instructions provided
- Cybersecurity risks identified
- Threats and attack scenarios considered
- Risk treatment decisions
- System architecture
- Security measures implemented
- How each Annex I requirement is met
- Standards applied (with version numbers)
- Test plans and results
- Verification that standards are fully applied (for Class I)
- Components included
- Vulnerabilities known at time of assessment
- How production maintains conformity
- Quality control measures
They draw on analogue CE-marking regimes (Radio Equipment Directive, Medical Device Regulation) and early CRA consultancy pricing. They are not a CRA-specific market survey. No Notified Body has published a CRA rate card: NANDO shows zero CRA designations as of May 2026. Use the numbers for planning. Confirm against real quotes once designations happen.
Module A costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| Risk assessment | EUR 5,000–15,000 | Internal or consultant |
| Technical documentation | EUR 5,000–20,000 | Depends on complexity |
| Testing | EUR 2,000–10,000 | Internal or lab |
| SBOM tooling | EUR 0–5,000 | Tools may already exist |
| Internal staff time | Variable | Often the largest cost |
Total typical range: EUR 15,000–50,000 (internal costs)
Module A timeline
| Phase | Duration |
|---|---|
| Risk assessment | 2-4 weeks |
| Documentation | 4-8 weeks |
| Testing | 2-4 weeks |
| Review and finalization | 1-2 weeks |
Total typical timeline: 2-4 months
When does the CRA require a Notified Body?
Third-party assessment. A Notified Body examines your product design.
When a Notified Body is required
- Important Class II: B+C, H, or an Article 27(9) scheme at "substantial" assurance (Article 32(3)).
- Critical products (Annex IV): Either a European cybersecurity certification scheme under Article 8(1) once a Commission delegated act applies (e.g. EUCC at "substantial" assurance), or, where no such delegated act applies, the Article 32(3) procedures (B+C, H, or Article 27(9) scheme). EUCC is not stacked on top of B+C / H; it is a parallel route.
- Important Class I: B+C or H if harmonised standards, common specifications, or Article 27 schemes are not applied or only partially applied (Article 32(2)).
Module B: EU-type examination
A Notified Body examines a representative sample (type) of your product and issues a certificate.
- Application. Select a Notified Body and submit your application with product samples, technical documentation, and the application form. Pay the initial fees.
- Examination. The Notified Body reviews documentation, tests the product sample, verifies Annex I compliance, and may request additional information or tests.
- Decision. If compliant, the Notified Body issues the EU-Type Examination Certificate. If deficiencies are found, you remediate and re-submit.
- Certificate. Valid for the assessed type, with any conditions stated on the certificate. Modifications that may affect compliance require an addition to the original certificate (Annex VIII Part II, points 6–7). The CRA does not prescribe a fixed re-examination interval.
Module C: conformity to type
After Module B, you ensure production conforms to the certified type.
- Production controls. Ensure each unit conforms to the certified type, document production processes, and maintain quality controls.
- Declaration. Reference the EU-Type Examination Certificate, sign the EU Declaration of Conformity, and affix the CE marking.
- Ongoing. Maintain conformity to the certified type, report changes that affect the type to the Notified Body, and recertify if substantial changes occur.
Notified Body selection
Considerations when choosing a Notified Body:
| Factor | Consideration |
|---|---|
| Scope | Is NB designated for CRA and your product type? |
| Capacity | Do they have availability? (Early CRA = limited capacity) |
| Location | Easier logistics if nearby |
| Experience | Familiarity with your product type |
| Cost | Fees vary significantly |
| Timeline | How quickly can they schedule examination? |
Finding NBs: Check NANDO database (EU's official Notified Body registry) once CRA designations are published.
Notified Body fees typically range from EUR 30,000 to EUR 100,000 or more, and queue times can reach 4 to 16 weeks. Budget and plan accordingly.
Module B+C costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| NB application fee | EUR 2,000–5,000 | Non-refundable |
| NB examination fee | EUR 15,000–50,000 | Depends on complexity |
| Sample preparation | EUR 1,000–5,000 | Product samples for testing |
| Technical documentation | EUR 10,000–30,000 | Must meet NB requirements |
| Travel/logistics | EUR 1,000–5,000 | If on-site visits required |
| Remediation (if needed) | Variable | Re-testing, documentation fixes |
Total typical range: EUR 30,000–100,000+
Module B+C timeline
| Phase | Duration |
|---|---|
| NB selection and application | 2-4 weeks |
| Documentation preparation | 4-8 weeks |
| NB queue time | 4-16 weeks (varies significantly) |
| Examination | 4-8 weeks |
| Certificate issuance | 2-4 weeks |
Total typical timeline: 4-10 months
Module H: full quality assurance
Quality management system approach. NB approves your QMS for design, production, and testing.
When Module H makes sense
Module H is advantageous when:
- You have multiple products requiring third-party assessment
- You already have a mature QMS (ISO 9001, ISO 27001)
- You want ongoing NB relationship rather than per-product examination
- You release frequent product updates
Module H process
- QMS establishment. Design a quality system covering your design process, production controls, testing procedures, and documentation management, aligned with CRA requirements.
- Notified Body assessment. Submit QMS documentation, host the Notified Body audit, verify CRA alignment, and receive the QMS approval certificate.
- Product design (per product). Follow the approved QMS for design, conduct a design examination, document compliance, and allow Notified Body audits of the design process.
- Production. Follow the approved QMS for production, document conformity, and accept Notified Body surveillance audits.
- Declaration (per product). Sign the EU Declaration of Conformity, reference the QMS certificate, and affix the CE marking.
- Ongoing. Maintain the QMS and submit to periodic surveillance audits by the Notified Body (Annex VIII Part IV, points 4.1–4.3). The CRA does not prescribe surveillance frequency or a recertification cycle; cadence is set in the audit plan.
Module H QMS requirements
Your quality management system must cover four areas in parallel. Gaps in any one area will block certification.
- Design process controls
- Risk assessment methodology
- Design review procedures
- Configuration management
- Design verification and validation
- Production process controls
- Quality control testing
- Non-conformity handling
- Traceability
- Equipment calibration
- Technical file requirements
- Document control
- Record retention
- Change management
- Secure development lifecycle
- Vulnerability management
- Update processes
- Incident response
Module H costs
| Cost Element | Typical Range | Notes |
|---|---|---|
| QMS development/upgrade | EUR 20,000–50,000 | If starting from scratch |
| NB initial audit | EUR 15,000–30,000 | QMS certification |
| Annual surveillance | EUR 5,000–15,000 | Ongoing |
| Per-product design review | EUR 5,000–15,000 | Varies by complexity |
Initial setup: EUR 40,000–100,000 Annual ongoing: EUR 10,000–30,000
Module H vs B+C decision
| Factor | Module B+C | Module H |
|---|---|---|
| Number of products | 1-3 products | 4+ products |
| Existing QMS | No mature QMS | Mature QMS exists |
| Update frequency | Infrequent updates | Frequent releases |
| Organization size | Small/medium | Medium/large |
| Upfront cost | Lower | Higher |
| Per-product cost | Higher | Lower |
| Ongoing cost | Lower | Higher (surveillance) |
Module H becomes cost-effective at 4 or more products. If you have a mature QMS (ISO 9001, ISO 27001), it is often the better long-term investment.
Rule of thumb: Module H becomes cost-effective at 4+ products or when you'd need re-examination frequently.
Decision framework
Step 1: determine product classification
Use the product classification guide to determine: Default, Important Class I, Important Class II, or Critical.
Step 2: identify available options
The decision tree at the top of this guide shows the full mapping. The table below summarises the same routes in text form.
| Category | Available modules | Recommended route |
|---|---|---|
| Default | A, B+C, H | Module A unless you want third-party validation |
| Important Class I, harmonised standards fully applied | A, B+C, H | Module A with standards |
| Important Class I, no harmonised standards | B+C, H | Module B+C unless multiple products |
| Important Class II | B+C, H | Module B+C unless multiple products or mature QMS |
| Critical (Annex IV) | EUCC scheme (Art. 8(1)) or B+C / H / Art. 27(9) scheme (Art. 32(3) fallback) | Depends on whether a Commission delegated act under Article 8(1) applies |
Step 3: consider business factors
Step 3 only helps you choose among the modules Step 2 left available. CRA Annex VIII makes Module A legally unreachable for Important Class I without harmonised standards, for Important Class II, and for Critical products. The two tables below split on that gate so every row has a reachable answer on your path.
When Modules A, B+C, and H are all available
Applies to Default products, and to Important Class I with harmonised standards fully applied.
| Factor | Module A | Module B+C | Module H |
|---|---|---|---|
| Budget constrained | ✓ | ||
| Time constrained | ✓ | ||
| Need external validation | ✓ | ✓ | |
| Single product | ✓ | ✓ | |
| Many products | ✓ | ||
| Frequent updates | ✓ | ||
| No existing QMS | ✓ | ✓ | |
| Mature QMS (ISO 9001, ISO 27001) | ✓ | ||
| Customer requires Notified Body | ✓ | ✓ |
When only Modules B+C and H are available
Applies to Important Class I without harmonised standards, Important Class II, and Critical products. Module A is not a legal option for these categories regardless of budget or timeline pressure.
| Factor | Module B+C | Module H |
|---|---|---|
| Single product | ✓ | |
| Many products | ✓ | |
| Frequent updates | ✓ | |
| No existing QMS | ✓ | |
| Mature QMS (ISO 9001, ISO 27001) | ✓ |
This second branch mirrors the "Module H vs B+C Decision" table earlier in the guide. Where the two overlap, treat them as the same decision from two angles: the earlier table is cost-weighted, this one is operational-fit-weighted.
Step 4: calculate costs
Scenario: 5 Important Class II products, no existing QMS, 5-year horizon with 2 updates per product.
| Cost item | Module B+C | Module H |
|---|---|---|
| One-time setup QMS build-out and initial NB certification | n/a | EUR 75,000 EUR 50,000 QMS + EUR 25,000 NB cert |
| Per-product assessment (× 5) EU type examination (B+C) or design review (H) | EUR 250,000 EUR 50,000 × 5 | EUR 50,000 EUR 10,000 × 5 |
| Per-update assessment (× 10) Full re-examination (B+C) or design review delta (H) | EUR 250,000 EUR 25,000 × 10 | EUR 50,000 EUR 5,000 × 10 |
| Annual surveillance (× 5 years) | n/a | EUR 60,000 EUR 12,000 × 5 |
| 5-year total | EUR 500,000 | EUR 235,000 |
Module H saves EUR 265,000 over 5 years in this scenario. The crossover point is the combination of product count and update frequency. The per-product and per-update inputs are illustrative (see the estimates note near the Module A Costs table). Run the calculation with your own quotes before committing to a budget.
EU declaration of conformity
Regardless of module chosen, you must issue an EU Declaration of Conformity.
DoC required contents
The EU Declaration of Conformity for the Cyber Resilience Act is Regulation (EU) 2024/2847. Every DoC must contain the eight fields below, followed by the signatory block.
- Product identification. Product name, type, batch, and serial number(s), in detail sufficient for traceability.
- Manufacturer name and address. Legal entity responsible for the declaration. Authorised representative details, if applicable.
- Responsibility statement. "This declaration of conformity is issued under the sole responsibility of the manufacturer."
- Object of the declaration. Product description sufficient for traceability, including photograph or drawing if the product is physical.
- Applicable Union legislation. List every regulation the product conforms to, starting with Regulation (EU) 2024/2847 (Cyber Resilience Act) and adding any other horizontal legislation (RED, EMC, Machinery, and so on) that applies.
- Harmonised standards or specifications applied. List each standard with version number. If no harmonised standard covers part of Annex I, reference the specification or common specification used instead.
- Notified Body block (Module B+C or H). Notified Body name, four-digit identification number, certificate reference, the module performed, and the certificate number issued. Omit this field entirely for Module A.
- Additional information. Support period end date, contact point for vulnerability reports, and any other information the CRA or the applicable legislation requires.
Close the DoC with the signatory name and function, the place and date of issue, and a signature. A DoC without a dated signature from a person identified by name and role is not a valid DoC.
CE marking
After conformity assessment, affix the CE marking. The visual form of the mark is fixed. What changes is whether a four-digit Notified Body number travels with it.
CE marking requirements
CE marking placement
- On the product itself (preferred)
- On a rating plate or permanent label
- On packaging if the product is too small
- In documentation if physical marking is impossible
- In the about or information screen
- In the accompanying documentation
- On packaging if the software ships on physical media
- CE mark followed by the NB identification number
- Example: CE 1234 where 1234 is the NB number
- Applies to Module B+C and Module H
Common mistakes
Self-assessing (Module A) when your product is Important Class II is an invalid conformity assessment. The product cannot be legally placed on the EU market.
Each of the five mistakes below has the same anatomy: a tempting shortcut, a serious consequence, and a specific preventive habit.
Problem. Choosing Module A for an Important Class II product.
Consequence. Invalid conformity assessment. The product cannot be legally placed on the market.
Prevention. Always verify product classification before choosing the assessment route.
Problem. Claiming Module A for Important Class I while only partially applying harmonised standards.
Consequence. Module A is not available without full standard application.
Prevention. If you cannot fully apply the standards, use Module B+C or H.
Problem. Technical file lacks required content for the chosen module.
Consequence. You cannot demonstrate conformity. The DoC is not valid.
Prevention. Use checklists. Review the documentation requirements for your specific module before signing.
Problem. Discovering late that the product requires NB assessment.
Consequence. Delayed market entry. NB queue times can be months.
Prevention. Classify products early. Engage Notified Bodies proactively.
Problem. Signing the DoC before completing conformity assessment.
Consequence. False declaration. Legal liability.
Prevention. The DoC is the final step, after all assessment activities complete.
Conformity assessment checklist
Work through the pre-assessment card first. Then complete only the cards for the module your product uses. Every product finishes on the Finalisation card.
- Product classification determined
- Available modules identified
- Module selected against requirements and business factors
- Timeline established
- Budget allocated
- Risk assessment completed
- Annex I requirements addressed
- Harmonised standards applied (if Class I)
- Technical file prepared
- Testing completed
- Production controls documented
- DoC prepared
- Notified Body selected
- Application submitted
- Technical documentation provided
- Product sample(s) provided
- Examination completed
- Certificate received
- Deficiencies addressed (if any)
- Production controls established
- Type conformity verified
- Documentation maintained
- DoC references the EU-Type certificate
- QMS developed or updated
- Notified Body audit scheduled
- QMS certificate received
- Per-product design review completed
- Surveillance audit schedule established
- EU Declaration of Conformity signed
- CE marking affixed
- Technical file archived (10-year retention)
- Market placement ready
Frequently asked questions
Can a Default category product always use Module A self-assessment?
Yes. Default products may always use Module A self-assessment. You conduct the assessment yourself, document it in the Annex VII technical file, sign the EU Declaration of Conformity, and affix the CE mark. No Notified Body is involved. (The "roughly 90%" share is an estimate based on Annex III/IV scope, not a CRA-stated figure.) (Article 32(1)(a); Annex VIII Part I.)
When is a Notified Body mandatory for Important Class I products?
Only when you cannot fully apply relevant harmonised standards, common specifications, or an Article 27 European cybersecurity certification scheme at "substantial" assurance. If a harmonised standard covering your product type's Annex I requirements exists in the OJEU and you apply it completely, Module A self-assessment remains available. If no applicable standard exists, or you apply one partially, you must use Module B+C or H. (Article 32(2); Annex VIII Part II and IV.)
Are there any Notified Bodies designated for CRA yet?
As of May 2026, zero Notified Bodies have been designated for the CRA. Designations are published in the NANDO database. Manufacturers of Important Class II and Critical products cannot complete third-party assessment until designations happen. Plan for this delay. (Article 43; NANDO database.)
What does Module B+C conformity assessment involve?
Module B is the product type examination performed by a Notified Body, which reviews your technical documentation, tests a representative specimen, and issues an EU-Type Examination Certificate. Module C is the production-conformity phase you run: each unit must conform to the certified type, and the EU Declaration of Conformity references the certificate number. (Annex VIII Part II and Part III; Article 32(1)(b).)
Can harmonised standards substitute for a Notified Body assessment?
For Important Class I products only. If you fully apply harmonised standards covering all Annex I essential requirements, you may self-assess under Module A without a Notified Body. For Important Class II products, third-party assessment (B+C, H, or an Article 27(9) scheme) is mandatory regardless of standards. Critical products are governed by Article 32(4) (Article 8(1) scheme or Article 32(3) fallback). (Article 32(1)(a) and 32(2); Annex VIII Part I.)
What is the cost of a Notified Body conformity assessment?
Plan for EUR 30,000 to EUR 100,000 or more in NB examination fees, plus EUR 2,000 to EUR 5,000 application fee and EUR 1,000 to EUR 5,000 sample preparation. Queue times currently run 4 to 16 weeks, so factor in schedule risk on top of cost. (Figures are estimates from analogue regimes (RED, MDR) and early CRA consultancy pricing, not values stated in the CRA.)