The EU Cyber Resilience Act (CRA) does not prescribe a single compliance path. It defines a tiered system of conformity assessment procedures, where the route a manufacturer must follow depends on how their product is classified, and the difference between classes is not just procedural. Misidentifying that classification, or misapplying the relevant procedure, creates legal exposure that no Declaration of Conformity can adequately cover.
This post sets out the four conformity assessment routes, the product classification tiers that determine which applies, and the practical implications for manufacturers preparing for CRA compliance.
The Foundation: Presumption of Conformity
Before examining the assessment routes, one concept must be clearly understood: presumption of conformity.
When the European Commission cites a harmonized standard in the Official Journal of the EU, it is formally conveying that a manufacturer who fully applies that standard can presume they are meeting the corresponding requirements of the CRA. This is a legal bridge between the regulation and the technical standards ecosystem, not an approximation or a safe harbour based on best effort.
Not every standard will receive this status. For those that do, it provides the strongest available foundation for self-assessment and declaration. For Important Class 1 products specifically, applying a harmonized standard with presumption of conformity is not optional: it is a condition of permissible self-assessment.
Product Classification: Four Tiers, Four Different Obligations
Default Class
Any product with digital elements that does not qualify as Important Class 1, Important Class 2, or Critical falls into the default class. This is estimated to cover approximately 80% of products with digital elements. Self-assessment (Module A, or internal control) is fully permitted. The manufacturer selects relevant standards at their discretion and bears complete responsibility for the declaration of conformity.
Important Class 1
Self-assessment remains available, but under a stricter condition: the manufacturer must fully apply a harmonized standard that carries presumption of conformity. Partial application does not satisfy the requirement. The standard must be applied in full.
Important Class 2
Third-party assessment is mandatory. A notified body (an officially designated third-party organisation) must conduct an EU Type Examination. Under the CRA, the notified body's scope extends beyond product properties to include process requirements. Specifically, the manufacturer's vulnerability handling process must be assessed and is subject to periodic audits as part of ongoing compliance. This is a material difference from the Radio Equipment Directive and most other EU product regulations, where notified body assessment focuses solely on product characteristics.
Critical Products
Certification under an approved EU cybersecurity scheme is required. Delegated regulations in specific member states may impose additional requirements. Currently, the only approved scheme is the EUCC (the European Cybersecurity Certification Scheme based on Common Criteria), accepted at a minimum ‘substantial’ assurance level. ENISA is tasked with developing further schemes; a revision of the Cybersecurity Act is anticipated to expand available options.
The Assessment Procedures in Detail
Module A: Internal Control (Self-Assessment)
The manufacturer demonstrates, on their own responsibility, that the product satisfies the CRA's essential cybersecurity requirements as set out in Annex I, Parts 1 and 2. A Declaration of Conformity is issued by the manufacturer. For default-class products, standard selection is at the manufacturer's discretion. For Important Class 1, a harmonized standard with presumption of conformity must be fully applied.
Module B: EU Type Examination (Notified Body)
A notified body examines the technical design of a product type (not each individual unit) and issues an EU Type Examination certificate. This is the strongest independently verified proof of compliance a manufacturer can hold. The notified body assesses both product and process requirements, with periodic audits of vulnerability handling built into the ongoing compliance cycle. This certificate is available voluntarily for default-class products and is mandated for Important Class 2.
Module C: Internal Production Control (Product Variants)
Used alongside Module B, this procedure is designed for product families and variants. Where products share the same cybersecurity baseline but differ in non-digital characteristics such as housing, colour, power class, or other physical attributes, a similarity declaration can cover the family without requiring individual assessments for each variant. Under the CRA, which focuses on the digital rather than the analogue space, this can be a practical tool for manufacturers managing broad product portfolios.
Module H: Full Quality Assurance
Rather than assessing a specific product type, the notified body assesses the manufacturer's quality management system. A quality assurance system confirmed by the notified body allows the manufacturer to declare products compliant across their range, including in higher-risk classes. This module is less commonly used in practice; its uptake under the Radio Equipment Directive has been limited, and it remains to be seen how attractive it proves under the CRA.
Certification Schemes: EUCC
For critical products, certification under a scheme approved by ENISA under the Cybersecurity Act is required. The EUCC is currently the sole approved scheme. A revision of the Cybersecurity Act is underway that should expand the number of available schemes in the coming years.
Open Source Software
Open source software is not exempt from CRA conformity assessment. However, its available procedures are analogous to those of the default class, reflecting the distinct nature of open source development and distribution models.
Why Some Manufacturers Pursue Voluntary Third-Party Assessment
Even where self-assessment is legally sufficient (for example, for default-class products), there is growing manufacturer interest in voluntarily pursuing EU Type Examination. The resulting certificate provides independently auditable proof of compliance. In customer procurement processes, regulated supply chains, and public sector tendering, that level of assurance can carry significant practical weight, even where it is not a regulatory requirement.
Key Takeaways for Manufacturers
- Identify which classification tier each of your products falls into before selecting a conformity assessment route.
- For Important Class 1, using a harmonized standard is not sufficient: the standard must carry presumption of conformity and must be fully applied.
- For Important Class 2, budget for periodic notified body audits of your vulnerability handling process. This is an ongoing obligation, not a one-time assessment.
- Voluntary EU Type Examination for default-class products provides the strongest available proof of compliance and is increasingly sought in B2B and procurement contexts.
- Open source software has flexibility similar to the default class, but is not exempt from conformity obligations.
Vulnerability Handling: The Process Requirement That Runs Through Every Tier
One thread that runs through every classification tier is vulnerability handling. For Important Class 2 and above, the notified body will audit it directly on a periodic basis. For default-class products, it is part of the essential requirements the manufacturer self-declares against. Across the board, the CRA treats vulnerability handling not as an optional best practice but as a core product compliance requirement.
The reporting obligations that sit on top of that process, under Article 14, come into force on 11 September 2026. That deadline applies to products already on the market, regardless of where a manufacturer stands on the broader conformity assessment timeline.