Module A guide

CRA Self-Assessment, Step by Step

Most products with digital elements qualify for self-assessment under Module A. That makes the conformity work an internal project: classify, assess, document, declare, mark. This guide covers who qualifies, the sequence, and the evidence market surveillance expects to find behind a self-assessed CE mark.

Who qualifies

Article 32 assigns the conformity route by product class. Default-class products, the large majority of software and connected hardware, may use Module A internal control without conditions. Important products in Class I under Annex III may self-assess only when the relevant harmonised standards, common specifications, or European cybersecurity certification schemes are applied in full. Class II and critical products need a notified body or certification. The classification decision itself is therefore the first artifact of the assessment, and it belongs in the technical file with its justification.

What self-assessment changes, and what it does not

Module A changes who verifies conformity. It does not change what conformity means. The Annex I essential requirements, the documented risk assessment, the Annex VII technical file, the EU Declaration of Conformity, and CE marking apply in full. The practical consequence is that your records carry the entire verification burden. A notified body never checks the work, so the first external reader of your technical file is likely to be a market surveillance authority.

The six steps of a defensible self-assessment

Run them in order. Each step consumes the output of the one before it, and the sequence is what makes the resulting file internally consistent.

1

Classify the product

Answer the Annex III and IV questions to determine whether the product is default, important (Class I or II), or critical. The classification drives everything after it, so record the decision and its justification. Most products with digital elements land in the default class.

2

Confirm the conformity route

Article 32 converts the classification into a route. Default products may use Module A internal control, which is self-assessment. Important Class I products may self-assess only when they apply the relevant harmonised standards, common specifications, or European cybersecurity certification schemes in full. Class II and critical products need third-party involvement.

3

Run and document the risk assessment

Article 13 requires a documented cybersecurity risk assessment per product, covering planning, design, development, and maintenance, and kept up to date. Its output determines which Annex I Part I essential requirements apply to your product and why.

4

Close the Annex I position

Work through the essential requirements: the Part I product requirements the risk assessment made applicable, and the Part II vulnerability handling requirements that apply to every product. Each requirement needs evidence that it is met or a reasoned position on why it does not apply.

5

Assemble the technical documentation

Annex VII prescribes the technical file: product description, the risk assessment, the Annex I positions with evidence, vulnerability handling documentation, the support period determination, standards applied, and test results. The file must exist before placing the product on the market and be kept for ten years or the support period, whichever is longer.

6

Declare and mark

Draw up and sign the EU Declaration of Conformity per Annex V, then affix the CE marking per Article 30. Under Module A the mark carries no notified body number. Both artifacts must match the technical file exactly.

How CRA Portal supports each step

The Compliance plan turns the sequence into a per-product workspace: the Annex III and IV classification questions with the Article 32 route derived automatically, STRIDE threat modelling with likelihood and impact scoring, the Annex I checklist with gap analysis and remediation guidance, evidence collection per requirement, and generated drafts of the Annex VII technical documentation and the EU Declaration of Conformity, with point-in-time snapshots per release. The platform supports the assessment and keeps its evidence organised. The conformity responsibility stays with the manufacturer, as Module A requires.

Frequently asked

What is CRA self-assessment?
Self-assessment, formally Module A internal control, is the conformity assessment procedure in which the manufacturer verifies conformity with the Cyber Resilience Act's essential requirements itself, without a notified body. The manufacturer runs the risk assessment, closes the Annex I requirements, assembles the Annex VII technical documentation, signs the EU Declaration of Conformity, and affixes the CE marking under its sole responsibility.
Which products qualify for self-assessment?
Products in the default class, which is the large majority of products with digital elements, qualify for Module A without conditions. Important products in Class I under Annex III qualify only when the manufacturer applies the relevant harmonised standards, common specifications, or European cybersecurity certification schemes in full. Class II and critical products do not qualify.
When is self-assessment not allowed?
Class I important products that do not fully apply harmonised standards, all Class II important products, and critical products designated under Annex IV cannot use Module A. Those products need a notified body procedure or, for critical products, a European cybersecurity certification at assurance level substantial or higher.
What evidence does market surveillance expect from a self-assessed product?
The Annex VII technical file, retrievable on request: the documented risk assessment, the applicability position for each Annex I requirement with supporting evidence, the vulnerability handling documentation, the support period determination, the standards applied, and the signed EU Declaration of Conformity. Self-assessment shifts the verification burden onto your own records, so the file is the whole defence.
Does self-assessment mean lower requirements?
No. The essential requirements of Annex I apply identically on every route. Module A changes who verifies conformity, the manufacturer instead of a notified body. The Article 64 penalty regime, with fines up to 15 million euros or 2.5 percent of worldwide annual turnover, applies to self-assessed products the same way.
When do the conformity obligations apply?
The reporting obligations under Article 14 apply from 11 September 2026. The full conformity regime, including the risk assessment, Annex I, technical documentation, the Declaration of Conformity, and CE marking, applies from 11 December 2027 to products placed on the EU market from that date.

Start your self-assessment today

Every new account includes 14 days of the Compliance plan, the full self-assessment workspace from classification to the Declaration of Conformity. The disclosure portal stays free.