CRA Self-Assessment, Step by Step
Most products with digital elements qualify for self-assessment under Module A. That makes the conformity work an internal project: classify, assess, document, declare, mark. This guide covers who qualifies, the sequence, and the evidence market surveillance expects to find behind a self-assessed CE mark.
Who qualifies
Article 32 assigns the conformity route by product class. Default-class products, the large majority of software and connected hardware, may use Module A internal control without conditions. Important products in Class I under Annex III may self-assess only when the relevant harmonised standards, common specifications, or European cybersecurity certification schemes are applied in full. Class II and critical products need a notified body or certification. The classification decision itself is therefore the first artifact of the assessment, and it belongs in the technical file with its justification.
What self-assessment changes, and what it does not
Module A changes who verifies conformity. It does not change what conformity means. The Annex I essential requirements, the documented risk assessment, the Annex VII technical file, the EU Declaration of Conformity, and CE marking apply in full. The practical consequence is that your records carry the entire verification burden. A notified body never checks the work, so the first external reader of your technical file is likely to be a market surveillance authority.
The six steps of a defensible self-assessment
Run them in order. Each step consumes the output of the one before it, and the sequence is what makes the resulting file internally consistent.
Classify the product
Answer the Annex III and IV questions to determine whether the product is default, important (Class I or II), or critical. The classification drives everything after it, so record the decision and its justification. Most products with digital elements land in the default class.
Confirm the conformity route
Article 32 converts the classification into a route. Default products may use Module A internal control, which is self-assessment. Important Class I products may self-assess only when they apply the relevant harmonised standards, common specifications, or European cybersecurity certification schemes in full. Class II and critical products need third-party involvement.
Run and document the risk assessment
Article 13 requires a documented cybersecurity risk assessment per product, covering planning, design, development, and maintenance, and kept up to date. Its output determines which Annex I Part I essential requirements apply to your product and why.
Close the Annex I position
Work through the essential requirements: the Part I product requirements the risk assessment made applicable, and the Part II vulnerability handling requirements that apply to every product. Each requirement needs evidence that it is met or a reasoned position on why it does not apply.
Assemble the technical documentation
Annex VII prescribes the technical file: product description, the risk assessment, the Annex I positions with evidence, vulnerability handling documentation, the support period determination, standards applied, and test results. The file must exist before placing the product on the market and be kept for ten years or the support period, whichever is longer.
Declare and mark
Draw up and sign the EU Declaration of Conformity per Annex V, then affix the CE marking per Article 30. Under Module A the mark carries no notified body number. Both artifacts must match the technical file exactly.
How CRA Portal supports each step
The Compliance plan turns the sequence into a per-product workspace: the Annex III and IV classification questions with the Article 32 route derived automatically, STRIDE threat modelling with likelihood and impact scoring, the Annex I checklist with gap analysis and remediation guidance, evidence collection per requirement, and generated drafts of the Annex VII technical documentation and the EU Declaration of Conformity, with point-in-time snapshots per release. The platform supports the assessment and keeps its evidence organised. The conformity responsibility stays with the manufacturer, as Module A requires.
Frequently asked
What is CRA self-assessment?
Which products qualify for self-assessment?
When is self-assessment not allowed?
What evidence does market surveillance expect from a self-assessed product?
Does self-assessment mean lower requirements?
When do the conformity obligations apply?
Start your self-assessment today
Every new account includes 14 days of the Compliance plan, the full self-assessment workspace from classification to the Declaration of Conformity. The disclosure portal stays free.