← CRA Guide
Article 25

Conformity Assessment Procedures: Module A vs Third-Party Assessment

Article 25 specifies which conformity assessment procedure applies to different categories of products with digital elements. Default-class products can use Module A (manufacturer self-assessment and declaration), while higher-risk Class I and Class II products listed in Annex III require third-party involvement through a notified body. Understanding which procedure applies to your product is the starting point for planning your CRA conformity pathway.

Effective: September 2026Applies to: All manufacturers assessing CRA conformity assessment requirements
Free compliance portal →

The Three-Tier Product Classification

Article 25 operates within the CRA's three-tier product classification system. Products are classified as:

Default class: All products with digital elements not listed in Annex III or Annex IV. This is the largest category, covering the majority of consumer and commercial products.

Class I (Important Products): Products listed in Annex III Class I — including smart home products with security functions, password managers, network monitoring tools, VPNs, and general-purpose operating systems. These present elevated cybersecurity risks due to their network-facing functions or their use in critical infrastructure.

Class II (Critical Products): Products listed in Annex III Class II — including hypervisors, firewalls, tamper-resistant hardware, industrial control systems, and other products that are particularly critical to cybersecurity. These carry the highest assessment requirements.

The Annex IV 'highly critical' list includes products subject to European cybersecurity certification schemes, which may require European certification rather than the standard CRA conformity assessment.

CRA reference:Article 25(1)

Module A: Self-Declaration for Default-Class Products

For default-class products, Article 25 allows manufacturers to use Module A — the internal control conformity assessment procedure. Under Module A:

  1. The manufacturer carries out the risk assessment and designs the product to meet the essential requirements
  2. The manufacturer prepares and maintains the technical documentation under Annex VII
  3. The manufacturer draws up the EU Declaration of Conformity
  4. The manufacturer affixes the CE marking

No external or third-party involvement is required under Module A. The manufacturer takes sole responsibility for the declaration of conformity and for maintaining the supporting technical evidence.

Module A is available regardless of whether harmonised standards are used — however, using harmonised standards creates the presumption of conformity under Article 8, which strengthens the manufacturer's compliance position.

CRA reference:Article 25(2), Annex VI Module A

Third-Party Assessment for Annex III Class I Products

For Class I products, Article 25 requires third-party involvement in the conformity assessment. Manufacturers of Class I products have three options:

Option 1 — EU-type examination (Module B + Module D/E/F): The manufacturer submits a representative product model to a notified body for type examination. The notified body assesses the product against the essential requirements and issues a type examination certificate. The manufacturer then uses an additional module (D, E, or F) covering production quality assurance.

Option 2 — Quality management system assessment (Module H): The manufacturer establishes a quality management system covering design, manufacture, and post-market activities, and has this system assessed and certified by a notified body.

Option 3 — Technical documentation review: For Class I products where harmonised standards are applied, a notified body reviews and validates the technical documentation, providing additional assurance beyond the manufacturer's self-declaration.

The manufacturer chooses which option to use, but must complete the chosen procedure fully before affixing the CE marking.

CRA reference:Article 25(3), Annex VI

Third-Party Assessment for Annex III Class II Products

Class II products face the most stringent assessment requirements. For these products, Article 25 requires EU-type examination (Module B) combined with a production quality assurance module (Module D or F) or a full quality assurance system assessment (Module H).

For Class II products, there is no option for a simplified technical documentation review — a full third-party type examination of the product by a notified body is mandatory. This means the notified body must physically assess a representative product unit, including technical testing against the essential requirements.

Manufacturers of Class II products face significantly longer assessment timelines and higher costs than default-class manufacturers. Products in this category include hardware security modules (HSMs), smart card readers, firewalls for critical infrastructure, industrial control system components, and hypervisors used in critical environments.

Given the assessment requirements, manufacturers of Class II products should engage notified bodies very early — 18 to 24 months before planned market launch is not excessive.

CRA reference:Article 25(4), Annex VI

European Cybersecurity Certification as an Alternative

Article 25 also addresses the interaction between CRA conformity assessment and European cybersecurity certification under Regulation (EU) 2019/881 (the Cybersecurity Act). Where the European Commission designates a European cybersecurity certification scheme as equivalent to or providing a higher level of assurance than CRA conformity assessment, compliance with that scheme may be used as an alternative or complementary conformity assessment pathway.

This provision is particularly relevant for products falling under Annex IV of the CRA, which lists highly critical products that may be subject to mandatory certification. As European cybersecurity certification schemes are developed under ENISA's coordination, manufacturers of the most critical products should monitor scheme developments that may apply to their product categories.

For most manufacturers of standard products, European cybersecurity certification is an optional enhancement to compliance, not a substitute for the CRA conformity assessment procedures.

CRA reference:Article 25(5)

CVD Portal helps you comply with Article 25 automatically.

Public submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever.

Start your free portal

Frequently asked

How do I determine whether my product is default class, Class I, or Class II?+

Review Annex III of the CRA, which lists Class I and Class II products. If your product is not listed there, it is default class. The list uses both general product categories and specific product types — check both the category headings and the specific examples. If your product falls into a borderline category, seek legal advice and consider whether the functionality matches the Annex III description, not just the product name.

Can I voluntarily use a third-party notified body for a default-class product?+

Yes. The CRA sets minimum requirements — manufacturers can exceed them. Using a notified body for a default-class product provides additional assurance and may be required by certain customers (particularly in B2B and public procurement contexts). Many enterprise customers include conformity assessment requirements in procurement specifications that go beyond what the CRA mandates.

What is the expected timeline for a notified body assessment of a Class II product?+

Full type examination for Class II products can take 6 to 18 months depending on the complexity of the product, the notified body's workload, and the quality of the manufacturer's documentation. Manufacturers with comprehensive, well-organised technical documentation submitted before the formal assessment process begins will typically experience faster turnaround times.

What happens if I modify a product after it has received a notified body certificate?+

Significant modifications that affect the product's compliance must be assessed before the modified product is placed on the market. For Class I and II products, this may require a new or updated notified body assessment. Minor modifications that do not affect security-relevant aspects of the product may not require a new assessment, but this should be documented and justified in the technical file.

Does the conformity assessment for a software product work the same way as for hardware?+

The same assessment modules apply, but the specific technical assessment activities differ. For software-only products, the assessment focuses on software architecture, code review, penetration testing, and vulnerability management processes rather than physical hardware characteristics. Notified bodies with software assessment expertise are the appropriate choice for software product assessments.

Related CRA Articles

Article 22EU Declaration of Conformity: Content and RequirementsArticle 23CE Marking Rules: Affixing and Format RequirementsArticle 24Notification of Conformity Assessment BodiesAnnex VIConformity Assessment Procedures: Module A and Third-Party ModulesArticle 7Harmonised Standards and Presumption of Conformity

Need a CVD policy that satisfies Article 25?

Download a free CRA-compliant template and deploy it in minutes.

Browse templates →