Rules and Conditions for Affixing the CE Marking

Article 30(1) sets out a clear hierarchy for where the CE marking must appear:

1. Primary location — visibly, legibly, and indelibly on the product itself.
2. Secondary location, if the product nature does not allow or warrant primary affixing — on the packaging and on the EU Declaration of Conformity referred to in Article 28.
3. For software products — either on the EU Declaration of Conformity or on the website accompanying the software product. If the marking is on the website, the relevant section must be easily and directly accessible to consumers.

In practice this means physical hardware products carry a CE mark on the product surface or label. Embedded firmware or integrated software inherits the marking of the host hardware. Standalone applications and downloadable software products use the digital channel — DoC or website — because affixing a physical marking is not possible.

The hierarchy is not optional: a hardware manufacturer cannot choose to display the CE marking only on a website if it could reasonably be affixed to the product or its packaging.

Article 30(2) addresses the physical size of the CE marking. Under the EU's general New Legislative Framework rules and Regulation (EC) No 765/2008 — which Article 16 of the CRA explicitly imports — the CE marking is normally at least 5 mm high. Article 30(2) provides flexibility: the height may be lower than 5 mm where the nature of the product warrants it, provided the marking remains visible and legible.

This matters most for small IoT devices, embedded sensors, and miniature hardware where 5 mm exceeds available surface area. The test is whether the marking can be read in normal product use. A marking smaller than 5 mm that requires magnification to read does not meet the legibility requirement, even if the size reduction is otherwise justified by the product's nature.

Article 30(3) establishes a strict timing rule: the CE marking must be affixed before the product is placed on the market. 'Placing on the market' is defined in Article 3 and refers to the first making available of a specific product on the Union market in the course of a commercial activity.

The practical consequence is that the entire compliance chain must be complete before market placement: conformity assessment, technical documentation, EU Declaration of Conformity, registration where applicable, and then — only after all of these are done — the CE marking. Affixing the marking prematurely, before the conformity assessment is complete, is a violation regardless of whether the product would have been compliant after the assessment.

Article 30(3) also permits the CE marking to be followed by a pictogram or other mark indicating a special cybersecurity risk or use, where such marks are set out in Commission implementing acts under Article 30(6). These pictograms are a forward-looking provision: at the date of writing, the Commission has not yet specified them.

Article 30(4) addresses the marking requirements for products whose conformity assessment involved a notified body. Where the conformity assessment procedure is based on full quality assurance (Module H) under Article 32, the CE marking must be followed by the identification number of the notified body that conducted the assessment.

Who physically affixes the number is also specified: either the notified body itself, or — under the notified body's instructions — the manufacturer or the manufacturer's authorised representative. The instruction-based delegation is essential in practice, because notified bodies do not typically operate on manufacturer production lines; the delegation allows the manufacturer to apply the number while the notified body retains responsibility for its correct use.

Note the scope: Article 30(4) applies specifically to Module H assessments. Other conformity assessment modules under Article 32 do not require the notified body number to follow the CE marking. For Default class products using Module A self-assessment, no notified body number is involved.

Article 30(5) directs Member States to build on existing mechanisms — those already established for the CE marking regime under Regulation (EC) No 765/2008 and other product legislation — to ensure correct application of the CE marking under the CRA, and to take appropriate action against improper use.

Improper use covers a range of scenarios: affixing the CE marking to a non-compliant product, affixing it before the conformity assessment is complete, using a CE-resembling mark on a product that is not subject to CE marking legislation, omitting the notified body identification number where Module H was used, or applying a CE marking that is not visible, legible, or indelible.

Member States typically rely on their national market surveillance authorities to enforce these rules, using the powers set out in Regulation (EU) 2019/1020 as applied by Article 52 of the CRA. Penalties for incorrect CE marking fall under Article 64 of the CRA (Penalties) and can reach the fines applicable to other obligations — up to €10 million or 2% of global annual turnover.

Many products with digital elements are also subject to other Union harmonisation legislation requiring CE marking — for example, the Radio Equipment Directive (RED), the Low Voltage Directive, the Machinery Regulation, or the Medical Device Regulation. Article 30 does not require multiple CE markings on the same product; a single CE marking suffices, and it indicates conformity with all applicable Union harmonisation legislation simultaneously.

Manufacturers must, however, ensure the EU Declaration of Conformity and technical documentation reference each applicable regulation. A CE marking on a product subject to both the CRA and the RED must be backed by a DoC that addresses both regulations and a technical file demonstrating conformity with both sets of essential requirements.

Article 30(6) empowers the European Commission to adopt implementing acts laying down technical specifications for labels, pictograms, or other marks related to:

• the security of products with digital elements;
• their support periods; and
• mechanisms to promote the use of such marks and to increase public awareness about product security.

Before drafting an implementing act, the Commission must consult relevant stakeholders and — once it has been established under Article 52(15) — the Administrative Cooperation Group on Cyber Resilience (ADCO). At the date of writing, no such implementing acts have been adopted, but they are anticipated as the CRA application date approaches. Manufacturers should track Commission consultations in this area, particularly any consultation related to a 'support period' indication that may need to appear alongside the CE marking.

Article 30 is the last step in a sequence — not a standalone obligation. Before reaching Article 30, manufacturers must complete:

1. Confirmation that the product is a 'product with digital elements' within scope (Articles 2 and 3).
2. Classification of the product as Default, Important Class I, Important Class II, or Critical (Annex III, Annex IV).
3. Completion of the cybersecurity risk assessment and Annex I conformity (Articles 6 and 13).
4. Selection and completion of the applicable conformity assessment procedure under Article 32 (self-assessment, Module B+C, or Module H).
5. Compilation of the technical documentation under Article 30 and Annex VII.
6. Drafting and signing the EU Declaration of Conformity under Article 28.
7. Compliance with the general principles of the CE marking set out in Article 16 — which itself imports the general CE marking principles of Regulation (EC) No 765/2008.

Only when all of these are complete does the manufacturer affix the CE marking under Article 30 and place the product on the market.

Article 30 establishes a strict sequencing requirement: the CE marking must only be affixed after the manufacturer has completed all applicable conformity assessment procedures. For default-class products, this means completing the Module A self-certification process, preparing the technical documentation under Annex VII, and drawing up the EU Declaration of Conformity. For Annex III products, the relevant notified body involvement must also be complete.

Affixing the CE marking before completing these steps - even if the manufacturer intends to complete them later - is a violation. The CE marking is a declaration that conformity has been achieved, not an aspiration or a work-in-progress indicator.

Manufacturers should build the conformity assessment process into their product launch timeline, treating it as a mandatory pre-launch gate rather than a parallel or post-launch activity.

Article 30 requires the CE marking to be visible, legible, and indelible. These three requirements have specific practical implications:

Visible: The CE marking must be placed in a position where it can be seen by the user without disassembly or special tools. On physical products, this typically means placement on the product casing, its packaging, or an accompanying label. For digital products, the marking must be accessible in a readily accessible location in the product's interface or documentation.

Legible: The marking must be clear and easy to read. The CE marking has a minimum height of 5mm under EU product regulation conventions. It must be printed or affixed with sufficient contrast against its background to be readable.

Indelible: The marking must not be easily removed or defaced during normal product use, transport, or storage. Adhesive labels that peel off easily may not satisfy the indelibility requirement for physical products - the marking should be engraved, moulded, printed, or otherwise permanently affixed.

Where the nature of the product makes it impossible to affix the CE marking on the product itself (for example, a software-only product distributed electronically, or a very small component), Article 30 allows the marking to appear on the packaging, on a label attached to the product, or in the accompanying documentation.

For purely digital software products, the CE marking can be included in the installation interface, the product's 'about' section, the product's user interface, or in documentation provided with the product. The key requirement is that it is accessible to the user and clearly associated with the product.

For products sold with multiple items (for example, a device with accessories and documentation), the CE marking must be visible on the primary product - placing it only on a box insert that users may discard is not sufficient.

Article 30 prohibits the affixing of any marking, sign, or inscription that could be confused with the CE marking or that could mislead users about the product's compliance status. This prohibition targets spurious markings designed to give the impression of compliance when none exists.

Specific examples of prohibited markings include imitations of the CE marking format (the two-letter stylised logo), claims of 'EU cybersecurity certified' without a formal certification process, or third-party security seals that imply regulatory compliance without a proper basis.

Manufacturers using legitimate third-party security certifications - such as Common Criteria, SOC 2, or sector-specific security labels - may display those certifications alongside the CE marking, but must ensure they are clearly distinguished from the CE marking and do not create confusion about the regulatory basis of compliance.

For Annex III products where a notified body has been involved in the conformity assessment, the notified body's identification number must appear alongside the CE marking. The number must be in the same field of vision as the CE marking and must be visible without any disassembly.

The notified body number is a four-digit identifier assigned to the body at the time of its notification and listed in the NANDO database. Including this number signals to market surveillance authorities and users that a third-party assessment was conducted, enabling them to identify the assessing body and retrieve the assessment records.

For default-class products (no notified body involvement), the CE marking appears alone without any notified body number - the absence of a number is not an error but rather the correct presentation for self-certified products.