← CRA Glossary
CRA Legal Terms

CE Marking (Cybersecurity)

The CE mark is the mandatory conformity marking that manufacturers must affix to products with digital elements before placing them on the EU market under the CRA. It indicates that the product meets the CRA's essential cybersecurity requirements and has passed the applicable conformity assessment procedure.

The CE mark is the mandatory conformity marking that manufacturers must affix to products with digital elements before placing them on the EU market under the CRA. It indicates that the product meets the CRA's essential cybersecurity requirements and has passed the applicable conformity assessment procedure.

CRA Legal Terms
Free CVD portal →

What Is CE Marking Under the CRA?

The CE mark ('Conformité Européenne') is a mandatory product marking used across EU product safety legislation to indicate that a product meets applicable EU requirements. Under the CRA, manufacturers of products with digital elements must affix the CE mark before placing their product on the EU market — it serves as a declaration that the product meets the Annex I essential cybersecurity requirements and that the appropriate conformity assessment procedure has been completed. The CE mark does not indicate EU government approval or third-party certification in all cases; for Default and Class I products under harmonised standards, it represents the manufacturer's own declaration backed by technical documentation.

CRA reference:Article 28, Article 30

Prerequisites for CE Marking

Before affixing the CE mark for CRA compliance, a manufacturer must:

  1. Confirm the product is a product with digital elements within the CRA's scope.
  2. Determine the product's Annex III classification (Default, Class I, Class II, Critical).
  3. Complete the applicable conformity assessment procedure (self-assessment for Default and Class I with harmonised standards; notified body for Class II and Critical).
  4. Compile technical documentation demonstrating compliance with Annex I requirements.
  5. Sign an EU Declaration of Conformity (EU DoC).
  6. Register the product in the EU database (required for Important and Critical class products).

Only after steps 1–6 may the CE mark be affixed.

CRA reference:Article 28, Article 30, Article 32

CE Marking and Ongoing Obligations

CE marking under the CRA is not a one-time certification — the manufacturer's ongoing compliance obligations continue after the mark is affixed. Key post-marking obligations:

  • Vulnerability monitoring — the manufacturer must continue monitoring for vulnerabilities in the product and patching them.
  • Advisory publication — security advisories must be published when patches are released.
  • ENISA notification — actively exploited vulnerabilities must be reported within 24 hours.
  • Technical documentation updates — documentation must be kept current as the product evolves.
  • Significant modifications — if the product is substantially modified after CE marking, the conformity assessment must be repeated and a new DoC signed.

Market surveillance authorities can require withdrawal of the CE mark if ongoing obligations are not met.

CRA reference:Article 28, Article 30, Article 14

CE Marking for CRA vs. Other Directives

Many products are subject to multiple EU regulatory frameworks, each with its own CE marking requirements. For example, a connected consumer device may need to satisfy both the Radio Equipment Directive (RED) and the CRA. Where multiple frameworks apply:

  • A single CE mark is used, but the product must meet the requirements of all applicable frameworks.
  • The technical documentation must address all applicable requirements.
  • The DoC must reference all applicable EU legislation.
  • If frameworks conflict, the more specific regulation takes precedence.

From August 2025, the Radio Equipment Directive's cybersecurity delegated regulation (EU 2022/30) applied — CRA compliance will largely supersede this for in-scope products, but manufacturers must track the transition carefully.

CVD Portal makes CE Marking (Cybersecurity) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

When can we start affixing the CE mark for CRA compliance?+

The CRA's application date for most obligations is 11 December 2027. Products placed on the market before that date are not required to carry a CRA CE mark. From 11 December 2027, all new products within scope must be CE marked under the CRA before market placement. Manufacturers should complete conformity assessment and technical documentation in advance of this date, not at the last moment.

Does a CE mark from another directive (e.g. RED or LVD) satisfy CRA requirements?+

No. CE marking under the Radio Equipment Directive or Low Voltage Directive satisfies those directives' requirements but does not demonstrate CRA compliance. The CRA introduces new, specific cybersecurity requirements that were not previously part of RED or LVD. Manufacturers must complete CRA conformity assessment independently and update their Declaration of Conformity to reference the CRA.

Can we sell in the EU without a CE mark after December 2027?+

No. From 11 December 2027, products with digital elements within the CRA's scope cannot be lawfully placed on the EU market without a CE mark indicating CRA conformity. Products already on the market before that date may continue to be sold during a transitional period, but new units entering the market must comply. Market surveillance authorities can order withdrawal and recall of non-CE-marked products.

Related terms

Conformity AssessmentConformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.EU Declaration of Conformity (DoC)The EU Declaration of Conformity is a formal document signed by the manufacturer (or authorised representative) declaring that a product meets the essential requirements of all applicable EU regulations, including the CRA. It must be drawn up before the CE mark is affixed and kept available for market surveillance authorities for at least 10 years.Technical Documentation (CRA)Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.Annex III Important Product ClassificationAnnex III of the EU Cyber Resilience Act lists product categories classified as 'Important' (Class I or Class II) or 'Critical', which are subject to stricter conformity assessment requirements than the Default class. Most products not listed in Annex III fall into the Default class and can self-certify.

CRA articles using this term

Article 20EU Declaration of Conformity and CE Marking RequirementsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how CE Marking (Cybersecurity) fits into your complete CRA compliance programme.

View checklists →