← CRA Glossary
CRA Legal Terms

Conformity Assessment

Conformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.

Conformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.

CRA Legal Terms
Free CVD portal →

What Is Conformity Assessment?

Conformity assessment is the structured process through which a manufacturer demonstrates to itself and to regulators that its product complies with the applicable legal requirements — in the CRA's case, the Annex I essential cybersecurity requirements. The CRA defines multiple conformity assessment routes in Article 32, ranging from manufacturer self-assessment to mandatory third-party evaluation by an accredited notified body. The chosen route must be documented in technical documentation and the outcome is a signed EU Declaration of Conformity. Products that pass conformity assessment and have technical documentation in order may bear a CE mark.

CRA reference:Article 32

Self-Assessment (Module A)

The internal production control module (Module A) allows manufacturers to self-assess conformity without a third party. This route is available to:

  • Default class products — all products not listed in Annex III.
  • Important Class I products — only when a harmonised European standard covering the CRA requirements is applied.
  1. Perform and document security testing against the essential requirements.
  2. Maintain technical documentation.
  3. Establish quality management procedures for ongoing conformity.
  4. Sign the EU Declaration of Conformity.
  5. Affix the CE mark.

Self-assessment does not mean self-certification without evidence — the manufacturer must hold substantive technical documentation and be able to produce it on request.

CRA reference:Article 32, Annex VIII

Third-Party Assessment (Notified Bodies)

Important Class II products require mandatory third-party conformity assessment. Manufacturers must engage an EU-notified body — an accredited independent organisation designated by a national authority — to assess compliance. Two third-party module options are available:

  • Module B+C (EU Type-Examination + Production conformity): The notified body examines the product design and a representative unit; the manufacturer self-certifies production conformity.
  • Module H (Full Quality Assurance): The notified body assesses the manufacturer's entire quality management system.

For Critical products (Annex IV), assessment must be based on a European Cybersecurity Certification Scheme where one exists. Given limited notified body capacity, manufacturers should begin engagement at least 12–18 months before the December 2027 application date.

CRA reference:Article 32, Annex IX, Annex X

Preparing for Conformity Assessment

Manufacturers preparing for conformity assessment should compile:

  • Product description and classification rationale — why the product is classified at its assigned level.
  • Threat model and risk assessment — documented analysis of the attack surface and security risks.
  • Security architecture documentation — how Part I requirements are met (cryptography, access control, update mechanism).
  • SBOM — full component inventory.
  • Penetration test reports — independent testing results.
  • CVD policy and advisory archive — evidence of Part II process compliance.
  • Patch history — record of vulnerabilities identified and remediated.
  • Declaration of Conformity — signed by an authorised representative.

Notified bodies will assess the completeness and accuracy of this documentation package.

CVD Portal makes Conformity Assessment compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

How long does conformity assessment take for a Class II product?+

Third-party conformity assessment by a notified body typically takes 3–9 months depending on product complexity, documentation readiness, and notified body capacity. With the December 2027 deadline, and given that notified bodies across the EU are already scheduling CRA assessments, manufacturers of Class II products should initiate the process no later than early 2026. Preparation of complete technical documentation before engaging the notified body is critical to avoiding delays.

Does conformity assessment need to be repeated if we update our product?+

Significant changes to a product — particularly changes that affect security-relevant functions (cryptographic implementation, update mechanism, network interfaces) — require reassessment. The manufacturer must determine whether the change constitutes a 'substantial modification' under the CRA, which would require a new or updated Declaration of Conformity. Minor bug fixes and security patches typically do not require reassessment, but must still be reflected in updated technical documentation.

Can we self-certify a Class I Important Product?+

Yes, but only if you apply a harmonised European standard that covers the CRA's essential requirements for your product type. Without a harmonised standard, Class I products require an EU-type examination by a notified body (Module B). Once harmonised standards are formally designated by the European Commission, manufacturers who comply with them gain a presumption of conformity and may self-certify. Until then, Class I manufacturers without a harmonised standard should plan for notified body engagement.

Related terms

CE Marking (Cybersecurity)The CE mark is the mandatory conformity marking that manufacturers must affix to products with digital elements before placing them on the EU market under the CRA. It indicates that the product meets the CRA's essential cybersecurity requirements and has passed the applicable conformity assessment procedure.EU Declaration of Conformity (DoC)The EU Declaration of Conformity is a formal document signed by the manufacturer (or authorised representative) declaring that a product meets the essential requirements of all applicable EU regulations, including the CRA. It must be drawn up before the CE mark is affixed and kept available for market surveillance authorities for at least 10 years.Technical Documentation (CRA)Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.Annex III Important Product ClassificationAnnex III of the EU Cyber Resilience Act lists product categories classified as 'Important' (Class I or Class II) or 'Critical', which are subject to stricter conformity assessment requirements than the Default class. Most products not listed in Annex III fall into the Default class and can self-certify.

CRA articles using this term

Article 20EU Declaration of Conformity and CE Marking RequirementsArticle 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital ElementsAnnex IVCritical Products with Digital Elements — Highest-Risk Classification

Browse the full CRA Compliance Checklist

See how Conformity Assessment fits into your complete CRA compliance programme.

View checklists →