Conformity Assessment Procedure
A Conformity Assessment Procedure is the formal process by which a manufacturer demonstrates that a product meets applicable EU essential requirements before affixing the CE mark and placing it on the market. Under the Cyber Resilience Act, the required procedure depends on the product's risk classification.
What Is a Conformity Assessment Procedure?
A Conformity Assessment Procedure is the systematic process by which a manufacturer evaluates whether a product complies with the essential requirements of applicable EU legislation before placing it on the market. The New Legislative Framework (NLF) defines a set of standardised assessment modules (A through H) that EU regulations can select from. Each module specifies who performs the assessment (the manufacturer alone, or a Notified Body), what is examined (design, production, or both), and what evidence is produced (technical documentation, test reports, quality system certificates). The chosen module determines the rigour and cost of the compliance path. Under the CRA, the applicable procedure is determined by the product's risk class.
CRA Conformity Assessment Routes by Product Class
The CRA establishes three assessment routes linked to product classification:
Default-class products (the majority of products with digital elements): Manufacturers may use internal production control (analogous to Module A). They produce technical documentation per Annex VII, conduct their own conformity assessment against Annex I essential requirements, issue a declaration of conformity, and affix the CE mark. No third-party involvement is required.
Important Class I products (higher-risk but not the highest tier): Manufacturers may self-certify by applying harmonised standards or common technical specifications. Alternatively, they may involve a Notified Body.
Important Class II products (highest-risk categories): Third-party assessment by a Notified Body is mandatory unless the product fully complies with published harmonised standards. Available routes are EU Type-Examination (Module B + C/D/H) or full quality assurance (Module H).
Documentation Requirements for All Procedures
Regardless of which assessment route is followed, the CRA requires manufacturers to produce and retain technical documentation that demonstrates conformity. This documentation must include:
- a general product description and intended use;
- design and development records, including threat models and risk assessments;
- a list of applied harmonised standards or common technical specifications;
- a description of the secure development lifecycle processes;
- vulnerability handling policies and procedures;
- test reports;
- the declaration of conformity itself.
This documentation must be retained for ten years after the product is placed on the market and made available to market surveillance authorities on request. CVD Portal's compliance module generates many of the vulnerability-handling documentation components required for the technical file.
Common Pitfalls in Conformity Assessment
Manufacturers frequently encounter the following problems when preparing for conformity assessment:
- Misclassifying product risk: Assigning a product to default class when it meets Important Class criteria invalidates the entire conformity assessment.
- Incomplete technical documentation: Missing threat models, absent SBOM, or undocumented vulnerability handling processes are the most common gaps found during assessment.
- Stale documentation: Technical files that have not been updated after significant product changes no longer reflect the assessed product.
- Missing declaration of conformity: Products must not be placed on the market without a signed, version-specific declaration of conformity.
- No update mechanism: Documenting how security updates will be delivered throughout the support period is a mandatory Annex I requirement that is often overlooked.
CVD Portal makes Conformity Assessment Procedure compliance straightforward.
Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.
Frequently asked
Can I self-certify all products under the CRA?
No. Self-certification (internal production control without a Notified Body) is available for default-class products and for Important Class I products that apply relevant harmonised standards. Important Class II products require Notified Body involvement unless full harmonised standards compliance can be demonstrated. Even for self-certified products, the manufacturer must produce complete technical documentation and a signed declaration of conformity.
Does conformity assessment need to be repeated for software updates?
Not necessarily. Minor updates that do not affect the security-relevant design or essential requirement compliance of a product typically do not require a new assessment. However, significant changes — such as adding new network interfaces, changing the authentication mechanism, or substantially altering the update mechanism — may require the technical documentation and assessment to be revisited. For Notified Body assessments, the body must be notified of changes and will determine whether re-assessment is needed.
How does conformity assessment differ from penetration testing?
Conformity assessment is a formal compliance verification process that covers documentation, processes, and product characteristics. Penetration testing is one technical input that may be used as evidence within a conformity assessment, but it is not the same thing. A product can have a penetration test report without completing a full conformity assessment, and a conformity assessment can be conducted without commissioning a new penetration test if other sufficient evidence exists.