CRA conformity

CRA conformity assessment: which route applies to your product

The Cyber Resilience Act (Regulation (EU) 2024/2847) makes conformity assessment mandatory before a product with digital elements is placed on the EU market — but it does not apply one procedure to everything. The route depends on how critical the product is, and that is fixed by whether the product appears in Annex III (important products, Classes I and II) or Annex IV (critical products).

This page explains the three product classes, the conformity-assessment route each one takes, and how to find your product's class.

First: is your product even in scope?

Conformity assessment only matters if the CRA applies at all. The Act covers products with digital elements — software or firmware that can connect to a device or network — made available on the EU market. Some products are carved out because other Union law already covers them:

  • Medical devices (covered by MDR / IVDR).
  • Motor vehicles (covered by type-approval law).
  • Civil aviation (covered by aviation-security law).
  • Standalone hosted SaaS that is not a product placed on the market — only remote-data-processing solutions integral to a product are in scope.

The three product classes and their routes

The CRA's conformity-assessment procedures (Article 32) attach a route to each class:

  • Default — Module A (self-assessment)no Annex III or Annex IV match. Conformity based on internal control, no notified body. The largest population of in-scope products.
  • Important, Class I — Module A or notified bodyAnnex III, Class I. Self-assessment is available only where harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements; otherwise a notified body (Module B+C or Module H) is required.
  • Important, Class II — notified bodyAnnex III, Class II. A notified body (Module B+C or Module H) is required; self-assessment is not available.
  • Critical — notified body (+ possible EUCC)Annex IV. A notified body is required, and a European cybersecurity certificate (EUCC, assurance level "substantial") may be mandated under a future delegated act.

Annex III, Class I — important products (19 categories)

These products may still self-assess under Module A where the essential requirements are fully covered by standards, common specifications or a certificate; otherwise they go to a notified body. The full Class I list:

  • Identity & privileged-access management (incl. authentication/access-control readers, biometric readers)
  • Standalone and embedded browsers
  • Password managers
  • Software that searches for, removes or quarantines malicious software
  • Virtual private network (VPN) products
  • Network management systems
  • Security information and event management (SIEM) systems
  • Boot managers
  • Public key infrastructure and digital-certificate issuance software
  • Physical and virtual network interfaces
  • Operating systems
  • Routers, modems intended for internet connection, and switches
  • Microprocessors with security-related functionalities
  • Microcontrollers with security-related functionalities
  • ASICs and FPGAs with security-related functionalities
  • Smart-home general-purpose virtual assistants
  • Smart-home products with security functionalities (smart locks, security cameras, baby monitors, alarm systems)
  • Internet-connected toys (Dir. 2009/48/EC) with social-interactive or location-tracking features
  • Personal wearables with health-monitoring purpose (outside MDR/IVDR), or wearables intended for children

Annex III, Class II — important products (4 categories)

A notified body is always required for these — self-assessment is off the table:

  • Hypervisors and container-runtime systems supporting virtualised OS execution
  • Firewalls, intrusion detection and prevention systems
  • Tamper-resistant microprocessors
  • Tamper-resistant microcontrollers

Annex IV — critical products (3 categories)

The highest tier: a notified body is required, and a European cybersecurity certificate may additionally be mandated under a future delegated act.

  • Hardware devices with security boxes
  • Smart-meter gateways (Dir. (EU) 2019/944) and other devices for secure cryptoprocessing
  • Smartcards or similar devices, including secure elements

Self-assessment vs notified body — what changes

  • Module A (internal control)you assess the product yourself, assemble the Annex VII technical documentation, and sign the EU Declaration of Conformity under your sole responsibility. No external body, no third-party fee.
  • Notified-body routes (Module B+C or Module H)an independent, accredited conformity-assessment body is involved before you can declare conformity. The Declaration of Conformity then additionally names the notified body, its number and the certificate.

After the route: the same core dossier

Whatever the route, the product ends with the same core deliverables: the Annex VII technical documentation, the EU Declaration of Conformity (Annex V) stating conformity with Regulation (EU) 2024/2847, and the CE marking. The notified-body routes simply add the body's certificate to that file.

Not sure which CRA route is yours?

The free scope checker walks the Annex III / Annex IV categories and returns your product class and conformity route in a minute.

Frequently asked questions

What is conformity assessment under the CRA?

It is the procedure by which a product with digital elements is shown to meet the Cyber Resilience Act's essential requirements before being placed on the EU market. The CRA sets different procedures by product class: self-assessment (Module A) for most products, and a notified-body route (Module B+C or Module H) for higher-risk classes.

When do I need a notified body under the CRA?

For important products in Annex III Class II and for critical products in Annex IV. Important Class I products need one only where harmonised standards, common specifications or a cybersecurity certificate do not fully cover the essential requirements. Default products never need one.

What is the difference between Module A, Module B+C and Module H?

Module A is self-assessment based on internal control — the manufacturer alone. Module B+C and Module H are notified-body routes, where an accredited third party is involved before conformity can be declared. The class of the product (Annex III or IV) decides which is available.

How do I know my product's class?

Check it against Annex III (important products, Classes I and II) and Annex IV (critical products). If it matches none of those categories it is a "default" product and self-assesses under Module A. Reglyze's free CRA scope checker walks the categories and returns the route.

Are critical products treated differently?

Yes. Annex IV critical products always require a notified body, and a European cybersecurity certificate (EUCC at assurance level "substantial") may be mandated for them under a future delegated act.

Is SaaS in scope of the CRA?

Standalone hosted SaaS is generally not a "product placed on the market" and is outside CRA scope; only remote-data-processing solutions that are integral to a product with digital elements are in scope.

Get CRA-ready, without the consultancy bill

Start with the free scope check, then let Reglyze guide the self-assessment and assemble your Annex VII file and Declaration of Conformity.