First: is your product even in scope?
Conformity assessment only matters if the CRA applies at all. The Act covers products with digital elements — software or firmware that can connect to a device or network — made available on the EU market. Some products are carved out because other Union law already covers them:
- Medical devices (covered by MDR / IVDR).
- Motor vehicles (covered by type-approval law).
- Civil aviation (covered by aviation-security law).
- Standalone hosted SaaS that is not a product placed on the market — only remote-data-processing solutions integral to a product are in scope.
The three product classes and their routes
The CRA's conformity-assessment procedures (Article 32) attach a route to each class:
- Default — Module A (self-assessment) — no Annex III or Annex IV match. Conformity based on internal control, no notified body. The largest population of in-scope products.
- Important, Class I — Module A or notified body — Annex III, Class I. Self-assessment is available only where harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements; otherwise a notified body (Module B+C or Module H) is required.
- Important, Class II — notified body — Annex III, Class II. A notified body (Module B+C or Module H) is required; self-assessment is not available.
- Critical — notified body (+ possible EUCC) — Annex IV. A notified body is required, and a European cybersecurity certificate (EUCC, assurance level "substantial") may be mandated under a future delegated act.
Annex III, Class I — important products (19 categories)
These products may still self-assess under Module A where the essential requirements are fully covered by standards, common specifications or a certificate; otherwise they go to a notified body. The full Class I list:
- Identity & privileged-access management (incl. authentication/access-control readers, biometric readers)
- Standalone and embedded browsers
- Password managers
- Software that searches for, removes or quarantines malicious software
- Virtual private network (VPN) products
- Network management systems
- Security information and event management (SIEM) systems
- Boot managers
- Public key infrastructure and digital-certificate issuance software
- Physical and virtual network interfaces
- Operating systems
- Routers, modems intended for internet connection, and switches
- Microprocessors with security-related functionalities
- Microcontrollers with security-related functionalities
- ASICs and FPGAs with security-related functionalities
- Smart-home general-purpose virtual assistants
- Smart-home products with security functionalities (smart locks, security cameras, baby monitors, alarm systems)
- Internet-connected toys (Dir. 2009/48/EC) with social-interactive or location-tracking features
- Personal wearables with health-monitoring purpose (outside MDR/IVDR), or wearables intended for children
Annex III, Class II — important products (4 categories)
A notified body is always required for these — self-assessment is off the table:
- Hypervisors and container-runtime systems supporting virtualised OS execution
- Firewalls, intrusion detection and prevention systems
- Tamper-resistant microprocessors
- Tamper-resistant microcontrollers
Annex IV — critical products (3 categories)
The highest tier: a notified body is required, and a European cybersecurity certificate may additionally be mandated under a future delegated act.
- Hardware devices with security boxes
- Smart-meter gateways (Dir. (EU) 2019/944) and other devices for secure cryptoprocessing
- Smartcards or similar devices, including secure elements
Self-assessment vs notified body — what changes
- Module A (internal control) — you assess the product yourself, assemble the Annex VII technical documentation, and sign the EU Declaration of Conformity under your sole responsibility. No external body, no third-party fee.
- Notified-body routes (Module B+C or Module H) — an independent, accredited conformity-assessment body is involved before you can declare conformity. The Declaration of Conformity then additionally names the notified body, its number and the certificate.
After the route: the same core dossier
Whatever the route, the product ends with the same core deliverables: the Annex VII technical documentation, the EU Declaration of Conformity (Annex V) stating conformity with Regulation (EU) 2024/2847, and the CE marking. The notified-body routes simply add the body's certificate to that file.