CRA Module A

CRA Module A self-assessment: the internal-control route to conformity

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) makes the manufacturer responsible for proving that a product with digital elements meets the Act's essential cybersecurity requirements before it is placed on the EU market. For the large majority of products — those that fall in no Annex III or Annex IV category — that proof is produced by the manufacturer alone, with no notified body involved. That route is Module A: conformity assessment based on internal control.

Module A is the default route and the lowest-cost one. You assess the product against the essential requirements, assemble the technical documentation, and issue the EU Declaration of Conformity under your own sole responsibility. This page explains exactly what Module A covers, when you are allowed to use it, and what the resulting dossier must contain.

What "internal control" actually means

Under the CRA's conformity-assessment procedures (Article 32), a product that matches none of the Annex III or Annex IV categories — a "default" product — uses Module A. For any such product the route is self-assessment, no third party is required, and it is the largest population of in-scope products.

Internal control means you, the manufacturer, carry out the assessment in-house. You do not engage a notified body, you do not pay for an external audit, and you decide when the product conforms. In exchange, you carry full legal responsibility for that judgement. Concretely, the route asks you to:

  • Assess against Annex Ievaluate the product against the CRA essential requirements — both the product-property requirements in Annex I Part I and the vulnerability-handling requirements in Part II.
  • Draw up the technical documentationcompile and keep the Annex VII technical file that evidences how each requirement is met.
  • Issue the Declaration of Conformitysign the EU Declaration of Conformity (Annex V), which is issued "under the sole responsibility of the manufacturer".

When Module A is available — and when it is not

Module A is not available for every product. The CRA reserves it for lower-risk products and removes it as criticality rises. Classify the product first:

  • Default productsno Annex III or Annex IV match — Module A self-assessment, always available. This is the bulk of in-scope products.
  • Important products, Class I (19 categories)Annex III, Class I. Self-assessment is available only if harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements; otherwise a notified body (Module B+C or Module H) is required.
  • Important products, Class II (4 categories)Annex III, Class II. A notified body is required — self-assessment is not available.
  • Critical products (3 categories)Annex IV. A notified body is required, and a European cybersecurity certificate (EUCC, assurance level "substantial") may be mandated under a future delegated act.

What the self-assessment has to cover

The essential requirements live in CRA Annex I. A complete self-assessment works through three parts that map onto how the Act is written, and together they cover all 22 points of Annex I:

  • Secure-development lifecyclehow you build and maintain the product — security management, security requirements, secure-by-design, secure implementation, verification and validation testing, handling of reported vulnerabilities (including coordinated vulnerability disclosure), security-update management, and user security guidance.
  • Product security propertieswhat the product itself does — secure-by-default configuration, access control, confidentiality (encryption at rest and in transit), integrity protection, availability and resilience, no harm to other networks, security logging, and secure data removal.
  • CRA-specific dutiesdata minimisation, automatic security updates with an easy opt-out, and the Annex II user-information set (manufacturer identity and contact, intended use and known limitations, the support/end-of-life date, secure-setup instructions, and where to report a vulnerability).

The standards you assess against

Module A does not mean assessing against nothing — you argue conformity against recognised technical standards. The standards in scope today are:

  • IEC 62443-4-1Secure product development lifecycle requirements
  • IEC 62443-4-2Technical security requirements for IACS components
  • EN 18031Common security requirements for radio equipment (RED)

Harmonised standards: an important nuance

The CRA's harmonised standards (developed by CEN/CENELEC) are still being finalised. Until the EU cites a standard in the Official Journal as a harmonised standard, applying it does not give you a formal presumption of conformity. In that interim you cite it in your technical documentation and Declaration of Conformity as an "other technical solution", not as a harmonised standard. The substance of the assessment is the same; the legal weight of the citation is what differs.

What Module A produces — the dossier

Completing Module A produces a specific, auditable set of artefacts. A market-surveillance authority can ask for any of them, so the file has to be real and retrievable:

  • Technical documentation (Annex VII)the eight-element file, from the general product description through the per-requirement risk assessment to the software bill of materials.
  • EU Declaration of Conformity (Annex V)your signed statement that the product is in conformity with Regulation (EU) 2024/2847.
  • CE markingaffixed once conformity is established, signalling that the product meets the applicable Union requirements.

Not sure which CRA route is yours?

The free scope checker walks the Annex III / Annex IV categories and returns your product class and conformity route in a minute.

Frequently asked questions

Can I self-assess my product under the CRA?

If your product matches none of the Annex III or Annex IV categories — a "default" product — yes: it uses Module A, conformity assessment based on internal control, with no notified body. Important Class I products can also self-assess, but only where harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements. Class II and critical products cannot self-assess.

What is Module A under the Cyber Resilience Act?

Module A is "conformity assessment based on internal control". The manufacturer assesses the product against the CRA essential requirements (Annex I), draws up the technical documentation (Annex VII), and issues the EU Declaration of Conformity (Annex V) under its sole responsibility — without engaging a notified body.

Do I need a notified body for the CRA?

Not for default products, and not for Important Class I products where harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements. You do need a notified body for Important Class II products and for critical (Annex IV) products.

What documents does a CRA self-assessment produce?

The technical documentation set in Annex VII (eight elements) and the EU Declaration of Conformity in Annex V, plus the CE marking once conformity is established.

Which standards do I assess against?

Today, IEC 62443-4-1, IEC 62443-4-2 and EN 18031. None is yet cited as a CRA harmonised standard, so applying them is treated as an "other technical solution" rather than giving an automatic presumption of conformity.

Is Module A cheaper than a notified-body route?

Yes. Internal control involves no third-party assessment fee and no external audit. The cost is the manufacturer's own time to assess the product and assemble the dossier — plus full legal responsibility for the conformity decision.

Get CRA-ready, without the consultancy bill

Start with the free scope check, then let Reglyze guide the self-assessment and assemble your Annex VII file and Declaration of Conformity.