What "internal control" actually means
Under the CRA's conformity-assessment procedures (Article 32), a product that matches none of the Annex III or Annex IV categories — a "default" product — uses Module A. For any such product the route is self-assessment, no third party is required, and it is the largest population of in-scope products.
Internal control means you, the manufacturer, carry out the assessment in-house. You do not engage a notified body, you do not pay for an external audit, and you decide when the product conforms. In exchange, you carry full legal responsibility for that judgement. Concretely, the route asks you to:
- Assess against Annex I — evaluate the product against the CRA essential requirements — both the product-property requirements in Annex I Part I and the vulnerability-handling requirements in Part II.
- Draw up the technical documentation — compile and keep the Annex VII technical file that evidences how each requirement is met.
- Issue the Declaration of Conformity — sign the EU Declaration of Conformity (Annex V), which is issued "under the sole responsibility of the manufacturer".
When Module A is available — and when it is not
Module A is not available for every product. The CRA reserves it for lower-risk products and removes it as criticality rises. Classify the product first:
- Default products — no Annex III or Annex IV match — Module A self-assessment, always available. This is the bulk of in-scope products.
- Important products, Class I (19 categories) — Annex III, Class I. Self-assessment is available only if harmonised standards, common specifications or a cybersecurity certificate fully cover the essential requirements; otherwise a notified body (Module B+C or Module H) is required.
- Important products, Class II (4 categories) — Annex III, Class II. A notified body is required — self-assessment is not available.
- Critical products (3 categories) — Annex IV. A notified body is required, and a European cybersecurity certificate (EUCC, assurance level "substantial") may be mandated under a future delegated act.
What the self-assessment has to cover
The essential requirements live in CRA Annex I. A complete self-assessment works through three parts that map onto how the Act is written, and together they cover all 22 points of Annex I:
- Secure-development lifecycle — how you build and maintain the product — security management, security requirements, secure-by-design, secure implementation, verification and validation testing, handling of reported vulnerabilities (including coordinated vulnerability disclosure), security-update management, and user security guidance.
- Product security properties — what the product itself does — secure-by-default configuration, access control, confidentiality (encryption at rest and in transit), integrity protection, availability and resilience, no harm to other networks, security logging, and secure data removal.
- CRA-specific duties — data minimisation, automatic security updates with an easy opt-out, and the Annex II user-information set (manufacturer identity and contact, intended use and known limitations, the support/end-of-life date, secure-setup instructions, and where to report a vulnerability).
The standards you assess against
Module A does not mean assessing against nothing — you argue conformity against recognised technical standards. The standards in scope today are:
- IEC 62443-4-1 — Secure product development lifecycle requirements
- IEC 62443-4-2 — Technical security requirements for IACS components
- EN 18031 — Common security requirements for radio equipment (RED)
Harmonised standards: an important nuance
The CRA's harmonised standards (developed by CEN/CENELEC) are still being finalised. Until the EU cites a standard in the Official Journal as a harmonised standard, applying it does not give you a formal presumption of conformity. In that interim you cite it in your technical documentation and Declaration of Conformity as an "other technical solution", not as a harmonised standard. The substance of the assessment is the same; the legal weight of the citation is what differs.
What Module A produces — the dossier
Completing Module A produces a specific, auditable set of artefacts. A market-surveillance authority can ask for any of them, so the file has to be real and retrievable:
- Technical documentation (Annex VII) — the eight-element file, from the general product description through the per-requirement risk assessment to the software bill of materials.
- EU Declaration of Conformity (Annex V) — your signed statement that the product is in conformity with Regulation (EU) 2024/2847.
- CE marking — affixed once conformity is established, signalling that the product meets the applicable Union requirements.