CE Marking for Software Under the CRA: A Step-by-Step Guide
CE marking has traditionally been associated with physical products — toys, machinery, medical devices. Under the EU Cyber Resilience Act, it now applies to software and all products with digital elements. If you sell software to EU customers, you will need to understand CE marking for the first time.
This guide walks you through the entire process, from determining whether you need CE marking to drafting your EU Declaration of Conformity.
What Is CE Marking?
The CE mark is a declaration by the manufacturer that the product meets all applicable EU requirements. It is not a quality mark or a certification issued by a third party — it is the manufacturer's own assertion, backed by technical documentation and conformity assessment.
Under the CRA (Regulation 2024/2847), the CE mark signifies that your product meets the essential cybersecurity requirements in Annex I and that you have followed the appropriate conformity assessment procedure.
When Is CE Marking Required?
CE marking is required before placing any product with digital elements on the EU market, starting December 11, 2027. This includes:
- Standalone software applications distributed to EU customers
- Firmware and embedded software in hardware devices
- Software libraries and SDKs distributed as standalone products
- IoT devices and connected hardware
- Desktop and mobile applications
If your product is purely SaaS with no on-device component, CE marking under the CRA does not apply. But any downloadable component — an agent, a CLI tool, a mobile app — triggers the requirement.
Step 1: Classify Your Product
Your product classification determines which conformity assessment path you follow:
- Default category: self-assessment (Module A) is sufficient
- Important Class I: self-assessment is allowed if you fully apply a harmonized standard that covers all essential requirements. Otherwise, third-party assessment is required.
- Important Class II: third-party assessment by a notified body is always required
- Critical (Annex IV): European cybersecurity certification or third-party assessment is required
Most software products fall in the default category, meaning self-assessment is the path forward. See our conformity assessment guide for detailed information on each path.
Step 2: Meet the Essential Requirements
Before you can CE-mark your product, you must meet the essential cybersecurity requirements in Annex I. This includes both the security requirements (Section 1) and the vulnerability handling requirements (Section 2):
- Product delivered without known exploitable vulnerabilities
- Secure default configuration
- Access control and authentication mechanisms
- Data protection (confidentiality and integrity)
- SBOM created and maintained
- Vulnerability disclosure policy in place
- Security update mechanism implemented
- Support period defined and communicated
Step 3: Compile Technical Documentation
You must prepare a technical documentation package that demonstrates compliance. This includes:
- General product description and intended use
- Design and development documentation
- Risk assessment and how risks are addressed
- SBOM in CycloneDX or SPDX format
- Test reports from security testing
- Description of vulnerability handling processes
- Support period and update policy
- User instructions for secure installation and use
Technical documentation must be kept for 10 years after the product is placed on the market, or for the duration of the support period, whichever is longer.
Step 4: Perform Conformity Assessment
For default category products (self-assessment under Module A):
- Review your technical documentation against each Annex I requirement
- Verify that your product meets every applicable essential requirement
- Ensure your vulnerability handling processes are operational
- Confirm your SBOM is current and complete
- Document your assessment conclusions
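As an added example that is not part of the original guide or Complaro's own tooling, a small Python check for the "SBOM is current and complete" item in the self-assessment list above. It runs over a constructed CycloneDX JSON SBOM; the field names are CycloneDX's, while the sample data, the assessment date and the 30-day freshness limit are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CycloneDX 1.5 JSON SBOM (not a real product's SBOM).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2027-11-01T09:00:00Z",
    "component": {"type": "application", "name": "example-agent", "version": "2.4.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "libbar", "version": "0.9.1"},
    {"type": "library", "name": "libbaz"}
  ]
}
""")

# Assumed date on which the self-assessment is performed.
ASSESSMENT_DATE = datetime(2027, 11, 15, tzinfo=timezone.utc)

def check_sbom(sbom, release_version, now, max_age_days=30):
    """Return a list of findings; an empty list means the SBOM passed the checks."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    meta = sbom.get("metadata", {})
    top = meta.get("component", {})
    # Current: the SBOM must describe the exact release being assessed ...
    if top.get("version") != release_version:
        findings.append(f"metadata.component.version {top.get('version')!r} != release {release_version!r}")
    # ... and must have been generated recently enough to reflect that release.
    ts = meta.get("timestamp")
    if ts is None:
        findings.append("metadata.timestamp missing")
    else:
        generated = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - generated > timedelta(days=max_age_days):
            findings.append(f"SBOM generated {(now - generated).days} days ago (limit {max_age_days})")
    # Complete: every component must be identifiable (name, version, purl or hash),
    # otherwise it cannot be matched against vulnerability advisories later.
    for i, comp in enumerate(sbom.get("components", [])):
        label = comp.get("name", f"component[{i}]")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("purl") and not comp.get("hashes"):
            findings.append(f"{label}: no purl or hashes")
    return findings

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, "2.4.0", ASSESSMENT_DATE):
        print("FINDING:", finding)
```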
For Important or Critical products requiring third-party assessment:
- Identify an accredited notified body (the EU will publish a list of notified bodies for CRA conformity assessment starting June 2026)
- Submit your technical documentation and product for examination
- Address any findings from the notified body
- Obtain the assessment certificate
Step 5: Draft the EU Declaration of Conformity
The EU Declaration of Conformity is a formal document in which the manufacturer declares that the product meets all CRA requirements. It must include:
- Manufacturer name and address
- Product identification (name, type, version, batch or serial number)
- Statement that the declaration is issued under the sole responsibility of the manufacturer
- Reference to the CRA (Regulation 2024/2847)
- Reference to any harmonized standards or European cybersecurity certification schemes applied
- Where applicable, name and identification number of the notified body
- Place and date of issue
- Signature of an authorized person
The Declaration must be available in the language(s) required by the member state(s) where the product is placed on the market.
Step 6: Apply the CE Mark
For physical products, the CE mark is affixed to the product itself or its packaging. For software, the CE mark must be included in the digital documentation that accompanies the product — your website, download page, or product interface.
The CE mark must be visible, legible, and indelible. For software distributed digitally, include it prominently in your product documentation and on the product page.
After CE Marking: Ongoing Obligations
CE marking is not a one-time event. The CRA requires ongoing compliance:
- Keep your SBOM updated with every release
- Continue monitoring for vulnerabilities in your components
- Provide security updates throughout the support period
- Report actively exploited vulnerabilities to ENISA within 24 hours
- Update your technical documentation when the product changes materially
- If a non-conformity is identified, take corrective action and, if necessary, withdraw the CE mark until resolved
Common Mistakes to Avoid
- Treating CE marking as just a logo. It is a legal declaration. Applying it without meeting requirements exposes you to Tier 2 penalties (up to EUR 10 million or 2% of turnover).
- Forgetting the Declaration of Conformity. The CE mark without a Declaration is incomplete. Both are required.
- Not updating documentation. Major product changes require an updated conformity assessment and updated technical documentation.
- Ignoring the support period. Once you CE-mark a product, you commit to providing security updates for the defined support period.
For a complete preparation plan, see our CRA compliance checklist.
Complaro helps you manage the technical side of CRA compliance — from SBOM generation and vulnerability monitoring to generating the documentation you need for CE marking. Get started free.