
CRA Conformity Assessment: Self-Assessment vs Third-Party Certification

By Johannes Emil Ellesøe Kirstein

Conformity assessment is the process that proves your product meets the EU Cyber Resilience Act requirements. The path you take — self-assessment or third-party certification — depends on how your product is classified. Getting this right is essential: using the wrong assessment path can invalidate your CE marking and expose you to penalties.

This guide explains each conformity assessment path defined in Regulation 2024/2847, when each applies, and how to prepare.

Understanding the Assessment Modules

The CRA references conformity assessment modules from the EU's New Legislative Framework. Each module defines a different level of rigor:

Module A — Internal Control (Self-Assessment): The manufacturer assesses conformity internally. No external body is involved. You review your own product against the essential requirements, compile technical documentation, and declare conformity.

Module B — EU-Type Examination: A notified body examines the product type (the design and representative sample) and certifies that it meets the essential requirements. This is an examination of the product design, not ongoing production.

Module C — Conformity to Type: Used in conjunction with Module B. The manufacturer ensures that production units conform to the type approved in Module B. It can include testing of production samples.

Module H — Full Quality Assurance: A notified body approves the manufacturer's quality management system and monitors its application. This covers design, production, and final inspection under a single quality framework.

Which Path for Which Product?

Default Category Products — Module A (Self-Assessment)

The vast majority of products with digital elements fall in the default category. For these products, Module A self-assessment is the required path.

What self-assessment involves:

  1. Review essential requirements. Go through each requirement in Annex I (both Section 1 security requirements and Section 2 vulnerability handling requirements) and document how your product meets each one.
  2. Compile technical documentation. Prepare the full documentation package including product description, design docs, risk assessment, SBOM, test reports, and more.
  3. Issue the EU Declaration of Conformity. A formal statement declaring your product meets CRA requirements.
  4. Apply the CE mark. Once all steps are complete, affix the CE mark to your product or its documentation.

Self-assessment does not mean no assessment. It means the assessment is conducted by the manufacturer rather than an external body. You must still rigorously evaluate compliance and maintain documentation that proves it.

Important Class I Products — Module A with Harmonized Standards, or Module B+C / Module H

Important Class I products (VPNs, SIEM systems, identity management, network tools, operating systems, browsers, password managers — see full list in our classification guide) have two options:

Option 1: Self-assessment (Module A) — but only if you fully apply a harmonized standard that covers all essential cybersecurity requirements of the CRA. Harmonized standards are European standards (EN) published in the Official Journal of the EU. As of April 2026, the European standardization organizations (CEN, CENELEC, ETSI) are developing these standards, and they are expected to be published by late 2027.

Option 2: Third-party assessment (Module B+C or Module H) — if no harmonized standard exists or you choose not to apply one, a notified body must examine your product. This is currently the more likely path for Class I products, since harmonized standards are not yet finalized.

Important Class II Products — Module B+C or Module H

Important Class II products (hypervisors, container runtimes, firewalls, IDS/IPS, industrial control systems) always require third-party assessment. Self-assessment is not available regardless of whether harmonized standards exist.

Critical Products (Annex IV) — European Cybersecurity Certification or Module B+C / Module H

Critical products (HSMs, smart cards, smart meter gateways) require the highest level of assurance. Where a European cybersecurity certification scheme covers the product category, it must be used. Otherwise, Module B+C or Module H through a notified body applies.

What Are Notified Bodies?

Notified bodies are organizations accredited by EU member states to perform conformity assessment for specific regulations. For the CRA, member states will designate notified bodies starting June 11, 2026.

When selecting a notified body:

  • Verify they are listed in the NANDO database for the CRA
  • Check their technical competence in your product domain (software, IoT, industrial systems)
  • Ask about their assessment timeline — demand will likely exceed capacity in the early years
  • Understand their fees and process upfront

Start identifying potential notified bodies early. Organizations like TÜV, BSI, and national cybersecurity agencies are likely candidates.

Harmonized Standards: The Current Landscape

The European Commission has issued standardization requests to CEN, CENELEC, and ETSI to develop harmonized standards for the CRA. Key standards in development include:

  • Standards mapping to Annex I essential requirements (security and vulnerability handling)
  • Standards for SBOM format and content
  • Standards for vulnerability disclosure processes (building on ISO 29147 and ISO 30111)
  • Standards for conformity assessment procedures

Until harmonized standards are published, Important Class I manufacturers will likely need third-party assessment. Monitor the European Commission's standards page for updates.

Preparing for Assessment

Regardless of your assessment path, preparation is similar:

  1. Complete your technical documentation. This is the foundation of any assessment. Without it, neither self-assessment nor third-party assessment can proceed.
  2. Generate and maintain your SBOM. Your SBOM is a required component of technical documentation and will be reviewed during assessment.
  3. Implement vulnerability handling processes. Your vulnerability disclosure policy, monitoring pipeline, and ENISA reporting readiness will be evaluated.
  4. Run a readiness assessment. Use cra-scanner to identify gaps before your formal assessment.
  5. Address gaps. Fix identified issues before formal assessment. For third-party assessment, resolving findings during the process takes longer and costs more than resolving them beforehand.

For a complete timeline and checklist, see our CRA compliance checklist.

Complaro helps teams prepare for CRA conformity assessment by automating SBOM management, tracking compliance against Annex I requirements, and generating the documentation needed for both self-assessment and third-party certification.
