The conformity assessment is the formal proof that a product meets the requirements of the Cyber Resilience Act (CRA). Only after successful assessment may the manufacturer affix the CE marking and make the product available on the EU market. But which assessment procedure applies to your product? What must you document? And when do you need a notified body?
The Three Assessment Procedures at a Glance
The CRA provides different conformity assessment procedures depending on product category. Your product's classification determines which procedure you must follow.
Standard products (default category): The vast majority of products with digital elements fall into this category. Manufacturers can demonstrate conformity through internal control – a self-assessment according to Annex VIII of the CRA. No external body needs to be involved. This does not mean the requirements are lower – the security requirements apply identically. Only the proof is provided internally.
Important products (Class I): This category includes identity management systems, browsers, password managers, antivirus software, VPN products, network management tools, and certain smart home devices such as smart locks. For Class I products, self-assessment is possible, but only if the manufacturer fully applies harmonized European standards (hEN) covering all essential requirements. If no suitable harmonized standards exist, or if they are not applied in full, a notified body must be involved.
Important products (Class II) and critical products: These include operating systems, hypervisors, firewalls, microcontrollers with security-relevant functions, and hardware security modules. These products mandatorily require the involvement of a notified body. The manufacturer can choose between EU type-examination (Module B + C) and full quality assurance (Module H).
Internal Control: How Self-Assessment Works
For most manufacturers, internal control is the relevant path. The procedure comprises the following steps.
First, create complete technical documentation. This encompasses a general product description with intended use, the security architecture and design concept, the risk assessment and its results, the complete SBOM, a description of the vulnerability management process, test results and examination reports, and a description of the update mechanism.
Then assess conformity against the essential requirements from Annex I of the CRA. For each requirement, document how your product fulfills it and reference the corresponding evidence in the technical documentation.
Next, create the EU declaration of conformity – a document confirming that the product meets all applicable requirements. The declaration must contain the manufacturer's name and address, unique product identification, reference to applied standards, and the signature of a responsible person.
Finally, affix the CE marking to the product. The marking must be visible, legible, and permanent. If the product is too small, the marking can be placed on the packaging or accompanying documents.
The Role of Notified Bodies
Notified bodies are independent assessment organizations accredited by EU member states for CRA conformity assessment. Their involvement is mandatory for Class II and critical products.
At the time of writing, the designation of notified bodies for the CRA is still being established. Manufacturers of products requiring a notified body should make early contact, as capacity will be limited initially. Assessment by a notified body can take several months – factor this into your timeline.
The notified body reviews the technical documentation, evaluates the security architecture, and may conduct its own testing. After successful examination, it issues a certificate that the manufacturer needs for the declaration of conformity.
Harmonized Standards: The Key to Simplification
Harmonized European standards (hEN) play a central role in CRA conformity assessment. Manufacturers who fully apply a harmonized standard benefit from a presumption of conformity: it is assumed that the requirements covered by the standard are met.
Several harmonized standards for the CRA are currently being developed, including those based on existing standards such as EN 303 645 (for consumer IoT security), IEC 62443 (for industrial automation), and ISO/IEC 27001 (for information security management). Manufacturers already working with these standards have a head start on CRA implementation.
Important: Until harmonized standards for the CRA are finalized and published, manufacturers must demonstrate conformity directly against CRA requirements. This demands particularly thorough technical documentation.
Gap Analysis: Where Do You Stand Today?
Before entering the conformity assessment process, conduct a gap analysis. First clarify which product category your product falls into and which assessment procedure applies. Then systematically check each essential CRA requirement against your product's current state. Identify gaps and prioritize measures.
Kunnus supports manufacturers in structuring the entire conformity assessment process – from the initial gap analysis through SBOM creation to compiling technical documentation. This keeps you organized and lets you navigate the assessment efficiently.
Start now with our free CRA readiness assessment: In just a few minutes, you will learn where your product stands in the conformity assessment process and what steps come next.