
Cyber Resilience Act (CRA)

VS

CE Marking

Cyber Resilience Act and CE Marking

Cybersecurity becomes a mandatory prerequisite for EU market access

New CE Prerequisite

Adds cybersecurity as a new requirement to the existing CE conformity process — not a separate framework

Existing Conformity System

The CE marking indicates that a product meets all applicable EU harmonization legislation — the CRA is now added to this

This is not an either-or. From December 2027, CRA conformity is a prerequisite for CE marking of products with digital elements.

0 Covered, 3 Partial, 6 Not covered

You already have CE marking — what changes with the CRA?

If you already place CE-marked products on the market, you know the conformity assessment process. The CRA adds a new dimension: cybersecurity. Your existing CE experience is valuable — but the substantive requirements are fundamentally new.

CRA Requirement / Coverage by CE Marking
Conformity assessment process
Partial

You know modules and notified bodies. The CRA uses similar procedures (Annex VIII), but with entirely new assessment criteria for cybersecurity.

Technical documentation
Partial

You have experience with EU-compliant documentation. CRA documentation (Annex VII) requires additional cybersecurity-specific content: security architecture, risk assessment, test reports.

EU Declaration of Conformity
Partial

You already prepare EU Declarations of Conformity. For the CRA, an additional or extended declaration per Annex V must be created.

Cybersecurity requirements (Annex I)
Not covered

Previous CE directives contain no cybersecurity requirements. CRA Annex I defines comprehensive technical requirements: security by design, access control, data integrity, secure default configuration.

Software Bill of Materials (SBOM)
Not covered

No existing CE framework requires an SBOM. The CRA makes machine-readable listing of all software dependencies mandatory.

Vulnerability management
Not covered

Previous CE products require no ongoing vulnerability management. The CRA demands systematic detection, assessment, and remediation of vulnerabilities throughout the entire support period.

ENISA reporting obligations
Not covered

No existing CE directive includes reporting obligations to ENISA. The CRA requires reporting actively exploited vulnerabilities within 24 hours.

Support period obligation
Not covered

Previous CE conformity ends at placing on the market. The CRA obliges ongoing security updates throughout the declared support period (minimum 5 years).

Ongoing security updates
Not covered

CE products previously had no update obligation. The CRA requires free security updates 'without undue delay' throughout the entire support period.

01 How the CRA and CE Marking Work Together

CE marking is a conformity system, not a standalone law. From December 2027, the CRA becomes an additional prerequisite for CE marking of products with digital elements.

  • Example: An industrial robot must meet the Machinery Regulation, Low Voltage Directive, EMC Directive, and now also the CRA
  • Art. 28 CRA: CRA declaration of conformity (Annex V) is part of the overall CE documentation
  • Principle: CE mark may only be affixed when all applicable legal acts are fulfilled

02 CRA Conformity Assessment: Annex VIII in Detail

Annex VIII of the CRA defines three conformity assessment paths depending on product classification. The modular system follows the New Legislative Framework.

Module A: Internal Production Control
For default products (not listed in Annex III or IV): the manufacturer conducts the conformity assessment independently. They prepare the technical documentation, perform the risk assessment, and ensure compliance with the essential requirements of Annex I. No involvement of external bodies is required.

Modules B+C: EU-Type Examination
For Class I products (Annex III CRA): a notified body examines a type specimen of the product for conformity (Module B) and confirms that production corresponds to the examined type (Module C). Alternatively, the manufacturer can demonstrate conformity based on harmonized standards.

Module H: Full Quality Assurance
For Class II products (Annex IV CRA, e.g., operating systems, firewalls, HSMs): the notified body examines and monitors the manufacturer's entire quality management system. This is the most stringent procedure and applies to the most critical product categories.

03 Impact on Existing CE Markings

Already CE-marked products with digital elements must additionally meet CRA requirements from 11 December 2027. Without CRA conformity, a product can lose its CE mark.

  • Expand existing assessments: Update technical documentation with CRA-specific content
  • RED superseded: Delegated Regulation (EU) 2022/30 on cybersecurity is replaced by the CRA
  • Documentation: EU declaration of conformity must reference (EU) 2024/2847, CRA declaration per Annex V must be included

Machinery Regulation (EU) 2023/1230
Industrial machinery with embedded software will need both machinery conformity and CRA conformity assessment for cybersecurity. Both procedures must be conducted in parallel.

Radio Equipment Directive (RED) 2014/53/EU
Delegated Regulation (EU) 2022/30 on cybersecurity under the RED will be superseded by the CRA. Manufacturers of Wi-Fi routers, IoT devices, and radio equipment must transition to CRA conformity assessment.

Medical Devices Regulation (MDR)
Medical devices are exempt from the CRA (Art. 2(2)). CE marking for medical devices continues to be governed exclusively by the MDR (EU) 2017/745.

04 Timeline: When Does CRA Conformity Become a CE Requirement?

The CRA provides a phased timeline. The critical date is 11 December 2027 — from then, no CE without CRA conformity.

  • 11 June 2024: Regulation entered into force
  • 11 September 2026: Reporting obligations (Art. 14) and notified body requirements (Art. 35-51) apply
  • 11 December 2027: Full CRA applicability — conformity assessment, CE marking, and all Annex I requirements mandatory

Synergies for Manufacturers with Existing CE Experience

Companies already conducting CE conformity assessments for other legal acts can build on existing processes and infrastructure.

Proven Assessment Procedures

The modular system (Modules A, B+C, H) is familiar from other harmonization legislation. Manufacturers already working with notified bodies can leverage these relationships for CRA conformity assessment — provided the notified body is also notified for the CRA.

Technical Documentation

CRA technical documentation (Annex VII) follows a similar structure to documentation for other CE legal acts. Existing documentation structures can be extended with CRA-specific content such as SBOMs, vulnerability assessments, and security testing.

Quality Management System

Companies with a QMS per ISO 9001 already used for CE assessments can extend it with CRA-specific processes. Module H (full quality assurance) in particular builds on a systematic QMS.

Market Surveillance and Post-Market Processes

Experience with market surveillance and post-market monitoring from other CE domains is directly transferable to the CRA obligation for vulnerability handling and update management.

Your Next Steps

1. High priority

Integrate cybersecurity into existing CE process

Extend your existing CE conformity process with CRA-specific cybersecurity requirements from Annex I. Use your existing documentation structure as a foundation.

2. High priority

Implement SBOM creation

Integrate automated Software Bill of Materials generation into your development and build process.

3. High priority

Build vulnerability management

Establish a process for continuous vulnerability monitoring, assessment, and remediation for all products with digital elements.

4. Medium priority

Prepare ENISA reporting process

Define internal workflows for timely reporting of actively exploited vulnerabilities to the central ENISA platform.

Frequently Asked Questions

Do I need a separate CE marking for the CRA?
No. The CE mark is affixed only once to the product and confirms conformity with all applicable EU harmonization legislation. The CRA adds a further dimension to the existing CE requirements — cybersecurity. However, manufacturers must prepare a separate CRA declaration of conformity per Annex V, which becomes part of the overall documentation. The EU declaration of conformity must be supplemented with a reference to Regulation (EU) 2024/2847.
How does the CRA affect my existing CE marking?
If your already CE-marked product contains digital elements (software, firmware, network capability), you must also complete the CRA conformity assessment by 11 December 2027. From that date, CRA conformity is a prerequisite for CE marking. Products placed on the market after that date without CRA conformity violate EU law — even if they meet all other CE requirements. It is advisable to conduct an early gap analysis and integrate CRA-specific measures into the existing conformity process.
When does the CRA requirement for CE marking take effect?
Full CRA applicability begins on 11 December 2027 (Art. 71 CRA). From that date, all products with digital elements placed on the EU market must meet CRA requirements. Reporting obligations for actively exploited vulnerabilities already apply from 11 September 2026. Manufacturers should use the transition period to adjust their conformity assessment processes, create SBOMs, and implement vulnerability handling.
Which conformity assessment module applies to my product?
This depends on the product classification: Default products (not listed in Annex III or IV) can use Module A (self-assessment). Class I products (Annex III, e.g., identity management systems, browsers, password managers, VPNs) require Modules B+C or alternatively demonstration via harmonized standards. Class II products (Annex IV, e.g., operating systems, hardware security modules, firewalls) require Modules B+C or Module H, each involving a notified body. Early product classification is critical for planning the conformity assessment procedure.
What happens to Delegated Regulation (EU) 2022/30 under the RED?
Delegated Regulation (EU) 2022/30, which introduced cybersecurity requirements under the Radio Equipment Directive (RED), will be superseded by the CRA. Art. 68 CRA contains a corresponding transitional provision. Manufacturers of radio equipment that previously complied with the delegated regulation must transition to CRA conformity assessment. CRA requirements go beyond the RED cybersecurity requirements — particularly through the SBOM obligation, more comprehensive reporting obligations, and the specific conformity assessment modules.
Are medical devices affected by the CRA and the new CE requirement?
No. Medical devices falling under Regulation (EU) 2017/745 (MDR) or Regulation (EU) 2017/746 (IVDR) are expressly exempt from the CRA (Art. 2(2) CRA). CE marking for medical devices continues to be governed exclusively by the MDR/IVDR requirements. The same applies to in vitro diagnostics. However, accessories or software that do not fall under the MDR/IVDR but interact with medical devices may well be subject to the CRA.
Which products are exempt from the CRA?
Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

CE-ready for the CRA — with Kunnus

Kunnus helps you integrate CRA requirements into your existing CE conformity process. From product classification to technical documentation.
