Summary

The EU Cyber Resilience Act (CRA) mandates conformity assessment procedures for products with digital elements to ensure compliance with essential cybersecurity requirements. These procedures vary in complexity based on the product’s classification and risk level, involving either internal manufacturer assessments or third-party evaluations by notified bodies.

Relevant CRA Provisions

Detailed Explanation

The CRA establishes conformity assessment procedures to verify that products with digital elements meet essential cybersecurity requirements throughout their lifecycle. These procedures are based on modules outlined in Decision No 768/2008/EC, adapted to the specific needs of digital products. The choice of procedure depends on the product’s classification (important, critical) and whether it complies with harmonised standards or European cybersecurity certification schemes.

For products not classified as important or critical, manufacturers can conduct an internal control assessment (module A). Important products require additional assurance: either an EU-type examination (module B) followed by internal production control (module C), or full quality assurance (module H). Critical products must be certified under a European cybersecurity certification scheme or, if no such scheme is available, follow one of the procedures for important products.

Notified bodies play a crucial role in conducting conformity assessments, ensuring that products meet the required cybersecurity standards. These bodies must be accredited and notified by Member States, with their activities monitored to maintain the necessary level of protection.

Obligations for Stakeholders

  • Manufacturers: Must perform conformity assessments using the appropriate procedure, maintain technical documentation, and affix CE marking and declarations of conformity to products.
  • Notified Bodies: Responsible for carrying out conformity assessments, ensuring compliance with cybersecurity requirements, and maintaining the integrity of the certification process.
  • Member States: Required to notify the Commission and other Member States of authorised conformity assessment bodies and ensure a sufficient number of notified bodies are available.