The Cyber Resilience Act sets the essential cybersecurity requirements in Annex I, but the route a manufacturer takes to demonstrate compliance depends on the product's classification. The CRA borrows the conformity assessment module structure familiar from the New Legislative Framework — Decision 768/2008/EC — and combines it with the product categorisation in Annexes III and IV. Three modules are available under Article 32: Module A (internal control, self-assessment), Module B + Module C (EU-type examination followed by production conformity), and Module H (full quality assurance based on conformity assessment of the manufacturer's quality management system). The choice is not always free: certain product categories force a third-party route. With Notified Body designation opening on 11 June 2026 and substantive obligations applying from 11 December 2027, manufacturers need to commit to a route during 2026.
What is Module A?
Module A is internal production control, also known as self-assessment. The manufacturer performs the conformity assessment without involving a Notified Body. The manufacturer is responsible for compiling the technical documentation listed in Annex VII of the CRA, applying the design and manufacturing processes that ensure conformity with the essential cybersecurity requirements of Annex I, drawing up an EU Declaration of Conformity, affixing the CE marking, and keeping the technical documentation available for market surveillance authorities for ten years after the last unit has been placed on the market. Module A is available for the default tier — all products with digital elements that are not classified as important under Annex III Class II or as critical under Annex IV. For Annex III Class I important products, Module A is available if the manufacturer has applied the relevant harmonised standards in full.
What is Module B + Module C?
Module B + Module C is a two-stage process. Module B is EU-type examination performed by a Notified Body: the manufacturer submits a representative specimen of the product (or, for software, complete technical documentation and source-level access where required by the Notified Body) for examination against Annex I essential requirements. The Notified Body issues an EU-type examination certificate that is valid for up to five years. Module C is conformity to type based on internal production control: the manufacturer, following the issued certificate, applies the design and production processes that ensure each unit conforms to the approved type, and continues internal monitoring. Module C alone is not available for the CRA — it must be paired with Module B. The two-module pairing is common in product safety regimes and translates well to software where the "type" examined is the build artefact plus its hardening configuration.
What is Module H?
Module H is full quality assurance based on conformity assessment of the manufacturer's quality management system (QMS). A Notified Body audits the manufacturer's QMS against the requirements of Annex VIII and, if it satisfies the requirements, issues a QMS approval that lasts up to five years subject to surveillance audits at least every twelve months. Once Module H is in place, the manufacturer self-declares conformity for each product line covered by the approved QMS without requiring per-product Notified Body involvement. Module H is operationally attractive for manufacturers with many product variants because it scales: one QMS audit covers an indefinite number of in-scope products developed under the system. The trade-off is the ongoing audit relationship and the need to maintain the QMS at the documented standard.
Which products can use which module?
# CRA conformity assessment route table

Default tier (no Annex III/IV match)
  Available routes: Module A
  Note: simplest path; ~90% of all PDEs

Annex III Class I (Important)
  Available routes:
    - Module A (only if harmonised standards applied in full)
    - Module B+C (with Notified Body)
    - Module H (with Notified Body)
  Note: if standards not yet published or not applied, third-party required

Annex III Class II (Important)
  Available routes:
    - Module B+C (with Notified Body)
    - Module H (with Notified Body)
  Note: Module A NOT available; third-party always required

Annex IV (Critical)
  Available routes:
    - Module B+C (with Notified Body) plus EU cybersecurity certification under Article 8
    - Module H (with Notified Body) plus EU cybersecurity certification under Article 8
  Note: cybersecurity certification required in addition to module

Open-source software steward (Article 24)
  Light-touch obligations only; no conformity assessment, no CE marking

What documentation does each module require?
Annex VII of the CRA specifies the technical documentation that must be maintained, regardless of conformity assessment module. Required content includes a general description of the product with digital elements, a description of the design, development, production, and vulnerability handling processes, an assessment of the cybersecurity risks against which the product is designed, a list of harmonised standards or other technical specifications applied, results of design and development calculations performed, and test reports showing how the product meets the essential cybersecurity requirements. For Module B+C, additional documentation supporting EU-type examination must be submitted to the Notified Body. For Module H, the QMS documentation under Annex VIII must demonstrate that the manufacturer has procedures for design control, document control, monitoring of effectiveness, audit, corrective action, and vulnerability handling.
What about Notified Body capacity?
Member States designate Notified Bodies under Articles 47-50. As of early 2026, no Notified Body had been designated for the CRA. Designation under Article 47 begins from 11 June 2026 and the Commission expects an initial cohort by late 2026, with capacity building through 2027. Manufacturers planning a Module B+C or Module H route must factor in lead time for engagement: a Notified Body cannot begin assessment until it is designated, and capacity for the first wave of assessments will be constrained. Manufacturers with products that fall into Annex III Class II or Annex IV — where third-party assessment is mandatory — should be in conversation with prospective Notified Bodies during 2026 to secure scheduling for assessments that must complete before the 11 December 2027 application date.
How do harmonised standards interact with the route?
Article 27 provides a presumption of conformity for products that comply with harmonised standards published in the Official Journal. The standardisation request was accepted by CEN, CENELEC, and ETSI in April 2025, with deliverables expected through Q3 2026. The harmonised standards under development cover horizontal cybersecurity requirements (CEN-CLC JTC 13/WG 9) and product-specific requirements for several Annex III categories. Where a harmonised standard exists and is applied in full, an Annex III Class I product can use Module A. Where the standard is not yet available or is only partially applied, the product falls back to Module B+C or Module H even if it would otherwise have been eligible for self-assessment.
How should a manufacturer decide?
Three considerations dominate the choice. First, classification: if the product is in Annex III Class II or Annex IV, only Module B+C and Module H are available. Second, product portfolio scale: a manufacturer with many product variants benefits from Module H because the QMS audit amortises across the portfolio, while a manufacturer with one or two product lines may find Module B+C cheaper per product. Third, release cadence: Module B+C requires re-examination on material change to the type, which can become operationally expensive for rapidly evolving software products. Module H accommodates change within the approved QMS, making it the preferred route for SaaS-style products with frequent releases. Open-source software stewards are subject to neither conformity assessment nor CE marking under Article 24 of the CRA.
How Safeguard Helps
Safeguard generates the Annex VII technical documentation directly from CI/CD telemetry — design and development descriptions, vulnerability handling records, cybersecurity risk assessments, applied standards, and test evidence — in a form that supports both Module A self-assessment and Module B+C or Module H Notified Body engagement. The platform's QMS evidence module aligns with Annex VIII, capturing design control, monitoring, audit, and corrective action records that a Notified Body needs for a Module H audit. For manufacturers with mixed portfolios, Safeguard tracks classification and conformity route per product variant, so the categorisation memorandum and the corresponding conformity evidence pack remain synchronised. Integrations with prospective Notified Bodies will streamline assessment intake as designation begins from June 2026.