CRA Conformity Assessment: Which Procedure Applies?

Conformity assessment at a glance

conformity assessment paths: Module A, Module B+C, Module H, European cybersecurity certification

Art. 32

defines the decision logic — classification + harmonised standards = path

Annex VII

technical documentation is required as input to every conformity assessment path

How to determine your conformity assessment path

The classification determines whether you need only documentation or both documentation and external assessment.

Classify your product

CRACheck's Product Classifier determines whether your product is default (not in Annex III or IV), Important Class I (Annex III — 19 categories), Important Class II (Annex III — 4 categories), or Critical (Annex IV — 3 categories).

Decision branch 1: Default product

Article 32(1): you may use any of four procedures: (a) Module A internal control, (b) Module B+C EU-type examination, (c) Module H full quality assurance, or (d) European cybersecurity certification. Module A is the most efficient — no notified body.

Decision branch 2: Important Class I

Article 32(2): if you have fully applied harmonised standards, common specifications, or a European cybersecurity certification scheme at assurance level "substantial," Module A is available. If not, Module B+C or Module H — notified body required.

Decision branch 3: Important Class II

Article 32(3): regardless of harmonised standards, you must use Module B+C, Module H, or European cybersecurity certification at assurance level "substantial." Module A is never available for Class II.

Decision branch 4: Critical product

Article 32(4): you must use a European cybersecurity certification scheme per Article 8(1). If no such scheme is available, the Class II procedures (Module B+C or H) apply.

Prepare the documentation

Every branch requires the technical documentation per Article 31 and Annex VII. For Module A, you keep it in-house. For Module B, you submit it to the notified body.

Complete the assessment and declare

After completing the applicable procedure, draw up the EU declaration of conformity per Article 28 and affix CE marking per Article 30.

Common conformity assessment mistakes

❌

DECISION TREE

Choosing Module A for a Class I product without verifying harmonised standard coverage

Article 32(2) of Regulation (EU) 2024/2847 makes Module A conditional for Important Class I products: it is only available when harmonised standards, common specifications, or European cybersecurity certification schemes at assurance level "substantial" have been applied in full. If you have applied them partially or not at all, Module A is not available.

❌

CLASS II MISUNDERSTANDING

Searching for a way to use Module A for a Class II product

Article 32(3) does not include Module A as an option for Class II products. The available procedures are Module B+C, Module H, or European cybersecurity certification at assurance level "substantial." There is no harmonised-standards carve-out that unlocks Module A for Class II.

❌

CRITICAL

Assuming all products need a European cybersecurity certification scheme

Article 32(4) requires European cybersecurity certification only for Critical products listed in Annex IV. For all other products — default, Class I, and Class II — the certification scheme is an option but not a requirement.

What the 8-document dossier contains

Every conformity assessment path starts with the same documentation. CRACheck generates the complete 8-document package.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No data is transmitted to any server.

What you pay to determine the right path and document it

🧾 REGULATORY ASSESSMENT TO DETERMINE CONFORMITY PATH

€3,000–€8,000

From a consultant just to determine which Art. 32 paragraph applies. 2-4 weeks. Separate engagement for documentation.

✓ CRACHECK

€149

Product Classifier determines the path. Then generates documentation for that path. 15-25 minutes total.

Classification + documentation vs. external assessment

● LAYER 1

Classification + documentation in one session

CRACheck first classifies your product (default / Class I / Class II / Critical) and identifies the applicable Article 32 paragraph. Then it generates the Annex VII documentation that the applicable procedure requires as input. Whether you self-assess under Module A or submit to a notified body under Module B, the documentation is the same structure.

∅ LAYER 2

Notified body examination and certification

For Class I without harmonised standards, Class II, and Critical products, the conformity assessment includes steps that only a notified body or certification body can perform: EU-type examination (Module B), quality system assessment (Module H), or European cybersecurity certification. CRACheck does not substitute these external assessments.

CRACheck classifies and documents. The notified body examines and certifies. The classification determines whether you need only the first step or both.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines.

🇪🇺

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations

€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🇪🇺

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)

€10M / 2%

Art. 64.3. Includes failure to produce Annex VII documentation.

🇪🇺

Supply of incorrect, incomplete or misleading information to authorities

€5M / 1%

Art. 64.4.

Using an incorrect conformity assessment procedure does not just invalidate the procedure — it invalidates the CE marking, the declaration of conformity, and the market placement. Article 64(3) applies to violations of Articles 28, 31, and 32.

Conformity assessment paths comparison

Product category	Module A available?	Notified body required?
Default (not in Annex III/IV)	Yes	No — CRACheck is the complete solution
Important Class I (with harmonised standards)	Yes	No — CRACheck is the complete solution
Important Class I (without harmonised standards)	No	Yes (Module B+C or H) — CRACheck generates input to NB
Important Class II	No	Yes (Module B+C, H, or certification) — CRACheck generates input
Critical (Annex IV)	No	Yes (certification or B+C/H fallback) — CRACheck generates input

Products in different classification categories?

Each product may require a different conformity assessment path. CRACheck classifies and documents each one independently. Pack of 10: €99 per product.

Request volume pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document based on Article 31 and Annex VII of Regulation (EU) 2024/2847 from the data you provide, including the product classification that determines the applicable conformity assessment procedure. The accuracy of the product description and classification inputs is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII, that the Product Classifier maps against the categories in Annexes III and IV, and that all cited legal references are correct. We do not guarantee that a notified body will accept the classification or that a market surveillance authority will confirm the applicable procedure in a specific case.

CRACheck is not legal advice. For products near the boundary between categories (e.g., a device with VPN functionality that may trigger Annex III Class I, point 5), consult a qualified regulatory specialist.

Frequently asked questions — conformity assessment

How do I know if harmonised standards exist for my product category?

Harmonised standards under the CRA are published in the Official Journal of the European Union. As of the date of this landing, no CRA-specific harmonised standards have been formally published. Once published, they will be referenced in the Commission's implementing decisions. Until then, Article 27 common specifications and existing standards such as ETSI EN 303 645 or IEC 62443 may serve as reference but do not automatically unlock the harmonised-standards carve-out in Article 32(2).

What is the difference between Module B+C and Module H?

Module B (EU-type examination, Annex VIII Part II) involves a notified body examining your technical documentation and product specimens, and issuing an EU-type examination certificate. Module C (conformity to EU-type, Annex VIII Part III) then requires the manufacturer to ensure production conformity. Module H (full quality assurance, Annex VIII Part IV) involves a notified body assessing and approving the manufacturer's entire quality management system.

Can I switch conformity assessment procedures later?

Article 32 allows the manufacturer to choose from the available procedures for their product category. You may switch procedures before completing the assessment, but you would need to restart the process. Once the EU declaration of conformity has been issued, changing the underlying procedure would require re-assessment.

What if my product has features that span multiple Annex III categories?

The product is classified based on its functions. If a single product falls under multiple Annex III categories, the strictest applicable classification applies. If any function triggers Class II, the entire product is Class II.

Does CRACheck's Product Classifier determine the definitive classification?

The Product Classifier provides a structured determination based on the Annex III and IV category definitions and the product data you input. The definitive classification may be subject to interpretation by market surveillance authorities. CRACheck's classification is a documented self-assessment rationale, not a binding legal determination.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.