CRA Self-Assessment Module A Default China

Key numbers

Module A

Internal control procedure. Annex VIII. Manufacturer self-assesses.

No NB

No notified body required for Default products. You assess, you document, you declare.

€149

Complete Module A documentation package. 8 documents. 15 minutes.

Module A self-assessment: step-by-step for a Chinese manufacturer

Module A is self-assessment. The documentation is the evidence. CRACheck generates it.

Confirm Default classification

Your product is not in Annex III (Important) or Annex IV (Critical). Use CRACheck classifier.

Assess against Annex I

Review your product against the essential cybersecurity requirements of Annex I Part I (product requirements) and Part II (vulnerability handling). CRACheck's Risk Assessment (Doc 3) structures this review.

Produce technical documentation

Annex VII defines 8 sections. CRACheck generates the Technical Documentation (Doc 2) covering all sections.

Draft Declaration of Conformity

Annex V defines the content. CRACheck generates it as Doc 5.

Affix CE marking

Art. 30. Visible, legible, indelible. On the product or packaging.

Retain documentation

Art. 13.19: keep for 10 years or the support period, whichever is longer.

Module A is self-assessment. The documentation is the evidence. CRACheck generates it.

Module A mistakes

❌

MODULE A

Module A means no documentation is needed — we just self-declare

Module A requires the manufacturer to draw up technical documentation per Annex VII and keep it at the disposal of market surveillance authorities. Self-assessment does not mean self-declaration without evidence. The documentation is the evidence of your assessment.

❌

ANNEX VIII

We can do Module A without the Risk Assessment

Annex VII point 3 requires a cybersecurity risk assessment per Art. 13. This is a mandatory element of the technical documentation. Module A requires the complete Annex VII documentation, including the risk assessment.

❌

ART. 13.19

We produce the documentation, ship the product and delete the files

Article 13.19 requires manufacturers to keep technical documentation and the Declaration of Conformity at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market, or for the support period, whichever is longer. Deleting documentation is non-compliance.

What each CRACheck dossier contains: 8 documents

Module A requires exactly these documents. CRACheck generates all 8.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What Module A documentation costs

🧾 COMPLIANCE CONSULTANT FOR MODULE A DOCUMENTATION

€3,000–€8,000

Per product. 2-4 weeks.

✓ CRACHECK

€149

Complete Module A package. 8 documents. 15 min.

Documentation vs. conformity assessment

● LAYER 1

What CRACheck does

Generates the complete documentation package for Module A self-assessment: Technical Documentation, Risk Assessment, Declaration of Conformity and 5 supporting documents.

∅ LAYER 2

What CRACheck does NOT do

CRACheck does not perform the conformity assessment for you. Module A requires the manufacturer to assess whether the product meets Annex I requirements. CRACheck documents your assessment. You are responsible for the accuracy of the assessment itself.

We generate documentation. You perform the assessment.

CRA penalty regime — Article 64 of Regulation (EU) 2024/2847

Article 64 establishes three tiers of administrative fines. Penalties are calculated per undertaking — but non-compliance on a single product can trigger inspection of your entire portfolio.

🇪🇺

Non-compliance with essential cybersecurity requirements (Annex I) and Art. 13/14 obligations

€15M / 2.5%

Art. 64.2. Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.

🇪🇺

Non-compliance with technical documentation (Art. 31), authorised representative (Art. 18), conformity assessment (Art. 32)

€10M / 2%

Art. 64.3. Up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Includes failure to produce Annex VII documentation.

🇪🇺

Supply of incorrect, incomplete or misleading information to authorities

€5M / 1%

Art. 64.4. Up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Art. 64.5 accounts for the nature, gravity and duration of the infringement, and gives consideration to microenterprises, small and medium-sized enterprises, including start-ups.

Alternatives

Alternative	Cost	What you get
Consultant for Module A documentation	€3,000–€8,000	2-4 weeks.
Self-declare without documentation	€0	Non-compliant. Module A requires Annex VII documentation.
Wait for harmonised standards	€0 now	Module A for Default products does not require harmonised standards. Available now.
CRACheck	€149	Complete Module A package. 8 docs. 15 min.

Multiple Default products in your catalogue?

Each Default product follows Module A independently. Volume pricing: €99/product (10-pack), €79/product (30-pack).

Request volume pricing

Response within one business day.

What CRACheck guarantees and what it does not

CRACheck generates a structured document according to Article 31 and Annex VII of Regulation (EU) 2024/2847 from the information you provide. The accuracy, completeness and truthfulness of that information is your responsibility as the manufacturer.

We guarantee that the document structure follows Article 31 and Annex VII of Regulation (EU) 2024/2847 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a specific case or by a commercial buyer in a procurement process.

CRACheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.

Frequently asked questions

Does Module A require any external validation?

No. Module A (internal control procedure) is entirely the manufacturer's responsibility. No notified body, no external lab, no third-party audit is required for Default products under Art. 32.1(a).

Can we use Module A even if harmonised standards exist?

Yes. For Default products, Module A is always available regardless of harmonised standard availability. Harmonised standards are optional evidence — you can use alternative solutions and document them under Annex VII point 5.

What if market surveillance disagrees with our self-assessment?

Market surveillance authorities can request your documentation, test the product and determine non-compliance. If they find your product does not meet Annex I requirements despite your self-assessment, they can order corrective action under Art. 58 and impose fines under Art. 64. The quality of your documentation matters.

Is Module A available for Important Class I products?

Yes, if harmonised standards are fully applied. Art. 32.2 allows Module A for Class I products when the manufacturer has applied harmonised standards, common specifications or European cybersecurity certification schemes. Without them, notified body assessment is required.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Official legal sources

⚠️ Important notice: CRACheck is a self-assessment documentation tool, not legal advice and not a third-party audit. The document under Article 31 and Annex VII of Regulation (EU) 2024/2847 is generated from your input data. You are responsible for the accuracy of the data you provide. CRACheck does not replace a qualified professional assessment.