Does Module A require any external validation?

No. Module A (internal control procedure) is entirely the manufacturer's responsibility. No notified body, no external lab, no third-party audit is required for Default products under Art. 32.1(a).

Can we use Module A even if harmonised standards exist?

Yes. For Default products, Module A is always available regardless of harmonised standard availability. Harmonised standards are optional evidence — you can use alternative solutions and document them under Annex VII point 5.

What if market surveillance disagrees with our self-assessment?

Market surveillance authorities can request your documentation, test the product and determine non-compliance. If they find your product does not meet Annex I requirements despite your self-assessment, they can order corrective action under Art. 58 and impose fines under Art. 64. The quality of your documentation matters.

Is Module A available for Important Class I products?

Yes, if harmonised standards are fully applied. Art. 32.2 allows Module A for Class I products when the manufacturer has applied harmonised standards, common specifications or European cybersecurity certification schemes. Without them, notified body assessment is required.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Your product is a Default product under Regulation (EU) 2024/2847 — not listed in Annex III or Annex IV. Article 32.1(a) allows conformity assessment through the internal control procedure based on Module A, set out in Annex VIII. This means you assess conformity yourself, produce technical documentation, draft the Declaration of Conformity, affix CE marking and place the product on the market. No notified body. No external audit. CRACheck generates the documentation Module A requires.

Module A is the lightest conformity assessment route under the CRA. Annex VIII defines the procedure: the manufacturer carries out an internal assessment ensuring the product and the processes put in place comply with Annex I essential cybersecurity requirements. The manufacturer draws up technical documentation per Annex VII, draws up the EU Declaration of Conformity per Annex V, and affixes CE marking per Article 30. The documentation must be kept for at least 10 years (Art. 13.19). CRACheck generates all 8 documents required. 15-25 minutes. €149. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Key numbers

Module A

Internal control procedure. Annex VIII. Manufacturer self-assesses.

No NB

No notified body required for Default products. You assess, you document, you declare.

€149

Complete Module A documentation package. 8 documents. 15 minutes.

Module A self-assessment: step-by-step for a Chinese manufacturer

Module A is self-assessment. The documentation is the evidence. CRACheck generates it.

Confirm Default classification

Your product is not in Annex III (Important) or Annex IV (Critical). Use CRACheck classifier.

Assess against Annex I

Review your product against the essential cybersecurity requirements of Annex I Part I (product requirements) and Part II (vulnerability handling). CRACheck's Risk Assessment (Doc 3) structures this review.

Produce technical documentation

Annex VII defines 8 sections. CRACheck generates the Technical Documentation (Doc 2) covering all sections.

Draft Declaration of Conformity

Annex V defines the content. CRACheck generates it as Doc 5.

Affix CE marking

Art. 30. Visible, legible, indelible. On the product or packaging.

Retain documentation

Art. 13.19: keep for 10 years or the support period, whichever is longer.

Module A is self-assessment. The documentation is the evidence. CRACheck generates it.

Module A mistakes

❌

MODULE A

Module A means no documentation is needed — we just self-declare

Module A requires the manufacturer to draw up technical documentation per Annex VII and keep it at the disposal of market surveillance authorities. Self-assessment does not mean self-declaration without evidence. The documentation is the evidence of your assessment.

❌

ANNEX VIII

We can do Module A without the Risk Assessment

Annex VII point 3 requires a cybersecurity risk assessment per Art. 13. This is a mandatory element of the technical documentation. Module A requires the complete Annex VII documentation, including the risk assessment.

❌

ART. 13.19

We produce the documentation, ship the product and delete the files

Article 13.19 requires manufacturers to keep technical documentation and the Declaration of Conformity at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market, or for the support period, whichever is longer. Deleting documentation is non-compliance.

What each CRACheck dossier contains: 8 documents

Module A requires exactly these documents. CRACheck generates all 8.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What Module A documentation costs

🧾 COMPLIANCE CONSULTANT FOR MODULE A DOCUMENTATION

€3,000–€8,000

Per product. 2-4 weeks.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history