What does Module A (internal control) actually require the manufacturer to do?

Annex VIII Part I describes Module A. The manufacturer must: (1) draw up the technical documentation per Annex VII, (2) ensure that design, development, production, and vulnerability handling processes comply with Annex I, (3) affix the CE marking to each product, and (4) draw up the EU Declaration of Conformity per Article 28. All of these steps are internal — no notified body is involved. CRACheck generates the documentation for steps 1 and 4.

If I apply harmonised standards in full for my Class I product, do I still need to document why?

Yes. Annex VII point (5) requires the technical documentation to list the harmonised standards applied and specify whether they were applied in full or in part. Applying them in full is what unlocks Module A under Article 32(2) — but the application must be documented.

Can I switch from Module A to Module B+C later?

The conformity assessment procedure is determined at the time the product is placed on the market. If your classification or standards situation changes (e.g., harmonised standards are withdrawn), you may need to apply a different procedure. This would require updating the technical documentation and the Declaration of Conformity. CRACheck allows 10 regenerations within the 30-day licence window for such updates.

Are notified bodies for the CRA already designated?

Article 39 sets out the designation process. Article 33(1) requires Member States to organise awareness-raising and training. The Commission must establish an implementing act for notified body designation. As of the date of this page, the designation process is ongoing. Check the NANDO database for current designations.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Article 32 of Regulation (EU) 2024/2847 sets out 4 conformity assessment procedures: Module A (internal control), Module B+C (EU-type examination + internal production control), Module H (full quality assurance), and European cybersecurity certification. Which ones are available to your product depends on its classification — Default, Important Class I, Important Class II, or Critical — and, for Class I products, whether harmonised standards have been applied in full. CRACheck identifies the correct module and generates the documentation for it.

The conformity assessment is the procedure by which the manufacturer demonstrates that the product meets the essential cybersecurity requirements of Annex I. Module A (Annex VIII Part I) is self-assessment: the manufacturer draws up the technical documentation, ensures compliance, and declares it. No external involvement. Module B (Annex VIII Part II) is EU-type examination by a notified body examining the design and development. Module C (Annex VIII Part III) is internal production control following a successful Module B. Module H (Annex VIII Part IV) is full quality assurance with a notified body overseeing the manufacturer's quality system. For Default products, all four procedures are available. For Class I products without harmonised standards, only B+C and H. For Class II and Critical, only B+C, H, or European cybersecurity certification. CRACheck generates the Article 31 + Annex VII documentation for whichever module your product requires. €149. 15–25 minutes.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Conformity assessment options in Article 32 (A, B+C, H, certification)

Art. 32

Legal basis for the conformity assessment procedure selection

Annex VIII

Detailed procedures for Module A, B, C, and H

How CRACheck identifies and documents your conformity path

Product classification

CRACheck determines Default / Important Class I / Class II / Critical by cross-referencing Annex III and Annex IV.

Standards check

For Class I products, CRACheck asks whether harmonised standards, common specifications, or European cybersecurity certification schemes have been applied in full. This determines whether Module A is available under Article 32(2).

Module identification

CRACheck maps the classification + standards status to the available conformity assessment procedures under Article 32.

Documentation generation

CRACheck generates the Annex VII technical documentation, risk assessment, and Declaration of Conformity with the applicable module referenced throughout.

Notified body preparation

For products requiring Module B+C or H, CRACheck generates the documentation that the notified body will review. The notified body engagement is separate.

Common mistakes

❌

ART. 32(2)

Assuming Module A is always available for Class I products

Article 32(2) restricts Module A for Class I products to cases where the manufacturer has applied harmonised standards, common specifications, or European cybersecurity certification schemes in full. If applied only in part — or not at all — Module B+C or Module H with a notified body is mandatory.

❌

ART. 32(3)

Attempting Module A for a Class II product

Article 32(3) limits Class II products to Module B+C, Module H, or European cybersecurity certification at assurance level "substantial." Module A is never available for Class II products, regardless of whether harmonised standards exist.

❌

ART. 32(5)

Overlooking the open-source exception

Article 32(5) allows manufacturers of free and open-source software classified as Important (Annex III) to use Module A if they make the technical documentation publicly available at the time of placing on the market. This exception applies only if the product is genuinely FOSS.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the classification and the conformity assessment module(s) available under Article 32.

Technical Documentation

Annex VII file with the conformity assessment module embedded and documented.

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3).

User Information

Annex II information sheet.

Declaration of Conformity

EU Declaration per Article 28 and Annex V, citing the applicable conformity assessment module.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates including conformity assessment deadlines and notified body engagement windows.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Conformity assessment path analysis

€2,000–5,000 just for the assessment path analysis

Does not include the documentation or the notified body engagement

2–4 weeks

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history