Supporting manufacturers throughout the CRA compliance journey, from initial understanding to conformity assessment.

The Cyber Resilience Act is not yet fully mandatory, but its obligations will apply progressively. Manufacturers are at different levels of cybersecurity maturity, and preparation depends on when CRA obligations will apply and how ready products and organisations already are. 

 


CRA compliance checklist: key steps for manufacturers

  • Identify the applicable product classification (Default, Important Class I/II, Critical)
  • Determine the appropriate conformity assessment route (Module A, B+C, H, or CSA scheme)
  • Check availability of harmonised standards (hEN) for Important products
  • Prepare technical documentation
  • Perform self-assessment or engage a 3rd party assessment body
  • Ensure compliance with cybersecurity and regulatory requirements
  • Maintain documentation and conformity evidence
Step 1

Understand the CRA regulation

Start by understanding the scope, objectives and structure of the Cyber Resilience Act, including which products and economic operators are affected.

CRA compliance requires specific obligations across the full product lifecycle, supported by essential cybersecurity requirements that define what products with digital elements must meet in practice.

CRA Manufacturer Obligations

Although full CRA compliance will not be mandatory until December 2027, the reporting of exploited vulnerabilities and severe incidents will become mandatory in September 2026.

CRA Reporting Obligations (Sept 2026)


Step 2

Identify your applicable product classification and potential compliance routes

Under the Cyber Resilience Act, manufacturers have several conformity assessment routes available. However, this choice is not fully discretionary. The CRA clearly defines which compliance routes are applicable depending on the product category.

Before selecting a CRA compliance path, manufacturers must first determine whether their product falls within the CRA scope and how it is classified. This initial classification directly limits or enables the available conformity assessment modules.

Default

Consumer Electronics, General-purpose software, etc.

Self-Assessment

  • Module A
  • Voluntary options: Module B+C or Module H
Important – Class I

Networking, authentication, smart home solutions, etc.

Self-Assessment if hEN or 3rd Party Assessment

  • Module A (if available hEN)
  • Module B+C
  • Module H
Important – Class II

Tamper-resistant chips, firewalls, hypervisors, etc.

3rd Party Assessment

  • Module B+C
  • Module H
  • CSA scheme, if available and applicable (Substantial)
Critical

Security Boxes, Smart Meters, Smartcards, SE.

3rd Party Assessment

  • Module B+C
  • Module H
  • CSA scheme (EUCC)

Paths towards CRA Compliance

  • Module A – Internal control: The manufacturer is solely responsible for ensuring compliance with the essential cybersecurity requirements in Annex I. It prepares technical documentation and ensures proper design, development, production, and vulnerability handling processes. The declaration of conformity is issued and the CE marking affixed, with documentation retained for at least ten years or the support period.
  • Module B – EU-type examination: A notified body assesses the product’s technical design and vulnerability-handling processes based on the submitted documentation. It verifies compliance with the essential requirements and, if successful, issues an EU-type examination certificate for the approved product type.
  • Module C – Conformity to type based on internal production control: The manufacturer ensures that produced units conform to the type approved under Module B and continue meeting cybersecurity requirements. Production controls are implemented, CE marking is affixed, and the declaration of conformity is issued and retained for the required period.
  • Module H – Conformity based on full quality assurance: The manufacturer operates a notified-body-approved quality management system covering the full product lifecycle. The notified body evaluates the system and conducts ongoing surveillance to ensure continued compliance. Products bear the CE marking and a declaration of conformity. 
  • CSA scheme: ICT products, services, or processes can be certified under EU cybersecurity certification schemes defined in the Cybersecurity Act. Certification is performed by accredited bodies or national authorities and confirms compliance with defined requirements. Certificates are valid across all EU Member States.

Step 3

Evaluate your Cyber Resilience Act readiness

Complete our CRA scoping and readiness questionnaire to confirm whether your products fall within the scope of the CRA and understand your current level of cybersecurity maturity against key requirements across the product lifecycle.

When cybersecurity maturity is still low, CRA training sessions can be a useful first step, before moving to a structured readiness and gap analysis.

CRA Questionnaire

CRA Training

Step 4

CRA compliance route considerations

Before choosing a CRA compliance route, manufacturers should consider the status of harmonised standards and the interplay with existing cybersecurity certifications. 

For companies with multiple products or Important and Critical categories, these factors can affect the applicability of self‑assessment and enable reuse of evidence or alignment with quality‑based approaches such as Module H.

CRA Interplay with other Certifications (EUCC)

CRA Standards Mapping

 


Step 5

Align for CRA compliance now, with a future notified body

Applus+ Laboratories is progressing through the Notified Body (NB) accreditation and notification process under the Cyber Resilience Act. In the meantime, manufacturers can already start preparing their products and technical documentation for CRA conformity assessment, particularly for routes involving third‑party evaluation such as Modules B+C and Module H.

Early preparation allows manufacturers to assess product design, vulnerability handling processes, and supporting evidence in advance, reducing uncertainty and avoiding rework once formal notified‑body evaluations begin.

Services for Module A

CRA Readiness Assessment

Identification of gaps against CRA essential cybersecurity requirements and definition of a roadmap towards compliance.

Recommended for the Default category and for companies with limited experience in cybersecurity regulatory requirements.

Start your CRA Gap Analysis

Services for Module B+C

Evaluate your Product for CRA Compliance

Preparation of products and documentation for Module B+C, enabling reuse of tests and evidence during formal evaluation.

A product based approach, suitable for all categories, and for companies seeking to reduce the regulatory risk of an internal self-assessment.

Start your product compliance process

Services for Module H

Evaluate your Quality System for CRA Compliance

Prepare your organization and quality system for Module H audit with a future Notified Body.

Recommended for Class II and Critical products, and for companies seeking a scalable alternative to Module B+C.

Start your quality system compliance processes

EU Cyber Certification

EUCC Conformity Assessment

EU cybersecurity certification for Important and Critical products requiring independent third‑party assessment.

EUCC provides recognised assurance levels across the EU and can support CRA compliance where applicable.

Achieve CRA compliance with EUCC certification

 

Why Applus+ Laboratories as your partner in your CRA Compliance journey?

CRA compliance is complex, evolving, and highly dependent on product category, assurance level, and standardisation status. It is not a one‑size‑fits‑all process.

  • Act now, prepare early: CRA obligations apply progressively, and early preparation reduces risk and cost.
  • Product‑focused cybersecurity expertise: Deep experience assessing complex products.
  • Preparation aligned with Modules B+C and Module H.
  • EUCC already available: Immediate support for high‑assurance certification routes.
  • Interplay and reuse: Proven alignment across CRA, EUCC, CC and Certification frameworks.
  • One partner, end‑to‑end: From readiness to conformity assessment and certification.

 

Talk to our CRA experts and define your CRA compliance strategy
