Assessment and future certification of the product cybersecurity management system in accordance with the Cyber Resilience Act.

The Cyber Resilience Act (CRA) Module H defines a conformity pathway based on full assurance of the product cybersecurity management system, covering its entire lifecycle—from design and development to post-market activities.

Unlike other conformity routes focused on product-by-product assessments, Module H enables organizations to demonstrate CRA compliance through a robust and centralized management system, consistently integrating:

  • Organizational processes
  • Technical controls
  • Documentation requirements

This approach is particularly suitable for manufacturers with multiple products, higher technical complexity, or stringent assurance requirements, as it allows for consistent and scalable regulatory compliance management. Module H is expected to become one of the preferred pathways for CRA compliance, especially for products classified as Important and Critical. However, its effective implementation will depend on the European accreditation and notification framework, which is currently under development. 

How CRA Module H will be assessed and Applus+ Laboratories’ approach

CRA Module H requires organizations to demonstrate that they have mature, effective, and consistent processes capable of ensuring ongoing compliance with CRA requirements. Applus+ Laboratories is currently in the process of accreditation and notification as a Notified Body.

Once the scheme is fully operational, the Module H assessment will be based on a combination of services, including: 

Cybersecurity management system assessment

Comprehensive evaluation of the processes and controls supporting product cybersecurity, including:

  • Quality Management System (QMS) ensuring that products are designed, developed, and manufactured in compliance with essential cybersecurity requirements
  • Secure design, development, and production lifecycle (SDLC)
  • Vulnerability management and risk treatment

This evaluation verifies alignment between quality processes and both horizontal and vertical requirements for each product type within the CRA scope. 

Process audits against the CRA regulation

Process audits conducted against:

  • General requirements of the CRA Regulation
  • Applicable vertical requirements depending on the product category
  • Organizational, technical, and documentation controls required under Module H

The approach focuses on demonstrating the actual maturity and effectiveness of the management system, not just the existence of documentation. 

Technical review and CRA technical documentation

Structured review of:

  • Product cybersecurity architecture
  • Risk analysis and treatment
  • CRA technical documentation, including design and development evidence

This review ensures traceability between identified risks, implemented controls, and assessment outcomes. 

Sampling of representative products

Structured sampling of products to verify the correct implementation of the management system in real products representative of the certified family or product line. 

Evaluation of key cybersecurity processes

In-depth analysis of critical processes required under the CRA, including:

  • Security update and patch management
  • Software Bill of Materials (SBOM)
  • Supply chain management, due diligence, and third-party dependencies
  • PSIRT operation and coordinated vulnerability disclosure

Annual surveillance

Once certification is issued and the scheme is officially available:

  • Annual surveillance audits
  • Verification of ongoing effectiveness and improvement of the management system
  • Review of significant changes in products or processes 

Target audience

The CRA Module H service—Cybersecurity Management System Assessment—is intended for organizations requiring a structural, scalable, and long-term approach to Cyber Resilience Act compliance, particularly:

  • Manufacturers of products with digital elements classified as:
    • Important Class I
    • Important Class II
    • Critical products
  • Manufacturers of Important Class I products where cybersecurity is particularly relevant due to function, connectivity, or impact
  • Organizations with broad product portfolios seeking a centralized conformity approach instead of product-by-product schemes (e.g., Module B + C)
  • Companies with established management systems seeking to integrate CRA requirements into existing frameworks, such as:
    • ISO 9001
    • ISO/IEC 27001
    • IEC 62443-4-1 and 4-2 

Current status of CRA Module H and why choose Applus+ Laboratories

While the European accreditation and notification framework for CRA Module H is still under definition, Applus+ Laboratories offers a set of progressive preparation services tailored to each organization’s maturity level.

For organizations at earlier stages:

  • Readiness assessments to identify gaps against CRA requirements and define a compliance roadmap
  • Training courses for technical, compliance, and management teams to enable practical understanding and integration of CRA requirements into existing processes

For organizations with a higher level of readiness or established management systems:

  • Evaluation of quality systems can begin, with certification to be issued once Applus+ Laboratories is officially notified
