CRA Cyber Resilience Act External Audits

External conformity assessment under the Cyber Resilience Act is mandatory for two product categories: Important products of Class II (e.g., firewalls, intrusion detection systems, operating systems) must be assessed under either Module B+C or Module H. Critical products under Annex IV (e.g., smartcards, hardware security modules) require a European cybersecurity certificate or assessment by a notified body. For approximately 90% of all connected standard products, self-assessment under Module A is sufficient.

During the EU type examination under Module B, notified bodies review the technical design, development processes, and defined procedures for vulnerability handling. Specifically, the assessment covers: compliance with essential cybersecurity requirements per Annex I, technical documentation including Software Bill of Materials (SBOM), risk assessment and vulnerability management, and processes for security updates. Upon successful completion, an EU type examination certificate is issued.

Module B+C and Module H are two alternative paths to CRA conformity: Under Module B+C, the notified body first examines the product design (Module B), then the manufacturer ensures production conformity independently (Module C). Under Module H, the manufacturer implements a comprehensive quality assurance system that is continuously monitored by the notified body. Module H is particularly suited for organizations with many CRA-regulated products, as a certified QA system can cover all products.

The CRA timeline includes three key milestones: From September 2026, initial reporting obligations for actively exploited vulnerabilities take effect. By June 2026, member states must establish procedures for designating conformity assessment bodies. From December 2027, all CRA requirements apply in full, including external conformity assessment. Manufacturers should begin audit preparation now, as notified body availability will be limited.

Our audit preparation follows a structured 5-phase approach: 1) Gap analysis against CRA Annex I requirements and identification of the appropriate conformity module. 2) Development of technical documentation including SBOM, risk assessment, and vulnerability management. 3) Implementation of required processes for security updates and vulnerability handling. 4) Mock audit to identify remaining gaps. 5) Accompaniment during the actual audit by the notified body and support with any follow-up requirements.

A failed external CRA audit has severe consequences: The product cannot be sold on the EU market without CE marking. Market surveillance authorities can recall products or prohibit sales. Additionally, fines of up to EUR

15 million or 2.5% of global annual turnover may apply. ADVISORI minimizes this risk through thorough pre-audit assessments and mock audits that identify and address typical findings in advance.

Selecting the right notified body requires evaluating multiple criteria: Accreditation for the CRA scope in the EU Commission NANDO database, industry experience with comparable product categories, availability and lead times (expected to tighten from 2026), geographic proximity for on-site inspections, and language capabilities. ADVISORI supports strategic selection and maintains contacts with leading notified bodies across the EU.