CRA Cyber Resilience Act Self-Assessment

The CRA self-assessment under Module A (internal production control) is a conformity assessment procedure where the manufacturer independently verifies that their digital product meets all cybersecurity requirements of the Cyber Resilience Act. This procedure applies to standard products — i.e. all products with digital elements not listed in Annex III (important products) or Annex IV (critical products). Typical examples include smart home devices, simple IoT sensors, mobile apps and computer games. The self-assessment involves creating technical documentation, a complete risk analysis and issuing the EU declaration of conformity.

The internal conformity assessment under Module A involves several structured steps: First, product classification — determining whether the product qualifies as a standard product. Second, risk analysis — systematic assessment of all cybersecurity risks per CRA Annex I. Third, technical documentation — creating evidence of design, development, manufacturing and security measures. Fourth, conformity verification against the essential requirements of the CRA. Fifth, issuing the EU declaration of conformity per Annex V. Sixth, CE marking the product. And seventh, establishing processes for security updates and vulnerability reporting throughout the product lifecycle.

In self-assessment (Module A), the manufacturer independently carries out the conformity assessment without involving a notified body. This procedure is only permitted for standard products. In third-party assessment (Modules B+C or H), an independent EU-notified conformity assessment body is involved. This is mandatory for important products Class II (e.g. firewalls, intrusion detection systems) and critical products (e.g. smart cards, HSMs). Important products Class I (e.g. password managers, VPNs) may use self-assessment provided they apply harmonised standards or hold an EU cybersecurity certification.

The EU declaration of conformity per CRA Annex V requires: product identification (name, type, serial number), manufacturer details (name, address, contact), reference to the harmonised standards or technical specifications applied, a declaration that the product meets the essential requirements of Annex I, and the place, date and legally binding signature. Additionally, complete technical documentation must be prepared, covering the risk analysis, design specifications, test reports and software bill of materials (SBOM). These records must be retained for

10 years after placing the product on the market and made available to market surveillance authorities on request.

The Cyber Resilience Act enters into force in stages: From

11 September 2026, reporting obligations for security incidents and actively exploited vulnerabilities apply. From

11 June 2026, the rules for notified bodies must be implemented. The full requirements — including conformity assessment and Module A self-assessment — apply from

11 December 2027. However, manufacturers should start preparing early, as creating technical documentation, conducting risk analysis and implementing security-by-design processes typically takes several months.

CRA Annex I defines the essential cybersecurity requirements for all products with digital elements. These include: protection against unauthorised access through appropriate access controls, ensuring confidentiality of stored and transmitted data, integrity protection of all relevant data and functions, availability of essential functions even during attacks, minimisation of the attack surface, secure default configuration, protection against known vulnerabilities through regular updates, and the ability to log security-relevant events. Additionally, manufacturers must provide vulnerability management processes and security updates throughout the entire support period.

ADVISORI guides manufacturers through the entire self-assessment process: We start with product classification and verify whether your product is correctly categorised as a standard product or falls under Annex III/IV. We then conduct a structured gap analysis against the Annex I requirements. On this basis, we prepare the complete technical documentation and risk analysis. We draft the EU declaration of conformity and support CE marking. We also implement processes for continuous vulnerability management and security updates so your product remains CRA-compliant after placing it on the market. Our experience from numerous CRA projects accelerates the process and minimises compliance risks.