CRA conformity assessment, self-assessment or notified body

How CRA conformity assessment works. The three product classes, when you can self-assess, when you need a notified body, and what the assessment actually checks before your product reaches the EU market.

Conformity assessment is the step that turns "we built it securely" into "we can place it on the EU market." Under the CRA, how you do that depends on your product class: most products self-assess, but products in the important and critical classes need a notified body. Working out which bucket you are in is the first decision, because it changes how much lead time you need.

This post covers the classes, the routes, and what the assessment actually looks at. For the broader picture of the CRA and the deadlines, see our Cyber Resilience Act framework page and the CRA timeline.

What is a CRA conformity assessment?

A conformity assessment is the procedure that demonstrates your product with digital elements meets the CRA essential requirements before it goes on the EU market. It is the basis for the CE marking and the EU declaration of conformity. Regulation (EU) 2024/2847 sets out which procedure applies based on how the product is classified.

How do I know my CRA product class?

The CRA sorts products with digital elements into three tiers, and the tier sets the assessment burden.

  1. Default class. The large majority of products. Self-assessment is allowed.
  2. Important class. Products whose core function carries higher cybersecurity risk, such as password managers, network management tools, or certain industrial components. Third-party routes come into play.
  3. Critical class. The highest-risk categories, which face the most stringent requirements.

Determining your class is not optional and it is not something to leave to the end. If you land in important or critical, you need to engage external parties, and their availability is a real scheduling constraint as the deadlines approach.

When can I self-assess?

If your product is default class, you can self-assess. That means you, the manufacturer, evaluate conformity against the essential requirements, compile the technical documentation, and issue the EU declaration of conformity yourself. No notified body is involved. The work does not disappear: you still have to produce and stand behind the evidence, but you control the timeline.

When do I need a notified body?

For important-class products, the CRA expects either application of harmonised standards or involvement of a notified body, depending on the route. For critical-class products, the third-party assessment is the most stringent of the routes. A notified body is an independent organisation designated to assess conformity, and you can find designated bodies through the EU NANDO database. The practical takeaway is the same as in the timeline post: classify early, because notified-body capacity is finite and the December 2027 date will create demand.

What does the assessment actually check?

Whatever the route, the assessment is checking that the product meets the CRA essential requirements and that you can prove it. In practice that means:

  1. Secure by design and shipped with no known exploitable vulnerabilities.
  2. A Software Bill of Materials in the technical documentation, so the components are known. Our SBOM walkthrough and the CycloneDX vs SPDX decision matrix cover producing one.
  3. Vulnerability handling and coordinated disclosure, including the ability to act on an actively exploited vulnerability quickly.
  4. Security updates through the defined support period.
  5. Technical documentation that ties it together: the SBOM, the disclosure policy, the update history, and the conformity evidence.

The assessment is a checkpoint, but the requirements are continuous. A product that was conformant at assessment and then stopped receiving updates is not conformant anymore.

How do I prepare for the assessment?

Build the evidence as you go, not the week before. Keep the SBOM current, run the disclosure process for real, log your fix history, and determine your product class early enough to book a notified body if you need one. The CRA readiness checklist is the order of operations.

Where Scadable fits

Scadable produces and maintains much of what an assessment asks for as a by-product of keeping you compliant: the live SBOM, the mapping from components to vulnerabilities, the fix and backport history, and the report trail. When you are ready, you click enroll and we line up the assessment with a vetted partner. Book a walkthrough to scope it to your products.

Frequently asked questions

What is a CRA conformity assessment? It is the procedure that demonstrates a product with digital elements meets the CRA essential requirements before it is placed on the EU market. Depending on the product class it is either a self-assessment by the manufacturer or a third-party assessment by a notified body, and it underpins the CE marking.

When can I self-assess under the CRA? Default-class products, which is most products with digital elements, can use a self-assessment. The manufacturer evaluates conformity, compiles the technical documentation, and issues the EU declaration of conformity without a third party.

When do I need a notified body for the CRA? Products in the important and critical classes require third-party involvement. Important-class products can use a notified body or harmonised-standards routes, and critical-class products face the most stringent assessment. Determine your class early because it changes your lead time.

What does the assessment check? That the product meets the essential requirements: secure by design, no known exploitable vulnerabilities, an SBOM in the technical documentation, vulnerability handling and coordinated disclosure, and security updates through the support period, with documentation that proves it.