EU Cyber Resilience Act

How does CE marking work under the CRA?

Under the Cyber Resilience Act, the CE marking signals that a product with digital elements meets the EU’s cybersecurity essential requirements. You may affix it only after completing conformity assessment and signing the EU Declaration of Conformity.

The path to CE

The sequence is: meet the Annex I essential requirements; compile the Annex VII technical documentation (with SBOM and vulnerability-handling process); carry out conformity assessment (internal control for default-category products); and issue the EU Declaration of Conformity. The CE marking then follows.

CE is not a one-off: you maintain the evidence and updates across the support period, and re-assess when the product or its risk profile changes.

Key points

  • CE marking requires a signed EU Declaration of Conformity.
  • Default-category products use internal-control conformity assessment.
  • Backed by Annex VII technical documentation and an SBOM.
  • Maintain conformity across the support period.

Frequently asked questions

Can I CE-mark my software under the CRA myself?
For default-category products you can: complete internal-control conformity assessment, sign the EU Declaration of Conformity, and affix the CE marking — without a notified body.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.