EU Cyber Resilience Act

CRA self-assessment: can you do it yourself?

For default-category products, the Cyber Resilience Act allows conformity assessment by internal control (Module A, Annex VIII) — you assess your own product against the essential requirements and declare conformity, without a notified body.

What self-assessment requires

Under internal control you must meet the Annex I essential requirements (product cybersecurity properties and a vulnerability-handling process), compile the Annex VII technical documentation, and issue an EU Declaration of Conformity before affixing the CE marking.

The work is largely evidence: an accurate SBOM, a record that known exploitable vulnerabilities are handled, a secure-update mechanism, and a coordinated vulnerability-disclosure process — kept current over the support period.

Key points

  • Route: conformity assessment by internal control (Module A, CRA Annex VIII).
  • No notified body required for default-category products.
  • You compile Annex VII technical documentation and sign the EU Declaration of Conformity.
  • Compliance is continuous — re-evaluate on new vulnerabilities and product versions.

Frequently asked questions

Can I self-assess under the CRA?
Yes — for the default category (~90% of products) the CRA permits conformity assessment by internal control, with no notified body. Important and critical products follow stricter routes.
Do I need a notified body for the CRA?
Not for default-category products under internal control. Certain important (Annex III) and critical (Annex IV) products require third-party assessment or certification.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.