EU Cyber Resilience Act
CRA self-assessment: can you do it yourself?
For default-category products, the Cyber Resilience Act allows conformity assessment by internal control (Module A, Annex VIII) — you assess your own product against the essential requirements and declare conformity, without a notified body.
What self-assessment requires
Under internal control you must meet the Annex I essential requirements (product cybersecurity properties and a vulnerability-handling process), compile the Annex VII technical documentation, and issue an EU Declaration of Conformity before affixing the CE marking.
The work is largely evidence: an accurate SBOM, a record that known exploitable vulnerabilities are handled, a secure-update mechanism, and a coordinated vulnerability-disclosure process — kept current over the support period.
Key points
- Route: conformity assessment by internal control (Module A, CRA Annex VIII).
- No notified body required for default-category products.
- You compile Annex VII technical documentation and sign the EU Declaration of Conformity.
- Compliance is continuous — re-evaluate on new vulnerabilities and product versions.
Frequently asked questions
- Can I self-assess under the CRA?
- Yes — for the default category (~90% of products) the CRA permits conformity assessment by internal control, with no notified body. Important and critical products follow stricter routes.
- Do I need a notified body for the CRA?
- Not for default-category products under internal control. Certain important (Annex III) and critical (Annex IV) products require third-party assessment or certification.
Related
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.