CRA Annex III

Do You Need a Third-Party Audit?

Under the EU Cyber Resilience Act, 90% of connected devices can be self-assessed. Find out if your product is in the 10% that requires a Notified Body.

Enforcement begins: December 2027

Reference: Not listed in Annex III

Self-Assessment Allowed

Your product falls under the Default Category. You can perform a Module A self-assessment without external auditor involvement.

Conformity: Module A (Internal Production Control)


Disclaimer: This tool provides general guidance based on CRA Annex III. Final classification depends on specific product features and intended use. Consult the official CRA text and legal counsel for definitive compliance advice.

Understanding CRA Categories

The CRA classifies products into four risk-based categories, each with different conformity assessment requirements.

Default Category

Most consumer electronics: smart bulbs, fridges, toys, wearables, generic IoT.

Self-Assessment (Module A)

~90% of products

Important - Class I

Routers, browsers, password managers, VPNs, smart cameras, general-purpose OS.

Conditional

Self-assess if you apply Harmonised Standards

Important - Class II

Firewalls, hypervisors, tamper-resistant chips, industrial OS, PKI systems.

Mandatory Notified Body

Always requires third-party audit

Critical

Smart meters, HSMs, and other critical infrastructure components.

EUCC Certification

Requires European Cybersecurity Certification

What Does This Mean For You?

Self-Assessment (Module A)

You declare conformity yourself without external auditor involvement. However, you must still:

  • Create and maintain Technical Documentation
  • Perform risk assessment and vulnerability testing
  • Issue EU Declaration of Conformity
  • Affix CE marking
  • Provide 5+ years of security updates

Notified Body Audit

An accredited third-party auditor examines your product and processes. This involves:

  • Module B: Type examination of design and documentation
  • Module C: Production conformity verification
  • Typical timeline: 3-6 months
  • Cost: €15,000 - €50,000+ depending on complexity
  • Issued certificate valid for 5 years

Important: The technical work is the same

Whether you self-assess or hire a Notified Body, the underlying technical requirements (Annex I) are identical. The difference is only who verifies your compliance. This is why a thorough technical audit is essential before either path.

Frequently Asked Questions

What is CRA Annex III?

Annex III of the Cyber Resilience Act defines the list of "Important" and "Critical" product categories that require enhanced conformity assessment. Products matching Annex III criteria cannot simply self-declare compliance - they must involve a Notified Body or apply harmonised standards.

What is a Notified Body?

A Notified Body is an accredited third-party organization designated by an EU Member State to assess product conformity. It performs Type Examination (Module B) and verifies that your product meets the CRA Annex I requirements. Engagement typically costs €15,000-€50,000+ and takes 3-6 months.

Can I self-certify if I'm Class II?

No. Class II products (firewalls, hypervisors, tamper-resistant chips, PKI systems) always require a Notified Body audit. Unlike Class I products, there is no "harmonised standard" escape route for Class II - third-party verification is mandatory.

Ready to Prove Compliance?

Whether you self-assess or need a Notified Body, you first need a technical gap analysis against CRA Annex I requirements.