11 July 2026 · 6 min read

EU CRA: when you can self-assess, when you can't

The Cyber Resilience Act splits products into default, important, and critical classes. Which ones allow self-assessment, and which require a notified body.

The Cyber Resilience Act doesn't use one conformity-assessment route for every connected product — it scales the rigor to how much damage a security failure could cause. For most hardware startups the good news is straightforward: the default category, which covers the bulk of ordinary consumer connected devices, can generally be self-assessed. Where it gets harder is the moment your product falls into the CRA's "important" or "critical" categories.

Three tiers, three different rules

The CRA sorts products with digital elements into a default category (most consumer connected devices), Important products (split into Class I and Class II), and Critical products (a narrow list — think hardware security modules, smart-meter gateways, and similar high-assurance categories).

  • Default category — self-assessment (the internal control procedure, "module A") is generally available.
  • Important, Class I — self-assessment is available, but only if you've applied harmonised standards, common specifications, or an approved European cybersecurity certification scheme where one exists. If none of those apply to your product, you're pushed into third-party assessment via a notified body.
  • Important, Class II, and Critical — third-party assessment via a notified body (or an applicable European cybersecurity certification scheme) is required outright; self-assessment isn't an option regardless of standards used.

Why Class I is the trap

Class I is the tier most likely to catch a hardware startup off guard, because it looks like self-assessment is available — until you check whether a harmonised standard actually exists yet for your product category. The CRA's supporting standards landscape is still being built out; a product that would qualify for self-assessment once the relevant standard is published may currently have no route to self-assess simply because the standard doesn't exist yet, forcing an unplanned trip to a notified body.

The open-source carve-out

Manufacturers of Important products (Class I and Class II) that are free and open-source software can still use self-assessment, on the condition that they make their technical documentation publicly available. This is a meaningful exception if your product's software stack is genuinely open source — it's worth confirming your specific component qualifies rather than assuming the whole device does.

What a notified body actually does

A notified body is a private conformity-assessment organisation that's been formally assessed, designated and monitored by an EU member state before it's authorised to issue CRA conformity certificates. Engaging one means submitting to third-party testing and documentation review rather than declaring conformity yourself — plan for longer lead times and a materially different budget line than a self-assessed product.

First step: classify your product correctly

Before anything else, work out which of the three tiers your product actually falls into — the CRA's classification rules (and the specific product-category lists for Important and Critical) determine everything downstream, including whether you need a notified body at all. Run your product through the free requirements checker to get a starting point.

Sources

  1. 01European Commission — Cyber Resilience Act: Conformity assessment
  2. 02cyberresilienceact.eu — The Cyber Resilience Act Explained: Scope, Classes & Deadlines

Not sure which rules apply to you?

Answer a few honest questions about your product and see every applicable regulation for the EU, UK and US, each linked to its official source.

Check your requirements

Related reading