Cyber Resilience Act · Article 32

Conformity assessment procedures

Plain-English explainer

Article 32 sets out the conformity assessment routes available depending on the product class. Standard products may use internal control (Module A). Important Class I products may use internal control if harmonised standards are applied in full, otherwise EU type-examination plus internal production control (Modules B+C). Important Class II products require third-party assessment by a notified body. Critical products require certification under an applicable European cybersecurity scheme.

What you must do

  • Identify the right module before designing the technical file.
  • If choosing internal control, document full application of harmonised standards.
  • Engage notified bodies early — capacity is limited.

Official text

The authoritative text of Article 32 is published by the Publications Office of the European Union on EUR-Lex. We link directly to it rather than mirror it, so you always read the current consolidated version straight from the source.

Read Article 32 on EUR-Lex

Source: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). The only authentic version is the one published in the Official Journal of the European Union.
