Conformity Assessment - seedon198/Cyber-Resilience-Act GitHub Wiki

Conformity Assessment

CRA Conformity Assessment Procedures

Overview

Conformity assessment demonstrates that products meet CRA essential requirements before market placement.

Assessment Procedures by Product Class

Module A: Internal Production Control (Class I)

  • Self-Assessment: Manufacturer conducts internal evaluation
  • Documentation: Technical documentation preparation
  • Declaration: EU Declaration of Conformity
  • CE Marking: Affixing conformity marking
  • No Third-Party: No notified body involvement required

Module B + C: Type Examination + Conformity to Type (Class II)

  • Type Examination: Notified body evaluates product design
  • Certificate: EU Type Examination Certificate issued
  • Production Conformity: Ongoing compliance verification
  • Surveillance: Periodic notified body oversight

Assessment Process

Phase 1: Pre-Assessment

  1. Product Classification: Determine Class I or Class II
  2. Standards Selection: Identify applicable harmonized standards
  3. Gap Analysis: Compare current state with requirements
  4. Documentation Planning: Prepare required documentation

Phase 2: Technical Documentation

  1. Product Description: Detailed product specifications
  2. Risk Assessment: Comprehensive security risk analysis
  3. Security Architecture: Design documentation
  4. Test Results: Conformity testing evidence
  5. Instructions: User and installation guidance

Phase 3: Testing and Evaluation

  1. Conformity Testing: Verify standard compliance
  2. Penetration Testing: Security validation
  3. Vulnerability Assessment: Identify weaknesses
  4. Documentation Review: Verify completeness

Phase 4: Certification (Class II Only)

  1. Notified Body Selection: Choose accredited assessor
  2. Application Submission: Provide complete documentation
  3. Technical Review: Expert evaluation
  4. Certificate Issuance: Formal compliance confirmation

Notified Bodies

Selection Criteria

  • Accreditation: National authority designation
  • Competence: Technical expertise in product area
  • Independence: Impartial assessment capability
  • Resources: Adequate testing facilities

Working with Notified Bodies

  • Early Engagement: Discuss approach and requirements
  • Documentation Submission: Provide complete technical files
  • Technical Meetings: Clarify requirements and findings
  • Ongoing Cooperation: Maintain certification validity

Documentation Requirements

Technical Documentation Contents

  1. General Description: Product functionality and purpose
  2. Conceptual Design: Architecture and components
  3. Risk Assessment: Security analysis and findings
  4. Technical Specifications: Detailed requirements
  5. Standards Applied: Harmonized standards compliance
  6. Test Reports: Conformity testing results
  7. Instructions: Installation and user guidance

Quality Requirements

  • Completeness: All required elements included
  • Accuracy: Technically correct information
  • Clarity: Clear and unambiguous content
  • Traceability: Version control and change management
  • Maintenance: Regular updates and reviews

EU Declaration of Conformity

Required Elements

  • Product identification
  • Manufacturer details
  • Applicable legislation
  • Harmonized standards applied
  • Notified body (if applicable)
  • Authorized representative signature
  • Date and place of issue

Legal Significance

  • Manufacturer Declaration: Legal responsibility acceptance
  • Market Access: Required for product placement
  • Compliance Evidence: Demonstrates CRA conformity
  • Liability: Manufacturer assumes product responsibility

Post-Market Obligations

Ongoing Compliance

  • Technical Documentation: Maintain for 10 years
  • Incident Reporting: Report cybersecurity incidents
  • Security Updates: Provide necessary patches
  • Market Surveillance: Cooperate with authorities

Certificate Maintenance (Class II)

  • Validity Period: Typically 3-5 years
  • Renewal Process: Periodic reassessment
  • Change Notifications: Inform of product modifications
  • Surveillance Audits: Ongoing compliance verification

For details on the legal requirements, see Legal Requirements. For technical implementation guidance, see Technical Implementation.