EU CRA Audit Requirements: A Quick Guide for Product Managers

This blog post provides a practical roadmap for navigating the audit requirements of the EU Cyber Resilience Act (CRA). We’ll examine how products are classified under Annex III, which defines different “criticality” levels and dictates whether you can self-certify or need a third-party (Notified Body) assessment. We’ll then explore the conformity assessment modules (A, B, C, D, H) in detail, touching on expected costs, timelines, and testing processes. By the end, you’ll have a clear understanding of both the problem (the complexity of CRA compliance and the potential disruption to your product launch) and the solution: structured guidance for planning audits, aligning development cycles, and maintaining compliance throughout the product’s lifecycle.

Brief Overview of Article 32 and Annex III

  • Article 32 of the proposed EU CRA sets out conformity assessment procedures for products with digital elements.
  • Annex III classifies certain products as critical (Class I or Class II). Class II products are deemed higher risk and must always involve a Notified Body for their audit, whereas Class I critical products have somewhat more flexibility.

Product Classification According to Annex III

Use this table to quickly identify your product’s criticality and which type of audit may apply. (Exact classification may evolve with final legislation, but this reflects the general approach in the Commission’s proposal.)

Classification: Non-Critical (Baseline)
  • Example product types: typical consumer IoT (smart bulbs, fitness trackers); simple software utilities; general-purpose hardware/software not listed in Class I/II
  • Likely audit path: self-assessment (Module A) is possible; minimal external oversight
  • Notified Body involvement: No (unless the manufacturer opts for third-party assurance voluntarily)

Classification: Class I (Critical)
  • Example product types: credential management software (e.g., password managers); network management tools; industrial automation components (not high-tier); smart meters
  • Likely audit path: option of self-assessment (Module A) or the Notified Body route (B+C / B+D / H)
  • Notified Body involvement: Yes if choosing B+C, B+D, or H; No if opting solely for Module A self-assessment

Classification: Class II (Critical)
  • Example product types: operating systems, hypervisors; security appliances (firewalls, IDS, VPN); advanced industrial control for critical sectors (energy, water, healthcare); PKI products (certificate authorities)
  • Likely audit path: must use a Notified Body (B+C, B+D, or H); no self-assessment allowed
  • Notified Body involvement: Yes (mandatory)

Conformity Assessment Modules (Including Cost & Duration)

Below is the modules table; the approximate cost and typical duration of each module follow in the next table, to help software teams plan audits effectively. Exact figures vary with product complexity, scope, and the chosen Notified Body’s fees.

Module A: Internal Production Control (Self-Certification)
  • Who primarily performs tests: manufacturer’s own dev & QA teams
  • Typical tests / assessments: internal security & functional testing (e.g., code reviews, vulnerability scans, functional tests, unit/integration tests); compliance documentation (demonstrate alignment with CRA requirements); risk analysis (internal threat assessment and mitigations)
  • Key goal: show compliance through internal evidence and test reports, with no external verification

Module B: EU-Type Examination
  • Who primarily performs tests: Notified Body (testing a sample product “type”)
  • Typical tests / assessments: technical documentation review (the Notified Body checks design specs, security controls, test reports); representative sample testing (could include functional checks, security scanning, or penetration testing); risk & vulnerability assessment (confirm identified threats are addressed)
  • Key goal: confirm the “type” meets essential requirements; leads to a Type Examination Certificate if successful

Module C: Conformity to Type (Based on Internal Production Control)
  • Who primarily performs tests: manufacturer (after Module B)
  • Typical tests / assessments: consistency checks (ensure each produced unit matches the certified “type”); internal QA (sampling, regression tests, final inspections to confirm no deviation from the approved design)
  • Key goal: guarantee the final production remains identical to the “type” tested under Module B

Module D: Conformity to Type (Based on QA of Production)
  • Who primarily performs tests: manufacturer + Notified Body (QA system audit)
  • Typical tests / assessments: quality assurance process audits (the Notified Body reviews how you manage production or software releases, e.g., secure SDLC, patching processes); periodic checks (spot tests, audit logs, etc.)
  • Key goal: continuously confirm that products match the “type” via audited QA procedures (version control, patch management)

Module H: Conformity Based on Full Quality Assurance
  • Who primarily performs tests: manufacturer + Notified Body (comprehensive QMS audit)
  • Typical tests / assessments: full lifecycle review (covers design, development, production, release, and security processes); systematic testing (could involve scheduled security reviews, code audits, or functional tests for updates); QMS audits (ongoing evaluation of the entire quality management system)
  • Key goal: provide top-tier assurance that both design and production processes continuously meet essential requirements

Cost & Duration Estimates for Each Module

Module A
  • Approx. cost range: typically low direct fees (mostly internal resources); roughly €5k–€20k in internal staff time
  • Typical duration: usually faster (a few weeks or less), depending on the completeness of internal QA

Module B
  • Approx. cost range: can range from €15k–€50k+, depending on the scope of testing (penetration tests, code reviews, etc.)
  • Typical duration: several weeks to 2+ months, depending on complexity and the Notified Body’s availability

Module C
  • Approx. cost range: minimal extra cost beyond Module B (mostly internal QA)
  • Typical duration: ongoing, but typically short checks for each release or production run (days to weeks per iteration)

Module D
  • Approx. cost range: €20k–€80k+ for initial audits, plus annual surveillance fees
  • Typical duration: several months for initial approval, plus periodic audits (e.g., annually or semi-annually)

Module H
  • Approx. cost range: €50k–€150k+ depending on organisation size, product complexity, and QMS maturity
  • Typical duration: initial approval might take 3–6+ months, with ongoing surveillance audits (e.g., once or twice per year)

  • Internal Resource Impact: Even when external fees are low, you’ll likely need internal staff for preparing documents, performing self-assessments, implementing security measures, etc.
  • Scope & Complexity: The more critical or technically complex a product is, the more rigorous (and costly) the testing.
  • Market Launch Timelines: For Class II products (where Notified Body involvement is mandatory), plan for several months of audits, and allow time for remediation if issues are found.

Conclusion

  • Know Your Product’s Classification: Determine whether you are Non-Critical, Class I, or Class II under Annex III.
  • Choose the Right Module(s): Understand whether self-assessment (Module A) suffices or if you must involve a Notified Body (Modules B+C, B+D, or H).
  • Plan for Time & Budget: Align your product release roadmap with the potential weeks to months required for external audits—especially for Class II.
  • Continuous Compliance: Under the CRA, responsibilities don’t stop after certification; you must maintain secure development and post-market surveillance throughout the product lifecycle.

By mapping out these audit requirements—including the costs and timelines—software product and project managers can effectively prepare for EU CRA compliance and avoid last-minute surprises.
