What is Self-Assessment (Module A) for Software Products?
Under the Cyber Resilience Act (CRA), "Module A," also known as the "internal control" procedure, is your path to conformity if you're developing most types of software, such as games, consumer apps, or non-critical software components that the CRA does not list as important or critical products. Think of it as the manufacturer-led route to compliance.
Manufacturer Takes the Wheel
Essentially, Module A means that you, the manufacturer, take full responsibility for ensuring and declaring that your software product meets all the relevant essential cybersecurity requirements set out in Annex I of the CRA. There's no mandatory third-party notified body checking your homework before you declare conformity, provided your software doesn't fall into higher-risk categories.
Key Obligations in Module A
Performing a self-assessment under Module A involves several key steps outlined in Annex VIII, Part I of the CRA:
- You must establish, and document, design, development, production (which for software means your build and packaging processes) and vulnerability handling processes that ensure both your software and those processes meet the requirements of Annex I.
- You need to prepare and maintain the technical documentation as detailed in Annex VII.
- You draw up a written EU Declaration of Conformity.
- You affix the CE marking to your product.
This process empowers you to manage your own conformity assessment, but it also places the entire burden of proof and accuracy on your shoulders.
Key Takeaway
Module A is the CRA's self-assessment conformity route where you, the software manufacturer, are responsible for ensuring, documenting, and declaring that your product and processes meet the essential cybersecurity requirements.