CRA Conformity Assessment: Proving Your Software's Compliance

So, you've built your software, done your risk assessment, and worked through the essential requirements in Annex I. What's next? You need to officially demonstrate that your product and processes meet the CRA's standards. This is called 'Conformity Assessment' (Article 3(27) of the CRA legal text).

Self-Assessment for Most Software

For the vast majority of software products, such as games, apps, non-critical components, and paid libraries, that the CRA does not classify as 'important' (Annex III) or 'critical' (Annex IV), the good news is that you can perform a 'self-assessment' (Article 32(1) of the CRA legal text; Recital 91 of the CRA legal text). Products in those two classes have stricter rules. The self-assessment procedure is based on 'Module A' (internal control) as detailed in Annex VIII of the CRA legal text.

This means you, the manufacturer, take responsibility for ensuring and declaring that your product with digital elements, and your vulnerability handling processes, comply with the CRA (Annex VIII, Part I, point 1 of the CRA legal text). It involves compiling the necessary technical documentation and then drawing up and signing an EU Declaration of Conformity.

Key Takeaway

For most games, apps, and general software, CRA compliance involves a self-assessment where you, the developer, declare your product meets the rules, backed by your technical documentation.