CRA Art.24: CE Marking — Placement, Format & Digital Affixing for Software Products (Developer Guide 2026)

Post #470 in the sota.io EU Cyber Compliance Series

The CE marking is the visible endpoint of the EU Cyber Resilience Act (Regulation (EU) 2024/2847, "CRA") conformity assessment process. Article 24 governs when CE marking is permitted, how it must look, and — critically for software developers — where it must be placed when the product has no tangible physical form. Affixing CE without completing the Art.22 technical documentation and Art.23 EU Declaration of Conformity is unlawful and triggers penalties under Art.64 of up to €15 million or 2.5% of global annual turnover.

Critical deadline: 11 December 2027. Art.24 obligations apply in full from that date for most products with digital elements. Art.73 transitional provisions may require earlier compliance infrastructure for Class I and Class II products requiring notified body involvement.

The Conformity Assessment Triad: Art.22–24 Complete

Article 24 is the third and final step in the CRA conformity assessment sequence:

The three articles form an interdependent chain: CE marking is only permitted after the EU DoC (Art.23) is drawn up, the EU DoC references the conformity assessment procedure (Annex VIII, IX, or X), and the technical documentation (Art.22 / Annex V) must contain a reference to the EU DoC. Affixing CE marking is the act that places the product on the EU market under the CRA framework.

Art.24(1) — When CE Marking Is Permitted

Art.24(1) establishes the precondition: CE marking may be affixed only after the conformity assessment procedure under Annex VIII, IX, or X has been completed and the manufacturer has drawn up the EU DoC under Art.23.

The three conformity assessment procedures differ by product class:

For most software products (SaaS, developer tools, APIs, open-source components placed on the market), the default Annex VIII internal control procedure applies. CE marking follows from the manufacturer's own conformity assessment and EU DoC — no external certification required.

Art.24(2) — CE Marking Format Requirements

Article 24(2) incorporates the CE marking format rules from the New Legislative Framework (NLF) — specifically Regulation (EC) No 765/2008 and Annex II of Decision 768/2008/EC. The CE marking must comply with these specifications:

Minimum dimensions: The CE marking must have a minimum height of 5 mm (unless the nature of the product makes this disproportionate — e.g., small IoT components). If the marking is enlarged or reduced, the proportions given in the NLF grid must be respected.

CE letterform: The stylised "CE" initials must follow the exact graphic proportions specified in Decision 768/2008/EC Annex II. Manufacturers may not substitute an approximate rendition. The Commission has published a downloadable vector graphic of the correct CE form for use in product documentation and packaging.

No modification: The CE marking must not be modified, decorated, or combined with other graphic elements in a way that reduces its visibility or legibility. It must stand alone or be placed adjacent to any notified body identification number (four-digit NB number) where applicable.

Colour: The CE marking may appear in any colour, provided it is clearly visible and legible in contrast to its background. Black on white is conventional; reversed white on dark background is acceptable.

Minimum CE marking format (5mm minimum height):
  ┌─────────────────────────────┐
  │    CE                       │
  │   ─ ─  ─ ─ ─ ─ ─           │  ← proportional to letterform
  │    minimum height: 5mm      │
  └─────────────────────────────┘
  
If notified body involved (Class II):
  ┌─────────────────────────────┐
  │    CE  [XXXX]               │
  │         ↑ 4-digit NB number │
  └─────────────────────────────┘

Art.24(3) — Where CE Marking Must Be Placed

Article 24(3) specifies where the CE marking must appear. The rules distinguish between products with and without physical form.

Products with physical form (hardware with digital elements):

1. On the product itself (preferred)
2. On the packaging
3. On accompanying documentation

Where the product is too small to bear the CE marking directly (e.g., a microcontroller, a smart sensor), placement on packaging or accompanying documentation satisfies the requirement.

Software products with no physical form (pure software):

Art.24(3) recognises that software products typically have no tangible form. For these products, the CE marking must be placed on one or more of:

1. On the packaging (if the software is distributed in physical packaging, e.g., boxed retail software)
2. On the accompanying documentation (licence agreement, getting started guide, README)
3. Made electronically accessible — via the product itself (About screen, settings panel, splash screen) or via the manufacturer's website/documentation

The "electronically accessible" route is the practical standard for SaaS, API products, CLI tools, and downloadable software. A CE marking displayed in an application's About dialog or on a product's compliance page satisfies Art.24(3) for software.

Practical CE Marking Placement for Software Products

For the typical software manufacturer covered by CRA, the following placements satisfy Art.24(3):

Option 1 — About Screen / Settings Panel

About MyApp v2.4.1
Manufacturer: Example GmbH, Berlin, Germany
EU Declaration of Conformity: [link]
CE [CE mark graphic]
CRA conformity assessment: Annex VIII (internal control)

Option 2 — Documentation / README

## Compliance

This product bears the CE marking and conforms to the requirements
of Regulation (EU) 2024/2847 (Cyber Resilience Act).

CE [CE mark graphic]

EU Declaration of Conformity: https://example.com/eu-doc
Annex V Technical Documentation: available on request

Option 3 — Product Website Compliance Page A dedicated /compliance or /legal/ce-marking page on the product website listing:

• CE mark graphic (min. 5mm in print, proportional on screen)
• Link to EU DoC (PDF or structured HTML)
• Conformity assessment procedure used
• Manufacturer identification per Art.23(3)(b)

Option 4 — QR Code Linking to EU DoC For physical products where space is limited, a QR code on the product or packaging may link to the EU DoC and CE marking information online. The CE mark graphic must still appear — the QR code supplements it, it does not replace it.

Art.24(4) — Prohibited Marks and Confusingly Similar Marks

Art.24(4) prohibits affixing markings, signs, inscriptions, or labels on a product that could mislead third parties about:

• The meaning of the CE marking
• The form of the CE marking
• The visibility or legibility of the CE marking

In practice, this prohibition targets:

1. CE lookalikes — marks that reproduce the CE letterform in a modified or stylised way that creates confusion
2. National quality marks that duplicate the function of CE marking without the same legal significance
3. "China Export" CE marks — a widely circulated misconception that a visually similar mark used on some Chinese-manufactured goods is equivalent to the EU CE marking. Under Art.24(4), CRA-covered manufacturers may not affix any mark that could cause such confusion
4. Stacked marks — combining CE with other conformity symbols in a way that reduces CE marking legibility

The prohibition extends beyond the product itself to packaging, documentation, and websites.

Notified Body Identification Number

Where a product has been assessed by a notified body under Annex IX (Class I) or Annex X (Class II), the four-digit identification number of the notified body must appear immediately after the CE marking. The notified body number must be:

• The same height as the CE marking
• Affixed by or under the instruction of the notified body (not by the manufacturer unilaterally)
• Present on the product, packaging, or accompanying documentation in the same location as the CE marking

For pure software products using the internal control procedure (Annex VIII), no notified body number is required — CE appears alone.

CE Marking and the EUCC Cybersecurity Certification Scheme

The EU Cybersecurity Certification Scheme for Common Criteria (EUCC) under the Cybersecurity Act (Regulation (EU) 2019/881) is relevant for Class I CRA products that elect to use a third-party conformity assessment rather than internal control. Where a product holds an EUCC certificate at Assurance Level "high" or "substantial", this certificate forms part of the technical documentation and supports the EU DoC. The CE marking under Art.24 remains the CRA-specific conformity indicator; EUCC certificates are referenced in the EU DoC but do not replace the CE mark.

Python CRACEMarkingKit — Lifecycle and Placement Verification

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class CRACEMarkingRecord:
    product_name: str
    product_version: str
    manufacturer_name: str
    manufacturer_address: str
    conformity_assessment_procedure: str  # "Annex VIII", "Annex IX", or "Annex X"
    eu_doc_reference: str                 # URL or document identifier
    ce_marking_placement: list[str]       # e.g. ["about_screen", "documentation", "website"]
    notified_body_number: Optional[str] = None  # 4-digit NB number if applicable
    affixing_date: datetime = field(default_factory=datetime.now)
    product_class: str = "default"        # "default", "class_i", "class_ii"

    def validate(self) -> list[str]:
        issues = []
        if self.product_class == "class_ii" and not self.notified_body_number:
            issues.append("Class II products require a notified body number adjacent to CE marking")
        if self.product_class == "class_ii" and self.conformity_assessment_procedure != "Annex X":
            issues.append("Class II products must use Annex X (notified body) conformity assessment")
        if not self.eu_doc_reference:
            issues.append("EU DoC reference required — CE marking presupposes valid EU DoC under Art.23")
        if not self.ce_marking_placement:
            issues.append("At least one CE marking placement required under Art.24(3)")
        valid_placements = {"product", "packaging", "documentation", "about_screen", "website", "qr_code"}
        for p in self.ce_marking_placement:
            if p not in valid_placements:
                issues.append(f"Unknown placement '{p}'. Valid: {valid_placements}")
        return issues

    def generate_compliance_statement(self) -> str:
        placement_str = ", ".join(self.ce_marking_placement)
        nb_str = f" Notified body: {self.notified_body_number}." if self.notified_body_number else ""
        return (
            f"CE marking affixed to {self.product_name} v{self.product_version} "
            f"({self.manufacturer_name}) under {self.conformity_assessment_procedure}. "
            f"EU DoC: {self.eu_doc_reference}. "
            f"Placement: {placement_str}.{nb_str} "
            f"CRA Art.24 satisfied."
        )

class CRACEMarkingKit:
    def __init__(self):
        self.records: list[CRACEMarkingRecord] = []

    def register_product(self, record: CRACEMarkingRecord) -> dict:
        issues = record.validate()
        status = "COMPLIANT" if not issues else "NON-COMPLIANT"
        self.records.append(record)
        return {
            "product": record.product_name,
            "version": record.product_version,
            "status": status,
            "issues": issues,
            "statement": record.generate_compliance_statement() if not issues else None,
        }

    def compliance_report(self) -> dict:
        compliant = [r for r in self.records if not r.validate()]
        non_compliant = [r for r in self.records if r.validate()]
        return {
            "total_products": len(self.records),
            "compliant": len(compliant),
            "non_compliant": len(non_compliant),
            "products": [
                {"name": r.product_name, "version": r.product_version,
                 "issues": r.validate() or ["none"]}
                for r in self.records
            ],
        }

# Example: software product using Annex VIII internal control
kit = CRACEMarkingKit()
result = kit.register_product(CRACEMarkingRecord(
    product_name="ExampleApp",
    product_version="2.4.1",
    manufacturer_name="Example GmbH",
    manufacturer_address="Unter den Linden 1, 10117 Berlin, Germany",
    conformity_assessment_procedure="Annex VIII",
    eu_doc_reference="https://example.com/eu-doc/exampleapp-v2.4.1.pdf",
    ce_marking_placement=["about_screen", "documentation", "website"],
    product_class="default",
))
print(result["statement"])

CRA Art.24 Compliance Checklist (30 Items)

CE Marking Preconditions

• Annex VIII/IX/X conformity assessment procedure fully completed before CE marking affixed
• EU DoC under Art.23 drawn up before CE marking affixed
• Annex V technical documentation (Art.22) finalised and referenced in EU DoC
• Conformity assessment procedure correctly selected (default → Annex VIII; Class I → VIII/IX; Class II → X)
• Manufacturer established or authorised representative designated (Art.12) before CE marking

CE Marking Format

• CE marking uses the exact letterform from Decision 768/2008/EC Annex II
• Minimum height 5mm maintained (or proportional for small products)
• CE marking not modified, decorated, or combined with other graphic elements reducing legibility
• CE marking clearly visible and legible against background
• No confusingly similar marks or CE lookalikes present on product, packaging, or docs
• National quality marks do not duplicate or overshadow CE marking meaning

CE Marking Placement — Physical Products

• For physical products: CE marking appears on product, packaging, or accompanying docs
• Packaging placement used where product too small for direct affixing
• Accompanying documentation placement used only where product and packaging both impractical

CE Marking Placement — Software Products

• For software with no physical form: CE marking accessible via packaging, docs, About screen, or website
• About screen / settings panel contains CE mark graphic at min. 5mm (print) or proportional (screen)
• Product documentation (README, licence agreement) includes CE mark and EU DoC link
• Company compliance page (/compliance or equivalent) displays CE marking
• CE marking accessible before or during product use (not only post-purchase in invoice)
• QR code used as supplement only — CE mark graphic still present where QR code used

Notified Body Number

• Class II products: four-digit NB number placed immediately after CE marking
• NB number height matches CE marking height
• NB number affixed under instruction of notified body (not self-assigned)
• Class I (Annex VIII internal control): no NB number added

Post-Market / Lifecycle

• CE marking removed or withdrawn if product is subsequently found non-conforming
• CE marking updated if NB number changes (Class II) or new EU DoC drawn up
• CE marking on new versions verified against updated EU DoC and technical documentation
• If substantial modification (Art.20): new CE marking process initiated as for new product
• Market surveillance authorities have access to EU DoC whenever CE marking visible

Prohibited Actions

• No CE marking affixed before conformity assessment complete
• No CE marking affixed before EU DoC drawn up
• No misleading marks used alongside or instead of CE marking
• No CE marking used on products with known exploitable vulnerabilities (Art.13 market withdrawal trigger)

CE Marking Across the CRA Lifecycle

The CE marking is not a static badge — it reflects a product's conformity status at a point in time. Three lifecycle events affect CE marking:

1. Substantial modification (Art.20): If a product undergoes a substantial modification (functional or security-relevant change), the manufacturer must re-evaluate conformity, update the technical documentation (Art.22), draw up a new EU DoC (Art.23), and re-affix CE marking reflecting the new conformity assessment. For software, this means updating the version referenced in the About screen and EU DoC link.

2. Non-conformity discovered post-market (Art.13/Art.14): If a product placed on the market with CE marking is subsequently found to have an exploitable vulnerability or fails an Annex I requirement, the manufacturer must initiate corrective action. If the non-conformity is fundamental, the product must be withdrawn from the market and CE marking cannot be used for that product version until conformity is restored.

3. Standard revision: If a harmonised standard referenced in the EU DoC is revised and the product no longer conforms to the new version, the manufacturer must update the conformity assessment and draw up a new EU DoC. The CE marking may continue on existing units already placed on the market, but new units must reflect the updated assessment.

sota.io and CRA Art.24

For SaaS products or software tools hosted on EU cloud infrastructure — such as sota.io — the CE marking framework applies as follows:

The CE marking for your product appears in:

• Your application's About / Settings page
• Your product documentation (README, compliance page)
• The EU DoC hosted on your compliance infrastructure

Hosting your EU DoC, CE marking statement, and technical documentation on sota.io means the documentation is stored exclusively within EU jurisdiction under a single legal order, without CLOUD Act extraterritorial exposure. Your CE marking compliance page at https://yourapp.io/compliance referencing a sota.io-hosted EU DoC satisfies Art.24(3) for software products.

Conclusion: Completing the CRA Conformity Triad

Article 24 completes the conformity assessment triad that began with Art.22 (technical documentation) and Art.23 (EU Declaration of Conformity). For most software products, the CE marking journey under CRA is:

1. Build the technical documentation (Art.22 / Annex V): product description, SBOM, CVD policy, test records, standards applied
2. Conduct the internal conformity assessment (Annex VIII): verify all Annex I Part I+II requirements met
3. Draw up the EU DoC (Art.23): formal declaration referencing assessment procedure and standards
4. Affix CE marking (Art.24): place CE mark in About screen, documentation, and compliance page
5. Maintain throughout lifecycle: update when substantial modifications occur, standards are revised, or non-conformities are discovered

The December 2027 deadline is firm. Building the conformity infrastructure now — documentation, EU DoC templates, CE marking placements — means you can demonstrate compliance on day one of enforcement rather than scrambling at the deadline.

See Also

• CRA Art.22: Technical Documentation Requirements (Annex V & VI) — technical documentation that must be in place before CE marking can be affixed
• CRA Art.23: EU Declaration of Conformity — the formal declaration that must precede CE marking
• CRA Art.25: Conformity Assessment Procedures (Annex VIII, Class I & II) — which assessment path applies before CE marking is permitted
• CRA Art.13: Manufacturer Obligations — security-by-design and update support obligations that CE marking attests to