CRA Art.25: Conformity Assessment Procedures — Annex VIII, Class I & Class II Paths, Notified Bodies & EUCC (Developer Guide 2026)
Post #471 in the sota.io EU Cyber Compliance Series
Before affixing the CE marking and drawing up the EU Declaration of Conformity under Articles 23–24 of this series, a manufacturer must complete a conformity assessment procedure. Article 25 (the conformity assessment article; Article 32 in the published Official Journal text of Regulation (EU) 2024/2847, "CRA", with the procedures themselves set out in Annex VIII) determines which procedures are available, depending on whether the product is a default product, an important product of Class I or Class II (Annex III), or a critical product (Annex IV). Most software developers will use internal control (Module A, Annex VIII Part I). Class I important products may use Module A only if harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise a third party is needed. Class II important products and critical products always require either a notified body (EU-type examination plus conformity to type, or full quality assurance) or a European cybersecurity certificate at assurance level at least 'substantial'.
Critical deadline: 11 December 2027. The CRA applies in full from that date: every product with digital elements placed on the market from then on needs a completed conformity assessment, an EU DoC and the CE marking. Products placed on the market before that date are caught only if they are substantially modified afterwards. Manufacturers of Class II important and critical products, which cannot self-assess, should begin notified-body procurement by mid-2026 to account for limited notified-body capacity; Chapter IV on the notification of conformity assessment bodies applies from 11 June 2026, so no body can be notified for the CRA before then.
The Conformity Assessment Paths Under Art.25
Article 25 maps each product category to the procedures it may use. All of the modules are in Annex VIII of the Regulation: Part I Module A (internal control), Part II Module B (EU-type examination), Part III Module C (conformity to type based on internal production control) and Part IV Module H (full quality assurance). A European cybersecurity certification scheme is the remaining alternative.
| Product category | Permitted procedure(s) | Who performs it |
|---|---|---|
| Default (not listed in Annex III or IV) | Module A internal control (Annex VIII Part I); Module B+C, Module H or EUCC may be used voluntarily | Manufacturer self-assessment |
| Important, Class I (Annex III), harmonised standards, common specifications or EUCC applied in full | Module A, or any of the third-party routes below | Manufacturer |
| Important, Class I (Annex III), without full coverage by harmonised standards | Module B (EU-type examination) + Module C (conformity to type), or Module H (full quality assurance), or EUCC at level at least 'substantial' | Notified body or EUCC CAB |
| Important, Class II (Annex III) | Module B + Module C, or Module H, or EUCC at level at least 'substantial' | Notified body or EUCC CAB (mandatory) |
| Critical (Annex IV) | EUCC where a delegated act prescribes it; otherwise the Class II options | EUCC CAB or notified body (mandatory) |
The default path, Module A, applies to the vast majority of software products: developer libraries, enterprise applications, APIs shipped as products, firmware for non-critical IoT devices, and any other product with digital elements not listed in Annex III or Annex IV. Pure SaaS is generally outside the CRA altogether: it is not placed on the market as a product, and only remote data processing that a product depends on to perform one of its functions is pulled into scope together with that product. For default products, conformity assessment is entirely internal: no external auditor, no notified body, no certification fee.
Determining Your Product Category (Annex III and Annex IV)
Before selecting the conformity assessment path, determine whether the product is listed in Annex III (important products, split into Class I and Class II) or Annex IV (critical products). The lists are by product function, so check the product's actual security functionality against them, not its marketing name:
Critical products (Annex IV): a European cybersecurity certificate is required if and when a delegated act prescribes it; until then, the Class II procedures apply. The list is short:
- Hardware devices with security boxes
- Smart meter gateways within smart metering systems, and other devices for advanced security purposes including secure cryptoprocessing
- Smartcards or similar devices, including secure elements
Important products, Class II (Annex III): notified body (Module B+C or Module H) or EUCC at level at least 'substantial'; no self-assessment:
- Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments
- Firewalls, intrusion detection and prevention systems
- Tamper-resistant microprocessors
- Tamper-resistant microcontrollers
Important products, Class I (Annex III): Module A if harmonised standards, common specifications or EUCC are applied in full, otherwise one of the third-party routes. Examples from the list:
- Identity management systems and privileged access management software, including authentication and access control readers
- Standalone and embedded browsers
- Password managers
- Software that searches for, removes or quarantines malicious software
- Products with VPN functionality
- Network management systems and security information and event management (SIEM) systems
- Boot managers
- Public key infrastructure and digital certificate issuance software
- Physical and virtual network interfaces
- Operating systems
- Routers and modems intended for connection to the internet, and switches
- Microprocessors, microcontrollers, ASICs and FPGAs with security-related functionalities
- Smart home general-purpose virtual assistants, and smart home products with security functionalities (smart door locks, security cameras, baby monitors, alarm systems)
- Internet-connected toys with social interactive features or location tracking, and personal wearables for health monitoring or for children
Default (all others): products not listed in either annex use Module A. Most commercial software, including developer tools, productivity applications and libraries, falls here.
Module A (Annex VIII Part I): Internal Control (Default Path)
Module A is the internal control module of the New Legislative Framework (Decision No 768/2008/EC). It is the least burdensome conformity assessment procedure and consists of four steps:
Step 1: Technical documentation. The manufacturer draws up the technical documentation described in Annex VII (the Art.22 dossier in this series): a general description of the product, design and development documentation including the cybersecurity risk assessment, evidence for each applicable Annex I requirement, the SBOM required by Annex I Part II, the vulnerability handling and update process, the list of harmonised standards or common specifications applied, and the reports of the tests carried out. It must allow conformity to be assessed from the documents alone, and it is kept for at least 10 years after the product is placed on the market or for the support period, whichever is longer.
Step 2: Manufacturing / production control. The manufacturer takes all measures necessary so that the production process and its monitoring ensure every unit conforms to the technical documentation and to Annex I. For software this means a version-controlled source tree, reproducible or at least recorded builds, release artefacts that are hashed and signed, and a documented update and patching process, so that what ships is provably the build that was assessed.
Step 3: CE marking and EU Declaration of Conformity. The manufacturer affixes the CE marking (Art.24) to each product that satisfies the requirements and draws up a written EU DoC (Art.23) for each product model, keeping it together with the technical documentation.
Step 4: Retain documentation. The manufacturer keeps the EU DoC and the technical documentation at the disposal of market surveillance authorities for at least 10 years after placing on the market or for the support period, whichever is longer, and provides them on reasoned request. An authorised representative may carry out steps 3 and 4 on the manufacturer's behalf.
Under Module A there is no external review; the manufacturer declares conformity itself. Class I important products may use it only where harmonised standards, common specifications or an EUCC certificate cover every applicable Annex I requirement; partial coverage pushes the product to a third-party route. Market surveillance authorities (Chapter V of the Regulation) can demand the documentation, test the product and order corrective action after it is on the market, so the dossier has to stand on its own.
Module B (Annex VIII Part II): EU-Type Examination (Optional for Class I)
Module B requires a notified body to examine the technical design of the product, the manufacturer's vulnerability handling processes and, where the body needs it, a representative sample (the "EU-type"), and to attest that they meet Annex I. For important and critical products it is always followed by Module C (Annex VIII Part III, conformity to type based on internal production control). The procedure:
- The manufacturer lodges an application with a single notified body of its choice, with the technical documentation and, where relevant, a sample
- The notified body examines the documentation, checks that the design satisfies Annex I Part I and that the vulnerability handling processes satisfy Annex I Part II, and carries out or witnesses the necessary tests
- If the type conforms, the notified body issues an EU-type examination certificate with its annexes; the manufacturer must inform the body of any modification that could affect conformity, which may require an addition to the certificate
- Under Module C the manufacturer then controls production so each unit matches the approved type, affixes the CE marking and draws up the EU DoC referencing the certificate
A Class I manufacturer that could have used Module A may still choose Module B+C: the certificate is a third-party validation signal useful in enterprise procurement and public-sector tenders. The price is typically several months and significant cost compared to Module A (see the timeline and cost estimates below), so for Class I products whose applicable standards are fully applied it is a commercial decision, not a legal obligation.
Third-Party Routes (Mandatory for Class II Important and Critical Products)
Class II important products and, absent a delegated act prescribing EUCC, critical products must use one of the following:
Module B + Module C: EU-type examination by a notified body followed by the manufacturer's own conformity-to-type production control, as described above. This is the usual choice for a product with a small number of discrete releases.
Module H (Annex VIII Part IV), full quality assurance: instead of examining each type, the notified body assesses and approves the manufacturer's quality system for design, development, production and final inspection and testing, then surveils it through periodic audits and unannounced visits. For software this typically means:
- A documented secure development lifecycle covering requirements, design, coding, testing and release, mapped to Annex I
- Records (threat models, test results, SBOMs, vulnerability handling tickets) for each release, available to the notified body during surveillance
- A change-control process so that new versions stay inside the approved quality system without a new type examination
Notified body certificate: whether a Module B EU-type examination certificate or a Module H quality system approval, it must exist before the CE marking is affixed and is referenced in the EU DoC. Notified bodies themselves are listed in the NANDO database with their CRA scope; certificates are obtained from the body, not from NANDO.
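The production-control step of Module A above and the Module C conformity-to-type phase both come down to the same engineering question: is the build you are about to ship the one that was assessed? The following Python is an added example written for this guide, not code from the Regulation, from any notified body or from the sota.io series. It assumes a release manifest (a hypothetical format invented for this example) that records each artefact's SHA-256 digest and the SBOM components pinned by name, version and digest; the sample artefacts, component names and versions are constructed inline.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, artifacts: dict, components: list) -> dict:
    """Record the approved type: version, per-artefact digests and pinned SBOM components.
    Artefacts and components are sorted so the manifest is canonical."""
    return {
        "version": version,
        "artifacts": {name: sha256_hex(data) for name, data in sorted(artifacts.items())},
        "components": sorted(components, key=lambda c: (c["name"], c["version"])),
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON form, to be cited in the technical file.
    A real release would also sign the manifest; signing is out of scope here."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def _component_key(c: dict) -> tuple:
    return (c["name"], c["version"], c["sha256"])


def verify_release(manifest: dict, artifacts: dict, sbom_components: list, version: str) -> list:
    """Compare a candidate release against the approved manifest.

    Returns a list of discrepancies; an empty list means the candidate is the
    assessed build and may be CE marked under the existing assessment.
    """
    findings = []
    if version != manifest["version"]:
        findings.append(f"version {version} is not the assessed version {manifest['version']}")
    expected = manifest["artifacts"]
    for name, digest in expected.items():
        if name not in artifacts:
            findings.append(f"missing artefact: {name}")
        elif sha256_hex(artifacts[name]) != digest:
            findings.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in expected:
            findings.append(f"unlisted artefact shipped: {name}")
    # The SBOM must pin exactly the components that were assessed: a silently
    # bumped dependency is a different product from the one in the technical file.
    approved = {_component_key(c) for c in manifest["components"]}
    actual = {_component_key(c) for c in sbom_components}
    for name, ver, _ in sorted(approved - actual):
        findings.append(f"approved component missing from SBOM: {name}@{ver}")
    for name, ver, _ in sorted(actual - approved):
        findings.append(f"SBOM component not in approved type: {name}@{ver}")
    return findings


# Constructed sample release (not real artefacts): two files and two pinned dependencies
ASSESSED_ARTIFACTS = {
    "bin/gateway": b"ELF...gateway-build-2027.1\n",
    "config/default.yaml": b"listen: 0.0.0.0:8443\ntls_min_version: 1.2\n",
}
ASSESSED_COMPONENTS = [
    {"name": "libtls", "version": "3.2.1", "sha256": sha256_hex(b"libtls-3.2.1")},
    {"name": "yamlparse", "version": "0.9.0", "sha256": sha256_hex(b"yamlparse-0.9.0")},
]
APPROVED_MANIFEST = build_manifest("2027.1", ASSESSED_ARTIFACTS, ASSESSED_COMPONENTS)


def demo() -> tuple:
    """Run the check on the assessed build and on a candidate that drifted from it."""
    clean = verify_release(APPROVED_MANIFEST, ASSESSED_ARTIFACTS, ASSESSED_COMPONENTS, "2027.1")
    drifted_artifacts = dict(ASSESSED_ARTIFACTS)
    drifted_artifacts["bin/gateway"] = b"ELF...gateway-build-2027.1-hotfix\n"  # rebuilt, not reassessed
    drifted_artifacts["bin/debug-shell"] = b"ELF...debug\n"                     # never in the technical file
    drifted_components = [
        ASSESSED_COMPONENTS[0],
        {"name": "yamlparse", "version": "0.9.1", "sha256": sha256_hex(b"yamlparse-0.9.1")},
    ]
    drifted = verify_release(APPROVED_MANIFEST, drifted_artifacts, drifted_components, "2027.1")
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("approved manifest digest:", manifest_digest(APPROVED_MANIFEST))
    print("assessed build:", clean or "matches approved type")
    for finding in drifted:
        print("drifted build:", finding)
```

Run it as the gate before the CE marking step of each release: an empty finding list means the candidate matches the assessed type; any finding means either rebuilding from the assessed sources or treating the change as a modification to evaluate against the substantial-modification definition before shipping. In production the manifest itself should be signed with the release key; the canonical digest here is only the value you cite in the technical file.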
EUCC — European Cybersecurity Certification Scheme as Alternative Path
The Regulation lets a European cybersecurity certification scheme adopted under the Cybersecurity Act (Regulation (EU) 2019/881) serve as the conformity assessment procedure, and grants a presumption of conformity with Annex I, if:
- The certificate's scope actually covers the Annex I essential requirements applicable to the product (only the requirements it covers are presumed met)
- It is issued at assurance level at least 'substantial'; a delegated act may prescribe a specific level for critical products
The EUCC (Commission Implementing Regulation (EU) 2024/482) is the first scheme adopted under the Cybersecurity Act. It is based on the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology and covers ICT products, software and hardware with security functionality alike. Its assurance levels are defined by the vulnerability-assessment component applied in the evaluation:
- Substantial: AVA_VAN.1 or AVA_VAN.2, i.e. evaluator vulnerability analysis and penetration testing against an attacker with basic attack potential
- High: AVA_VAN.3, AVA_VAN.4 or AVA_VAN.5, i.e. resistance to attackers with enhanced-basic, moderate or high attack potential; this is the level long used for smartcards and secure elements, the products now listed in Annex IV
EUCC certificates are issued by conformity assessment bodies accredited by their national accreditation body; for level 'high' the CAB additionally needs authorisation from the national cybersecurity certification authority, which may also issue such certificates itself. Certificates run for at most five years, and each one states the assurance level, the evaluated configuration and the scope of the evaluation, so a product shipped outside that configuration is not covered.
Important limitations: the EUCC substitutes only for the conformity assessment procedure, not for the EU DoC (Art.23) or the CE marking (Art.24). A manufacturer with an EUCC certificate must still draw up the EU DoC, affix the CE marking and meet every Annex I requirement and vulnerability-handling obligation the certificate does not cover. Changes outside the evaluated configuration are not covered either, so plan for the scheme's assurance continuity process when releasing new versions.
Selecting a Notified Body
For manufacturers that need a notified body (mandatory for Class II important and critical products, optional for Class I and default products), selection follows this process:
1. Identify designated bodies in NANDO. The NANDO database (ec.europa.eu/growth/tools-databases/nando/) lists every notified body by legislation and product scope. Chapter IV of the CRA, under which Member States notify bodies to the Commission, applies from 11 June 2026, so CRA-scoped entries can appear only after that date.
2. Check scope of notification. Each notified body is notified for specific modules and product categories. For software products, look for competence in secure development lifecycle assessment, vulnerability analysis and penetration testing, and SBOM review. Note that CRA harmonised standards are still being developed by CEN/CENELEC under the Commission's standardisation request; the EN 18031 series is a harmonised standard under the Radio Equipment Directive, not the CRA, so treat evidence against it as reusable test material rather than as a route to presumption of conformity.
3. Request Quotation and Timeline Notified body engagement typically requires:
- Pre-assessment: 4–8 weeks (review of technical documentation)
- Type-examination: 8–16 weeks (testing against Annex I requirements)
- Certificate issuance: 2–4 weeks
- Total: 4–7 months from engagement to certificate
4. Cost estimates
- Module B+C for a Class I product: €15,000–€50,000 depending on product complexity
- Module B+C or Module H for a Class II or critical product: €40,000–€120,000 for a full assessment
- EUCC Substantial: €20,000–€60,000
- EUCC High: €60,000–€200,000
Note: These are 2025 market estimates for comparable third-party evaluations. Actual CRA notified body fees will settle as the ecosystem matures after 2026.
Art.25 and the Relationship to Art.22–24
Article 25 sits at the centre of the CRA conformity chain:
Art.22 Technical Documentation
↓ (referenced by)
Art.25 Conformity Assessment Procedure (Annex VIII Module A / Module B+C / Module H, or EUCC)
↓ (required before)
Art.23 EU Declaration of Conformity
↓ (required before)
Art.24 CE Marking → Product placed on EU market
The conformity assessment procedure (Art.25) consumes the Art.22 technical documentation as its primary input. Its output, whether an internal Module A record, a notified body certificate or an EUCC certificate, is referenced in the Art.23 EU DoC. The CE marking (Art.24) is affixed only once the procedure is complete and the EU DoC has been drawn up.
Python CRAConformityAssessmentPlanner

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime


class ProductClass(Enum):
    DEFAULT = "default"                        # not listed in Annex III or IV
    IMPORTANT_CLASS_I = "important_class_i"    # Annex III, Class I
    IMPORTANT_CLASS_II = "important_class_ii"  # Annex III, Class II
    CRITICAL = "critical"                      # Annex IV


class AssessmentPath(Enum):
    MODULE_A = "module_a"        # Annex VIII Part I: internal control
    MODULE_B_C = "module_b_c"    # Parts II + III: EU-type examination + conformity to type
    MODULE_H = "module_h"        # Part IV: full quality assurance
    EUCC_SUBSTANTIAL = "eucc_substantial"
    EUCC_HIGH = "eucc_high"


CRA_APPLICATION_DATE = datetime.date(2027, 12, 11)
NOTIFIED_BODY_PATHS = (AssessmentPath.MODULE_B_C, AssessmentPath.MODULE_H)
EUCC_PATHS = (AssessmentPath.EUCC_SUBSTANTIAL, AssessmentPath.EUCC_HIGH)
THIRD_PARTY_PATHS = NOTIFIED_BODY_PATHS + EUCC_PATHS

# Indicative durations in days (this guide's planning estimates, not regulatory figures)
PATH_DURATION_DAYS = {
    AssessmentPath.MODULE_A: 90,
    AssessmentPath.MODULE_B_C: 180,
    AssessmentPath.MODULE_H: 210,
    AssessmentPath.EUCC_SUBSTANTIAL: 150,
    AssessmentPath.EUCC_HIGH: 240,
}


@dataclass
class ConformityAssessmentPlan:
    product_name: str
    product_class: ProductClass
    chosen_path: AssessmentPath
    market_placement_target: datetime.date
    # Class I may use Module A only if harmonised standards, common specifications
    # or an EUCC certificate cover every applicable Annex I requirement
    harmonised_standards_fully_applied: bool = False
    # set when a delegated act prescribes EUCC for this critical product category
    delegated_act_requires_eucc: bool = False
    notified_body: Optional[str] = None
    eucc_cab: Optional[str] = None
    estimated_cost_eur: Optional[int] = None
    milestones: list = field(default_factory=list)

    def validate(self) -> list[str]:
        """Check the chosen path against the Art.25 rules for the product category."""
        issues = []
        pc, path = self.product_class, self.chosen_path
        if (pc in (ProductClass.IMPORTANT_CLASS_II, ProductClass.CRITICAL)
                and path not in THIRD_PARTY_PATHS):
            issues.append("Class II important and critical products cannot use "
                          "Module A: choose Module B+C, Module H or EUCC "
                          "(at least 'substantial')")
        if (pc == ProductClass.CRITICAL and self.delegated_act_requires_eucc
                and path not in EUCC_PATHS):
            issues.append("A delegated act requires a European cybersecurity "
                          "certificate for this critical product")
        if (pc == ProductClass.IMPORTANT_CLASS_I
                and path == AssessmentPath.MODULE_A
                and not self.harmonised_standards_fully_applied):
            issues.append("Class I products may use Module A only when harmonised "
                          "standards, common specifications or EUCC are applied in full")
        if path in NOTIFIED_BODY_PATHS and not self.notified_body:
            issues.append(f"{path.value} requires a CRA-notified body (listed in NANDO)")
        if path in EUCC_PATHS and not self.eucc_cab:
            issues.append("EUCC path requires an accredited Conformity Assessment Body "
                          "(authorised by the NCCA for level 'high')")
        return issues

    def generate_timeline(self, start: Optional[datetime.date] = None) -> dict:
        """Project milestones from `start` (default: today) and compare them with the
        market placement target and the CRA application date."""
        start = start or datetime.date.today()
        duration = PATH_DURATION_DAYS[self.chosen_path]
        assessment_end = start + datetime.timedelta(days=duration)
        eu_doc_ready = assessment_end + datetime.timedelta(days=14)
        ce_marking = eu_doc_ready + datetime.timedelta(days=7)
        return {
            "assessment_start": str(start),
            "assessment_complete": str(assessment_end),
            "eu_doc_ready": str(eu_doc_ready),
            "ce_marking_affixed": str(ce_marking),
            "market_placement_target": str(self.market_placement_target),
            "meets_market_target": ce_marking <= self.market_placement_target,
            # products placed on the market before this date fall under the CRA
            # only once they are substantially modified
            "cra_applies_at_placement": self.market_placement_target >= CRA_APPLICATION_DATE,
            "days_to_market_target": (self.market_placement_target - ce_marking).days,
        }

    def compliance_report(self, start: Optional[datetime.date] = None) -> dict:
        issues = self.validate()
        return {
            "product": self.product_name,
            "class": self.product_class.value,
            "path": self.chosen_path.value,
            "issues": issues,
            "path_permitted": not issues,
            "timeline": self.generate_timeline(start),
            "cost_estimate_eur": self.estimated_cost_eur,
        }


# Usage example: a default-category API gateway planned for a 2028 launch
plan = ConformityAssessmentPlan(
    product_name="MyAPIGateway",
    product_class=ProductClass.DEFAULT,
    chosen_path=AssessmentPath.MODULE_A,
    market_placement_target=datetime.date(2028, 3, 1),
    estimated_cost_eur=5000,
)
report = plan.compliance_report(start=datetime.date(2027, 6, 1))
print(f"Path permitted: {report['path_permitted']}")
print(f"Assessment complete by: {report['timeline']['assessment_complete']}")
print(f"CE marking affixed by: {report['timeline']['ce_marking_affixed']}")
print(f"Days before market target: {report['timeline']['days_to_market_target']}")
```
Art.25 Conformity Assessment Checklist
Pre-Assessment
- Determined product category (default / important Class I / important Class II / critical) using Annex III and Annex IV
- Selected conformity assessment path (Module A / Module B+C / Module H / EUCC)
- For Class I: recorded whether harmonised standards, common specifications or EUCC are applied in full (Module A is open only if they are) and the rationale for the chosen path
- For Class II and critical: identified a CRA-notified body in NANDO (entries possible from 11 June 2026) or an accredited EUCC CAB
- For EUCC path: confirmed the certificate scope covers the product's applicable Annex I requirements and the level is at least 'substantial' (or the level a delegated act prescribes)
Module A (Internal Control: Default Products and Eligible Class I Products)
- Art.22 technical documentation complete (Annex VII dossier)
- Risk assessment against all Annex I Part I essential requirements performed
- SBOM prepared per Annex I Part II
- Vulnerability handling process documented against Annex I Part II
- Harmonised standards or common specifications applied listed (CRA harmonised standards are still being drafted by CEN/CENELEC; until cited in the OJEU they give no presumption of conformity, and the EN 18031 series is harmonised under the Radio Equipment Directive, not the CRA)
- Security testing evidence recorded (SAST, DAST, dependency scanning)
- Manufacturing/production controls documented (build pipeline, signing, release)
- Internal assessment record signed off by the person accountable for the declaration (Module A has no external signatory)
Module B+C / Module H (Notified Body Path)
- Notified body engaged and contract signed
- Pre-assessment documentation submitted
- Representative product sample / software build provided to notified body
- Notified body examination completed and issues resolved
- EU-type examination certificate (Module B) or quality system approval (Module H) received
- Module C production control implemented so every release matches the approved type, or Module H surveillance audits scheduled
- Certificate reference number obtained for EU DoC
Post-Assessment
- EU Declaration of Conformity (Art.23) drawn up referencing assessment path + certificate
- CE marking affixed per Art.24 requirements (format, placement, digital affixing)
- Technical documentation and EU DoC stored for 10 years
- EUCC certificate (if used) issued, listed on ENISA's certification website and cited by identifier in the EU DoC
- Notified body identification number placed after the CE marking where the body is involved in the production control phase (Module H); under Module B+C the manufacturer alone controls production, so no number is added
- Review process established for modifications, using the substantial-modification definition (a change affecting conformity with Annex I Part I or the intended purpose the product was assessed for) as the trigger for reassessment
- Calendar reminder set for certificate expiry (EUCC certificates run for at most five years; use the validity stated on a notified body certificate)
- Market surveillance authority contact identified for jurisdiction of main EU establishment
Key Takeaways for Developers
- Most developers use Module A. If your product is not listed in CRA Annex III or Annex IV, internal control under Annex VIII Part I applies. No notified body, no certification fee; the work is producing a technical file that would survive a market surveillance request.
- Class I: check your standards coverage, then decide. Module A is open to you only if harmonised standards, common specifications or an EUCC certificate are applied in full; until CRA harmonised standards are published, many Class I products will need a notified body or an EUCC certificate regardless of preference. Where Module A is available, third-party validation may still be worth buying for enterprise and public-sector procurement.
- Class II and critical products are the exception, not the rule. Annex III Class II is four categories (hypervisors and container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessors and microcontrollers) and Annex IV three. Most commercial software, including developer tools and non-critical IoT firmware, is default or Class I, and pure SaaS is usually outside the CRA entirely unless it is remote data processing a product depends on. Check the annexes before assuming notified body involvement is required.
- EUCC is a valid and sometimes preferable alternative. An EUCC certificate is recognised across the EU, states an explicit assurance level and evaluated configuration, and counts as the conformity assessment for the Annex I requirements it covers; the remaining requirements, the EU DoC and the CE marking are still yours.
- Start early for Class II and critical products. Notified bodies can only be designated from 11 June 2026 and capacity will be limited; manufacturers targeting placement after 11 December 2027 should begin procurement in mid-2026.
- Assessment is tied to the assessed type. A substantial modification (a change affecting conformity with Annex I Part I or the intended purpose the product was assessed for) makes the product a new product to be reassessed. Security patches and minor changes that keep the product within the assessed design do not restart the procedure, provided the technical documentation and, where relevant, the notified body certificate or EUCC assurance-continuity process are updated.
Next in the CRA series: Article 26 — Simplified EU Declaration of Conformity and European Cybersecurity Certification Scheme integration.
See also: CRA Art.22 Technical Documentation · CRA Art.23 EU Declaration of Conformity · CRA Art.24 CE Marking