sota.io
2026-04-27·16 min read·

CRA Art.43-50: CE Marking and Conformity Assessment for Software Products — Internal Control vs Notified Body Decision Guide 2026

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) introduces a mandatory CE marking requirement for all products with digital elements placed on the EU market. Articles 43 through 50 define the conformity assessment procedures that manufacturers must complete before affixing the CE mark and issuing an EU Declaration of Conformity (EU DoC).

The CRA's full application date is 11 December 2027 (36 months after entry into force, per Art.71(1)). But for manufacturers of important products (Annex III Class I) and critical important products (Annex III Class II), the path to that date requires decisions that cannot wait until November 2027. Notified bodies designated for CRA under NANDO are beginning to accept conformity assessment applications from June 2026 onward — and Class II assessment processes take 6–18 months under current market capacity.

This guide covers what Art.43-50 requires, how the classification decision drives your assessment path, what the EUCC alternative pathway means, and the documentation you need to begin internal control now.

The CRA Conformity Assessment Framework in Three Procedures

CRA Art.6 establishes which assessment procedure applies to which products. The Regulation defines three distinct procedures across Art.43-50, each with different documentation requirements, timelines, and evidence burdens.

Art.43: Internal Control — manufacturer-conducted assessment with no third-party involvement. Applicable to all products with digital elements not classified as important or critical important products, and to Class I important products where the manufacturer chooses not to use a third-party path. The manufacturer must demonstrate conformity with the essential cybersecurity requirements in Annex I and the vulnerability handling requirements in Annex I Part II, then issue an EU Declaration of Conformity under Art.23 and affix CE marking under Art.24.

Art.44: EU-Type Examination and Quality Assurance — mandatory for Class II critical important products unless Art.45 applies. A designated notified body examines the product's technical documentation, performs testing against essential requirements, and issues a type-examination certificate. The manufacturer then implements a quality assurance system audited by the same or a different notified body. Art.44 maps to Module B (EU-type examination) and Module D (production quality assurance) of Decision 768/2008/EC.

Art.45: Conformity Under European Cybersecurity Certification Scheme — where an applicable European Cybersecurity Certification Scheme (EUCS) with at least "substantial" assurance level exists for the product type, the manufacturer may use EUCS certification as the conformity assessment procedure in lieu of Art.44. This pathway requires ENISA to have developed and the Commission to have adopted a relevant EUCS. For most product categories, no such scheme currently applies specifically to CRA conformity assessment — the EUCC (Common Criteria-based scheme) is operational but covers a different product universe.

Product Classification: What Category Are You In?

The assessment path depends entirely on product classification under Annex III. The classification has three tiers.

Default (no Annex III category): Products with digital elements that do not appear in Annex III are subject to Art.43 internal control only. The manufacturer self-assesses, documents conformity with Annex I requirements, and issues the EU DoC. No notified body involvement is required or permitted. This covers the large majority of commercial software products: SaaS applications, mobile apps, desktop software, most IoT devices, and web services hosted in the EU.

Class I (Important Products — Rule 1-11): Annex III Rule 1-11 lists specific product categories that ENISA and the Commission identified as presenting higher cybersecurity risk. Class I includes: identity management software and privileged access management tools (Rule 1), standalone browsers (Rule 2), password managers (Rule 3), products with virtual private network functions (Rule 4), network monitoring and management tools (Rule 5), SIEM and security information event management tools (Rule 6), network intrusion detection and prevention systems (Rule 7), endpoint protection software (Rule 8), network traffic analyzers (Rule 9), firewalls for end users (Rule 10), and routers, modems, and network switches intended for consumers (Rule 11).

For Class I products, Art.43 internal control is the default. The manufacturer may choose to use Art.44 or Art.45 voluntarily, but is not required to. The practical implication: if your SaaS product includes a VPN feature, endpoint protection component, or identity management function, Annex III Class I classification applies even if cybersecurity is a minor feature.

Class II (Critical Important Products — Rule 12-13): Rule 12 covers hardware devices with security boxes — hardware security modules (HSMs), trusted platform modules (TPMs), smart cards, smart card readers, tokens, and other hardware serving authentication or cryptographic key storage functions. Rule 13 covers microprocessors for general-purpose and embedded use, industrial network equipment including switches, routers, and gateways used in critical infrastructure contexts, network-connected building automation systems, and general-purpose operating systems providing security functions.

Class II manufacturers must use Art.44 third-party assessment unless an Art.45 EUCS scheme applies.

Python: CRAConformityPathDecider

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class CRAProductClass(Enum):
    DEFAULT = "default"
    CLASS_I_IMPORTANT = "class_i_important"
    CLASS_II_CRITICAL_IMPORTANT = "class_ii_critical_important"


class ConformityProcedure(Enum):
    ART_43_INTERNAL_CONTROL = "art_43_internal_control"
    ART_44_NOTIFIED_BODY = "art_44_notified_body"
    ART_45_EUCS = "art_45_eucs_scheme"


@dataclass
class ConformityAssessmentPath:
    product_name: str
    product_class: CRAProductClass
    annex_iii_rule: Optional[str]
    procedure: ConformityProcedure
    notified_body_required: bool
    estimated_months: int
    eucs_applicable: bool
    documentation_requirements: list[str]
    start_deadline: str
    notes: str


def decide_conformity_path(
    product_name: str,
    has_vpn: bool = False,
    has_password_manager: bool = False,
    has_iam_pam: bool = False,
    has_edr_endpoint_protection: bool = False,
    has_network_monitoring: bool = False,
    has_siem: bool = False,
    is_consumer_router_modem: bool = False,
    is_hsm_tpm_smartcard: bool = False,
    is_general_purpose_microprocessor: bool = False,
    is_critical_infra_network_equipment: bool = False,
    eucs_scheme_available: bool = False,
) -> ConformityAssessmentPath:

    # Class II classification (Rule 12-13) takes priority
    if is_hsm_tpm_smartcard or is_general_purpose_microprocessor or is_critical_infra_network_equipment:
        procedure = ConformityProcedure.ART_45_EUCS if eucs_scheme_available else ConformityProcedure.ART_44_NOTIFIED_BODY
        return ConformityAssessmentPath(
            product_name=product_name,
            product_class=CRAProductClass.CLASS_II_CRITICAL_IMPORTANT,
            annex_iii_rule="Rule 12 or 13",
            procedure=procedure,
            notified_body_required=not eucs_scheme_available,
            estimated_months=12 if not eucs_scheme_available else 6,
            eucs_applicable=eucs_scheme_available,
            documentation_requirements=[
                "Technical documentation per Annex V (complete)",
                "EU-type examination certificate from notified body",
                "Quality assurance system audit records",
                "Test reports against Annex I essential requirements",
                "Supply chain cybersecurity documentation",
                "Vulnerability disclosure policy",
                "SBOM for all dependencies",
                "Incident response procedures",
            ],
            start_deadline="IMMEDIATE — notified body capacity constrained, applications from June 2026",
            notes="Art.44 mandatory unless Art.45 EUCS scheme covers this product type. EUCC does not currently cover CRA Class II products directly.",
        )

    # Class I classification (Rule 1-11)
    annex_iii_trigger = None
    if has_iam_pam:
        annex_iii_trigger = "Rule 1 — Identity management / privileged access management"
    elif has_vpn:
        annex_iii_trigger = "Rule 4 — VPN functions"
    elif has_password_manager:
        annex_iii_trigger = "Rule 3 — Password manager"
    elif has_edr_endpoint_protection:
        annex_iii_trigger = "Rule 8 — Endpoint protection"
    elif has_network_monitoring:
        annex_iii_trigger = "Rule 5 — Network monitoring / management"
    elif has_siem:
        annex_iii_trigger = "Rule 6 — SIEM"
    elif is_consumer_router_modem:
        annex_iii_trigger = "Rule 11 — Consumer router / modem"

    if annex_iii_trigger:
        return ConformityAssessmentPath(
            product_name=product_name,
            product_class=CRAProductClass.CLASS_I_IMPORTANT,
            annex_iii_rule=annex_iii_trigger,
            procedure=ConformityProcedure.ART_43_INTERNAL_CONTROL,
            notified_body_required=False,
            estimated_months=3,
            eucs_applicable=False,
            documentation_requirements=[
                "Technical documentation per Annex V",
                "Conformity assessment records per Annex VI",
                "EU Declaration of Conformity per Annex IV",
                "Test evidence for Annex I Part I essential requirements",
                "Vulnerability handling process documentation per Annex I Part II",
                "SBOM for direct and transitive dependencies",
                "Security update policy (minimum 5 years for products with 5+ year expected lifetime)",
            ],
            start_deadline="Start documentation Q2 2026 for December 2027 readiness",
            notes=f"Internal control (Art.43) is default for Class I. Voluntary Art.44 third-party assessment permitted but not required.",
        )

    # Default product class
    return ConformityAssessmentPath(
        product_name=product_name,
        product_class=CRAProductClass.DEFAULT,
        annex_iii_rule=None,
        procedure=ConformityProcedure.ART_43_INTERNAL_CONTROL,
        notified_body_required=False,
        estimated_months=2,
        eucs_applicable=False,
        documentation_requirements=[
            "Technical documentation per Annex V (lightweight)",
            "EU Declaration of Conformity",
            "Evidence of Annex I Part I security requirements",
            "Vulnerability disclosure and update policy",
        ],
        start_deadline="Begin Annex I gap analysis Q3 2026 for December 2027 readiness",
        notes="No classification under Annex III. Art.43 internal control only.",
    )


# Example outputs
products = [
    decide_conformity_path("PasswordVault SaaS", has_password_manager=True),
    decide_conformity_path("CloudVPN Enterprise", has_vpn=True),
    decide_conformity_path("SecureHSM Module", is_hsm_tpm_smartcard=True),
    decide_conformity_path("ProjectManagement App"),
]

for p in products:
    print(f"\n{p.product_name}")
    print(f"  Class: {p.product_class.value}")
    print(f"  Procedure: {p.procedure.value}")
    print(f"  Notified body required: {p.notified_body_required}")
    print(f"  Estimated months: {p.estimated_months}")
    print(f"  Start deadline: {p.start_deadline}")

Output:

PasswordVault SaaS
  Class: class_i_important
  Procedure: art_43_internal_control
  Notified body required: False
  Estimated months: 3
  Start deadline: Start documentation Q2 2026 for December 2027 readiness

CloudVPN Enterprise
  Class: class_i_important
  Procedure: art_43_internal_control
  Notified body required: False
  Estimated months: 3
  Start deadline: Start documentation Q2 2026 for December 2027 readiness

SecureHSM Module
  Class: class_ii_critical_important
  Procedure: art_44_notified_body
  Notified body required: True
  Estimated months: 12
  Start deadline: IMMEDIATE — notified body capacity constrained, applications from June 2026

ProjectManagement App
  Class: default
  Procedure: art_43_internal_control
  Notified body required: False
  Estimated months: 2
  Start deadline: Begin Annex I gap analysis Q3 2026 for December 2027 readiness

Art.43 Internal Control: What Self-Assessment Actually Requires

Internal control under Art.43 does not mean no documentation. It means the manufacturer performs and documents the conformity assessment without a notified body reviewing that documentation before CE marking. The technical documentation must be sufficient for market surveillance authorities (MSAs) to verify conformity on request.

Technical documentation per Annex V must include: a general description of the product and its intended use, design and manufacturing drawings (for hardware) or architecture documentation (for software) including interfaces, components, and data flows; a list of harmonised standards applied (such as EN 18031-1 for IoT cybersecurity); descriptions of conformity assessment solutions where harmonised standards are not available; test reports or evaluation records; and the EU Declaration of Conformity itself (Annex IV).

Annex I Part I essential requirements maps to the documented evidence requirements:

Annex I Part II vulnerability handling requirements for Art.43: document the vulnerability disclosure process, SBOM maintenance procedure, security update timeline and support period, and coordination with ENISA under Art.16 for actively exploited vulnerabilities.

The internal control procedure concludes with the manufacturer signing the EU Declaration of Conformity (EU DoC) — the formal statement that the product meets the essential requirements. The EU DoC must identify the product, the applicable CRA articles and Annex references, the manufacturer, and where applicable the harmonised standards applied.

Art.44: When Notified Body Assessment Is Mandatory

For Class II products, Art.44 removes manufacturer self-assessment as an option. The procedure requires:

Module B: EU-type examination — the manufacturer submits technical documentation and a representative sample of the product to a notified body. The notified body examines the design, performs or oversees testing against Annex I requirements, and issues an EU-type examination certificate valid for 5 years (renewable). The certificate identifies the product, the notified body number, and the specific Annex I requirements verified.

Module D: Production quality assurance — the manufacturer implements a quality management system for the production phase covering conformity with the approved type, quality control procedures, and record keeping. The notified body audits this QMS annually and issues surveillance certificates.

The combined Module B + Module D process takes 6–18 months depending on product complexity, documentation maturity, and notified body queue. Hardware security modules and TPMs represent the most common Class II product category — and these are complex products where documentation preparation alone takes 3–6 months.

Art.45: The EUCS Pathway and Its Current Limitations

Art.45 creates an alternative to Art.44 for Class II products when an applicable European Cybersecurity Certification Scheme (EUCS) with at least "substantial" assurance level exists and covers the product type in question.

The theoretical advantage: EUCS certification, once obtained, substitutes for the notified body process. ENISA manages the EUCS process, accredited conformity assessment bodies (CABs) perform the evaluation, and the Commission issues an implementing act recognising the scheme as CRA Art.45-equivalent.

The practical limitation in 2026: no EUCS scheme currently covers CRA conformity assessment for Class II products. The European Cybersecurity Certification Scheme for Common Criteria (EUCC), adopted by Commission Implementing Regulation (EU) 2024/482, covers IT products evaluated against Common Criteria (ISO/IEC 15408) and is operational. However, EUCC scope and CRA Class II scope overlap partially — some hardware security modules fall under both — but the Commission has not yet issued an implementing act recognising EUCC as a CRA Art.45 equivalent for any product category.

ENISA's work programme for 2025–2027 includes development of candidate EUCS schemes for cloud services (EUCS), 5G network equipment, and IoT products. Until the Commission formally adopts an implementing act under Art.45(2) recognising a scheme as CRA-equivalent, manufacturers of Class II products cannot use Art.45 and must use Art.44.

Art.46: Notified Body Designation Under NANDO

Art.46 sets the competence requirements for bodies applying for CRA notified body status. Requirements include: demonstrated expertise in cybersecurity assessment, independence from manufacturers and importers, sufficient qualified staff with specific cybersecurity technical competencies, professional indemnity insurance, and participation in coordination mechanisms under Art.49.

Member States notify their designated bodies to the Commission, which publishes them in NANDO (New Approach Notified and Designated Organisations database at ec.europa.eu/growth/tools-databases/nando). The notification becomes effective 15 working days after submission unless the Commission objects.

The NANDO database as of April 2026 shows a limited number of bodies designated under CRA — the Regulation is relatively new (entered into force December 2024) and notified body designation processes take 12–18 months. As of the date of this article, bodies previously designated under NIS2-related frameworks (such as under the Machine Directive or Medical Device Regulation) are beginning CRA designation applications, but the pool of CRA-designated notified bodies is significantly smaller than what will be needed when Art.44 becomes mandatory in December 2027.

This creates a supply constraint that makes the June 2026 to December 2026 window critical for Class II manufacturers: early applications will face less queue pressure and better notified body availability than applications submitted in 2027.

Art.47–50: Operational Rules for Notified Bodies

Art.47 Operational Obligations requires notified bodies to: assess products without unnecessary delay, refuse assessment where independence would be compromised, maintain technical documentation for 10 years, participate in coordination activities, and report to the notifying authority on significant conformity assessment findings.

Art.48 Notification Procedure details how Member States notify the Commission and other Member States when designating a new notified body. The Commission and other Member States have 15 working days to object. If no objection, the body may begin assessments immediately. If objection, the Commission makes a final decision within 45 working days.

Art.49 Notified Body Coordination requires the Commission to establish a sectoral group of CRA notified bodies. The group coordinates assessment approaches, shares information on products identified as non-compliant, and develops common interpretations of conformity assessment requirements. For manufacturers, this means that assessment standards will converge over time — early assessments may face more interpretive variance than assessments conducted from 2026 onward when coordination has matured.

Art.50 Challenge to Competence allows any party (manufacturer, Member State, MSA) to challenge a notified body's assessment findings. The notifying authority investigates and may withdraw or restrict the body's notification if the challenge is substantiated. For manufacturers, this means that notified body certificates are legally robust — but the 5-year validity means renewal processes must be planned.

The June 2026 Decision Window: What You Need to Do Now

The CRA's December 2027 application date creates a false sense of distance. For Class II manufacturers specifically, the assessment process must begin by Q4 2026 at the latest to complete before December 2027. The practical preparation steps differ by classification.

If your product is Class II (critical important): Start notified body selection immediately. Identify 2-3 designated bodies in NANDO with CRA experience (or bodies currently seeking CRA designation). Begin technical documentation preparation — the Annex V documentation is the critical path item, not the notified body queue. Module B examination requires complete and stable technical documentation; any gaps discovered during examination restart the clock.

If your product is Class I (important): Art.43 internal control removes notified body dependency, but the documentation requirements are substantial. The Annex V technical documentation gap analysis should begin in Q2 2026 — a realistic assessment against all Annex I Part I essential requirements will identify which controls are documented, which are implemented but not documented, and which require security control additions.

If your product is default (not in Annex III): Art.43 internal control applies. Documentation requirements are proportional — lighter than Class I — but still require an SBOM, vulnerability disclosure policy, and evidence of Annex I Part I compliance. Q3 2026 documentation start is appropriate for December 2027 readiness.

Art.43-50 Conformity Assessment Readiness: 20-Item Checklist

Classification and Scope (4 items)

Technical Documentation — Annex V (5 items)

Annex I Part I Essential Requirements (5 items)

Vulnerability Handling — Annex I Part II (3 items)

Notified Body (Class II only) (3 items)

See Also