Internal Control: How to Prepare a Solid Declaration of Conformity

If you manufacture or distribute connected devices in the EU, and your product is subject to the Cyber Resilience Act (CRA), you may be able to use the internal control conformity route (Module A) to show compliance. Here’s how to do that properly.


What Is Internal Control?

Internal control means you, the manufacturer, take full responsibility for assessing your product’s compliance with the CRA’s essential cybersecurity requirements, without involving a notified body. This is allowed for most Class I products (Article 32(2)(a)).


What the CRA Requires in a Declaration of Conformity

According to Article 28 and Annex VI, your DoC must include:

  • Product identification (name, version, model, type)
  • Manufacturer info (address, contact)
  • A statement of full compliance with the CRA
  • A reference to applied standards or specifications (if any)
  • Details about the support period (Article 13(19))
  • A signature and date

You must also:

  • Affix the CE marking (Article 30)
  • Include the DoC (or a link to it) with the product (Article 13(20))

How to Prepare It

  1. Conduct a risk assessment (Annex I, Part I): Evaluate what cybersecurity risks your product faces and how you’ve mitigated them.
  2. Map those risks to CRA requirements (Annex I, Parts I and II): Document how your product meets each one.
  3. Compile technical documentation (Article 31, Annex VII): Include your SBOM, security design details, test results, and vulnerability handling policy.
  4. Write the DoC: Keep it clear, consistent with your technical documentation, and aligned with the language of the EU’s cybersecurity regulation.
  5. Keep records: You’ll need to retain the DoC and supporting documents for at least 10 years or the full support period (Article 13(13)).

The DoC is your legal claim that the product is safe, secure, and compliant. Make sure it’s backed by real evidence and a documented process. This is key for IoT, embedded software, and digital products entering the European market.