Steps in Performing a Self-Assessment (Module A) for Software

So, your app, game, or non-critical software component is eligible for self-assessment under Module A of the Cyber Resilience Act (CRA). What does that actually involve? Here's a straightforward breakdown based on Annex VIII, Part I.

Step 1: Ensure Your Processes and Product Comply

The core of Module A is your own due diligence. You, the manufacturer, must take all necessary measures during design, development, and what the CRA calls "production" (for software, think of this as your build, packaging, and release processes), and throughout your vulnerability handling, to ensure your software product meets the essential cybersecurity requirements of Annex I. This also means your internal processes for handling vulnerabilities must comply with Annex I, Part II. This step heavily relies on the cybersecurity risk assessment you've already performed.

Step 2: Prepare the Technical Documentation

You need to compile comprehensive technical documentation as described in Annex VII. This is your evidence locker, showing how your software meets the CRA requirements. It includes things like your risk assessment, software architecture, SBOM, vulnerability handling procedures, and test reports.

Step 3: Draw Up the EU Declaration of Conformity (DoC)

Once you're confident your software and processes comply, you must draw up and sign a written EU Declaration of Conformity. This is a formal statement, as per Article 28 and modeled in Annex V, declaring that your product meets the CRA's requirements. You take sole responsibility for this declaration.

Step 4: Affix the CE Marking

Finally, you must affix the CE marking to your software product. For software, this can be on the EU Declaration of Conformity itself or on a website accompanying the software, ensuring it's easily and directly accessible (Article 30, Paragraph 1).

Key Takeaway

Self-assessment (Module A) involves ensuring your software and security processes comply with Annex I, creating detailed technical documentation, formally declaring conformity via an EU DoC, and then applying the CE mark.