When is Third-Party Assessment Needed for Software? (Important & Critical Overview)
While self-assessment (Module A) is the go-to for many apps, games, and non-critical software components under the Cyber Resilience Act (CRA), it's not a one-size-fits-all solution. The CRA cranks up the scrutiny for software deemed to carry higher risks, pushing it towards third-party conformity assessment.
Beyond Self-Assessment: Important Products
If your software has the core functionality of a category listed in Annex III (Important Products with Digital Elements), you might need a notified body (a third party) involved.
- Class I (Annex III): Examples include identity management systems, standalone browsers, password managers, VPN software, and operating systems. For these, you can still use self-assessment (Module A) if you fully apply relevant harmonised standards, common specifications, or European cybersecurity certification schemes that give a presumption of conformity. If you don't, or if such standards/schemes don't exist or don't cover all requirements, then a third-party assessment (Module B+C or Module H) is mandatory (Article 32, Paragraph 2; Recital 91).
- Class II (Annex III): This includes products like hypervisors, firewalls, and tamper-resistant microprocessors. For these, third-party conformity assessment (Module B+C or Module H) is always required (Article 32, Paragraph 3; Recital 91).
The Highest Tier: Critical Products
For software falling into Annex IV (Critical Products with Digital Elements), such as hardware devices with security boxes or smart meter gateways, the CRA envisages an even stricter regime. The Commission can mandate European cybersecurity certification for these products (Article 8, Paragraph 1). If such a mandate isn't in place, these products follow the same third-party assessment path as Important Products Class II (Article 32, Paragraph 4).
What This Means for Non-Critical Software
If your game, app, or general-purpose software doesn't perform these specific "important" or "critical" functions, you generally stick with self-assessment (Module A).
Key Takeaway
Self-assessment is common, but if your software falls into the CRA's "Important" (Annex III) or "Critical" (Annex IV) categories due to its functionality, expect more rigorous conformity assessment, usually involving a third-party notified body.