When do device manufacturers need third party assessment under EU Cyber Resilience Act?

Under the EU CRA, some device manufacturers must perform a third party assessment. When is it mandatory?
The Short Answer:
The need for a third-party assessment under the EU Cyber Resilience Act (CRA) depends entirely on your product’s risk classification. While most products can be self-assessed by the manufacturer, products falling into the higher-risk “Important Class 1”, “Important Class 2” and “Critical” categories will require mandatory involvement from a third-party conformity assessment body, also known as a Notified Body. Some “Important” products that apply the harmonized standards adopted by the EU may use the self-assessment method instead.
Introduction to the webinar
In our previous series of posts, we explored different tools and methods that device manufacturers can use to prove conformance to the EU Cyber Resilience Act (CRA). But not all products can be self-assessed and declared. Sometimes a third party must validate the device manufacturer’s implementation and testing. This article provides an introduction to which device manufacturers need to use a third party for their conformity assessment under the CRA.
Webinar Objectives
The webinar’s key objectives were:
- To provide a high-level, “getting started” introduction to third-party conformity assessments under the Cyber Resilience Act (CRA).
- To target and inform small market operators who may not have previous experience with third-party conformity assessments.
- To bridge the knowledge gap between stakeholders who are experts on the CRA and those who are unfamiliar with the law and its provisions.
Target Audience
The webinar is designed for companies at the beginning of their cybersecurity journey, particularly smaller manufacturers who may need to perform a third-party conformity assessment for the first time under the CRA. It is explicitly described as a “very high-level introduction session” for those who “barely know what the law is about.”
The webinar is especially useful to the following roles:
- Engineering Managers, Product Managers, and Project Managers: These roles are responsible for planning the software development lifecycle, budgeting costs, and making sure that their products meet the cybersecurity requirements imposed by law and by their customers.
- Certification and Regulatory Managers: These roles are usually the interface to the third-party conformance labs and coordinate the assessment activity.
While it provides a useful overview for C-suite executives, it is not primarily aimed at them, nor is it detailed enough for engineers seeking technical depth.
Presenters and their profiles:
- Matteo Mole: Works for the European Cyber Security Organization and is involved in the Cyber Resilience Act (CRA) implementation through the CyberStand project.
- Angel Moreno Rubio: The Digital Policy Manager at the TIC Council, which is the international trade association representing the testing, inspection, and certification (TIC) industry.
Summary of the Webinar
Core Concepts of Conformity Assessment
Angel provided foundational knowledge by defining three critical terms that form the basis of the EU’s product legislation framework:
- Conformity Assessment: This is the process of demonstrating or verifying that a product, service, or system has fulfilled specified requirements. In the context of the CRA, it means proving that a product meets the essential cybersecurity requirements listed in the act.
- Conformity Assessment Body (CAB): An organization that performs conformity assessment services, such as testing, certification, and inspection. The members of the TIC Council are all CABs.
- Notified Body: A CAB that has been formally “designated” by a national authority in an EU member state. This designation authorizes the body to perform mandatory third-party conformity assessments for specific legislation, like the CRA.
First-Party vs. Third-Party Assessment
The webinar detailed the key differences between assessment types, which are determined by who performs the verification:
- First-Party Assessment (Self-Assessment): The manufacturer itself performs the assessment and declares that its product meets the necessary requirements. This is typically used for products with a low degree of risk.
- Third-Party Assessment: An independent, external body (a Notified Body) with no commercial interest in the product performs the assessment. This method provides the highest level of objectivity and is mandatory for products deemed to pose a higher risk.
Conformity Assessment Procedures in the CRA
The CRA outlines several procedures for manufacturers, with the choice depending on the product’s risk level:
- Risk-Based Categories: Products are divided into three tiers:
  - Default Category: The vast majority of products, which can undergo a first-party self-assessment.
  - Important (Class 1 & Class 2) & Critical products: These categories cover products that pose a higher cybersecurity risk (estimated to be about 10% of all products in scope). These products will generally require a mandatory third-party conformity assessment performed by a Notified Body.
- Assessment Modules: For products requiring third-party assessment, manufacturers can choose between different procedures, such as “Module B + C” (EU-type examination plus internal production control) or “Module H” (full quality assurance).
The Crucial Role of Harmonized Standards
A significant portion of the discussion was dedicated to the role of standards in the compliance process:
- Purpose of Standards: Standards translate the high-level, legal requirements of the CRA into detailed, “actionable, testable technical specifications.” Notified Bodies use these standards as the benchmark for testing products.
- Presumption of Conformity: If a manufacturer chooses to apply a “harmonized standard” (one that is officially recognized by the European Commission and published in the Official Journal of the EU), their product benefits from a “presumption of conformity.” This means it is presumed to be in compliance with the CRA’s requirements, which can simplify the assessment process.
- Voluntary but Powerful: Using harmonized standards is voluntary. A manufacturer can always choose another technical solution and go through a full third-party assessment to prove compliance. However, for products in the “Important” and “Critical” categories, applying harmonized standards can, in some cases, allow them to perform a self-assessment instead of a mandatory third-party assessment.
Key Takeaways from the webinar
The webinar concluded by reassuring attendees, especially small manufacturers, that while the CRA introduces new and complex obligations, help is available. Organizations that are already actively engaged in improving the cybersecurity of their products are in a strong position to achieve compliance. The presenters encouraged attendees to reach out to organizations like the TIC Council and Cyberstand for guidance. The session also acknowledged more complex issues, such as how to handle software components with different certification levels within a single product, noting that these are “hot topics” that will be addressed in the future.
Other tools and methods available
This webinar was focused on performing conformance assessment using third-party Conformity Assessment Bodies (CABs) and Notified Bodies (NBs). For products that are not categorized as Important (Class 1 and Class 2) or Critical, a self-assessment is enough under the EU CRA. There are several tools under development, both commercial and open source, that can help with self-assessment. We have covered webinars about CRA-AI and OCCTET.
One interesting tool which uses self-assessment and supplements it with documentation from third-party labs is CRACoWi. It is a tool created by a consortium with notable names like Bureau Veritas. Read our summary of the CRACoWi tool here: https://iotregulations.com/security/cra-compliance-tools-cracowi/.