CRA Conformity Assessment in 2026: Notified Bodies Are Open, But the Standards Aren't Ready Yet

This article provides general guidance, not legal advice. If you need advice specific to your product or situation, consult a qualified legal or compliance professional.
Two things happened at once this month, and they pull in opposite directions. On 11 June 2026, Chapter IV of Regulation (EU) 2024/2847 - the Cyber Resilience Act - came into application, meaning Member States must now have their notifying authority procedures in place and conformity assessment bodies (notified bodies) can formally be designated and notified to the Commission. The machinery for third-party assessment is switching on.
At the same time, as of early June 2026, no CRA harmonised standard has been published in the Official Journal of the EU. The presumption of conformity that most manufacturers are counting on - and the self-assessment shortcut it unlocks for Important Class I products - is not yet available.
That gap is the central planning problem for anyone building a product with digital elements for the EU market right now.
Key points
- Full CRA application: 11 December 2027 - that's your hard deadline.
- Notified bodies: Chapter IV applies from 11 June 2026; bodies are being designated now, but capacity is still ramping up.
- Harmonised standards: None cited in the Official Journal yet. The two core horizontal standards are targeted for ~30 August 2026; most vertical standards by ~30 October 2026. Dates may slip.
- Practical consequence: Important Class I self-assessment via harmonised standards is not possible today. Class II and Critical products always need a notified body regardless.
- What to do now: Determine your product class, start building Annex I evidence, and engage a notified body early if you need one.
Not sure which class your product falls into? Use the scope & class checker before reading further.
What conformity assessment actually means under the CRA
Before you can affix the CE mark and place a product on the EU market, you must complete a conformity assessment - a structured process to demonstrate that your product meets the CRA's essential cybersecurity requirements in Annex I.
The route you must follow depends entirely on your product class. There is no single universal process.
Under the CRA, roughly 90% of products with digital elements fall into the default category and may use Module A - a self-assessment where the manufacturer evaluates their own product against CRA requirements, draws up technical documentation, and issues an EU Declaration of Conformity without involving any external body. Self-assessment does not mean a lighter standard; the Annex I requirements apply in full. It just means the evidence stays in-house.
For products in the higher tiers, the rules tighten considerably.
| Product Class | Examples (Annex III/IV) | Required Route | Notified Body Needed? |
|---|---|---|---|
| Default | Smart speakers, mobile apps, connected toys, general software | Module A (self-assessment) | No |
| Important — Class I | Password managers, VPNs, browsers, OS, identity & access management, network management | Module A only if harmonised standards fully applied; otherwise Module B+C or H | Only if standards not applied |
| Important — Class II | Firewalls, IDS/IPS, hypervisors, container runtimes | Module B+C or Module H (third-party mandatory) | Yes — always |
| Critical (Annex IV) | HSMs, smartcards, smart meter gateways | EU cybersecurity certification scheme where mandated; otherwise Module B+C or H | Yes — always |
For a deeper look at what each tier means for your obligations, see the related post Default, Important or Critical? Find your CRA product class.
The harmonised standards gap - and why it matters right now
Harmonised standards are the CRA's main implementation layer. Products that fully conform to a harmonised standard whose reference has been published in the Official Journal of the EU benefit from a legal "presumption of conformity" with the essential cybersecurity requirements covered by that standard. For Important Class I manufacturers, this presumption is what unlocks Module A self-assessment - without it, a third-party route is required.
The standards are being developed. In April 2025, CEN, CENELEC and ETSI officially accepted Standardisation Request M/606 from the European Commission, covering a set of 41 harmonised standards for CRA compliance - roughly 15 horizontal (product-agnostic) standards and the remainder vertical (product-specific).
The current expected timeline:
- ~30 August 2026: The two core horizontal standards - on secure development and on vulnerability handling - targeted for delivery.
- ~30 October 2026: Vertical (product-specific) standards for Important and Critical product categories.
- ~30 October 2027: Remaining horizontal standards (including generic security requirements), roughly six weeks before full CRA application.
These are target dates, not guarantees. Standards development is complex, and slippage is common. Even once a standard is technically complete, it must be approved as a European Norm (EN) and then have its reference cited in the Official Journal before it confers presumption of conformity. The realistic earliest OJ citation for the first standards is Q4 2026, and several vertical standards may slip into 2027.
The practical consequence is stark. As of June 2026, no CRA harmonised standard has been approved or had its reference published in the Official Journal, meaning the Article 27 presumption of conformity is not available for any product category. If you manufacture an Important Class I product - a VPN, a password manager, a browser - self-assessment via harmonised standards is not a viable route today. The only currently compliant path for Class I products is a notified-body assessment (Module B+C or Module H), or waiting until the relevant standard is cited and then fully applying it.
Where standards are delayed, the Commission has a fallback: under Article 27 of the CRA, the Commission may adopt "common specifications" - detailed technical guidelines that carry the same presumption of conformity as harmonised standards - when standards are unavailable or delayed. No common specifications have been adopted yet, but this is a mechanism worth tracking.
Notified bodies: the machinery is on, but capacity is tight
From 11 June 2026, Member States are required to have established the procedures for assessing, designating and notifying conformity assessment bodies. This is the formal activation of the notified-body system under the CRA - bodies can now be designated and listed in the Commission's database.
This matters most for Class II and Critical product manufacturers, for whom a notified body is mandatory regardless of what happens with harmonised standards. But it also matters for Class I manufacturers who cannot wait for standards and need to proceed via the third-party route now.
A few practical realities to factor in:
- Lead times are already stretching. By mid-2026, assessment lead times of 6-12 months are being quoted for comparable EU conformity regimes; by 2027, those are expected to lengthen further as the December deadline concentrates demand.
- Capacity is finite. The CRA notified-body ecosystem is new. Bodies are being designated now, but the pool is small and will take time to scale. Manufacturers who engage early will have more choice and shorter queues.
- Documentation readiness matters. Notified bodies assess your technical documentation. Arriving with incomplete or poorly structured evidence adds months to the process.
You can find CRA-designated notified bodies in the Commission's NANDO database once they are listed. Check the CRA deadlines page for the latest on designation progress.
What to do now: a practical sequence
The standards gap and the notified-body ramp-up create a window of genuine uncertainty. Here is how to navigate it without waiting for the dust to settle.
Everything else flows from your product class. Use the scope & class checker to confirm whether your product is Default, Important Class I, Important Class II, or Critical. The implementing regulation (Commission Implementing Regulation (EU) 2025/2392) has now published technical descriptions of the Annex III/IV categories; check your product against those.
The harmonised standards, when published, will translate Annex I requirements into testable technical specifications. But Annex I itself is already law. Start documenting your security architecture, threat model, vulnerability handling process, and secure development practices against the Annex I requirements directly. When standards land, you will be able to map your existing evidence to them — not start from scratch. See the CRA checklist for a structured starting point.
If your product is Class II or Critical, you have no self-assessment option. With 18 months to the December 2027 deadline and lead times already at 6–12 months, the window for comfortable engagement is closing. Identify candidate bodies, request scoping calls, and get into their intake queue. Ask specifically about their experience with software products and their current lead times.
Track the harmonised standards as they progress through public enquiry and formal vote — the CRA deadlines page will be updated as standards reach OJ citation. If your product's relevant standard is cited in time and you can fully apply it, Module A self-assessment becomes available. If not — or if you need to go to market before then — plan for a notified-body route. Build your Annex I evidence either way.
If harmonised standards slip significantly, the Commission may issue common specifications as a bridge. These would carry the same presumption of conformity. No common specifications have been adopted yet, but monitor the Commission's CRA standardisation page for announcements.
The bottom line
The CRA's conformity assessment machinery is now operational in a meaningful sense - notified bodies can be designated, and the clock is running toward December 2027. But the harmonised standards that most manufacturers were counting on to simplify that process are still being written.
That is not a reason to pause. It is a reason to act on what is already certain: know your product class, build your Annex I evidence, and if you need a notified body, get into the queue before it fills up.
The standards will land. When they do, manufacturers who have already built solid technical documentation will be able to map to them quickly. Those who waited will be starting from scratch with less than a year on the clock.
Sources: Regulation (EU) 2024/2847 (EUR-Lex) · European Commission CRA summary · European Commission CRA conformity assessment · European Commission CRA standardisation · CEN-CENELEC M/606 acceptance