The CE marking is a certification mark that indicates that a product conforms to a standard and/or legislation of the European Union (EU). For IoT devices, the CE marking signifies that the product meets the requirements of the Cyber Resilience Act.
Starting December 2027, IoT products without the CE mark cannot be legally sold within the EU, which makes obtaining this CE marking a critical step for any manufacturer looking to distribute their products into the EU market.
Starting December 2027, products with digital elements that fall under the purview of the Cyber Resilience Act must meet essential cybersecurity requirements and undergo conformity assessment procedures in order to receive the CE marking and be made available on the EU market.
Below, we detail the steps necessary to legally affix the CE marking on products with digital elements.
● Products with digital elements must be designed, developed, and produced in accordance with the essential cybersecurity requirements outlined in Annex I of the regulation. These requirements relate to the properties of products with digital elements and to the handling of vulnerabilities. ● A manufacturer must perform a cybersecurity risk assessment to identify relevant risks and determine the appropriate essential cybersecurity requirements. The outcome of this assessment must be considered throughout the product's lifecycle. If specific essential cybersecurity requirements are not applicable, the manufacturer needs to justify this in the risk assessment documentation.
To demonstrate compliance with the essential cybersecurity requirements, manufacturers must choose from several conformity assessment procedures.
● For products not listed as important or critical: Manufacturers can use the internal control procedure based on module A, which allows them to assess conformity under their own responsibility. This means, that the manufacturer is free to determine if their product meets the requirements of the CRA. You may check our compliance checklist to verify that your product meets the CRA requirements.
● For important products with digital elements:
○
Class I: Manufacturers can use module A if they apply harmonized standards, common specifications, or European cybersecurity certification schemes identified by the Commission. If not, they need to undergo third-party conformity assessment (modules B and C or module H).
○ Class II: Third-party conformity assessment is always required, even if the product partially complies with harmonized standards, common specifications, or European cybersecurity certification schemes.
→ check the compliance checklist ("important and critical products" tab) for more information.
● For critical products with digital elements: Manufacturers need to obtain a European cybersecurity certificate under a scheme adopted pursuant to Regulation (EU) 2019/881 or follow the same third-party conformity assessment procedures as important products in class II.
● For free and open-source software: Manufacturers can follow the internal control procedure (module A) for important products with digital elements, as long as they make the technical documentation publicly available.
● Manufacturers are required to compile technical documentation containing relevant data and details about how they ensure compliance with the essential cybersecurity requirements. This documentation should include details about the product's design, development, production, vulnerability handling, and the risk assessment. The required content of the technical documentation is stated in Annex VII of the legislation
● The technical documentation must be kept for at least 10 years after the product is placed on the market or for the duration of the support period, whichever is longer.
● Once compliance is demonstrated through the chosen conformity assessment procedure, manufacturers must draw up an EU declaration of conformity. This declaration states that the product fulfills the essential cybersecurity requirements and provides information about the product and the manufacturer. The required content for the EU Declaration of Conformity is stated in Annex V of the legislation.
● The declaration of conformity must be available in the languages required by the Member State where the product is marketed. For microenterprises and small enterprises, a simplified declaration can be used.
● We invite you to use the free EU Declaration of Conformity generator created by our technical partner i46 here to create EU Declaration of Conformity for your products.
● After completing the above steps, the manufacturer can affix the CE marking to the product, its packaging, or the accompanying documentation (or website for software).
● The CE marking must be visible, legible, and indelible. It indicates that the product complies with the essential cybersecurity requirements and can be freely traded within the internal market.
Starting December 2027, distributing products with digital elements in the EU without a CE mark OR affixing the CE mark without fulfilling the requirements detailed above can lead to fines:
i46 is the Technical Partner of the Cyber Resilience Act.
i46 helps IoT manufacturers and distributors navigate CRA compliance.
For them, i46 offers comprehensive services, including initial and full assessments to identify security gaps, certification guidance to ensure compliance, and ongoing monitoring to maintain device security.
For non-EU companies, i46 also provides EU representation services.
Their state-of-the-art laboratory, equipped with a private 5G network, allows i46 to test even the most unconventional IoT devices, including those without operating systems, ensuring compliance for a wide range of devices.
Nouveautés et événements sur la cybersécurité
Consultez les derniers événements sur la cybersécurité et la loi sur la cyberrésilience.
