Obtaining the CE marking

The CE marking is a certification mark that indicates that a product conforms to a standard and/or legislation of the European Union (EU). For IoT devices, the CE marking signifies that the product meets the requirements of the Cyber Resilience Act. 

Starting December 2027, IoT products without the CE mark cannot be legally sold within the EU, which makes obtaining this CE marking a critical step for any manufacturer looking to distribute their products into the EU market.

Obtaining the CE marking for the Cyber Resilience Act

How do I obtain the CE marking for my products?

Starting December 2027, products with digital elements that fall under the purview of the Cyber Resilience Act must meet essential cybersecurity requirements and undergo conformity assessment procedures in order to receive the CE marking and be made available on the EU market.

Below, we detail the steps necessary to legally affix the CE marking on products with digital elements.

1. Meet the essential requirements

● Products with digital elements must be designed, developed, and produced in accordance with the essential cybersecurity requirements outlined in Annex I of the regulation. These requirements relate to the properties of products with digital elements and to the handling of vulnerabilities.

● A manufacturer must perform a cybersecurity risk assessment to identify relevant risks and determine the appropriate essential cybersecurity requirements. The outcome of this assessment must be considered throughout the product's lifecycle. If specific essential cybersecurity requirements are not applicable, the manufacturer needs to justify this in the risk assessment documentation.

2. Undergo the Conformity Assessment Procedures

To demonstrate compliance with the essential cybersecurity requirements, manufacturers must choose from several conformity assessment procedures.

For products not listed as important or critical: Manufacturers can use the internal control procedure based on module A, which allows them to assess conformity under their own responsibility. This means that the manufacturer is free to determine whether their product meets the requirements of the CRA. You may check our compliance checklist to verify that your product meets the CRA requirements.

For important products with digital elements:
○ Class I: Manufacturers can use module A if they apply harmonized standards, common specifications, or European cybersecurity certification schemes identified by the Commission. If not, they need to undergo third-party conformity assessment (modules B and C or module H).
○ Class II: Third-party conformity assessment is always required, even if the product partially complies with harmonized standards, common specifications, or European cybersecurity certification schemes.
→ Check the compliance checklist ("important and critical products" tab) for more information.

For critical products with digital elements: Manufacturers need to obtain a European cybersecurity certificate under a scheme adopted pursuant to Regulation (EU) 2019/881 or follow the same third-party conformity assessment procedures as important products in class II.

For free and open-source software: Manufacturers can follow the internal control procedure (module A) for important products with digital elements, as long as they make the technical documentation publicly available.

3. Draft the Technical Documentation

● Manufacturers are required to compile technical documentation containing relevant data and details about how they ensure compliance with the essential cybersecurity requirements. This documentation should include details about the product's design, development, production, vulnerability handling, and the risk assessment. The required content of the technical documentation is stated in Annex VII of the legislation.

● The technical documentation must be kept for at least 10 years after the product is placed on the market or for the duration of the support period, whichever is longer.

4. Draft the EU Declaration of Conformity

● Once compliance is demonstrated through the chosen conformity assessment procedure, manufacturers must draw up an EU declaration of conformity. This declaration states that the product fulfills the essential cybersecurity requirements and provides information about the product and the manufacturer. The required content for the EU Declaration of Conformity is stated in Annex V of the legislation.

● The declaration of conformity must be available in the languages required by the Member State where the product is marketed. For microenterprises and small enterprises, a simplified declaration can be used.

● We invite you to use the free EU Declaration of Conformity generator created by our technical partner i46 to create an EU Declaration of Conformity for your products.

5. Affix the CE marking

● After completing the above steps, the manufacturer can affix the CE marking to the product, its packaging, or the accompanying documentation (or website for software).

● The CE marking must be visible, legible, and indelible. It indicates that the product complies with the essential cybersecurity requirements and can be freely traded within the internal market.

What happens if I do not affix the CE marking?

Starting December 2027, distributing products with digital elements in the EU without a CE mark, or affixing the CE mark without fulfilling the requirements detailed above, can lead to fines:

 
Administrative Fines: These fines can reach up to €15,000,000 or 2.5% of the offender’s total worldwide annual turnover from the previous financial year, whichever amount is higher. This maximum penalty applies specifically to violations of the essential cybersecurity requirements outlined in Annex I and the obligations stipulated in Articles 13 (includes CE marking requirement) and 14 (reporting requirements).
 
Penalties for Misinformation: Providing inaccurate, incomplete, or misleading information to notified bodies (for instance, during the assessment of critical and important products Class II) can lead to fines of up to €5,000,000 or 1% of the offender’s worldwide annual turnover, whichever is greater.
 
Factors Determining Fine Amount: The specific amount of the administrative fine imposed in each case depends on various factors, including the severity and duration of the infringement, its consequences, whether previous fines have been levied against the same economic operator, and the size and market share of the offender.
 
 
Need help?

i46 is the Technical Partner of the Cyber Resilience Act.

i46 helps IoT manufacturers and distributors navigate CRA compliance.

For them, i46 offers comprehensive services, including initial and full assessments to identify security gaps, certification guidance to ensure compliance, and ongoing monitoring to maintain device security.

For non-EU companies, i46 also provides EU representation services.

Their state-of-the-art laboratory, equipped with a private 5G network, allows i46 to test even the most unconventional IoT devices, including those without operating systems, ensuring compliance for a wide range of devices.

How will i46 help you achieve compliance?
