Implementing Module H under the Cyber Resilience Act

Eurosmart’s Guide to Full Quality Assurance for CRA’s Conformity Assessment

The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to demonstrate security by design and effective vulnerability handling across the entire lifecycle. While the CRA remains product-centric, focusing on the conformity of each product with the essential cybersecurity requirements, manufacturers can benefit from a system-level approach to streamline compliance.

This Eurosmart guide explains how to use Module H – Full Quality Assurance to meet those obligations through an auditable, process-centric approach.

The following represents our interpretation of how Module H could be applied in practice, based on our current understanding and experience with quality assurance frameworks. By leveraging existing quality systems (e.g., ISO 9001) and aligning them with the CRA’s essential cybersecurity requirements (Annex I, Parts I & II), Module H enables Notified Bodies to audit the manufacturer’s quality system and verify its implementation on representative products and without mandating exhaustive product-by-product testing.