CyberAct Conference: Why Full Quality Assurance (Module H) is a Strategic Path to CRA Compliance

At the CyberAct Conference, Eurosmart had the opportunity to present and discuss the role of Full Quality Assurance (Module H) within the framework of the Cyber Resilience Act (CRA). As organizations prepare for the implementation of the CRA, Module H is emerging as a particularly relevant and strategic conformity assessment pathway for the industry.

Moving from Product Testing to Process Assurance

One of the key shifts introduced by Module H is the transition from traditional product-by-product conformity assessment toward a process-based approach. Instead of assessing each product individually, Module H evaluates the manufacturer’s Quality Assurance System (QAS) and its ability to consistently deliver compliant products.

This approach ensures that cybersecurity is not treated as a final checkpoint, but is embedded throughout the entire product lifecycle – from design and development to maintenance and vulnerability management.

A Scalable Approach for Manufacturers

For organizations managing broad and evolving product portfolios, Module H offers significant advantages. By certifying the underlying processes rather than individual products, companies can:

  • Scale compliance across multiple products efficiently
  • Reduce duplication of assessments and audits
  • Streamline interactions with Notified Bodies
  • Ensure consistency and standardization across product lines

This makes Module H particularly well-suited for industrial environments where repeatability, efficiency, and governance are critical.

Integrating Cybersecurity into Organizational Processes

A central requirement of Module H is the implementation of a comprehensive Quality Assurance System covering cybersecurity. This includes:

  • Governance structures and cybersecurity policies
  • Risk management processes aligned with CRA requirements
  • Secure development lifecycle practices
  • Vulnerability handling processes, including coordinated disclosure and patch management
  • Documentation and traceability across the product lifecycle

By embedding these elements into existing organizational processes, manufacturers can move toward a systematic and sustainable approach to cybersecurity compliance.

The Role of Notified Bodies

Under Module H, Notified Bodies play a key role in assessing and certifying the manufacturer’s Quality Assurance System. Their responsibilities include:

  • Evaluating the design and implementation of the QAS
  • Verifying that processes effectively address CRA requirements
  • Conducting initial certification and ongoing surveillance audits

This ensures that compliance is not a one-time effort, but a continuous and monitored process.

A Flexible Path to Compliance

While harmonised European standards provide a presumption of conformity under the CRA, Module H also offers flexibility. Even in the absence of suitable standards, manufacturers can demonstrate compliance through structured processes and risk-based approaches.

Additionally, Module H may allow the reuse of existing certifications and prior assessment results as supporting evidence, helping to reduce redundancy and optimize compliance efforts.

Why Module H is a Strong Option for the Industry

Module H stands out as a compelling choice for organizations seeking to align cybersecurity with industrial practices. Its key strengths include:

  • A process-driven model aligned with existing quality frameworks (e.g. ISO-based systems)
  • Increased efficiency by avoiding repetitive product-level certification
  • Enhanced scalability for organizations with multiple or evolving products
  • Improved consistency and governance across development and operational processes
  • Support for faster time-to-market while maintaining a high level of cybersecurity assurance

Conclusion

As the Cyber Resilience Act reshapes the regulatory landscape, Module H provides a forward-looking approach that integrates cybersecurity into the core of organizational processes. By focusing on quality, repeatability, and continuous improvement, it enables manufacturers to meet regulatory requirements while strengthening their overall cybersecurity posture.

The discussions at the CyberAct Conference highlighted strong industry interest in this approach and confirmed that building cybersecurity into processes – not adding it afterwards – is key to sustainable compliance.