Does the Cyber Resilience Act require CE marking?
Direct answer
Yes. From 11 December 2027, products with digital elements need CE marking under the Cyber Resilience Act, and CRA compliance becomes a precondition for that mark. This makes the CRA a hard prerequisite for market access, so non-EU manufacturers relying on the CE mark for distribution are in scope even if they never sell directly into the EU.
Key Facts
- CE marking is required and signifies CRA conformity (Art. 28, 30).
- Conformity assessment procedures are governed by Article 32; the route depends on the product class.
- Steps: technical documentation (Annex VII) · conformity assessment (Art. 32) · EU declaration of conformity (Art. 28, Annex V) · affix CE mark (Art. 30).
- Applies from 11 December 2027.
- CRA compliance is a prerequisite for CE marking, so it gates EU market access for non-EU makers too.
Yes. Products with digital elements must carry the CE marking, and under the CRA that mark now signifies conformity with the regulation's cybersecurity requirements (Art. 28, 30). The sequence is fixed: compile the technical documentation (Annex VII) and keep it for ten years; carry out the conformity assessment appropriate to the product class under Article 32 (default products may self-assess under Module A, important class I and II products require third-party involvement, critical products require mandatory certification); draw up the EU declaration of conformity (Art. 28, Annex V); and affix the CE marking (Art. 30). Because the CE mark is a precondition for placing most products on the EU market, the CRA becomes a hard prerequisite for market access. A manufacturer established outside the EU that relies on the CE mark for international distribution is therefore in scope, even if it does not sell directly into the Union. The obligation applies from 11 December 2027.
Regulatory References