Product categories

There are a couple of options for how conformity assessment can be done. The options vary depending on product category.

Most products with digital elements are expected to undergo internal conformity assessment by the manufacture. These are sometimes referred to as the "default category".

Some products are presumed to carry higher risks, and should therefore undergo stricter conformity assessment procedures. Those products are referred to as important products with digital elements (art 7) and critical products with digital elements (art 8).

Important products with digital elements are further divided into two classes based on risk level. An incident for class II products might have greater negative impact than class I. Critical products with digital elements are subject to the most strict conformity assessment procedure.

Further details on product categories are provided in Commission Implementing Regulation (EU) 2025/2392. Note that the Commission can adopt delegated acts changing how products are categorized in accordance to Article 61.

High risk AI systems are subject to additional conformity assessment procedures as defined 2020/1828 (Artificial Intelligence Act). See Article 12.

There might also be additional requirements and assessment procedures for product categories that fall under other acts such as NIS2 and DORA.

The procedures for conformity assessment are described in ANNEX VIII. There are 3 procedures for conformity assessment.

  • Module A: conformity based on internal control.

  • Module B+C: EU-type examination.

  • Module H: conformity based on full quality assurance.

  • Default category

    • Can follow Module A (internal control).
    • Can also follow Module B+C & H

  • Important products Class I

    • Can follow Module A, if harmonized standards have been applied or if free and open source and technical documentation is public.
    • Can also follow Module B+C & H

  • Important products Class II

    • Can follow Module A, only if free and open source and technical documentation is public.
    • Can also follow Module B+C & H

  • Critical products

    • Can follow Module B+C, unless European cybersecurity certification scheme is made mandatory in accordance with Article 8.
    • Can also follow Module H

Module B+C involves examination of the product by a notified body. In Module H, the manufacture shall put a full quality assurance system in place. The quality system need approval from a notified body. See ANNEX VIII for more details.