
Module A Self-Assessment

Module A (internal control, CRA Annex VIII) is the conformity assessment procedure that can be carried out as a self-assessment, with no third-party audit required. It is available for default products, and for important products in Class I only where the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme (Article 32); otherwise a Class I product needs a third-party procedure.

The manufacturer must:

  1. Perform a cybersecurity risk assessment covering all Annex I requirements
  2. Design, develop, and produce the product in conformity with those requirements
  3. Create technical documentation (before placing on market) proving conformity
  4. Draw up an EU Declaration of Conformity (DoC)
  5. Affix the CE marking to the product
  6. Keep the technical documentation and DoC at the disposal of the authorities for 10 years after the product is placed on the market or for the support period, whichever is longer

The technical documentation is the core deliverable. It must contain evidence that each applicable Annex I requirement is met:

| Section | Content | Fleet support |
| --- | --- | --- |
| Product description | What the product does, boundaries | Product profile in dashboard |
| Risk assessment | Threats, risks, mitigations per requirement | 163 risks mapped to Annex I, gap analysis |
| Design decisions | How risks are addressed in architecture | LLM-generated evidence text |
| Testing evidence | Test results, scan reports, penetration tests | Scan reports, SBOM, CBOM |
| Vulnerability handling | CVD policy, ENISA process, SLA documentation | Questionnaire + VH-* detectors |
| SBOM | Software Bill of Materials | CycloneDX 1.6 SBOM generation |
How findings from a scan become the evidence in that documentation, and from there the DoC and CE marking:

```text
fleet scan → Findings + Evidence → Technical Documentation
                  │                          │
                  ├── Auto findings (56)  → Direct evidence
                  ├── Semi findings (150) → LLM-reviewed evidence
                  ├── Doc findings (187)  → Questionnaire evidence
                  └── Test findings (8)   → Manual test results
                                             ↓
                                  EU Declaration of Conformity
                                             ↓
                                          CE Marking
```

Under the CRA, the EU Declaration of Conformity is signed by a named person, with their function stated, on behalf of the manufacturer (Annex V), and by drawing it up the manufacturer assumes responsibility for the product's compliance (Article 28). The person who signs must:

  • Have sufficient knowledge of cybersecurity to judge the evidence
  • Be authorized by the manufacturer to make the conformity determination
  • Be named, with their function, in the Declaration of Conformity
  • Accept accountability for the compliance decision, since the manufacturer, not the tool, answers for it

Fleet provides the evidence and gap analysis — the person responsible makes the conformity judgment.

Evidence must be:

  • Specific: References exact files, lines, configurations
  • Contemporary: Generated at or near the time of assessment
  • Traceable: Linked to specific requirements via ID
  • Integrity-protected: SHA-256 hashed, optionally HMAC-signed. A bare hash only catches accidental corruption, since anyone who can edit the record can recompute it; the HMAC ties the record to a key the editor does not hold
  • Retained: Kept for 10 years after placing on the market or for the support period, whichever is longer (CRA Article 13 and Annex VIII, Module A)

Fleet generates all evidence with these properties by default.
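The following is an added illustration of those evidence properties, not Fleet's own code: it builds one evidence record that is specific (path, line, content), contemporary (UTC timestamp), traceable (requirement ID), and integrity-protected (SHA-256 plus an optional HMAC), then shows why the hash alone is not enough. The finding, the requirement ID scheme, the file path and the key are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample finding: illustrative requirement ID, path and line,
# not taken from any real product or from Fleet.
SAMPLE_FINDING = {
    "requirement_id": "ANNEX-I-1-2-b",  # hypothetical ID scheme
    "path": "config/sshd_config",
    "line": 42,
    "content": "PermitRootLogin no",
}

# Demo-only key, constructed for the example. In practice the key lives in a
# secrets store that the people editing evidence cannot read.
DEMO_KEY = b"demo-only-key-do-not-use-in-prod!"

INTEGRITY_FIELDS = ("sha256", "hmac_sha256")


def canonical_json(obj: dict) -> bytes:
    """Deterministic serialisation so the digest is reproducible across runs and tools."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_evidence(finding: dict, when: Optional[datetime] = None,
                  key: Optional[bytes] = None) -> dict:
    """Build an evidence record: specific (path/line/content), contemporary (timestamp),
    traceable (requirement_id), integrity-protected (sha256, optional hmac_sha256)."""
    when = when or datetime.now(timezone.utc)
    body = {
        "requirement_id": finding["requirement_id"],
        "path": finding["path"],
        "line": finding["line"],
        "content": finding["content"],
        "generated_at": when.isoformat(timespec="seconds"),
    }
    payload = canonical_json(body)
    record = dict(body)
    record["sha256"] = hashlib.sha256(payload).hexdigest()
    if key is not None:
        record["hmac_sha256"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return record


def verify_evidence(record: dict, key: Optional[bytes] = None) -> bool:
    """Recompute the digest over everything except the integrity fields.
    Without a key only the hash is checked; with a key the HMAC must also match."""
    body = {k: v for k, v in record.items() if k not in INTEGRITY_FIELDS}
    payload = canonical_json(body)
    if not hmac.compare_digest(record.get("sha256", ""),
                               hashlib.sha256(payload).hexdigest()):
        return False
    if key is not None:
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(record.get("hmac_sha256", ""), expected)
    return True


def tamper_and_recompute(record: dict, new_content: str) -> dict:
    """Simulate an editor who rewrites the content and recomputes the SHA-256,
    but has no access to the HMAC key. The stale HMAC is left in place."""
    forged = dict(record)
    forged["content"] = new_content
    body = {k: v for k, v in forged.items() if k not in INTEGRITY_FIELDS}
    forged["sha256"] = hashlib.sha256(canonical_json(body)).hexdigest()
    return forged


def build_sample(key: Optional[bytes] = None) -> dict:
    """Sample record with a fixed timestamp so the output is reproducible."""
    fixed = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    return make_evidence(SAMPLE_FINDING, when=fixed, key=key)


if __name__ == "__main__":
    rec = build_sample(DEMO_KEY)
    forged = tamper_and_recompute(rec, "PermitRootLogin yes")
    print("original, hash+hmac:", verify_evidence(rec, DEMO_KEY))
    print("forged, hash only:  ", verify_evidence(forged))
    print("forged, hash+hmac:  ", verify_evidence(forged, DEMO_KEY))
```

The forged record passes a hash-only check, because the editor simply recomputed the SHA-256, and fails the keyed check, which is the point of the "optionally HMAC-signed" property above: the hash gives reproducibility and detects corruption, the HMAC gives tamper evidence against anyone who lacks the key.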