Reference
EU Compliance Glossary
The terms a hardware manufacturer meets on the way to the EU market — defined in plain English, with the exact regulation, article and date behind each one. Every definition is drawn from the primary EU sources our Library cites.
Marking & documentation
- CE Marking (CE)
- CE marking is the manufacturer's own declaration — made under its sole responsibility — that a product meets every applicable EU directive and regulation, allowing it to be placed on the European single market. "CE" stands for Conformité Européenne; the mark is not a quality or safety certification and is not issued by any authority. It is mandatory for products within the scope of the EU's New Legislative Framework directives and regulations (24 in force in 2026), and must be at least 5 mm high, visible, legible and indelible, with a Notified Body's four-digit number beside it where third-party assessment was required.
- Declaration of Conformity (DoC)
- The EU Declaration of Conformity is the one-page legal document a manufacturer signs to take sole responsibility for a CE-marked product meeting all the EU regulations and directives that apply to it; without a valid DoC the product cannot lawfully be placed on the EU market. One single DoC must cite every applicable directive together (e.g. RED, LVD, EMC, RoHS and, from December 2027, the CRA) and list the harmonised standards applied. It must be drawn up in an official EU language with a translation for the market of sale, and retained for ten years (codified for products with digital elements in CRA Annex V of Regulation (EU) 2024/2847).
- Technical File
- The Technical File (Technical Documentation under newer regulations) is the evidence bundle that supports a CE-marked product's signed Declaration of Conformity — product description, design drawings, BOM, risk assessment, the list of harmonised standards applied, test reports, software-specific records (SBOM, secure-update mechanism) and a post-market surveillance plan. Customers do not see it; market surveillance authorities and Notified Bodies inspect it on request under Regulation (EU) 2019/1020. It must be retained for ten years from the date the last unit is placed on the EU market (longer for medical devices), with the modern eight-section structure set out in CRA Annex VII of Regulation (EU) 2024/2847.
- Essential Requirements
- Essential requirements are the high-level, outcome-based safety and performance objectives a product must meet under an EU directive or regulation, set out in the act's annexes rather than as detailed technical rules. For example, EMC Directive 2014/30/EU Annex I requires that equipment neither generates excessive electromagnetic disturbance nor lacks adequate immunity, and Cyber Resilience Act Annex I sets out the cybersecurity essential requirements. Applying a relevant harmonised standard correctly gives a presumption of conformity with the corresponding essential requirements.
Regulations & directives
- Cyber Resilience Act (CRA)
- The Cyber Resilience Act, Regulation (EU) 2024/2847, is the EU regulation imposing cybersecurity requirements on every "product with digital elements" placed on the EU market. It entered into force on 11 December 2024; its Article 14 incident-reporting obligations apply from 11 September 2026, and it fully applies from 11 December 2027, after which no in-scope product can be CE-marked without satisfying the essential cybersecurity requirements in Annex I. Penalties under Article 64 reach €15 million or 2.5% of global annual turnover for breaches of the Annex I essential requirements. Medical devices under MDR/IVDR are carved out by Article 2(2).
- Radio Equipment Directive (RED)
- The Radio Equipment Directive, Directive 2014/53/EU, governs any equipment that intentionally transmits or receives radio waves (Wi-Fi, Bluetooth, LoRa, cellular, etc.) placed on the EU market. Its Article 3 essential requirements cover health and safety and EMC (3(1)), efficient use of radio spectrum (3(2)), and additional requirements including cybersecurity (3(3)). Commission Delegated Regulation (EU) 2022/30 activated the cybersecurity requirements in Article 3(3)(d), (e) and (f) from 1 August 2025, with EN 18031-1/-2/-3 as the harmonised standards giving presumption of conformity. Manufacturers may self-assess under Module A (Annex II) when standards are fully applied, otherwise a Notified Body is required via Annex III (Modules B+C) or Annex IV (Module H).
- EMC Directive (EMC)
- The EMC Directive, Directive 2014/30/EU, harmonises electromagnetic compatibility rules for equipment placed on the EU market and has applied since 20 April 2016 (replacing Directive 2004/108/EC). Its Annex I essential requirements demand that equipment neither generates electromagnetic disturbance above the level that prevents other equipment operating as intended, nor lacks adequate immunity to expected disturbance. Conformity is shown via Module A self-assessment (Annex II) or Module B+C with a Notified Body (Annex III). Radio equipment is excluded — its EMC requirements are folded into Article 3(1)(b) of the RED.
- Low Voltage Directive (LVD)
- The Low Voltage Directive, Directive 2014/35/EU, harmonises safety rules for electrical equipment rated 50–1000 V AC or 75–1500 V DC placed on the EU market, and has applied since 20 April 2016. It sets high-level safety objectives in Annex I and uses a single conformity route — Module A internal production control (Annex III) — with no Notified Body involvement. The manufacturer keeps the technical documentation and EU Declaration of Conformity for 10 years; harmonised standards such as the EN 60335 family and EN 62368-1 confer presumption of conformity. Where a product is in scope of the RED, the LVD safety objectives are absorbed into RED Article 3(1)(a) instead.
- RoHS Directive (RoHS)
- The RoHS Directive ("RoHS 2"), Directive 2011/65/EU, restricts hazardous substances in electrical and electronic equipment placed on the EU market. Annex II lists ten restricted substances — the original six (lead, mercury, cadmium, hexavalent chromium, PBB, PBDE) plus four phthalates (DEHP, BBP, DBP, DIBP) added by Commission Delegated Directive (EU) 2015/863. Maximum concentration values apply at the level of homogeneous materials, not the whole product. Conformity is demonstrated under Article 7 via Module A internal production control, an EU Declaration of Conformity and the CE mark.
- Medical Device Regulation (MDR)
- The Medical Device Regulation, Regulation (EU) 2017/745, governs CE marking of medical devices in the EU. Devices are classified I, IIa, IIb or III under Annex VIII; Notified Body involvement is mandatory from Class IIa upward per Article 52. Manufacturers register devices and obtain UDI-DIs in EUDAMED, whose first four modules became mandatory on 28 May 2026. Technical File retention extends to 10 years (15 for implantable devices). Products regulated under MDR are carved out of the Cyber Resilience Act by Article 2(2) of Regulation (EU) 2024/2847 — their cybersecurity baseline is MDR Annex I §17, not CRA Annex I.
- General Product Safety Regulation (GPSR)
- The General Product Safety Regulation, Regulation (EU) 2023/988, applies from 13 December 2024 and repeals the 2001 General Product Safety Directive (2001/95/EC). It is the EU's safety net for consumer products where no sector-specific harmonisation law with the same safety objective applies (the lex specialis rule). It imposes a general safety requirement (Article 5), traceability and labelling duties, enforceable obligations on online marketplaces (Article 22), and routes recalls through the Safety Gate system (successor to RAPEX). GPSR does not introduce a CE mark or DoC — it is additional to, not a replacement for, sector CE-marking law.
- Machinery Regulation
- The Machinery Regulation, Regulation (EU) 2023/1230, was adopted on 14 June 2023 and applies in general from 20 January 2027, when it repeals the Machinery Directive 2006/42/EC. As a directly applicable Regulation it replaces 27 national transpositions with one EU text, adds explicit cybersecurity duties in its essential health and safety requirements, treats safety control systems with self-evolving (AI) behaviour as high-risk requiring third-party conformity assessment, and permits digital instructions for use. Until 19 January 2027 machinery is placed on the market under the old Directive 2006/42/EC.
- New Legislative Framework (NLF)
- The New Legislative Framework is the EU's standardised system for product CE marking, introduced in 2008 through Decision 768/2008/EC and Regulation (EC) 765/2008. It defines a common set of conformity assessment modules (A through H), economic-operator obligations, and the official form of the CE mark, which is why most modern EU product directives share very similar conformity assessment structures. In 2026 there are 24 NLF directives and regulations in force — from the Low Voltage and EMC Directives to the Cyber Resilience Act.
Standards
- Conformity Assessment
- Conformity assessment is the process by which a manufacturer demonstrates that a product meets the essential requirements of the applicable EU directive(s) before affixing the CE mark. The EU's New Legislative Framework defines eight standardised modules (A through H) in Annex II of Decision 768/2008/EC: Module A is full self-assessment with no Notified Body, while Modules B through H involve a Notified Body in escalating degrees (e.g. B for EU-type examination, H for full quality assurance). Each directive specifies which modules are permitted for products in its scope, often as combinations such as B+C.
- Harmonised Standard
- A harmonised standard is a European standard adopted on the basis of a Commission request for the application of EU harmonisation legislation, as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012. Applying such a standard correctly gives a "presumption of conformity" with the essential requirements it covers — a safe harbour, not a mandatory route. Critically, an EN standard published by CEN, CENELEC or ETSI only becomes legally harmonised once the Commission cites its reference in the Official Journal via a Commission Implementing Decision; the two events can be months or years apart (for example, EN 18031 was published in 2024 but only listed for the RED by Implementing Decision (EU) 2025/138 of 28 January 2025).
- EN 18031
- EN 18031 is the harmonised standard family (three parts, approved by CEN-CENELEC on 1 August 2024) that gives presumption of conformity with the cybersecurity essential requirements of the Radio Equipment Directive. EN 18031-1 covers Article 3(3)(d) network protection for internet-connected radio equipment, EN 18031-2 covers Article 3(3)(e) personal-data and privacy protection, and EN 18031-3 covers Article 3(3)(f) fraud protection for equipment transferring money or virtual currency. The three parts were cited for the RED by Commission Implementing Decision (EU) 2025/138 of 28 January 2025, which excludes specific clauses (e.g. the "rationale" and "guidance" sections, and certain password and parental-control criteria) from presumption of conformity.
Roles & bodies
- Notified Body (NB)
- A Notified Body is a third-party conformity assessment body designated by an EU member state and notified to the European Commission to perform assessment tasks under specific directives; most are private organisations such as TÜV, DEKRA, SGS, BSI and Intertek. Each is assigned a unique four-digit identification number that appears beside the CE mark and on the Declaration of Conformity whenever it was involved. A Notified Body is mandatory when the applicable directive requires Modules B, C1, C2, D, E, F, G or H rather than Module A self-assessment — common triggers include medical devices Class IIa+, radio equipment on the RED Annex IV path, and CRA important/critical products. Notified Bodies are listed in the NANDO database.
- EU Authorised Representative (EC REP)
- An EU Authorised Representative (EC REP) is a natural or legal person established in the EU/EEA, appointed in writing by a manufacturer based outside the EU/EEA to perform defined tasks on its behalf — holding the Declaration of Conformity and Technical File, cooperating with market surveillance authorities, and acting on identified compliance failures. Appointment is mandatory for non-EU manufacturers placing CE-marked products on the EU market under most directives, including CRA Article 13, RED Article 11 and MDR Article 11. The EC REP's name and contact address must appear on the DoC and on the product, its packaging or accompanying documents. It carries liability for its own mandated tasks but not for the product's intrinsic conformity, which stays with the manufacturer.
Security & SBOM
- Software Bill of Materials (SBOM)
- A Software Bill of Materials (SBOM) is a machine-readable list of all software components in a product — operating system, libraries, runtimes, drivers, firmware blobs and build-time toolchain — each listed with name, version, supplier, licence and identifiers, enabling vulnerability monitoring and regulatory disclosure. Under the Cyber Resilience Act (Regulation (EU) 2024/2847), Annex I Part II requires manufacturers to identify and document the components in a product "covering at the very least the top-level dependencies", and Annex VII requires the SBOM in a commonly used machine-readable format (in practice CycloneDX or SPDX) within the Technical File. It is updated per release and retained for the full retention period; this becomes mandatory for every product with digital elements from 11 December 2027.
- Common Vulnerabilities and Exposures (CVE)
- CVE (Common Vulnerabilities and Exposures) is the standard identifier scheme for publicly known software security vulnerabilities, each assigned a unique ID (e.g. CVE-2024-12345). In EU hardware compliance, CVEs are matched against a product's SBOM so manufacturers can answer which fielded firmware versions are affected when a vulnerability is published. The Cyber Resilience Act builds on this: products must ship without known exploitable vulnerabilities, manufacturers must run continuous CVE monitoring against the live SBOM, and Annex I Part II requires security updates to be disseminated without delay and free of charge once a relevant vulnerability is identified. A related companion format, VEX, asserts whether a given CVE is actually exploitable in a specific product context.
Reference tools
- EUR-Lex
- EUR-Lex is the official portal for EU law, run by the Publications Office, covering treaties, regulations, directives, decisions and case law in all 24 official languages — the single source of truth for any EU compliance project. Every act has a permanent ELI (European Legislation Identifier) URI following the template eur-lex.europa.eu/eli/<type>/<year>/<num>/oj (for example /eli/reg/2024/2847/oj for the CRA). Note that EUR-Lex "consolidated" texts integrating amendments are editorial and for information only; the legally authentic version is the act as published in the Official Journal.
- CELEX number
- A CELEX number is EUR-Lex's stable internal identifier for every EU document, formed of four parts: sector (1 digit) + year (4 digits) + document-type letter(s) + sequential number. In sector 3 (legal acts), L = directive, R = regulation, D = decision — so 32014L0053 is Directive 2014/53/EU (the RED) and 32024R2847 is Regulation (EU) 2024/2847 (the CRA). Consolidated versions use sector 0 with an applicability-date suffix, e.g. 02014L0053-20180101. A CELEX resolves directly via the URL eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:<celex>.
- NANDO
- NANDO (New Approach Notified and Designated Organisations) is the European Commission's public database of conformity assessment bodies notified under EU harmonisation legislation — the single source of truth for verifying Notified Bodies. It lists each body's registered name, four-digit identification number, notifying authority, the legal acts and modules it is notified for, and its status (notified, suspended or withdrawn). CRA Article 43(1) names NANDO explicitly as the system member states use to notify bodies, and Article 44(1) provides that the Commission assigns each body its identification number. Manufacturers use it to confirm that an NB number quoted on a Declaration of Conformity is real, current and valid for the relevant directive and module.
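The CELEX and ELI conventions from the EUR-Lex and CELEX number entries above, as an added Python example (not code from this glossary or from EUR-Lex): it parses sector-0 and sector-3 CELEX numbers, builds both URLs, and flags references that point at consolidated texts rather than the Official Journal version. The `https` scheme, the four-digit sequential number, the ELI segments `dir` and `dec`, and the function names are assumptions.

```python
import re
from datetime import date

BASE = "https://eur-lex.europa.eu"  # https scheme assumed; the page gives host and path only

# Sector-3 type letters from the glossary entry -> (kind, ELI <type> segment).
# "reg" is the page's own example; "dir" and "dec" are assumed by analogy.
TYPES = {"L": ("directive", "dir"), "R": ("regulation", "reg"), "D": ("decision", "dec")}

# sector digit + 4-digit year + type letter + sequential number (4 digits, as in
# the page's examples), with an optional -YYYYMMDD applicability-date suffix.
CELEX_RE = re.compile(r"(\d)(\d{4})([A-Z])(\d{4})(?:-(\d{8}))?")


def parse_celex(celex):
    """Split a CELEX number for a directive, regulation or decision into its parts."""
    text = celex.strip().upper()
    m = CELEX_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a recognised CELEX number: {celex!r}")
    sector, year, letter, number, suffix = m.groups()
    if sector not in ("0", "3"):
        raise ValueError(f"sector {sector} is outside this example (0 and 3 only)")
    if letter not in TYPES:
        raise ValueError(f"unknown document-type letter {letter!r}")
    # Consolidated texts (sector 0) carry the date suffix; original acts (sector 3) do not.
    if (sector == "0") != (suffix is not None):
        raise ValueError("date suffix and sector 0 must appear together")
    applicable = None
    if suffix:
        # date() raises ValueError on impossible dates such as 20181301
        applicable = date(int(suffix[:4]), int(suffix[4:6]), int(suffix[6:]))
    kind, eli_type = TYPES[letter]
    return {
        "celex": text,
        "kind": kind,
        "year": int(year),
        "number": int(number),
        "consolidated": sector == "0",
        "applicable_from": applicable,
        "celex_url": f"{BASE}/legal-content/EN/TXT/?uri=CELEX:{text}",
        # ELI of the act as published in the Official Journal (the authentic text)
        "eli_url": f"{BASE}/eli/{eli_type}/{int(year)}/{int(number)}/oj",
    }


def citation_warnings(celex_list):
    """Return the references that point at consolidated (information-only) texts."""
    return [c for c in celex_list if parse_celex(c)["consolidated"]]
```

Running `citation_warnings` over the CELEX references in a draft Declaration of Conformity or Technical File shows which citations should be swapped for the Official Journal act before signing.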