FAQ: Can I self-assess my connected product security?

Short answer
For most products - yes, legally you can. The CRA allows self-assessment for Default products, and for Class I products if you apply the relevant harmonised standards (or common specifications, or an EU cybersecurity certification scheme). But whether you should do it entirely on your own depends on your team, your product, and your customers.
Long answer
The CRA doesn't require a lab for Default products. You assess the product against the essential requirements yourself (Module A, internal control), write it up in the technical documentation, sign the EU declaration of conformity, and affix the CE marking. For Class I (important) products, self-assessment is also enough if you fully apply a harmonised standard, a common specification, or an EU cybersecurity certification scheme covering the relevant requirements; EN 303 645 is the usual consumer-IoT baseline today, although the CRA-specific harmonised standards are still being drafted. If you don't apply one, a notified body has to be involved. For Class II, a notified body is always required. For Critical products (Annex IV: hardware devices with security boxes such as HSMs, smartcards and secure elements, smart meter gateways), the intended route is a European cybersecurity certificate under EUCC once the Commission mandates it by delegated act; until such an act applies, they are assessed like Class II products.
When can you self-test?
- you have someone in-house who can run network scans, analyse TLS configurations, review firmware, check BLE/Wi-Fi security, and write the results up as evidence for the technical file
- your product is relatively simple -- a sensor, a monitor, a single-purpose connected device
- you're in the Default category, where self-assessment is sufficient (a third party is optional there, not required)
When is it better to go to a test lab?
- you don't have security testing skills in-house
- your product is complex -- multiple interfaces, cloud backend, mobile app, BLE + Wi-Fi + cellular
- you want independent validation that carries more weight with customers
- your customers or sector expect third-party evidence (common in B2B, industrial, healthcare-adjacent)
The middle ground
Hire a security consultant to run the tests together with your team and document the results, but skip the notified body. You get structured testing and an independent pair of eyes without the cost and timeline of a full lab engagement. The test specification for EN 303 645, ETSI TS 103 701, was written for test labs, but nothing stops you from running the same checks yourself: it is publicly available and, for each provision, describes the test, the implementation information the manufacturer has to supply, and what counts as a pass. Two caveats: results you produce yourself are manufacturer evidence, not independent verification; and EN 303 645 does not cover every CRA essential requirement (the SBOM obligation in Annex I, for example), so a passed TS 103 701 run is part of the technical file, not the whole of it.
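As an added example (not part of the original FAQ, and not taken from ETSI TS 103 701, which only describes the test and its verdict), here is a small POSIX shell script for one check you would run yourself: comparing the ports a device actually exposes against the interface inventory you documented for EN 303 645 provision 5.6-1 (unused network and logical interfaces disabled), and saving the raw scan as evidence. It assumes nmap and, optionally, testssl.sh are installed; the sample scan line is constructed, and the allowlist of documented ports is hypothetical.

```shell
#!/bin/sh
# Added example: check a device's exposed ports against the interface inventory
# documented for EN 303 645 provision 5.6-1 (unused interfaces disabled).
# Assumes nmap (and optionally testssl.sh) is installed. The sample scan line
# below is constructed, not real output, and the allowlist is hypothetical.

# Parse nmap grepable output (-oG) from stdin; print one "port/proto" per open port.
open_ports_from_gnmap() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), entry, ",")
            for (j = 1; j <= n; j++) {
                sub(/^ +/, "", entry[j])
                split(entry[j], f, "/")     # port/state/proto/owner/service/...
                if (f[2] == "open") print f[1] "/" f[3]
            }
        }
    }'
}

# Read "port/proto" lines on stdin; print those not in the allowlist ($1),
# a whitespace-separated list copied from your documented interface inventory.
unexpected_ports() {
    allow=" $1 "
    while IFS= read -r p; do
        case "$allow" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample of what nmap -oG writes for a device with SSH, HTTPS and a
# forgotten debug HTTP port still listening (not real scan output).
sample_gnmap() {
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n'
}

# Scan a real device and emit a pass/fail verdict for the attack-surface check.
# Usage: run_attack_surface_check 192.0.2.10 "443/tcp 8883/tcp" evidence/
# Returns 0 when every open port is on the allowlist, 1 otherwise, 2 if nmap is missing.
run_attack_surface_check() {
    target=$1; allowlist=$2; outdir=${3:-evidence}
    mkdir -p "$outdir"
    command -v nmap >/dev/null || { echo "nmap not installed" >&2; return 2; }
    # -p- scans all 65535 TCP ports; -sV records the service banner in the evidence file.
    nmap -p- -sV -oG "$outdir/$target.gnmap" "$target" >/dev/null
    extra=$(open_ports_from_gnmap < "$outdir/$target.gnmap" | unexpected_ports "$allowlist")
    if [ -n "$extra" ]; then
        echo "FAIL 5.6-1: undocumented open ports on $target:" "$extra"
        return 1
    fi
    echo "PASS 5.6-1: only documented ports open on $target"
    # Optional: record the TLS protocol versions offered on each documented port
    # (testssl.sh -p = protocols); this feeds the 5.5-1 best-practice-crypto check.
    if command -v testssl.sh >/dev/null; then
        for p in $allowlist; do
            testssl.sh -p "$target:${p%/*}" > "$outdir/$target-${p%/*}-tls.txt" 2>&1 || true
        done
    fi
    return 0
}
```

To dry-run the parsing logic without a device, pipe the constructed sample through it: `sample_gnmap | open_ports_from_gnmap | unexpected_ports "443/tcp 8883/tcp"` reports 22/tcp and 8080/tcp as undocumented. The point of keeping the allowlist in a file you already maintain (your interface inventory) is that the check then fails whenever the firmware and the documentation drift apart, which is exactly the gap a lab would flag.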
Rough costs
- Self-testing: your team's time plus tools (nmap, Wireshark and testssl.sh are free)
- Security consultant: EUR 5-15K depending on product complexity
- Full lab testing (TS 103 701): EUR 15-50K+ depending on the lab and product
- Notified body assessment (Class II, or Class I without a harmonised standard): EUR 20-60K+, plus ongoing surveillance
Next steps
Determine your product category (Default, Class I/II, or Critical) to know which assessment path applies. Then decide whether to self-test, hire a consultant, or go to a lab based on your team's capabilities and your customers' expectations.