Module A Self-Declaration: Why It's Only as Good as Your Documented Procedures

    Under EN 18031, Module A (internal production control) lets manufacturers self-declare cybersecurity conformity without a notified body. But "internal production control" is a legal term - it requires documented, repeatable, verifiable procedures, not just a signed Declaration of Conformity. This guide explains the procedure-documentation layer that most self-declarations forget.

    June 8, 2026

    Key Takeaways

    Module A self-declaration under EN 18031 - connected device with shield, signed EN 18031 conformity document, and a process workflow

    Module A (internal production control) is the self-declaration route under the Radio Equipment Directive (RED) for the cybersecurity requirements of EN 18031. The manufacturer evaluates the product, prepares the technical documentation, and signs the Declaration of Conformity (DoC) without a notified body. The catch: the phrase "internal production control" is not decorative - it obliges you to operate and document repeatable internal procedures that a market surveillance authority can later verify.

    • Self-declaration is legally valid: Module A is explicitly permitted under the Radio Equipment Directive for the cybersecurity requirements activated by Delegated Regulation (EU) 2022/30.

    • "Internal production control" means documented procedures: Module A requires you to demonstrate that conformity is produced by a controlled, repeatable internal process - not by a one-off assessment that happened to pass.

    • There are two layers of documentation, not one: the conformity evidence (tables, decision trees, test plans, DoC) and the operational procedures that produced it (how tests are run, how each build is verified, how vulnerabilities are triaged).

    • Undocumented procedures are the hidden audit risk: if your process lives only in one engineer's head, it is neither repeatable nor verifiable - exactly what a market surveillance authority will probe.

    • Tools cover both layers: RedComply automates the conformity evidence; a procedure-capture tool like SOPMODO turns tacit shop-floor and lab know-how into structured Standard Operating Procedures (SOPs).

    What "Internal Production Control" Actually Demands

    Internal production control under Module A - a signed Declaration of Conformity resting on an underlying layer of build verification, testing, and vulnerability procedures

    Module A is named "internal production control" for a reason. The conformity assessment framework does not just ask "is this product compliant?" - it asks "does the manufacturer have an internal process that reliably produces compliant products?" The Declaration of Conformity is the visible output. The internal production control is the machinery underneath it.

    That distinction is where many self-declarations are quietly weak. Teams invest heavily in producing the conformity evidence for one device, sign the DoC, and ship - without ever documenting how that result was achieved. When the next firmware release, the next variant, or the next engineer comes along, the process has to be reconstructed from memory.

    The evidence layer vs. the procedure layer

    A defensible Module A self-declaration has two distinct documentation layers:

    • Conformity evidence - the EN 18031 deliverables: asset inventories, completed compliance tables, decision tree outcomes, three-tier test plan results, and the signed Declaration of Conformity. This describes what you assessed and what verdict you reached.

    • Operational procedures - the documented, repeatable internal processes that produced that evidence: how you run each test, how every build is verified before release, how a reported vulnerability is triaged and remediated, how a new variant is re-assessed. This describes how the result is reliably reproduced.

    EN 18031 and the RED's conformity framework care about both. A perfect set of tables for a single device, with no documented process behind it, is a snapshot - not internal production control. Market surveillance authorities are entitled to request the technical documentation at any time after the product is on the market, and "we did it correctly, trust us" is not the same as "here is the procedure we follow every time."

    The Two Layers of a Defensible Self-Declaration

    Two layers of a defensible self-declaration - conformity artifacts (tables, decision trees, Declaration of Conformity) supported by a foundation of operational process documentation

    Think of your self-declaration as a structure: the conformity artifacts sit on top, and the operational procedures are the foundation that holds them up. Remove the foundation and the top layer becomes a one-time achievement that nobody can repeat or defend.

    DimensionConformity evidence layerOperational procedure layer

    What it documents

    The assessment result for a specific device

    The repeatable process that produces that result

    Typical artifacts

    Asset tables, decision trees, test plans, DoC

    Test procedures, build-verification steps, vulnerability triage workflow, SOPs

    Question it answers

    Is this device compliant?

    Will the next device be compliant the same way?

    Who relies on it

    The signer of the DoC; market surveillance

    Engineers, QA, new hires, auditors checking process control

    Failure mode if missing

    No basis for the DoC at all

    Process lives in one person's head; not repeatable or verifiable

    Where RedComply / SOPMODO fit

    RedComply automates this layer

    SOPMODO captures and structures this layer

    The two layers are complementary, not competing. RedComply is purpose-built to generate the conformity evidence - it turns the document-heavy EN 18031 assessment into structured tables, decision trees, auto-calculated test plan verdicts, and a one-click Declaration of Conformity. What it does not do - because it is a different job - is document the human procedures your team performs on the shop floor and in the lab. That is the second layer.

    Why Undocumented Procedures Are Your Biggest Audit Risk

    Capturing tacit shop-floor and lab procedures - a technician narrating and photographing a procedure that an AI turns into a structured SOP, with an audit verification motif

    The most common weakness in a Module A self-declaration is not a missing table or a wrong decision tree outcome. It is tacit knowledge: the test setup, the build-verification ritual, the vulnerability triage steps that one or two senior engineers simply know and have never written down.

    This is a real compliance risk for three reasons:

    • It is not repeatable. Internal production control assumes the process is followed consistently across every build and variant. If the process is undocumented, the next release may diverge silently - and your DoC no longer reflects reality.

    • It is not verifiable. A market surveillance authority assessing your process control wants to see the procedure, not hear that it exists. Undocumented steps look, on inspection, like steps that were never performed.

    • It is a key-person dependency. When the engineer who "owns" the procedure leaves, reproducibility - and therefore your continued conformity - walks out with them.

    Turning tacit procedures into structured SOPs

    The fix is to capture these operational procedures as documented, repeatable Standard Operating Procedures (SOPs) - before they walk out the door. The obstacle is that writing SOPs by hand is tedious, so it rarely gets done, especially for hands-on lab and shop-floor work.

    This is exactly the gap our sister product SOPMODO is built to close. Instead of writing procedures from scratch, an engineer simply performs the procedure in the real environment - narrating the steps out loud and taking photos - and SOPMODO's AI assembles a structured, repeatable SOP from that captured walkthrough. The tacit knowledge in someone's head becomes a documented, shareable procedure that supports the "internal production control" half of your Module A self-declaration.

    Used together, the picture is complete: RedComply produces the conformity evidence the standard requires, and SOPMODO documents the operational procedures behind it - so your self-declaration is not just signed, but defensible.

    Self-Declaration Procedure-Documentation Checklist

    Use this checklist to test whether your Module A self-declaration rests on documented procedures - not just a one-time assessment. If several items are missing, your conformity evidence may be solid while your internal production control is not.

    • Conformity evidence complete: asset inventories, compliance tables, decision tree outcomes, three-tier test plan results, and a signed Declaration of Conformity are all in place.

    • Test procedures documented: there is a written, repeatable procedure for each security test you run - not just the result it produced this time.

    • Build-verification procedure documented: how each firmware build is checked before release is captured as a step-by-step procedure, not an informal habit.

    • Vulnerability triage workflow documented: the steps from a reported vulnerability to a remediated, re-verified release exist as a defined procedure.

    • Re-assessment procedure documented: there is a clear, repeatable process for re-evaluating conformity when a new variant or firmware update is released.

    • Procedures are not key-person dependent: a new engineer could follow the documented SOPs and reproduce the work without the original author.

    • Procedures are verifiable: each documented procedure is concrete enough that a market surveillance authority could check it against what your team actually does.

    • Procedures stay current: there is an owner and a cadence for keeping operational SOPs aligned with how the work is really performed.

    For the first item, a dedicated platform like RedComply handles the conformity evidence end to end. For the procedure items, capturing the work as you perform it - rather than writing SOPs after the fact - is what makes the documentation actually happen; that is the role SOPMODO plays.

    If you are still scoping which EN 18031 parts apply and how the self-assessment runs end to end, our RED cybersecurity self-assessment guide walks through the full Module A workflow.

    Frequently Asked Questions

    Does Module A really require documented procedures, or just a signed DoC?

    It requires both. "Internal production control" is the formal name of Module A, and it refers to a controlled, repeatable process that produces conformity - not only to the signed Declaration of Conformity at the end. The DoC is the output; the documented internal procedures are the control that makes the output trustworthy. A self-declaration backed only by a signed DoC and a one-time assessment is weaker than one backed by documented, repeatable procedures.

    What kinds of procedures should I document for an EN 18031 self-declaration?

    Focus on the operational processes that produce your conformity evidence: how each security test is set up and run, how every firmware build is verified before release, how a reported vulnerability is triaged and remediated, and how conformity is re-assessed when a variant or update ships. These are the procedures a market surveillance authority would expect to see when evaluating your internal production control.

    What happens if a market surveillance authority asks for my procedures and they are not written down?

    Authorities can request your technical documentation at any time after market placement. If your operational procedures are undocumented, they appear - from the outside - to be procedures that were never followed. That can lead to findings of inadequate process control, requests for corrective action, and in serious cases restriction or withdrawal of the product. Documented, repeatable procedures are how you demonstrate the "control" in internal production control.

    How is RedComply different from SOPMODO?

    They address the two different documentation layers. RedComply is purpose-built for the EN 18031 conformity evidence - asset tables, decision trees, test plans, and Declaration of Conformity generation. SOPMODO documents the operational procedures behind that evidence: an engineer records and narrates a hands-on procedure, and its AI turns the captured walkthrough into a structured Standard Operating Procedure. RedComply proves the device is compliant; SOPMODO proves your process for producing compliant devices is real and repeatable.

    Can I capture procedures after the assessment, or should it happen during?

    Capturing procedures as the work is performed is far more reliable than reconstructing them later. After-the-fact SOP writing tends to be skipped under deadline pressure and loses the small, tacit details that matter. Recording the procedure while it is actually being done - narrating and photographing the steps - preserves those details and is the approach a tool like SOPMODO is designed around.

    How RedComply Supports Your Module A Self-Declaration

    RedComply is purpose-built for the EN 18031 conformity evidence at the heart of a Module A self-declaration. It transforms the complex, document-heavy assessment into a guided, structured workflow with AI assistance at every step.

    1. Scope definition: create a project, select which EN 18031 parts apply, and the platform filters sections, tables, and requirements to show only what is relevant.

    2. Asset identification: structured tables for security functions, security parameters, network, privacy, and financial assets - with AI assistance to suggest and cross-reference entries.

    3. Section-by-section evaluation: AG Grid-powered compliance tables with decision tree integration, auto-populated fields, and real-time consistency checks.

    4. Test plan execution: a three-tier test plan with auto-calculated verdict conditions and pass/fail criteria masks that flag incomplete assessments.

    5. Declaration of Conformity: one-click PDF generation that compiles all assessment data into a regulatory document ready for CE marking.

    RedComply gives you a rock-solid conformity evidence layer. To complete the picture, pair it with documented operational procedures: our sister product SOPMODO turns the hands-on processes your team performs - in the lab and on the shop floor - into structured, repeatable SOPs by simply recording the procedure as it happens. Together they cover both halves of internal production control.

    Visit redcomply.com to start your EN 18031 self-declaration, and sopmodo.com to document the procedures behind it.