CRA Product Classification: Is Your Product Default, Important, or Critical?

CRA places every product with digital elements into one of four tiers. Your tier decides whether you self-certify or need a Notified Body. Walk through the Annex III and IV lists to find out.

By the CRA Evidence Team. Published February 14, 2026. Updated April 15, 2026.

Your CRA conformity assessment route depends on your product classification. "Important Class II" and "Critical" products face mandatory third-party assessment. "Important Class I" products can self-assess only if harmonised standards (or common specifications or a European cybersecurity certification scheme) are applied in full. "Default" products can self-certify.

Summary

  • CRA defines four categories: Default, Important Class I, Important Class II, Critical
  • Default: Self-assessment (Module A) permitted
  • Important Class I: Third-party assessment unless harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full (and exist for the product)
  • Important Class II: Mandatory third-party assessment (Module B+C or Module H)
  • Critical: Module B+C or H, or a European cybersecurity certificate at assurance level "substantial" or higher where the Commission mandates one by delegated act
  • Classification is based on product function and risk, not market sector
  • When in doubt, err toward higher classification (safer for enforcement)

Tip: About 90% of products fall into the Default category. Check Annex III and IV first. If your product isn't listed, you're Default.

CRA product classification decision tree: Default, Important Class I/II, and Critical categories

What Are the Four CRA Product Categories?

The CRA classifies products with digital elements into four tiers based on cybersecurity risk:

CRA product categories overview: Default, Important Class I/II, and Critical with conformity routes

Default Products

The vast majority of products fall here. If your product isn't specifically listed in Annex III or IV, it's "Default."

Conformity assessment: Self-assessment (Module A) is sufficient.

Examples:

  • Simple IoT sensors
  • Basic consumer electronics
  • Standard business software
  • General-purpose applications
  • Non-networked embedded devices

Important Class I (Annex III, Part I)

Products with elevated risk due to their function or user base.

Conformity assessment: Self-assessment (Module A) is allowed only if you fully apply the relevant harmonised standards, common specifications or a European cybersecurity certification scheme. If you apply them only in part, or if no harmonised standard exists yet for your product, a Notified Body is required (Module B+C or Module H).

Full list from Annex III, Part I:

  1. Identity management systems software and privileged access management software and hardware, including authentication and access control readers, including biometric readers
  2. Standalone and embedded browsers
  3. Password managers
  4. Software that searches for, removes, or quarantines malicious software
  5. Products with digital elements with the function of virtual private network (VPN)
  6. Network management systems
  7. Security information and event management (SIEM) systems
  8. Boot managers
  9. Public key infrastructure and digital certificate issuance software
  10. Physical and virtual network interfaces
  11. Operating systems
  12. Routers, modems intended for the connection to the internet, and switches
  13. Microprocessors with security-related functionalities
  14. Microcontrollers with security-related functionalities
  15. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
  16. Smart home general purpose virtual assistants
  17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
  18. Internet connected toys covered by Directive 2009/48/EC that have social interactive features (e.g. speaking or filming) or that have location tracking features
  19. Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or (EU) No 2017/746 do not apply, or personal wearable products that are intended for the use by and for children

Important Class II (Annex III, Part II)

Higher-risk products requiring mandatory third-party assessment.

Conformity assessment: Third-party (Notified Body) assessment required. No self-assessment option.

Full list from Annex III, Part II:

  1. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments
  2. Firewalls, intrusion detection and prevention systems
  3. Tamper-resistant microprocessors
  4. Tamper-resistant microcontrollers

Critical Products (Annex IV)

The highest-risk category: hardware security modules, secure elements and similar devices.

Conformity assessment: Where the Commission has mandated it by delegated act under Article 8, a European cybersecurity certificate (EUCC or another adopted scheme) at assurance level "substantial" or higher. Where no such act covers the category, the Class II routes apply: Module B+C or Module H with a Notified Body.

Full list from Annex IV:

  1. Hardware Devices with Security Boxes
  2. Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing
  3. Smartcards or similar devices, including secure elements

Decision Tree: Finding Your Category

Use this process to classify your product:

START: Does your product have digital elements?
|
+- NO  Not in CRA scope. Stop here.
|
\- YES  Is it listed in Annex IV (Critical products)?
     |
     +- YES  CRITICAL
     |        European cybersecurity certificate ("substantial" or higher) where mandated; otherwise Module B+C or H
     |
     \- NO  Is it listed in Annex III, Part II (Important Class II)?
          |
          +- YES  IMPORTANT CLASS II
          |        Third-party assessment required
          |
          \- NO  Is it listed in Annex III, Part I (Important Class I)?
               |
               +- YES  IMPORTANT CLASS I
               |        Module A if harmonised standards are fully applied; otherwise Module B+C or H
               |
               \- NO  DEFAULT
                        Self-assessment (Module A) permitted

Conformity Assessment Routes by Category

CRA conformity assessment routes by category: Module A, B+C, H, and EUCC

Module                                              | Available for                                                                   | Notified Body
A (Internal production control)                     | Default; Important Class I when harmonised standards are applied in full        | Not required
B+C (EU-type examination + conformity to type)      | Class I without standards; Class II; Critical without a mandated certificate    | Required
H (Full quality assurance)                          | Any category; alternative to B+C                                                | Required
European cybersecurity certificate (e.g. EUCC)      | Critical (Annex IV), where the Commission mandates it by delegated act (Art. 8) | Certificate issued by an accredited conformity assessment body

Module A is the full self-assessment cycle: technical file, EU Declaration of Conformity, CE marking. No external auditor involved.

Module B+C splits the work: a Notified Body examines a type specimen and issues a certificate (Module B); the manufacturer then ensures all production conforms to that type (Module C).

Module H replaces the product-by-product approach with an audit of the manufacturer's quality management system. Better suited when you have a large product portfolio.

For Critical products, the European cybersecurity certificate is not an extra layer on top of Module B+C or H but an alternative route: where a Commission delegated act under Article 8 requires a certificate for your Annex IV category, you obtain one under the EU Cybersecurity Act at assurance level "substantial" or higher from a conformity assessment body accredited for that scheme (EUCC being the first adopted scheme). Where no such act applies, the Class II routes (Module B+C or H) govern.
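The decision tree and the routes table above, encoded as an added example (not code from this page, from CRA Evidence, or from the Regulation) so the same logic can be applied consistently across a product portfolio. The function labels such as `vpn` or `smart_home_security_product` are this example's own names; the annex references are the item numbers listed on this page. Two inputs the code cannot decide for you are whether a function is the product's core functionality and whether harmonised standards exist and are fully applied; both are explicit parameters.

```python
"""CRA tier and conformity-route helper (added example, not the page's own code).

Highest tier wins across the product's *core* functions; permitted assessment
modules depend on the tier plus two facts the manufacturer must establish.
"""
from enum import IntEnum


class Tier(IntEnum):
    DEFAULT = 0
    IMPORTANT_I = 1
    IMPORTANT_II = 2
    CRITICAL = 3


# Core-function label -> annex reference. Labels are illustrative (this example's
# own naming); the references are the item numbers of Regulation (EU) 2024/2847.
ANNEX_IV = {
    "security_box_device": "Annex IV item 1",
    "smart_meter_gateway_or_secure_cryptoprocessing": "Annex IV item 2",
    "smartcard_or_secure_element": "Annex IV item 3",
}
ANNEX_III_CLASS_II = {
    "hypervisor_or_container_runtime": "Annex III class II item 1",
    "firewall_ids_ips": "Annex III class II item 2",
    "tamper_resistant_microprocessor": "Annex III class II item 3",
    "tamper_resistant_microcontroller": "Annex III class II item 4",
}
ANNEX_III_CLASS_I = {
    "identity_management_or_pam": "Annex III class I item 1",
    "browser": "Annex III class I item 2",
    "password_manager": "Annex III class I item 3",
    "anti_malware": "Annex III class I item 4",
    "vpn": "Annex III class I item 5",
    "network_management": "Annex III class I item 6",
    "siem": "Annex III class I item 7",
    "boot_manager": "Annex III class I item 8",
    "pki_or_certificate_issuance": "Annex III class I item 9",
    "network_interface": "Annex III class I item 10",
    "operating_system": "Annex III class I item 11",
    "router_modem_switch": "Annex III class I item 12",
    "microprocessor_with_security_functions": "Annex III class I item 13",
    "microcontroller_with_security_functions": "Annex III class I item 14",
    "asic_fpga_with_security_functions": "Annex III class I item 15",
    "smart_home_virtual_assistant": "Annex III class I item 16",
    "smart_home_security_product": "Annex III class I item 17",
    "connected_toy": "Annex III class I item 18",
    "health_or_child_wearable": "Annex III class I item 19",
}

# Checked highest tier first, mirroring the order of the decision tree.
_LISTS = (
    (Tier.CRITICAL, ANNEX_IV),
    (Tier.IMPORTANT_II, ANNEX_III_CLASS_II),
    (Tier.IMPORTANT_I, ANNEX_III_CLASS_I),
)


def classify(core_functions):
    """Return (tier, matched_references, unlisted_functions).

    core_functions: labels for what the product, as placed on the market, is
    intended to do. Only core functionality counts (Article 7(1)); deciding what
    is core is the manufacturer's call and belongs in the technical documentation.
    """
    tier = Tier.DEFAULT
    matched, unlisted = [], []
    for fn in core_functions:
        for list_tier, table in _LISTS:
            if fn in table:
                matched.append(table[fn])
                tier = max(tier, list_tier)
                break
        else:
            unlisted.append(fn)  # not in any Annex: contributes nothing above Default
    return tier, matched, unlisted


def permitted_routes(tier, standards_fully_applied=False, certificate_mandated=False):
    """Conformity assessment routes open to a product of the given tier (Article 32).

    standards_fully_applied: harmonised standards, common specifications or a
        European cybersecurity certification scheme exist for the product AND are
        applied in full. If no harmonised standard exists yet, this is False and a
        Class I product loses the Module A option.
    certificate_mandated: a Commission delegated act under Article 8 requires a
        European cybersecurity certificate (e.g. EUCC) at assurance level
        "substantial" or higher for this Annex IV category.
    """
    if tier == Tier.DEFAULT:
        return ["Module A", "Module B+C", "Module H"]
    if tier == Tier.IMPORTANT_I:
        return (["Module A"] if standards_fully_applied else []) + ["Module B+C", "Module H"]
    if tier == Tier.IMPORTANT_II:
        return ["Module B+C", "Module H"]
    if certificate_mandated:
        return ['European cybersecurity certificate, assurance level "substantial" or higher']
    return ["Module B+C", "Module H"]


if __name__ == "__main__":
    # Constructed example product: the smart home hub discussed on this page.
    hub = ["home_automation", "vpn", "smart_home_security_product"]
    tier, refs, unlisted = classify(hub)
    print(tier.name, refs, unlisted)
    print(permitted_routes(tier, standards_fully_applied=False))
```

Run with no arguments and the hub resolves to IMPORTANT_I on items 5 and 17, with the unlisted automation function reported separately so the rationale can be written into the technical file. Flip `standards_fully_applied` to True once a harmonised standard covering the product is fully applied and Module A reappears in the route list.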

How Do You Classify a Product That Falls Into Multiple Categories?

Not every product is a clean fit. These are the most common edge cases:

Multi-Function Products

Rule: Classification follows the product's core functionality (Article 7(1)). Look at what the product, as placed on the market, is intended to do, and take the highest tier matched by any of its core functions. Integrating a component that is itself a listed product does not automatically pull the whole product up a tier, but a listed function that customers buy the product for is core functionality, not an embedded component.

Example: A smart home hub that includes:

  • Basic automation control (not listed; Default on its own)
  • A built-in VPN server for remote access (Important Class I, item 5)
  • Control of security cameras, locks and alarms (Important Class I, item 17)

Classification: Important Class I. Controlling security devices is a core function of the hub, and the VPN function would trigger the same tier on its own. Record which functions you treat as core and why; if the Commission's technical description of a category contradicts your reading, the summary advice applies: err higher.

CRA multi-function product rule: highest category wins across all functions

Embedded Components

Rule: A component's own classification belongs to the component manufacturer who places it on the market; it does not transfer to every product that integrates it. The integrator classifies the finished product on its core functionality, and separately owes due diligence on the third-party components it integrates.

Example: A consumer device containing:

  • General-purpose microcontroller → the chip is Default as a product; the device is classified on its own function
  • Microcontroller "with security-related functionalities" → the chip is Important Class I (item 14) for its vendor; the device is Class I only if its own core functionality is listed (a smart lock, for instance)

Key question for the chip vendor: Does the microcontroller perform security functions (encryption, authentication, secure boot)? Key question for the integrator: What is the finished product's core functionality?

"Intended For" Considerations

Some Annex III items specify intended use or product context (e.g. items referencing "connected toys covered by Directive 2009/48/EC" or health monitoring wearables that reference Regulations 2017/745 and 2017/746).

If your product could be used in these contexts but isn't specifically intended for them, the classification may not apply. Document your intended use clearly.

Operating Systems

Operating systems are listed only in Annex III Part I (Important Class I). There is no operating system category in Class II, and the Annex does not distinguish general-purpose from embedded operating systems:

OS Type                                                                     | Classification
General-purpose OS (desktop, server, mobile)                                | Important Class I
Embedded OS or RTOS supplied as a product in its own right                  | Important Class I by the plain words of item 11
Firmware or RTOS never placed on the market separately, only inside a device | Not classified on its own; the device is classified on its core functionality

Example: A custom Linux distribution sold for embedded devices is Important Class I, as is Ubuntu Server. A thermostat that runs an RTOS internally is classified as a thermostat; the RTOS belongs in the device's technical documentation but does not set its tier. Before claiming Default for anything you sell as an operating system, check the technical descriptions of the Annex III categories that the Commission adopts under Article 7(4).

Software vs Hardware

Classification considers the product as placed on the market:

  • Standalone software: Classified based on software function
  • Hardware with embedded software: Classified based on combined functionality
  • Software component sold separately: Classified independently

Industry-Specific Guidance

IoT Device Manufacturers

Most IoT devices are Default unless a listed category is their core functionality:

  • VPN as a core function → Class I (item 5)
  • Smart home security devices (locks, cameras, baby monitors, alarms) → Class I (item 17)
  • Routers, modems, switches and network interfaces → Class I (items 10 and 12)
  • Firewall or IDS/IPS appliances → Class II
  • "Industrial IoT" is not a category of its own; an industrial device is Class I or II only if one of the listed functions is its core functionality
  • A tamper-resistant microcontroller inside a device makes the chip Class II for its vendor; it does not by itself move the device to Class II

Software Companies

Most software is Default unless specifically listed:

  • Browsers, password managers, anti-malware → Class I
  • Network security tools (firewalls, IDS) → Class II
  • Operating systems → Class I

Embedded Systems

Classification depends on:

  • For a chip or module placed on the market as such: whether it has security-related functionalities (Class I) or is tamper-resistant (Class II)
  • For a finished device: the device's core functionality, not the chips inside it

Industrial or professional use and the deployment environment (critical infrastructure included) do not change the CRA tier. They matter for the product's risk assessment and for other regimes such as NIS2, not for Annex III and IV classification.

Medical Devices

Medical devices are excluded from CRA scope (covered by MDR/IVDR). However, companion software or non-medical functions may still be in scope.

Finding a Notified Body

For products requiring third-party assessment:

  1. Check the NANDO database: EU's official list of Notified Bodies
  2. Look for CRA-specific designation: Bodies must be designated for CRA conformity assessment
  3. Consider capacity: Early CRA adoption means limited NB availability
  4. Geographic considerations: Working with an NB in your region may be easier

The CRA's Notified Body designation process is ongoing. Check the NANDO database directly for the current list of designated bodies.

Common Classification Mistakes

Important: Classification is based on product function, not market sector, company size, or product complexity. Always check Annex III and IV lists.

"Consumer product = Default"

Wrong. Classification is by function, not market.

A smart door lock sold to consumers is Important Class I because it's a "smart home product with security functionality," regardless of the consumer target market.

"We're B2B, so lower classification"

Wrong. B2B vs B2C doesn't affect classification.

Industrial IoT products for business customers may be Important Class I or II depending on their function.

"Our product is small/simple, so Default"

Maybe wrong. Size and complexity don't determine classification.

A tiny microcontroller with security functions may be Important Class I. A large, complex product without listed functions may be Default.

"We already have ISO 27001, so we're covered"

Wrong. ISO 27001 is for organizational information security, not product conformity assessment.

CRA requires product-specific conformity assessment regardless of organizational certifications.

Product Classification Checklist

PRODUCT CLASSIFICATION CHECKLIST

Product: _______________________________________
Date: _________________________________________

INITIAL SCOPE CHECK (all must be ticked to continue):
[ ] Product has digital elements (software or hardware with a direct or indirect data connection)
[ ] Product will be placed on the EU market
[ ] Product is not excluded from CRA scope (medical devices under MDR/IVDR, type-approved vehicles, civil aviation, marine equipment, national security or defence products)

ANNEX IV CHECK (CRITICAL), tick what applies:
[ ] Hardware device with a security box
[ ] Smart meter gateway (Directive (EU) 2019/944, Art. 2(23)) or other device for advanced security purposes, including secure cryptoprocessing
[ ] Smartcard or similar device, including secure elements

Any box ticked → CRITICAL (stop here)

ANNEX III PART II CHECK (IMPORTANT CLASS II), tick what applies:
[ ] Hypervisor or container runtime system
[ ] Firewall, intrusion detection or prevention system
[ ] Tamper-resistant microprocessor
[ ] Tamper-resistant microcontroller

Any box ticked → IMPORTANT CLASS II (stop here)

ANNEX III PART I CHECK (IMPORTANT CLASS I):
[ ] All 19 categories reviewed against the product's core functionality
[ ] Multi-function analysis completed (highest matched category wins)
[ ] Security-related functionalities checked where the chip or module itself is the product

Any category matched → IMPORTANT CLASS I (stop here)

DEFAULT:
[ ] Product's core functionality is not listed in Annex III or IV
[ ] Classification: DEFAULT

CONFORMITY ASSESSMENT ROUTE:
[ ] Module A (self-assessment) - Default; Class I with harmonised standards applied in full
[ ] Module B+C (Notified Body) - Class I without standards; Class II; Critical without a mandated certificate
[ ] Module H (full quality assurance, Notified Body) - alternative to B+C
[ ] European cybersecurity certificate (e.g. EUCC, "substantial" or higher) - Critical products where mandated by delegated act

DOCUMENTATION:
[ ] Classification rationale documented, including which functions are treated as core
[ ] Multi-function analysis completed
[ ] Intended use clearly defined
[ ] Notified Body identified (if required)

Classified by: _________________________________
Date: _________________________________________

Frequently Asked Questions

Does a smart home router fall under Important Class I or Default?

Important Class I. Routers "intended for the connection to the internet" are listed in Annex III Part I, item 12. Self-assessment is available if you fully apply a relevant harmonised standard. Without one, a Notified Body is required. See CRA conformity assessment routes.

Does the CRA apply to SaaS products with no physical hardware?

Only partly. The CRA regulates products, not services. Software-as-a-Service is outside its scope unless it is a "remote data processing solution" for a product with digital elements: processing designed by or on behalf of the manufacturer without which the product could not perform one of its functions (Article 3, points (1) and (2)). The cloud backend of a smart lock is in scope as part of the lock; a web application with no associated product is not, although NIS2 may apply to the provider. Software that the user downloads and runs (an app, an installer) is a product in its own right and is classified using the same Annex III and IV lists as hardware.

If my product has both Default and Class I functions, which category applies?

The highest applicable category governs the whole product, judged on the product's core functionality. If a function the product is sold to perform matches an Annex III or IV listing, the entire product is assessed at that tier. A network switch that also includes a VPN concentrator is Important Class I for the full device (switches and VPN products are both Class I listings), not just for the VPN component.

Does ISO 27001 certification affect my CRA product classification?

No. Classification is determined by product function against Annex III and IV only. Organisational certifications play no role. ISO 27001 addresses company-level information security management. CRA requires per-product conformity assessment regardless of what the manufacturer holds. See CRA vs ISO 27001.

When does CRA product classification need to be determined?

Before placing the product on the EU market. Classification sets your conformity assessment route, which must be completed before you can affix the CE marking and issue the Declaration of Conformity. See the CRA implementation timeline for key dates.

Where do I find a Notified Body for CRA conformity assessment?

The NANDO database at nando.ec.europa.eu is the official EU registry of Notified Bodies. CRA-specific designations are still being published as the programme ramps up, so check directly for bodies listed under Regulation (EU) 2024/2847. For Important Class I products, a Notified Body is only required if you are not applying a relevant harmonised standard.

Next Steps

Managing CRA compliance across multiple products? CRA Evidence tracks classification, conformity routes, and documentation in one place.

Once you know your classification, the next step is your conformity assessment route. Check the CRA implementation timeline for key deadlines. Note that all categories, regardless of tier, require an SBOM. See the SBOM requirements guide.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.

