CRA Product Classification: Is Your Product Default, Important, or Critical?

Your CRA conformity assessment route (and cost) depends on your product classification. "Important" and "Critical" products face mandatory third-party assessment. "Default" products can self-certify.

This guide helps you determine your category and what it means for compliance.

The Four CRA Product Categories

The CRA classifies products with digital elements into four tiers based on cybersecurity risk:

┌─────────────────────────────────────────────────────────────┐
│                   CRA PRODUCT CATEGORIES                     │
├───────────────┬───────────────┬───────────────┬─────────────┤
│    DEFAULT    │  IMPORTANT    │  IMPORTANT    │  CRITICAL   │
│               │   CLASS I     │   CLASS II    │             │
├───────────────┼───────────────┼───────────────┼─────────────┤
│ Self-assess   │ Self-assess   │ Third-party   │ Third-party │
│ (Module A)    │ IF following  │ REQUIRED      │ REQUIRED    │
│               │ harmonized    │               │ + EUCC      │
│               │ standards     │               │ certification│
├───────────────┼───────────────┼───────────────┼─────────────┤
│ ~90% of       │ Listed in     │ Listed in     │ Listed in   │
│ products      │ Annex III     │ Annex III     │ Annex IV    │
│               │ Part I        │ Part II       │             │
└───────────────┴───────────────┴───────────────┴─────────────┘

Default Products

The vast majority of products fall here. If your product isn't specifically listed in Annex III or IV, it's "Default."

Conformity assessment: Self-assessment (Module A) is sufficient.

Examples:

• Simple IoT sensors
• Basic consumer electronics
• Standard business software
• General-purpose applications
• Non-networked embedded devices

Important Class I (Annex III, Part I)

Products with elevated risk due to their function or user base.

Conformity assessment: Self-assessment allowed IF you fully apply relevant harmonized standards. Otherwise, third-party assessment required.

Full list from Annex III, Part I:

1. Identity management systems and privileged access management software/hardware
2. Standalone web browsers
3. Password managers
4. Software for searching, removing, or quarantining malware
5. Products with digital elements with VPN functionality
6. Network management systems
7. Security information and event management (SIEM) systems
8. Boot managers
9. Public key infrastructure and digital certificate issuance software
10. Physical and virtual network interfaces
11. Operating systems not covered by Class II
12. Routers and modems intended for internet connection
13. Microprocessors with security-related functionalities
14. Microcontrollers with security-related functionalities
15. Application-specific integrated circuits (ASICs) with security-related functionalities
16. Field programmable gate arrays (FPGAs) with security-related functionalities
17. Smart home general-purpose virtual assistants
18. Smart home products with security functionalities (door locks, cameras, baby monitors, alarm systems)
19. Internet-connected toys with social interactive features or location tracking
20. Personal wearable products for health monitoring (not medical devices)

Important Class II (Annex III, Part II)

Higher-risk products requiring mandatory third-party assessment.

Conformity assessment: Third-party (Notified Body) assessment required. No self-assessment option.

Full list from Annex III, Part II:

1. Hypervisors and container runtime systems supporting virtualized execution
2. Firewalls, intrusion detection and prevention systems (network layer)
3. Tamper-resistant microprocessors
4. Tamper-resistant microcontrollers
5. Operating systems for servers, desktops, and mobile devices
6. Industrial automation and control systems (IACS) intended for essential entities under NIS 2
7. Industrial Internet of Things not covered elsewhere
8. Robot sensing and actuating components for industrial/professional use
9. Smart meter gateways intended for smart metering systems

Critical Products (Annex IV)

The highest-risk category. Hardware security modules and similar.

Conformity assessment: Third-party assessment PLUS European Union Cybersecurity Certification (EUCC) at "substantial" level or higher.

Full list from Annex IV:

1. Hardware devices with security boxes
2. Smart meter gateways within advanced metering infrastructure
3. Smartcard or similar device readers
4. Tokens for security/cryptographic purposes (hardware)
5. Hardware Security Modules (HSMs)
6. Smartcards or similar devices, including secure elements
7. Secure cryptoprocessors

Decision Tree: Finding Your Category

Use this process to classify your product:

START: Does your product have digital elements?
│
├─ NO → Not in CRA scope. Stop here.
│
└─ YES → Is it listed in Annex IV (Critical products)?
     │
     ├─ YES → CRITICAL
     │        Third-party + EUCC certification required
     │
     └─ NO → Is it listed in Annex III, Part II (Important Class II)?
          │
          ├─ YES → IMPORTANT CLASS II
          │        Third-party assessment required
          │
          └─ NO → Is it listed in Annex III, Part I (Important Class I)?
               │
               ├─ YES → IMPORTANT CLASS I
               │        Third-party OR self-assessment with standards
               │
               └─ NO → DEFAULT
                        Self-assessment (Module A) permitted

Conformity Assessment Routes by Category

Module A: Internal Production Control (Self-Assessment)

Available for: Default products, Important Class I (with harmonized standards)

What it involves:

• Manufacturer performs internal assessment
• Documents compliance in technical file
• Issues EU Declaration of Conformity
• Affixes CE marking
• No external auditor required

When to use: Most products. Cost-effective for Default category.

Module B+C: EU-Type Examination + Production Control

Required for: Important Class II, Critical (or Important Class I without standards)

What it involves:

• Module B: Notified Body examines a type specimen and technical documentation
• Module C: Manufacturer ensures production conforms to the examined type
• NB issues certificate for Module B
• Manufacturer issues DoC based on both

When to use: When third-party assessment is mandatory or desired for credibility.

Module H: Full Quality Assurance

Available for: All categories as an alternative to B+C

What it involves:

• Notified Body assesses manufacturer's quality management system
• Covers design, production, and testing
• Ongoing surveillance audits
• Well-suited for manufacturers with many products

When to use: High-volume manufacturers with mature quality systems.

EUCC Certification (Critical Products Only)

Required for: Critical products (Annex IV)

What it involves:

• Certification under EU Cybersecurity Act
• "Substantial" assurance level minimum
• Performed by accredited conformity assessment bodies
• Additional to standard conformity assessment

Borderline Cases: How to Decide

Product classification isn't always obvious. Here's guidance for common questions:

Multi-Function Products

Rule: If ANY function triggers a higher category, the entire product is classified at that level.

Example: A smart home hub that includes:

• Basic automation control (Default)
• VPN functionality (Important Class I)
• Security camera integration (Important Class I)

Classification: Important Class I (highest triggered category)

Embedded Components

Rule: Consider whether security-relevant components trigger classification.

Example: A consumer device containing:

• General-purpose microcontroller → Default
• Microcontroller "with security-related functionalities" → Important Class I

Key question: Does the microcontroller perform security functions (encryption, authentication, secure boot)?

"Intended For" Considerations

Several Annex III items specify intended use:

• "Industrial automation and control systems intended for use by essential entities"
• "Smart meter gateways intended for smart metering systems"

If your product could be used in these contexts but isn't specifically intended for them, the classification may not apply. Document your intended use clearly.

Operating Systems

Operating systems are split across categories:

Example: A custom Linux distribution for embedded devices would typically be Important Class I. Ubuntu Server would be Important Class II.

Software vs Hardware

Classification considers the product as placed on the market:

• Standalone software: Classified based on software function
• Hardware with embedded software: Classified based on combined functionality
• Software component sold separately: Classified independently

Industry-Specific Guidance

IoT Device Manufacturers

Most IoT devices are Default unless they:

• Include VPN functionality → Class I
• Are smart home security devices → Class I
• Are industrial IoT → Class I or II
• Include tamper-resistant security features → Class II

Software Companies

Most software is Default unless specifically listed:

• Browsers, password managers, anti-malware → Class I
• Network security tools (firewalls, IDS) → Class II
• Server/desktop operating systems → Class II

Embedded Systems

Classification depends heavily on:

• Security functions of microcontrollers/processors
• Whether product is industrial/professional use
• Target deployment environment (critical infrastructure?)

Medical Devices

Medical devices are excluded from CRA scope (covered by MDR/IVDR). However, companion software or non-medical functions may still be in scope.

What Classification Means for Your Timeline

Higher classifications require more preparation time:

Start now. If you discover you're Class II or Critical, you need runway for Notified Body engagement.

Finding a Notified Body

For products requiring third-party assessment:

1. Check the NANDO database: EU's official list of Notified Bodies
2. Look for CRA-specific designation: Bodies must be designated for CRA conformity assessment
3. Consider capacity: Early CRA adoption means limited NB availability
4. Geographic considerations: Working with an NB in your region may be easier

VERIFY WITH PRIMARY SOURCE: The full list of designated Notified Bodies for CRA is still being established as of this writing.

Common Classification Mistakes

"Consumer product = Default"

Wrong. Classification is by function, not market.

A smart door lock sold to consumers is Important Class I because it's a "smart home product with security functionality," regardless of the consumer target market.

"We're B2B, so lower classification"

Wrong. B2B vs B2C doesn't affect classification.

Industrial IoT products for business customers may be Important Class I or II depending on their function.

"Our product is small/simple, so Default"

Maybe wrong. Size and complexity don't determine classification.

A tiny microcontroller with security functions may be Important Class I. A large, complex product without listed functions may be Default.

"We already have ISO 27001, so we're covered"

Wrong. ISO 27001 is for organizational information security, not product conformity assessment.

CRA requires product-specific conformity assessment regardless of organizational certifications.

Product Classification Checklist

PRODUCT CLASSIFICATION CHECKLIST

Product: _______________________________________
Date: _________________________________________

INITIAL SCOPE CHECK:
[ ] Product has digital elements (software and/or data connection)
[ ] Product will be placed on EU market
[ ] Product is not excluded (medical, automotive, aviation, military)

ANNEX IV CHECK (CRITICAL):
[ ] Not a hardware security box
[ ] Not a smart meter gateway for AMI
[ ] Not a smartcard/secure element reader
[ ] Not a hardware security token
[ ] Not an HSM
[ ] Not a smartcard or secure element
[ ] Not a secure cryptoprocessor

If any above are YES → CRITICAL (stop here)

ANNEX III PART II CHECK (IMPORTANT CLASS II):
[ ] Not a hypervisor or container runtime
[ ] Not a network firewall or IDS/IPS
[ ] Not a tamper-resistant microprocessor/microcontroller
[ ] Not a server/desktop/mobile operating system
[ ] Not an IACS for NIS 2 essential entities
[ ] Not industrial IoT (not otherwise covered)
[ ] Not a robot component for industrial/professional use
[ ] Not a smart meter gateway for smart metering

If any above are YES → IMPORTANT CLASS II (stop here)

ANNEX III PART I CHECK (IMPORTANT CLASS I):
[ ] Review full list of 20 categories
[ ] Consider multi-function implications
[ ] Check for security-related functionalities in components

If any category applies → IMPORTANT CLASS I (stop here)

DEFAULT:
[ ] Product not listed in any Annex
[ ] Classification: DEFAULT

CONFORMITY ASSESSMENT ROUTE:
[ ] Module A (self-assessment) - Default, Class I with standards
[ ] Module B+C (third-party) - Class I without standards, Class II
[ ] Module H (quality assurance) - Alternative to B+C
[ ] EUCC certification - Critical products only

DOCUMENTATION:
[ ] Classification rationale documented
[ ] Multi-function analysis completed
[ ] Intended use clearly defined
[ ] Notified Body identified (if required)

Classified by: _________________________________
Date: _________________________________________

How CRA Evidence Helps

CRA Evidence includes built-in product classification support:

• Guided classification wizard: Answer questions, get your category
• Annex mapping: Track which requirements apply
• Conformity route guidance: Understand your assessment options
• Documentation templates: Category-specific technical file structure

Start your classification assessment at app.craevidence.com.

Next: Once you know your classification, determine your conformity assessment route.

Timeline: Check the CRA implementation timeline for key deadlines.

SBOMs: All categories need SBOMs. See our SBOM requirements guide.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel familiar with EU product regulations.