Critical product with digital elements
A product whose core functionality falls within Annex IV of the CRA. Currently the three categories are: hardware devices with security boxes, smart meter gateways, and smartcards/secure elements. Critical products face the most stringent conformity requirements and, once Commission delegated acts are in force, must obtain formal European cybersecurity (EUCC) certification.
Source citations
Regulation text
Article 8(1) of Regulation (EU) 2024/2847 empowers the Commission to designate critical products and require them to obtain:
"a European cybersecurity certificate at assurance level at least 'substantial' under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881"
Until delegated acts have been adopted, Art. 8(1) final paragraph requires critical products to comply with Article 32(3) (the most stringent third-party conformity assessment).
Annex IV categories (current)
- Hardware Devices with Security Boxes
- Smart meter gateways and other devices for advanced security purposes, including secure cryptoprocessing
- Smartcards or similar devices, including secure elements
Distinction from important products
Critical products represent the very highest risk tier. The key differences:
| Important (Class II) | Critical (Annex IV) | |
|---|---|---|
| Notified body required? | Yes | Yes |
| Certification scheme required? | Optional EUCC | Mandatory EUCC (once delegated act) |
| Penalty threshold | €10M / 2% | €10M / 2% (same — Art. 64(3)) |
Commission update power
The Commission may add or remove categories from Annex IV by delegated act (Art. 8(2)), subject to assessing the criticality criteria in Art. 7(2).