Important product with digital elements
A product whose core functionality falls within a category listed in Annex III of the CRA. Such products primarily perform functions critical to the cybersecurity of other products, networks, or services, or carry a significant risk of adverse effects if exploited. Important products are divided into Class I and Class II, with Class II attracting stricter conformity requirements.
Source citations
Regulation text
Article 7(1) of Regulation (EU) 2024/2847:
"Products with digital elements which have the core functionality of a product category set out in Annex III shall be considered to be important products with digital elements and shall be subject to the conformity assessment procedures referred to in Article 32(2) and (3)."
Class I examples
VPNs, password managers, browsers, OS, routers/modems for internet connection, network management systems, SIEMs, boot managers, smart locks, security cameras, microprocessors and microcontrollers with security functions
Class II examples
Hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers
Conformity assessment implications
| Class | Harmonised standards fully applied? | Procedure required |
|---|---|---|
| I | Yes | Module A (self-assessment permitted) |
| I | No | Module B+C or Module H (notified body required) |
| II | Either | Module B+C, Module H, or EUCC |
Classification note
Only the product whose core functionality is in an Annex III category is important. A product that merely integrates an important component is not automatically important (Art. 7(1), second sentence).