Determine whether your product is an "important product" and apply the correct conformity assessment
- Applies to
- Manufacturer
- Source citations
- Art. 7(1)Art. 7(2)Art. 32Annex IIIAnnex VI
- Product classes
- Important — Class IImportant — Class II
Plain language
Check Annex III. If your product's core function matches one of the listed categories (such as a VPN, password manager, firewall, browser, OS, router, or smart lock), it is an "important product" in Class I or Class II. This matters enormously for conformity assessment: Class I products without applicable harmonised standards need a notified body; Class II products always need one. If you haven't classified your product, you risk using the wrong conformity route.
Legal text
Article 7(1) of Regulation (EU) 2024/2847 provides that:
Products with digital elements which have the core functionality of a product category set out in Annex III shall be considered to be important products with digital elements and shall be subject to the conformity assessment procedures referred to in Article 32(2) and (3).
Article 7(2) sets out the criteria: important products primarily perform functions critical to the cybersecurity of other products, networks, or services, or perform a function that carries a significant risk of disruption if exploited.
Annex III categories
Class I
| # | Category |
|---|---|
| 1 | Identity management & privileged access management software / hardware |
| 2 | Standalone and embedded browsers |
| 3 | Password managers |
| 4 | Anti-malware software |
| 5 | VPN products |
| 6 | Network management systems |
| 7 | SIEM systems |
| 8 | Boot managers |
| 9 | PKI and digital certificate issuance software |
| 10 | Physical and virtual network interfaces |
| 11 | Operating systems |
| 12 | Routers, modems intended for internet connection, and switches |
| 13 | Microprocessors with security-related functionalities |
| 14 | Microcontrollers with security-related functionalities |
| 15 | ASICs and FPGAs with security-related functionalities |
| 16 | Smart home general-purpose virtual assistants |
| 17 | Smart home products with security functionalities (locks, cameras, baby monitors, alarms) |
| 18 | Internet-connected toys with social interactive or location tracking features |
| 19 | Personal wearables with health monitoring purpose (not covered by MDR/IVDR) |
Class II
| # | Category |
|---|---|
| 1 | Hypervisors and container runtime systems |
| 2 | Firewalls, intrusion detection and prevention systems |
| 3 | Tamper-resistant microprocessors |
| 4 | Tamper-resistant microcontrollers |
Classification note
A product that integrates an important-category component (e.g. includes a VPN) is not automatically an important product. Only products whose core functionality falls within an Annex III category are in scope.
The Commission will publish an implementing act specifying the technical description of each category (Art. 7(4), due by 11 December 2025). Until that act is in force, manufacturers should apply the Annex III category descriptions directly and seek legal and technical advice where classification is unclear.
Conformity assessment implications
| Product class | Route available | Notified body? |
|---|---|---|
| Important Class I (with harmonised standards) | Module A | No |
| Important Class I (without harmonised standards) | Module B+C or H | Yes |
| Important Class II | Module B+C, H, or EUCC | Yes |
See OBL-ART13-04 for conformity assessment procedure details.
Evidence you may need
- Product classification analysis documenting why the product is or is not important, with reference to specific Annex III categories
- Justification for the chosen conformity assessment route
- Evidence of applied harmonised standards (if relying on Class I Module A)