OBL-ART8-01 Binding

Determine whether your product is a "critical product" and obtain European cybersecurity certification

Applies to
Manufacturer
Source citations
Art. 8(1), Art. 32(4), Annex IV
Product classes
Critical
Last reviewed

Plain language

Annex IV currently lists three product categories as critical: hardware devices with security boxes, smart meter gateways, and smartcards/secure elements. If your product falls into one of these categories, you will eventually be required to obtain formal European cybersecurity certification (EUCC) — not just do a self-assessment. The Commission will trigger this via delegated act. Until then, you must still pass a third-party conformity assessment (Module B+C or H).

Legal text

Article 8(1) of Regulation (EU) 2024/2847 empowers the Commission to adopt delegated acts specifying that products with the core functionality of a category in Annex IV must obtain:

a European cybersecurity certificate at assurance level at least 'substantial' under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity requirements.

Until the relevant delegated acts have been adopted, Article 8(1) last paragraph states that:

products with digital elements which have the core functionality of a product category as set out in Annex IV shall be subject to the conformity assessment procedures referred to in Article 32(3).

Article 32(3) requires Module B+C, Module H, or a European cybersecurity certification scheme at assurance level 'substantial'.

Annex IV — Critical products with digital elements

The current Annex IV lists:

  1. Hardware Devices with Security Boxes
  2. Smart meter gateways within smart metering systems (as defined in Directive (EU) 2019/944), and other devices for advanced security purposes, including for secure cryptoprocessing
  3. Smartcards or similar devices, including secure elements

Current obligation (pending delegated act)

Until the Commission adopts the delegated act mandating EUCC certification for a specific Annex IV category:

  • Manufacturers of critical products must follow an Article 32(3) conformity assessment procedure (Module B+C, Module H, or EUCC if available and applicable)
  • A notified body is always required for critical products

Obligation once delegated act is in force

Once the Commission's delegated act is adopted and its transitional period expires (minimum 6 months):

  • The product must be certified under the specified European cybersecurity certification scheme at assurance level 'substantial' or above
  • EUCC certification replaces the obligation to undergo a separate third-party conformity assessment for the corresponding requirements

Evidence you may need

  • Product classification analysis with reference to Annex IV categories
  • Notified body engagement letter / certification contract
  • EU-type examination certificate (Module B) or quality assurance certificate (Module H)
  • EUCC certificate (once delegated act is in force)