Product classification
Under the CRA, products with digital elements are classified into four tiers. The classification determines which conformity assessment route applies. Most products are Default. Only those explicitly listed in Annexes III and IV are Important or Critical.
Default
Any product with digital elements not listed in Annexes III or IV. The vast majority of consumer IoT, enterprise software, and industrial devices fall here.
Conformity assessment
Module A (self-assessment)
Example products
- Smart home appliances not in Annex III
- Consumer mobile apps (non-Annex-III functions)
- General-purpose server software
- Industrial sensors without critical infrastructure role
Important — Class I
Products listed in Annex III, Class I — those posing a significant cybersecurity risk to the EU. Includes identity management software, browsers, password managers (lightweight variant), and network management tools.
Conformity assessment
Module A (if harmonised standards applied); otherwise Module B+C or H
Example products
- Identity management and privileged access management software
- Standalone and embedded browsers
- Password managers
- Network and application firewalls (lower tier)
- Microcontrollers and microprocessors (general purpose)
- Physical and virtual network interface controllers (NICs)
- Operating systems for general use
Important — Class II
Higher-risk products listed in Annex III, Class II — including hypervisors, TPMs, smart meter gateways, and industrial/critical-infrastructure-adjacent devices. A notified body must always be involved.
Conformity assessment
Module B+C or H (notified body required)
Example products
- Hypervisors and container runtime engines
- Trusted Platform Modules (TPMs)
- Firewalls and IDS/IPS for industrial/critical infrastructure use
- Secure elements
- Smart meter gateways
- Industrial automation and control system software
- Remote access software
Critical
The highest-risk products listed in Annex IV — hardware devices with security boxes, smart cards, and specialised hardware security modules. Subject to the strictest conformity assessment requirements.
Conformity assessment
Module B+C or H (notified body required) — or EU cybersecurity certification
Example products
- Hardware security modules (HSMs)
- Smart cards and smart card readers
- Hardware devices with security boxes (tamper-evident/tamper-resistant)
- Specialised cryptographic processors
Conformity assessment routes
| Class | Module A | Module B+C / H | EU Cybersecurity Certification |
|---|---|---|---|
| Default | ✓ Always available | Optional | Optional |
| Important — Class I | If harmonised standards applied | Required if no harmonised standards | Alternative |
| Important — Class II | ✗ Not available | ✓ Required | Alternative |
| Critical | ✗ Not available | ✓ Required | Alternative (when adopted) |
EU cybersecurity certification schemes under Regulation (EU) 2019/881 (EUCC etc.) may substitute for Module B+C/H once the relevant implementing act is adopted. Until then, this route is shown as a placeholder.