Blackfort Technology

CRA Product Classes: How Is Your Product Classified — and What Does That Mean?

Blackfort Technology · Cyber Resilience Act knowledge

The Cyber Resilience Act (Regulation (EU) 2024/2847) divides products with digital elements into four risk classes. This classification determines which conformity assessment procedure a manufacturer must complete before the product may bear the CE marking and be placed on the EU market. This article explains the classes, provides typical examples, and shows which assessment path applies to each category.

Full product requirements under the CRA — including the CE marking obligation — apply from 11 December 2027. Manufacturers who determine now which class their product typically falls into gain valuable time for development adjustments, documentation, and, where necessary, engaging a notified body.

The Risk-Based Class System at a Glance

The CRA follows a risk-based approach: the more critical a product is to the security of users, infrastructure, or society, the stricter the requirements for demonstrating conformity. The basic structure:

Class Legal Basis Conformity Assessment Notified Body
Standard Default (not in Annex III/IV) Internal control (Module A) Not required
Important — Class I Annex III, Part I Self-assessment only if harmonised standards/common specifications applied; otherwise third-party assessment Conditionally required
Important — Class II Annex III, Part II EU type-examination (Module B) + conformity to type (Module C), or full quality assurance (Module H) Always required
Critical Annex IV Notified body involvement or mandatory EU cybersecurity certification scheme Always required

The specific product list for Classes I and II was further detailed through Implementing Regulation (EU) 2025/2392 of 28 November 2025 with technical descriptions. Since individual classifications may require interpretation, manufacturers should seek expert guidance when in doubt about their product's classification.

Standard Class: The Default — Self-Assessment Suffices

The majority of products with digital elements fall into the standard category. For these products, internal control under Module A is sufficient: the manufacturer assesses whether its product meets the essential cybersecurity requirements (Annex I CRA), creates the technical documentation, and draws up the EU declaration of conformity. Assessment by a notified body is not required.

Typical products in this category (non-exhaustive):

  • Simple mobile apps without safety-critical functions
  • Computer games
  • Smart speakers for home use
  • Memory chips without independent security functions
  • Smart home appliances (provided no Class I functions are performed)

Even for standard products, the following obligations apply: security by design, vulnerability handling, SBOM as part of technical documentation, and reporting obligations from 11 September 2026. Class membership only eases the conformity assessment path — it does not reduce the substantive security requirements.

Important Products — Class I: Self-Assessment Under Conditions

For Class I products (Annex III, Part I), self-assessment remains possible — but only if the manufacturer demonstrably applies harmonised standards, common specifications, or a recognised EU cybersecurity certification scheme. Without such evidence, a notified body must be involved.

In practice: manufacturers of Class I products who build on established technical standards (e.g., relevant ETSI standards once harmonised under the CRA) can avoid the cost and effort of third-party assessments. Those working without harmonised standards cannot avoid external assessment.

Typical Class I products (schematic — not a binding case-by-case determination):

  • Identity and access management (IAM) software
  • Browsers and browser-like products
  • Password managers
  • Malware detection and endpoint protection software
  • VPN products
  • Network management tools
  • SIEM systems
  • Boot managers and secure boot components
  • Public key infrastructure (PKI) and certificate management
  • Routers, modems, and switches
  • Microprocessors and microcontrollers with security-related functionalities

Important Products — Class II: Notified Body Always Required

Class II products (Annex III, Part II) are subject to significantly stricter requirements: involvement of a notified body is mandatory in all cases, regardless of whether harmonised standards are applied. The conformity assessment procedure follows either Module B + Module C (EU type-examination plus conformity to type) or Module H (full quality assurance).

For manufacturers, this means: capacity planning with notified bodies should begin early. With many manufacturers entering the market simultaneously, bottlenecks at accredited testing bodies are foreseeable.

Typical Class II products (schematic — not a binding case-by-case determination):

  • Hypervisors and container runtimes
  • Hardware firewalls and intrusion detection/prevention systems (IDS/IPS)
  • Tamper-resistant microprocessors
  • Tamper-resistant microcontrollers

Critical Products: Highest Conformity Requirements

Products in the "critical" class (Annex IV) carry the highest risk potential for security and critical infrastructure. Here, involvement of a notified body is mandatory without exception — or a mandatory EU cybersecurity certification scheme must be applied once one exists for the relevant product category.

Typical products in this category:

  • Smart cards and comparable products
  • Secure elements (hardware security modules at chip level)
  • Smart meter gateways

The Core Function Principle: What Drives Classification

Whether a product qualifies as "important" or "critical" depends not primarily on brand names or industry labels, but on the function actually performed. A product typically placed in the standard category may fall into a higher class if it simultaneously performs core functions of a Class I or Class II product (e.g., a device that combines home automation with PKI services).

Implementing Regulation (EU) 2025/2392 provides technical descriptions for classification. Since the final classification of a specific product depends on its function, deployment context, and technical characteristics, a structured assessment and classification analysis is advisable for complex products.

Conformity Assessment Procedures in Detail

Module A — Internal Control

The manufacturer creates technical documentation, assesses conformity internally, draws up the EU declaration of conformity, and affixes the CE marking. No external body involved. Permitted for standard products and conditionally for Class I products (when harmonised standards are applied).

Module B — EU Type-Examination

A notified body examines the product specimen and issues an EU type-examination certificate. Must be combined with Module C.

Module C — Conformity to Type

The manufacturer declares that its product conforms to the examined type. Requires a quality management system for production.

Module H — Full Quality Assurance

A notified body assesses the manufacturer's entire quality management system (design, manufacturing, final inspection) and monitors it on an ongoing basis. Alternative to Module B+C for Class II products.

Timeline and Strategic Recommendations

The deadlines are tight:

  • 11 September 2026: Reporting and notification obligations for actively exploited vulnerabilities and severe incidents apply — regardless of product class.
  • 11 December 2027: Full product requirements including CE marking and conformity assessment for all classes.

Manufacturers of Class II and critical products should begin their classification analysis now, as audit capacity at notified bodies is limited and building a CRA-compliant quality management system typically takes several months. Manufacturers of Class I products benefit from clarifying early whether applicable harmonised standards exist — this determines the effort required for conformity assessment.

For an initial check of whether your product falls within the scope of the CRA at all, the interactive applicability check is a good starting point. We are happy to discuss the specific classification and the appropriate conformity path in an initial consultation.

Further Reading

Frequently asked questions

How do I find out which CRA product class my product falls into?
The starting point is Annex III of the CRA (important products, Classes I and II) and Annex IV (critical products). Implementing Regulation (EU) 2025/2392 provides more detailed technical descriptions. The decisive factor is the function actually performed by the product, not its brand name. Since classification may require interpretation, a structured classification analysis with expert support is advisable for complex products.
Do I always need a notified body for a Class I product?
No — for Class I products, self-assessment is possible if the manufacturer demonstrably applies harmonised standards, common specifications, or a recognised EU cybersecurity certification scheme. Without such evidence, involvement of a notified body is mandatory.
What is the difference between Module B+C and Module H?
Both procedures are permitted for Class II products and require a notified body. Module B+C focuses at the product level: the notified body examines the type specimen (Module B), and the manufacturer then confirms series conformity (Module C). Module H is process-oriented: the notified body assesses and monitors the manufacturer's entire quality management system across design, manufacturing, and final inspection. Which path is more suitable depends on existing QMS structures and product complexity, among other factors.
Do the product class requirements already apply before 11 December 2027?
The CE marking obligation and full product requirements apply from 11 December 2027. However, reporting and notification obligations (actively exploited vulnerabilities, severe incidents) apply from 11 September 2026 — regardless of product class. Manufacturers should therefore clarify their classification early and build reporting processes in parallel.
What does Implementing Regulation (EU) 2025/2392 mean for classification?
Implementing Regulation (EU) 2025/2392 of 28 November 2025 provides detailed technical descriptions for Class I, II, and critical products. It is the authoritative reference when Annexes III and IV of the base CRA text allow multiple interpretations for a specific product. The precise classification of individual products should therefore always take this implementing regulation into account.

Let's talk about your CRA readiness

Unsure which class your product falls into? Christian Gebhardt, Managing Director of Blackfort Technology and co-author of the ACS/BSI guide on pentesting LLMs, supports manufacturers with CRA classification and selecting the right conformity path. Request a no-obligation initial consultation now.

Request a first call Check eligibility
The content on this website provides general technical and organizational information on the Cyber Resilience Act (Regulation (EU) 2024/2847) and does not constitute legal advice. Blackfort Technology provides technical/organizational IT-security and compliance consulting, not legal services.