CRA Product Classes: How Is Your Product Classified — and What Does That Mean?
The Cyber Resilience Act (Regulation (EU) 2024/2847) divides products with digital elements into four risk classes. This classification determines which conformity assessment procedure a manufacturer must complete before the product may bear the CE marking and be placed on the EU market. This article explains the classes, provides typical examples, and shows which assessment path applies to each category.
Full product requirements under the CRA — including the CE marking obligation — apply from 11 December 2027. Manufacturers who determine now which class their product typically falls into gain valuable time for development adjustments, documentation, and, where necessary, engaging a notified body.
The Risk-Based Class System at a Glance
The CRA follows a risk-based approach: the more critical a product is to the security of users, infrastructure, or society, the stricter the requirements for demonstrating conformity. The basic structure:
| Class | Legal Basis | Conformity Assessment | Notified Body |
|---|---|---|---|
| Standard | Default (not in Annex III/IV) | Internal control (Module A) | Not required |
| Important — Class I | Annex III, Part I | Self-assessment only if harmonised standards/common specifications applied; otherwise third-party assessment | Conditionally required |
| Important — Class II | Annex III, Part II | EU type-examination (Module B) + conformity to type (Module C), or full quality assurance (Module H) | Always required |
| Critical | Annex IV | Notified body involvement or mandatory EU cybersecurity certification scheme | Always required |
The specific product list for Classes I and II was further detailed through Implementing Regulation (EU) 2025/2392 of 28 November 2025 with technical descriptions. Since individual classifications may require interpretation, manufacturers should seek expert guidance when in doubt about their product's classification.
Standard Class: The Default — Self-Assessment Suffices
The majority of products with digital elements fall into the standard category. For these products, internal control under Module A is sufficient: the manufacturer assesses whether its product meets the essential cybersecurity requirements (Annex I CRA), creates the technical documentation, and draws up the EU declaration of conformity. Assessment by a notified body is not required.
Typical products in this category (non-exhaustive):
- Simple mobile apps without safety-critical functions
- Computer games
- Smart speakers for home use
- Memory chips without independent security functions
- Smart home appliances (provided no Class I functions are performed)
Even for standard products, the following obligations apply: security by design, vulnerability handling, SBOM as part of technical documentation, and reporting obligations from 11 September 2026. Class membership only eases the conformity assessment path — it does not reduce the substantive security requirements.
Important Products — Class I: Self-Assessment Under Conditions
For Class I products (Annex III, Part I), self-assessment remains possible — but only if the manufacturer demonstrably applies harmonised standards, common specifications, or a recognised EU cybersecurity certification scheme. Without such evidence, a notified body must be involved.
In practice: manufacturers of Class I products who build on established technical standards (e.g., relevant ETSI standards once harmonised under the CRA) can avoid the cost and effort of third-party assessments. Those working without harmonised standards cannot avoid external assessment.
Typical Class I products (schematic — not a binding case-by-case determination):
- Identity and access management (IAM) software
- Browsers and browser-like products
- Password managers
- Malware detection and endpoint protection software
- VPN products
- Network management tools
- SIEM systems
- Boot managers and secure boot components
- Public key infrastructure (PKI) and certificate management
- Routers, modems, and switches
- Microprocessors and microcontrollers with security-related functionalities
Important Products — Class II: Notified Body Always Required
Class II products (Annex III, Part II) are subject to significantly stricter requirements: involvement of a notified body is mandatory in all cases, regardless of whether harmonised standards are applied. The conformity assessment procedure follows either Module B + Module C (EU type-examination plus conformity to type) or Module H (full quality assurance).
For manufacturers, this means: capacity planning with notified bodies should begin early. With many manufacturers entering the market simultaneously, bottlenecks at accredited testing bodies are foreseeable.
Typical Class II products (schematic — not a binding case-by-case determination):
- Hypervisors and container runtimes
- Hardware firewalls and intrusion detection/prevention systems (IDS/IPS)
- Tamper-resistant microprocessors
- Tamper-resistant microcontrollers
Critical Products: Highest Conformity Requirements
Products in the "critical" class (Annex IV) carry the highest risk potential for security and critical infrastructure. Here, involvement of a notified body is mandatory without exception — or a mandatory EU cybersecurity certification scheme must be applied once one exists for the relevant product category.
Typical products in this category:
- Smart cards and comparable products
- Secure elements (hardware security modules at chip level)
- Smart meter gateways
The Core Function Principle: What Drives Classification
Whether a product qualifies as "important" or "critical" depends not primarily on brand names or industry labels, but on the function actually performed. A product typically placed in the standard category may fall into a higher class if it simultaneously performs core functions of a Class I or Class II product (e.g., a device that combines home automation with PKI services).
Implementing Regulation (EU) 2025/2392 provides technical descriptions for classification. Since the final classification of a specific product depends on its function, deployment context, and technical characteristics, a structured assessment and classification analysis is advisable for complex products.
Conformity Assessment Procedures in Detail
Module A — Internal Control
The manufacturer creates technical documentation, assesses conformity internally, draws up the EU declaration of conformity, and affixes the CE marking. No external body involved. Permitted for standard products and conditionally for Class I products (when harmonised standards are applied).
Module B — EU Type-Examination
A notified body examines the product specimen and issues an EU type-examination certificate. Must be combined with Module C.
Module C — Conformity to Type
The manufacturer declares that its product conforms to the examined type. Requires a quality management system for production.
Module H — Full Quality Assurance
A notified body assesses the manufacturer's entire quality management system (design, manufacturing, final inspection) and monitors it on an ongoing basis. Alternative to Module B+C for Class II products.
Timeline and Strategic Recommendations
The deadlines are tight:
- 11 September 2026: Reporting and notification obligations for actively exploited vulnerabilities and severe incidents apply — regardless of product class.
- 11 December 2027: Full product requirements including CE marking and conformity assessment for all classes.
Manufacturers of Class II and critical products should begin their classification analysis now, as audit capacity at notified bodies is limited and building a CRA-compliant quality management system typically takes several months. Manufacturers of Class I products benefit from clarifying early whether applicable harmonised standards exist — this determines the effort required for conformity assessment.
For an initial check of whether your product falls within the scope of the CRA at all, the interactive applicability check is a good starting point. We are happy to discuss the specific classification and the appropriate conformity path in an initial consultation.
Further Reading
- Clarify applicability first, then classification — systematic steps for manufacturers, importers, and distributors
- SBOM requirements by product class — which software bill of materials depth is typically expected per class
- Conformity assessment in full overview — all CRA obligations at a glance
Frequently asked questions
How do I find out which CRA product class my product falls into?
Do I always need a notified body for a Class I product?
What is the difference between Module B+C and Module H?
Do the product class requirements already apply before 11 December 2027?
What does Implementing Regulation (EU) 2025/2392 mean for classification?
Let's talk about your CRA readiness
Unsure which class your product falls into? Christian Gebhardt, Managing Director of Blackfort Technology and co-author of the ACS/BSI guide on pentesting LLMs, supports manufacturers with CRA classification and selecting the right conformity path. Request a no-obligation initial consultation now.
Request a first call Check eligibility