CRA product classification
CRA product classes
Last updated · 8 Jun 2026
The EU Cyber Resilience Act puts every product with digital elements into one of four tiers. The tier decides your conformity route - whether you can self-assess or need an independent body to sign off. Search or filter below to find where your product sits. Regulation (EU) 2024/2847, Annexes III & IV
The four tiers
What each tier means
Default
Roughly 90% of products. Not listed in Annex III or IV. Conformity is normally self-assessed (internal control) - you still meet all essential requirements, you just sign off yourself.
Important - Class I
Annex III, Class I. Security-sensitive products. You may self-assess only if you fully apply the relevant harmonised standards/common specifications; otherwise a third-party (notified body) assessment is required.
Important - Class II
Annex III, Class II. Higher-risk. A third-party conformity assessment (or full quality-assurance / EU cybersecurity certification route) is required - self-assessment alone is not enough.
Critical
Annex IV. The highest-risk categories. Subject to the strictest route; the Commission can mandate a European cybersecurity certificate before they can be sold.
Tier definitions come from Regulation (EU) 2024/2847 (Annex III for important products, Annex IV for critical products). The Commission may refine these lists through delegated acts.
Representative list - not a legal substitute for the Annexes
23 products shown
| Product category | Group | Tier | Conformity route | Annex |
|---|---|---|---|---|
| Connected white goods (fridges, washers) | Consumer electronics | Default | Self-assessment (internal control) | - |
| Hard drives & general storage devices | Hardware | Default | Self-assessment (internal control) | - |
| Mobile / desktop games & productivity apps | Applications | Default | Self-assessment (internal control) | - |
| Photo / video editing softwareTypical of the ~90% of products in the default category. | Applications | Default | Self-assessment (internal control) | - |
| Smart speakers (without security functions) | Consumer electronics | Default | Self-assessment (internal control) | - |
| Container runtime systems | System software | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Identity & access management systems | Identity & access | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Internet-connected toys (with tracking / interactivity) | Smart home / IoT | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Network management / configuration systems | Network security | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Operating systems (desktop & mobile) | System software | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Password managers | Identity & access | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Personal wearables for health monitoring | Smart home / IoT | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Public key infrastructure & certificate issuers | Identity & access | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Smart home security devices (locks, cameras, baby monitors, alarms) | Smart home / IoT | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| VPN software / clients | Network security | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Web browsers | Applications | Important I | Harmonised standards → self-assess, else third-party | Annex III |
| Firewalls (for industrial / professional use) | Network security | Important II | Third-party assessment (notified body) | Annex III |
| Intrusion detection & prevention systems | Network security | Important II | Third-party assessment (notified body) | Annex III |
| Tamper-resistant microcontrollers | Hardware security | Important II | Third-party assessment (notified body) | Annex III |
| Tamper-resistant microprocessors | Hardware security | Important II | Third-party assessment (notified body) | Annex III |
| Hardware security modules (HSMs) | Hardware security | Critical | Strictest route; EU cybersecurity certificate may be required | Annex IV |
| Smart meter gateways | Critical infrastructure | Critical | Strictest route; EU cybersecurity certificate may be required | Annex IV |
| Smartcards & secure elements | Hardware security | Critical | Strictest route; EU cybersecurity certificate may be required | Annex IV |
This is guidance, not legal advice. Confirm your product's classification against the official Annexes or with a qualified adviser. Not sure if you are in scope?
Sources
- [1]Regulation (EU) 2024/2847 (Cyber Resilience Act) - Annex III (important products) and Annex IV (critical products)retrieved 8 Jun 2026
- [2]European Commission - CRA legislative summaryretrieved 8 Jun 2026
- [3]European Commission - Cyber Resilience Act policy pageretrieved 8 Jun 2026
The CRA Brief
Stay current on CRA deadlines and guidance
We watch Brussels so you don't. Plain-English CRA updates, free.
No spam. Unsubscribe anytime.