
Default, Important or Critical? Find your CRA product class


Not every product under the Cyber Resilience Act is treated the same. The CRA sorts products with digital elements into tiers, and your tier decides one thing that matters a lot: whether you can sign off your own compliance, or whether an independent body has to. Here is how to find where your product sits.

The key points

  • The CRA has four tiers: default, important Class I, important Class II, and critical.
  • Default covers roughly 90% of products - you self-assess.
  • Important products (Annex III) are security-sensitive; critical products (Annex IV) are the highest risk.
  • The higher the tier, the stricter the conformity assessment - up to a possible mandatory EU cybersecurity certificate.

Default: most products

If your product is not named in Annex III or Annex IV, it is in the default category - about nine in ten products with digital elements. You still have to meet every essential requirement (security by design, an SBOM, vulnerability handling, updates), but you can demonstrate conformity yourself through internal control. Think general productivity apps, most connected consumer electronics, photo editing software.

Important - Class I (Annex III)

These products perform a security-relevant function, so a failure has outsized consequences. Examples named by the Commission include web browsers, password managers, VPNs, operating systems, identity and access management systems, network management tools, and smart-home security devices such as connected locks, cameras and baby monitors.

For Class I you can still self-assess if you fully apply the relevant harmonised standards or common specifications. If you do not, you need a third-party (notified body) assessment.

Important - Class II (Annex III)

Class II is the higher-risk band of "important". Examples include firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors and microcontrollers. Here, self-assessment alone is not enough - a third-party conformity assessment is required.

Critical (Annex IV)

The critical tier covers products that essential services depend on and whose compromise could cause widespread disruption: hardware security modules (HSMs), smartcards and secure elements, and smart meter gateways. These face the strictest route, and the Commission can require them to hold a European cybersecurity certificate before they can be sold.

A quick way to place your product

  1. Is it a product with digital elements at all? That means software, or hardware with software, that can connect directly or indirectly to a device or network. Pure SaaS and a few sectoral categories (medical devices, vehicles, aviation, marine) are out of scope.
  2. Is it named in Annex IV? If yes, it is critical.
  3. Is it named in Annex III? If yes, it is important - check whether it is Class I or Class II.
  4. Otherwise it is default - self-assessment, but all the essential requirements still apply.

One caveat: the technical descriptions of the Annex III and IV categories are still being refined by Commission acts, so treat any borderline call as provisional and re-check against the official lists.

This is general guidance on the Cyber Resilience Act, not legal advice. Confirm specifics against the official sources below or with a qualified adviser.


Sources: European Commission - CRA legislative summary, European Commission - Cyber Resilience Act, Regulation (EU) 2024/2847 (EUR-Lex).