How to Classify Your Product Under the CRA
The CRA defines three product risk categories — Default, Class I Important, and Class II Important — with different conformity assessment routes. Getting your classification right determines whether you can self-certify or need a notified body.
Why Product Classification Matters
Under the CRA, not all products with digital elements carry the same compliance burden. The regulation defines three risk categories, each with different conformity assessment requirements. Misclassifying your product — particularly under-classifying it — can result in invalid CE marking and significant enforcement risk.
The Three Categories
Default Products
The vast majority of products with digital elements fall into the default category. These products can self-certify using Module A (internal production control) — no third-party notified body is required. The manufacturer conducts their own assessment against Annex I requirements, draws up a technical file, signs the EU Declaration of Conformity, and affixes CE marking.
Examples: consumer IoT devices not listed in Annex III, general-purpose software applications, smart home devices.
Class I Important Products (Annex III, List 1)
Class I products pose a higher cybersecurity risk due to their function or the systems they protect. They require either enhanced self-assessment (including independent third-party review of the technical file) or third-party assessment. Class I products include:
- Identity and access management software and hardware
- Browsers
- Password managers
- Security information and event management (SIEM) systems
- VPNs and network management software
- Routers and modems intended for consumer use
Class II Important Products (Annex III, List 2)
Class II products carry the highest risk and must be assessed by an accredited notified body. Class II includes:
- Server and desktop operating systems
- Industrial IoT and industrial automation systems
- Safety-critical industrial control systems
- Smartcards and secure elements
- Network interface cards used in critical infrastructure
The Classification Decision Process
- Is it a product with digital elements (PDE)? — Does the product have a logical or physical data connection to another device or network? If no, the CRA does not apply.
- Is it listed in Annex III? — Check both the Class I and Class II lists. Annex III descriptions may require some interpretation; ENISA guidance and delegated acts will provide further clarity.
- What is your intended use? — The same hardware component may be classified differently depending on whether it is marketed for consumer, industrial, or critical infrastructure use.
- Is it a critical product? — A small category of highly critical products may be subject to additional requirements under EU Implementing Acts.
Practical Steps
- Use CRAReady's CRA Assessment module to work through the classification decision tree
- Document your classification rationale — market surveillance authorities may request it
- Review classification when you update the product significantly — a new connectivity feature may change the risk profile
- Monitor ENISA guidance and Commission delegated acts, which will refine Annex III definitions over time