
CRA Product Classification: Default, Important Class I, Important Class II, or Critical?

Getting your CRA product classification right determines whether you can self-certify or need a notified body. This guide walks through the decision process for all three risk categories.

CRAReady Team

Why Classification Matters

The CRA defines three risk categories, each with different conformity assessment requirements. Misclassifying your product -- particularly under-classifying it -- can result in invalid CE marking and significant enforcement risk.

Default Products

The vast majority of products fall into the default category. These can self-certify using Module A (internal production control) -- no third-party notified body required. The manufacturer conducts its own assessment, draws up a technical file, signs the EU Declaration of Conformity (DoC), and affixes the CE marking.

Examples: consumer IoT devices not listed in Annex III, general-purpose software applications, smart home devices without safety-critical functions.

Important Products -- Class I (Annex III, List 1)

Class I products pose a higher cybersecurity risk and require either enhanced self-assessment (including independent third-party review) or third-party assessment. Class I includes: identity and access management software and hardware, browsers, password managers, SIEM systems, VPNs and network management software, and consumer routers and modems.

Important Products -- Class II (Annex III, List 2)

Class II products mandate assessment by an accredited notified body. Class II includes: server and desktop operating systems, industrial IoT and automation systems, safety-critical industrial control systems, smartcards and secure elements, and network interface cards used in critical infrastructure.

The Classification Decision Process

  1. Is it a product with digital elements (PDE)? Does the product have a data connection to another device or network? If no, the CRA does not apply.
  2. Is it listed in Annex III? Check both Class I and Class II lists carefully.
  3. What is the intended use context? The same hardware may be classified differently for consumer vs critical infrastructure use.
  4. Has the rationale been documented? Market surveillance authorities may request the reasoning.

Common Misclassification Mistakes

  - VPNs classified as default (they are explicitly Class I).
  - Consumer routers classified as default (they are Class I).
  - Applying the same classification across product variants when intended use differs.
  - Failing to reclassify when a significant product update changes the risk profile.
