CRA Product Classification: Default, Class I, Class II, and Critical
Your product's risk class under the Cyber Resilience Act determines which conformity assessment route you must follow — from self-certification through to full EU cybersecurity certification. This guide explains how to determine your class and what it means in practice.
| Class | Listed in | Conformity route |
|---|---|---|
| Default | Not in Annex III/IV | Self-assessment (Module A) |
| Important — Class I | Annex III, Class I | Harmonised standard + self-cert, OR 3rd-party audit |
| Important — Class II | Annex III, Class II | Notified Body (mandatory) |
| Critical | Annex IV | EUCC Certification |
Default
Annex III — not listed
Or harmonised standard conformity where applicable
The vast majority of products fall into the Default class. These products present a lower cybersecurity risk and can self-certify compliance. The full Annex I requirements still apply — it is only the conformity assessment route that is lighter.
Examples
- Smart home devices (thermostats, lights, cameras)
- General-purpose consumer software
- Productivity and office applications
- Network-attached storage devices
- Consumer routers (most)
- Wearables without significant security functions
Important — Class I
Annex III, Class I
Self-assessment only permitted if a harmonised standard is applied in full
Class I products have significant cybersecurity risk profiles due to their function (identity, access control, network security) or their prevalence. Manufacturers must either apply a harmonised standard and self-certify, or submit to a third-party conformity assessment.
Examples
- Identity management software and identity providers
- Password managers
- Web browsers
- Firewalls and IDS/IPS (non-industrial)
- VPNs and remote access solutions
- Mobile device management (MDM) software
- Operating systems for servers and desktops
- Network management software
- SIEM systems
Important — Class II
Annex III, Class II
No self-assessment option regardless of harmonised standards
Class II products are deemed higher-risk critical infrastructure components. Their compromise could have significant impact across sectors. All Class II products require mandatory assessment by an EU-recognised Notified Body.
Examples
- Hypervisors and container runtime environments
- Public Key Infrastructure (PKI) and certificate authorities
- Hardware security modules (HSMs)
- Industrial Intrusion Detection Systems
- Industrial firewalls and DMZs
- Safety-critical embedded systems (IEC 62443 scope)
- Tamper-resistant microprocessors
- Secure boot components
Critical
Annex IV
Under the EU Cybersecurity Act (ENISA EUCC scheme)
Critical products are those whose compromise could cause widespread harm to critical infrastructure, national security, or public safety. They require full EUCC certification — the most rigorous conformity assessment available under EU cybersecurity law.
Examples
- Smart meter gateways
- Secure elements (SEs) and secure enclaves
- Hardware security modules for critical infrastructure
- Smart cards for government/identity programmes
- Tamper-resistant hardware with security functions for critical infrastructure
How to Determine Your Product's Class
Classification follows a three-step process:
1. Check Annex IV first. If your product is listed in Annex IV (smart meter gateways, secure elements, HSMs for critical infrastructure, smart cards), it is Critical. This is a short list.
2. Check Annex III. If your product category appears in Annex III, Class I or Class II, it is Important. Read the class definitions carefully — many products that sound like they might qualify do not because of scope qualifications (e.g. 'used in critical infrastructure' or 'with direct network access').
3. Default if not listed. If your product does not appear in Annex III or IV, it is Default. The full Annex I security requirements still apply — only the conformity assessment route is lighter.
Tip: The CRAReady assessment wizard walks through the classification questions step by step and produces a documented result you can include in your technical file. It takes 5 minutes.