CRA Compliance Starts with Product Classification: How to Define Your Product Under the Cyber Resilience Act

As the European Union’s Cyber Resilience Act (CRA) moves toward full implementation, manufacturers across multiple industries are assessing its impact on their products and development processes. A fundamental question often arises at the outset of any CRA project: “What category does my product belong to under the CRA?”
This seemingly straightforward question often masks a common misunderstanding of the CRA’s classification framework. Unlike many traditional EU regulations that classify products based on names or market segments, the CRA adopts a functionality-based approach. This requires manufacturers to first determine if a product falls within the regulation’s scope and then assess its core functionality [1].
Step 1: Determine Whether the Product Falls Within CRA Scope
Before delving into specific product categories, the initial inquiry for manufacturers should be: “Does my product fall within the scope of the CRA?” The CRA applies to Products with Digital Elements (PDEs). Generally, products containing software, firmware, or digital processing capabilities that can connect directly or indirectly to other devices or networks are likely considered PDEs. Common examples include routers, switches, IP cameras, industrial gateways, PLCs, smart home devices, NAS systems, and AI servers.
However, it is crucial to note that not all products with digital functionality are subject to the CRA [2].
Step 2: Identify Whether the Product Falls Under an Exclusion
The CRA is not intended to regulate every digital product on the market. Certain product categories are already governed by sector-specific EU legislation and are therefore either fully or partially excluded from the CRA framework. Examples of such exclusions include:
- Medical Devices: Governed by the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), such as patient monitors and diagnostic equipment.
- Automotive Products: Governed by UNECE R155 and UNECE R156, including vehicle ECUs and connected vehicle systems.
- Aviation, Maritime, and Defense Products: These are typically subject to their own dedicated regulatory frameworks.
Determining regulatory applicability is often the first critical step in any CRA compliance project [1].
Step 3: CRA Does Not Classify Products by Name
Once a product is confirmed to be within CRA scope, manufacturers often inquire whether it is a Default Product, an Important Product, or a Critical Product. A common pitfall is to classify products solely based on their commercial name or marketing description (e.g., “Router,” “Gateway,” “Server”).
However, according to Commission Implementing Regulation (EU) 2025/2392, classification is determined by a product’s Core Functionality, not its commercial designation [1][3]. This regulation further clarifies that integrating components or functions associated with another category does not automatically alter the classification of the overall product. For instance, a router may integrate firewall functionality, or an operating system may include browser functionality. Nevertheless, the final classification must be based on the product’s primary or core functionality.
Step 4: Determine Whether the Product Is a Default, Important, or Critical Product
After identifying the product’s core functionality, manufacturers can compare it against the categories listed in CRA Annex III (Important Products) and Annex IV (Critical Products) [2][4]. The CRA framework generally categorizes products as follows:
CRA Product Categories at a Glance

It is vital to remember that actual classification must always be based on the product’s core functionality. The same product name might fall into different categories depending on its design, intended purpose, and security role within the ecosystem.
- Default Products: These are products not explicitly listed in Annex III or Annex IV. Examples include standard IP cameras, NVRs, general NAS systems, and many IoT devices. These products are still subject to CRA requirements but are not categorized as Important or Critical Products.
- Important Products – Class I: As per CRA Annex III and Implementing Regulation (EU) 2025/2392, this class includes identity management systems, password managers, VPN products, operating systems, routers, switches, and internet modems [3][4].
- Important Products – Class II: This class covers products performing highly significant cybersecurity functions, such as hypervisors, container runtime systems, firewalls, intrusion detection/prevention systems (IDS/IPS), and tamper-resistant microprocessors [3][4].
- Critical Products: Listed in CRA Annex IV, these products often serve as foundational trust anchors within digital ecosystems. Examples include Hardware Security Modules (HSMs), Smart Meter Gateways, Secure Elements, and Trusted Platform Modules (TPMs) [3][4].
A Common Misconception About CRA Classification
Many manufacturers mistakenly assume that “Class I,” “Class II,” and “Critical” represent a traditional risk-ranking system. However, the CRA framework is more accurately understood as a product category classification system rather than a pure risk classification model [1]. The European Commission assigns categories based on a product’s core functionality and its role within the broader digital ecosystem, not necessarily its inherent risk level.

Conclusion
Product classification and regulatory applicability analysis are often the starting point for a successful CRA compliance strategy. Before initiating detailed compliance activities, manufacturers should prioritize answering four key questions:
- Is the product a Product with Digital Elements (PDE)?
- Does any CRA exclusion apply?
- What is the product’s Core Functionality?
- Does the product fall under Annex III or Annex IV?
Commission Implementing Regulation (EU) 2025/2392 delivers a clear message to the industry: CRA classification is driven by a product’s Core Functionality, not by its product name, marketing description, or form factor [3]. For manufacturers, establishing the correct product positioning at the beginning of a CRA project is the foundation for effective compliance planning, resource allocation, and long-term cybersecurity governance.
References
[1] European Commission – Cyber Resilience Act Summary: https://digital-strategy.ec.europa.eu/en/policies/cra-summary
[2] European Commission – Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[3] Commission Implementing Regulation (EU) 2025/2392: https://eur-lex.europa.eu/eli/reg_impl/2025/2392/oj/eng
[4] Cyber Resilience Act Annex III & IV (European-Cyber-Resilience-Act.com): https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_3.html and https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_4.html
