The first question every manufacturer needs to answer about CRA is not "what do I need to implement" - it is "what category is my product." Everything else follows from that: the compliance process, whether you need a third-party auditor, your realistic timeline, and your exposure if something goes wrong.
Most manufacturers assume they are in the Default category. Most of them are right - but not all, and the ones who get this wrong tend to find out late.
If you are new to CRA, our complete guide to the EU Cyber Resilience Act covers the full regulation, deadlines, and technical requirements in detail.
## The four categories
CRA divides all products with digital elements into four tiers based on cybersecurity risk.
Default is the baseline. Any product not explicitly listed as Important or Critical falls here by definition. The large majority of consumer and industrial IoT devices are Default. Self-assessment is sufficient - you evaluate your own product, prepare the documentation, sign the Declaration of Conformity, and apply CE marking. No third-party auditor required.
Important Class I covers products with functions that carry elevated cybersecurity risk. Self-assessment is permitted if you apply harmonised standards. If you do not use harmonised standards, third-party assessment is required.
Important Class II is the higher criticality tier. Third-party conformity assessment by a Notified Body is mandatory regardless of whether you follow harmonised standards. No self-assessment route exists for Class II.
Critical products require a European cybersecurity certification scheme - currently EUCC. This tier covers hardware security modules, root CA software, and smart card readers for PKI. Most manufacturers reading this will not be in this category.
## What the Important category actually covers
In December 2025, the European Commission published Implementing Regulation (EU) 2025/2392, which gives technical definitions for all 26 Important and Critical product categories listed in CRA Annex III and Annex IV. This regulation entered into force in December 2025 and removes most of the ambiguity that existed in the original CRA text.
Important Class I includes, among others:
- Smart home products with security functions - smart locks, connected doorbells, home alarm systems, access control devices
- Baby monitors and child-monitoring devices with network connectivity
- Internet-connected toys with interactive features or location tracking
- Wearables designed for health monitoring or used by children
- Personal virtual assistants (stand-alone smart speakers, home hubs)
- Home routers and network switches intended for consumer or small business use
- Microcontrollers and microprocessors used in security-sensitive applications
Important Class II includes, among others:
- Firewalls, intrusion detection and prevention systems
- Hypervisors and container runtime environments
- VPN products
- Hardware designed to provide tamper-resistance or attestation
- Industrial automation and control components used in critical infrastructure contexts
One clarification that comes up often: if your product contains a component that would itself qualify as Important, that does not automatically make your product Important. Classification is based on the core functionality of the product as a whole. A smart thermostat that uses a microcontroller with security features is still classified based on what the thermostat does - not on the chip inside it.
## The cases that cause confusion
Smart locks and access control. These are explicitly Important Class I in the implementing regulation. If your product controls physical access - a door, a gate, a barrier - it is not Default. This surprises some manufacturers who think of these as simple consumer devices.
Security cameras and video doorbells. Also Class I. The combination of network connectivity, video capture, and potential for surveillance places them in the elevated risk tier.
Industrial sensors with network connectivity. These are often Default, but context matters. A sensor feeding into a building management system is different from a sensor embedded in critical infrastructure. If your device operates in an industrial automation context, review the Class II definitions carefully before assuming Default.
Home routers. Consumer and small business routers are Class I, not Default. If you make networking equipment, your compliance path involves harmonised standards or third-party assessment.
Software products. CRA applies to standalone software as well as hardware. A firmware update tool, a device management application, or a security monitoring agent can all be in scope. Classification for software follows the same functional logic - what does it do, and what is the security impact if it is compromised?
## Why getting the classification wrong is expensive
The practical consequence of misclassifying a product as Default when it is Class I is that your self-assessment Declaration of Conformity does not satisfy the legal requirements. The CE marking on the product is invalid. Market surveillance authorities can challenge it, require corrective measures, or in serious cases order the product off the market.
The practical consequence of misclassifying a product as Class I when it is Class II is the same problem compounded: you went through a self-assessment process when a Notified Body was mandatory. Your certification is void.
Getting this right at the start is cheaper than discovering it during an audit or after a market entry challenge.
## How to classify your product in practice
Step 1 - Read Annex III of the CRA and Implementing Regulation 2025/2392. Annex III lists the high-level Important product categories. The implementing regulation provides the technical definitions. Read both. If your product clearly does not appear in either list, you are Default.
Step 2 - Apply the functional test. What is the core function of your product? Not what components it contains - what does it do? Classification follows function.
Step 3 - Consider the use context. The same hardware running different firmware in different deployment contexts can have different classifications. Industrial automation components used in critical infrastructure sectors may attract Class II treatment even if the base hardware would otherwise be Class I.
Step 4 - Document your reasoning. Whether you conclude Default or Important, write down how you reached that conclusion and which Annex III categories you considered and ruled out. This is part of your technical documentation and is what you would present to a market surveillance authority if your classification were challenged.
Step 5 - Get a formal opinion if you are uncertain. If your product sits in a grey area - and some genuinely do - get a qualified opinion before proceeding. The cost of a classification review is far lower than the cost of redoing your compliance process after the fact.
## What changes based on category
To make the practical difference concrete:
| Path | Who it applies to | Notified Body required? |
|---|---|---|
| Default | Products not in Annex III | No - self-assessment only |
| Important Class I (with harmonised standards) | Listed Class I products | No - self-assessment permitted |
| Important Class I (without harmonised standards) | Listed Class I products | Yes - third-party assessment |
| Important Class II | Listed Class II products | Yes - always mandatory |
On the timeline side: if your product is Class II and you need CE marking before December 2027, the Notified Body assessment needs to start well before Q3 2027. As of June 11, 2026, Notified Bodies are officially designated across EU member states - but their queues will fill. Do not assume a six-week turnaround.
Regardless of your category, the September 11, 2026 vulnerability reporting deadline applies to all products currently on the EU market - Default, Class I, and Class II alike. That deadline is closer and operationally more demanding than most manufacturers expect.
## FAQ
My product contains a chip designed for security applications. Does that make my product Important? Not automatically. Classification is based on the function of the product as a whole, not on the components it contains. If the product itself does not perform a security function as its core purpose, the embedded security chip does not elevate the classification.
We sell the same hardware in consumer and industrial versions. Do they have the same CRA category? Not necessarily. The use context and deployment environment can affect classification. Review each product variant separately against the Annex III categories and the implementing regulation definitions.
The implementing regulation was only published in December 2025. Does it apply now? Yes. It entered into force on 21 December 2025 and the technical descriptions it provides are the operative definitions for classification purposes.
What if no harmonised CRA standards exist yet for my product type? This is a real issue. Harmonised standards for CRA are still being developed. Until they are published in the Official Journal, manufacturers in Class I can either apply existing relevant standards (EN 303 645, IEC 62443 series, ISO/IEC 27001) and document the mapping, or use third-party assessment. The absence of harmonised standards does not exempt you from compliance.
How long does Notified Body assessment take for Class II products? This varies by body and product complexity. Estimates in the market range from 3 to 6 months for a straightforward product. If you are in Class II and need CE marking before December 2027, the assessment process needs to start well before Q3 2027.
Sources:

- CRA Regulation (EU) 2024/2847 - Annex III and Annex IV
- Commission Implementing Regulation (EU) 2025/2392 - technical descriptions for Important and Critical product categories
- European Commission CRA overview
Valentyna Shulga, CEO at Platanor Technologies. Platanor works with IoT and hardware manufacturers on the embedded security architecture and CRA compliance documentation - including product classification reviews. Reach us at platanor.com/contact.
