Blog | OCT 16, 2025
CRA Classification - How Does It Impact Your Requirements?
The EU’s Cyber Resilience Act (CRA) requires every product with digital elements, including IoT and OT products, to be classified as default, important, or critical. This classification decides how strict your conformity path will be: from simple self-assessment to mandatory EU certification. In this article, we explain what each category means in practice, what it costs, and how manufacturers can turn compliance into a market advantage.
The EU’s Cyber Resilience Act (CRA) is more than just another regulation: it is a rulebook that will reshape how connected products are built and maintained in Europe. At the heart of it lies one simple but decisive step: classification.
Every product with a digital element must be placed into a category. That category decides how much proof you need to show, which conformity path applies, and ultimately how complex your compliance journey will be.
Default / Non-Important Products
The vast majority of IoT devices, industry estimates suggest around 90%, will fall into the default or non-important category. This includes everyday products such as smart watches, smart toothbrushes, or connected toys.
What’s required:
• Compliance can be demonstrated through self-assessment using the internal control procedure (Annex VIII, Module A).
• Technical documentation (Annex VII) must be created and continuously updated.
• The product must carry the CE mark, backed by evidence in the documentation.
• Vulnerabilities and incidents still need to be handled and reported, with strict deadlines of 24 to 72 hours depending on severity.
What it means in practice: Being in the default category does not mean being exempt. Regulators expect records that can stand up to audits, consistent processes across product generations, and a clear support period of at least five years.
Takeaway: Default = simpler, not optional. Treat self-assessment as a structured internal audit. Build templates and repeatable processes now; they are your best defense if authorities come knocking.
Important Products – Class 1
Products move into the Important category when they perform security-critical or central system functions. At this level, manufacturers can no longer rely on self-assessment: third-party involvement becomes mandatory.
Examples of Class 1 Important Products:
• Identity and access management systems (including biometric readers)
• VPN products
• SIEM (Security Information and Event Management) systems
• Public Key Infrastructure (PKI) and certificate issuance software
• Operating systems
• Routers, modems, and switches for internet connectivity
• Microprocessors, microcontrollers, ASICs and FPGAs with security features
• Smart home devices with security functions (smart locks, cameras, baby monitors, alarms, virtual assistants)
What’s required:
• Conformity assessment via EU-type examination plus production control (Module B+C) or full quality assurance (Module H).
• Detailed Annex VII technical documentation: architecture diagrams, SBOM (Software Bill of Materials), vulnerability disclosure policy, update/rollback procedures, test results, and evidence of applied standards.
• CE marking remains mandatory, but now it must be backed by third-party reviewed evidence.
What it means in practice: Class 1 products often act as building blocks for larger systems. Their security posture directly affects other devices and networks. That’s why regulators demand independent oversight. Manufacturers should expect longer lead times to market and higher costs for certification, but also benefit from a stronger trust signal toward enterprise customers.
Takeaway: For Class 1, compliance is no longer an internal exercise. It’s an externally validated process. Manufacturers who treat it strategically, by integrating evidence collection and supplier obligations early in development, will not only pass audits faster but also position their products as market-ready, trustworthy solutions.
Important Products – Class 2
Class 2 covers products that directly control or protect system-level operations and therefore carry higher systemic risk. They are central to enterprise and industrial environments where compromise could have wide-reaching consequences.
Examples of Class 2 Important Products:
• Hypervisors and container runtime systems
• Firewalls and intrusion detection/prevention systems
• Tamper-resistant microprocessors
• Tamper-resistant microcontrollers
What’s required:
• Conformity assessment by a third party is mandatory, with stricter scrutiny than Class 1.
• Evidence must go beyond functional checks: security mechanisms, resilience under attack, and compliance with harmonised standards are expected.
• Full Annex VII technical documentation with clear mapping of risks to requirements, penetration testing results, and update/rollback procedures.
• Continuous monitoring of open-source and third-party components, since a single vulnerable dependency can undermine conformity.
What it means in practice: Class 2 products are core infrastructure pieces. Their classification reflects the potential for disruption across entire networks or industrial systems. Manufacturers should plan for significant compliance overhead, from longer certification cycles to higher testing costs. However, the reward is strategic: a Class 2 certificate signals that your technology is enterprise-grade and regulatory-aligned, a decisive factor in critical sectors like energy, healthcare, or manufacturing.
Takeaway: Class 2 is where compliance becomes a strategic differentiator. Manufacturers that embed conformity into the development process, from risk mapping to continuous monitoring, not only secure faster approvals but also position their products as trusted pillars of digital infrastructure.
Critical Products
At the top of the CRA hierarchy are Critical products, categories where failure could have severe consequences for essential services, critical infrastructure, or entire supply chains. These products face the most demanding compliance path.
Examples of Critical Products:
• Hardware security modules or devices with embedded security boxes
• Smart meter gateways (as defined in EU energy directives)
• Secure crypto-processing devices
• Smartcards and secure elements
What’s required:
• Once EU schemes are in place, Critical products require mandatory European cybersecurity certification (at least assurance level substantial, e.g. EUCC).
• Until those schemes are designated, manufacturers must demonstrate compliance through third-party conformity assessment (Module B+C or Module H).
• The Annex VII technical documentation must be exhaustive: full architecture and risk analysis, SBOM, coordinated vulnerability disclosure policy, test evidence, update/rollback mechanisms, and long-term support planning.
• Expect tighter reporting and oversight: incidents and vulnerabilities in Critical products will receive close attention from authorities.
What it means in practice: Critical classification sets the highest bar. Certification requires external audits, ongoing validation, and significant investment in security processes. Development and market entry will take longer — but the reward is market credibility. Certified Critical products will be able to access contracts in highly regulated environments (energy grids, telecom networks, financial services, public administration) where trust is non-negotiable.
Takeaway: For Critical products, compliance is a strategic investment. Manufacturers that embrace certification as part of their product identity can leverage it as a trust signal to regulators, customers, and partners. In sensitive markets, being certified under the CRA won’t just be a requirement — it will be a decisive competitive advantage.
Need a clear starting point for the EU's Cyber Resilience Act? Explore Tributech’s CRA Guide to understand all requirements, timelines, and practical steps for compliant digital products.
Practice – Common Pitfalls Across All CRA Classes
No matter whether a product is classified as Default, Important, or Critical, the same practical mistakes appear again and again. They stem less from technical weaknesses than from misunderstanding how the CRA works in practice.
Treating self-assessment or certification as a one-time event: Compliance under the CRA is continuous. Whether through internal control or EU-level certification, each product update can affect conformity. Treat classification as part of your release cycle — not as a checkbox before launch.
Weak or outdated documentation: Annex VII technical documentation must be a living file. Regulators expect to see version history, SBOM updates, and traceable risk analyses. Incomplete or static documentation is among the fastest ways to fail an audit.
Overlooking vulnerability handling: The 24–72 hour reporting obligations apply to all products. Even simple consumer IoT devices must have defined intake, triage, and notification processes. Claiming “low risk” or “not critical” does not exempt a manufacturer.
Supplier and open-source blind spots: Many non-conformities originate in the supply chain. Every third-party or OSS component must come with update SLAs, disclosure duties, and traceable provenance. Without them, a vulnerability upstream becomes your liability.
Underestimating third-party interaction: For Important and Critical products, notified bodies will question every assumption. Engaging them too late — or providing incomplete evidence — leads to costly delays. The earlier these relationships are established, the smoother the assessment.
Missing long-term planning: Authorities expect realistic support periods that reflect product lifecycles — often longer than five years for industrial and Critical devices. Lack of planning here directly undermines conformity and customer trust.
Across all classes, the biggest risk is treating CRA compliance as paperwork rather than an ongoing design control. Manufacturers who build repeatable processes for documentation, supplier management, and vulnerability handling will not only stay compliant — they will move faster, face fewer surprises, and turn security into a lasting competitive edge.
From Compliance Burden to Market Advantage
For many manufacturers, the CRA first appears as a heavy burden: new documentation rules, third-party assessments, long support periods. Yet looked at differently, classification can become a strategic advantage.
For default products, a clean self-assessment and solid documentation ensure fast market entry and protect against recalls or reputational damage. For Important products, external validation by a notified body is more than bureaucracy; it becomes a trust signal that shortens procurement cycles and reassures enterprise customers. And for Critical products, EU-level certification is less an obstacle than a market passport: without it, participation in regulated sectors like energy, finance, or healthcare will simply not be possible.
What ties all classes together is the opportunity to turn compliance into a selling point. Transparent security practices, published SBOMs, and clear vulnerability handling processes demonstrate professionalism. In markets where resilience is increasingly decisive, these factors differentiate a product as much as features or price.
The message is clear: classification defines your obligations, but it also shapes your position in the market. Companies that treat compliance as part of their design and brand strategy will not just meet regulatory requirements; they will build lasting trust with customers and regulators alike.
Our CRA experts can help align your product, processes, and documentation with regulatory expectations.
Book a free meeting and get the guidance you need.