CRA Compliance Checklists by Product Category

Free, niche-specific compliance checklists for manufacturers placing products with digital elements on the EU market. Covers classification, security requirements, CVD obligations, and Article 14 reporting. Deadline: September 2026.

50 product categories covered · 13 sectors · Free to use · No signup required

Consumer Electronics

E-Readers & Consumer Tablets

E-readers and consumer tablets are among the most widely deployed consumer products with digital elements. They run complex software stacks, connect to app stores and cloud services, and often store sensitive personal data. As Default-class products under the CRA, manufacturers must implement all Annex I security requirements, maintain vulnerability disclosure processes, and support timely security updates.

Default - consumer tablets and e-readers are general-purpose consumer devices; not listed in Annex III unless used in critical or industrial contexts

Gaming Consoles & Peripherals

Gaming consoles and connected peripherals are consumer products with digital elements fully in scope for the CRA. They involve complex software ecosystems, online multiplayer services, digital storefronts, and user account systems - each presenting distinct cybersecurity risks. While classified as Default, gaming platforms process significant personal and payment data, making robust security practices essential.

Default - gaming consoles and peripherals are consumer products with digital elements; not listed in Annex III unless they incorporate critical infrastructure connectivity

Smart Appliances & White Goods

Smart appliances - including connected washing machines, refrigerators, dishwashers, and ovens - are products with digital elements subject to the full CRA. They typically connect to home networks and cloud services, presenting risks including unauthorised access, data leakage, and use as entry points for lateral movement. As consumer products they are Default class but must meet all Annex I security requirements.

Default - smart appliances are consumer-facing products with digital elements; not listed in Annex III unless repurposed for critical infrastructure

Smart Toys & Connected Children's Products

Smart toys and connected children's products are among the most sensitive categories under the CRA. Toys intended for children that incorporate AI or collect personal data are explicitly listed in Annex III Class II, requiring mandatory third-party conformity assessment by an EU Notified Body. Manufacturers must also address the intersection with GDPR children's data protections and the Toy Safety Directive.

Annex III Class II - toys intended for children that incorporate AI capabilities or collect personal data require third-party conformity assessment under CRA Annex III

Wearable Devices & Fitness Trackers

Wearable devices - fitness trackers, smartwatches, and health monitors - collect sensitive biometric and health data and are in scope for the CRA as products with digital elements. Unlike medical devices regulated under MDR, general fitness wearables are not excluded from the CRA and must comply with all Annex I security requirements, including data minimisation, encrypted transmission, and secure update mechanisms.

Default Class (self-assessment) - wearables not classified as medical devices under MDR

Industrial & Manufacturing

Building Automation & Smart Buildings

Building automation systems (BAS/BMS) control HVAC, lighting, access, fire safety, and energy management across commercial and industrial buildings. Most BAS components are Default class under the CRA, but those deployed in hospitals, data centres, and other critical facilities may be treated as critical infrastructure components. The BACnet and Modbus protocols widely used in BAS were not designed with security in mind - CRA compliance requires significant attention to protocol security and access control.

Default Class to Important Class I - depends on deployment in critical facilities

Industrial Controllers & PLCs

Industrial controllers, PLCs, and SCADA components are classified as Important Class II under Annex III of the CRA, requiring third-party conformity assessment. These products have long operational lifetimes (10–20+ years), network connectivity, and significant safety implications. CRA compliance must be planned well in advance of the September 2026 deadline.

Important Class II (Annex III) - industrial automation and control systems for critical processes

Healthcare

Assistive Technologies & AAC Devices

Assistive technologies and augmentative and alternative communication (AAC) devices serve users with disabilities and complex communication needs. Products not classified as medical devices under MDR fall fully within CRA scope. Given the vulnerable user population and the critical dependency of users on these devices, security and continuity requirements are especially important. Manufacturers must balance rigorous security with accessibility and usability needs.

Default - most assistive technologies and AAC devices not classified as medical devices are in full CRA scope; MDR-classified devices may be excluded

Dental Equipment & Devices

Dental equipment falls into two CRA categories. Dental devices classified as medical devices under MDR (imaging systems, diagnostic sensors, implant-planning software as SaMD) are excluded from CRA if properly MDR-compliant. However, dental practice management software, appointment systems, patient record platforms, and non-MDR dental IT are fully in CRA scope. Manufacturers must carefully verify their product's regulatory classification.

Excluded from CRA if classified as medical devices under MDR 2017/745 - but dental practice management software and non-MDR digital equipment are fully in CRA scope

Health Monitoring Wearables

Health monitoring wearables - fitness trackers, smartwatches with health sensors, sleep monitors, and consumer ECG devices not classified as medical devices under MDR - are fully in scope for the CRA. Unlike regulated medical devices, these consumer health products cannot claim the MDR exclusion and must meet all CRA requirements. The combination of sensitive health data and consumer deployment makes security practices critical.

Default - health monitoring wearables not classified as medical devices under MDR are in full CRA scope; not excluded by MDR carve-out

Hospital IT & Clinical Information Systems

Hospital IT systems - including electronic health record (EHR) systems, clinical information systems, hospital information systems (HIS), and clinical decision support tools not classified as Software as a Medical Device (SaMD) - are not excluded from the CRA by the MDR carve-out. These systems are critical to patient care, process sensitive patient data at scale, and face sophisticated threat actors. They likely qualify as Annex III Class I products.

Annex III Class I likely - hospital IT and clinical information systems are important products with digital elements processing sensitive patient data at scale; not excluded by MDR unless classified as SaMD

Medical Devices

Medical devices regulated under the EU Medical Device Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR) are generally excluded from the CRA. However, software products used in healthcare that are not classified as medical devices under MDR may fall within CRA scope. Manufacturers should carefully verify their product's regulatory classification.

Excluded from CRA if covered by MDR/IVDR - but manufacturers should verify their product's regulatory classification

Agriculture

Environmental Monitoring Sensors

Environmental monitoring sensors - including air quality monitors, water quality sensors, weather stations, soil sensors, and flood detection systems - are products with digital elements subject to the CRA. Most are Default class, but sensors integrated into official environmental regulatory monitoring networks or emergency warning systems may be Annex III Class I. Compromise of environmental monitoring data could have public health, regulatory, and emergency response implications.

Default to Annex III Class I - environmental monitoring sensors are products with digital elements; Class I may apply to sensors integrated into critical environmental regulatory or emergency systems

Livestock Monitoring Systems

Livestock monitoring systems - including connected ear tags, health monitoring wearables for animals, automated feeding and milking systems, and livestock management platforms - are products with digital elements in scope for the CRA. They collect sensitive farm data, often operate in remote or low-connectivity environments, and their compromise could affect animal welfare, food safety, and farm productivity. Most are Default class.

Default - livestock monitoring systems are products with digital elements; consumer and professional products range from simple wearable sensors to integrated farm management systems

Precision Agriculture & Smart Farming

Precision agriculture systems - including connected tractors, autonomous field robots, variable rate applicators, soil and crop sensors, and farm management platforms - are products with digital elements subject to the CRA. Agriculture is increasingly recognised as critical infrastructure in the context of food security. Most precision agriculture systems are Default class, but systems integrated into large-scale food supply chain infrastructure may be Class I.

Default to Annex III Class I - precision agriculture systems are products with digital elements; Class I applies to systems controlling critical agricultural infrastructure or food supply chains

Smart Greenhouse Automation

Smart greenhouse automation systems - including climate control, automated irrigation, LED lighting control, CO2 enrichment systems, and integrated greenhouse management platforms - are products with digital elements in scope for the CRA. They control critical agricultural production environments and their compromise could affect crop yields, food supply, and energy consumption. Most systems are Default class, but large-scale controlled environment agriculture installations may approach Class I.

Default to Annex III Class I - smart greenhouse automation systems are products with digital elements; large-scale controlled environment agriculture may approach Class I

Emerging

Professional Audio/Video Equipment

Professional audio and video equipment - including networked broadcast systems, IP audio routing (Dante, AES67), live production switchers, IP video distribution, and broadcast management systems - are products with digital elements subject to the CRA. While most professional AV products are Default class, broadcast infrastructure for national broadcasters and critical live event systems may approach Class I given their public communication role.

Default to Annex III Class I - professional AV equipment is a product with digital elements; broadcast infrastructure and critical event production systems may approach Class I

Laboratory Instruments & Scientific Equipment

Laboratory instruments and scientific equipment - including networked analysers, chromatography systems, mass spectrometers, laboratory information management systems (LIMS), and laboratory automation platforms - are products with digital elements subject to the CRA. In Vitro Diagnostic (IVD) instruments regulated under IVDR are excluded from CRA scope. General-purpose laboratory instruments with network connectivity and data management capabilities are fully in CRA scope.

Default to Annex III Class I - laboratory instruments with network connectivity are products with digital elements; analytical instruments in regulated environments may be Class I; IVD-classified instruments are MDR-excluded

Open Source Hardware

Open source hardware (OSH) projects occupy a unique position under the CRA. The regulation explicitly excludes hardware developed for non-commercial purposes, shared freely without monetisation. However, when open source hardware designs are manufactured and sold commercially - even by small businesses or community projects - the CRA's full scope applies. The CRA also introduces a 'steward' concept for open source projects that is relevant to OSH ecosystems. Understanding the commercial/non-commercial boundary is essential.

In scope when placed on the EU market commercially - explicitly excluded for non-commercial hobby and research use; steward model applies to community OSH projects not placing products on the market

Payment Terminals & ATMs

Payment terminals and ATMs are products with digital elements that sit at the intersection of the CRA, PCI DSS, PSD2, and EBA regulatory frameworks. They are Annex III Class I due to their financial infrastructure role. ATMs and unattended payment terminals in public spaces face significant physical and cybersecurity risks. While PCI DSS compliance does not provide a CRA exclusion, the two frameworks address overlapping security domains and compliance evidence from PCI assessments can support CRA technical documentation.

Annex III Class I - payment terminals and ATMs are important products processing financial transactions; intersection with PCI DSS, PSD2, and EBA RTS on strong customer authentication

Satellite & Space Technology

Satellite and space technology presents unique CRA challenges. Satellite communication systems and ground segment infrastructure are Annex III Class II as critical telecommunications infrastructure. User terminal equipment (VSATs, satellite broadband modems, satellite navigation receivers used in critical applications) may be Class I or II depending on their role. The 2022 Viasat/KA-SAT cyberattack demonstrated the severe real-world impact of satellite cybersecurity failures.

Annex III Class II - satellite communication infrastructure and ground segment systems are critical infrastructure products; user terminals are Annex III Class I or Default depending on application

Smart Grid & Energy Infrastructure

Smart grid systems - including advanced metering infrastructure (AMI), distribution automation systems, grid management software, and grid-connected energy storage controllers - are among the most critical products under the CRA. CRA Annex III Class II applies, requiring mandatory Notified Body assessment. The energy sector is NIS2-classified as essential infrastructure, creating overlapping obligations between CRA product requirements and NIS2 operator obligations.

Annex III Class II - smart grid components and energy infrastructure systems are critical infrastructure products requiring third-party conformity assessment

Networking

Access Control & Physical Security Systems

Access control systems - including IP-connected door controllers, card readers, biometric access terminals, and integrated physical security management platforms - are products with digital elements that directly control physical access to facilities. Their compromise can enable physical security breaches with serious consequences. Most networked access control systems qualify as Annex III Class I; those securing critical infrastructure or government facilities may be Class II.

Annex III Class I - networked access control systems are important products; Class II if deployed in critical infrastructure or government security contexts

Edge Computing Devices & Gateways

Edge computing devices and gateways - including industrial IoT gateways, edge AI inference nodes, fog computing appliances, and protocol converters - sit at the boundary between operational technology and IT networks. They often aggregate sensitive data from many downstream devices and may have elevated privileges in industrial environments. Most industrial edge gateways are Annex III Class I; those processing critical infrastructure data may be Class II.

Annex III Class I for most industrial edge gateways - Default for consumer edge devices; Class II if processing critical infrastructure data

Embedded Linux Devices

Embedded Linux devices span a vast range - from network gateways and industrial HMIs to set-top boxes and smart displays. All are products with digital elements subject to the CRA. The open-source nature of Linux creates specific obligations around SBOM completeness and CVE monitoring. Classification ranges from Default for consumer devices to Annex III Class I or II for industrial or infrastructure applications.

Default to Annex III Class I depending on deployment - embedded Linux devices span a wide range; industrial or infrastructure use may attract Class I or Class II

Network Attached Storage (NAS)

Network attached storage devices are high-value targets - they store critical personal, business, and infrastructure data and are frequently targeted by ransomware and data exfiltration actors. Consumer NAS is Default class; enterprise NAS marketed as critical data infrastructure may be Class I. NAS vendors have a poor historical track record on patching, making CRA obligations in this area particularly significant.

Default for consumer NAS - Annex III Class I for enterprise NAS products marketed as critical data infrastructure components

Telecommunications Equipment

Telecommunications equipment ranges from consumer CPE (modems, set-top boxes) to core network infrastructure (base stations, routers, switching systems). Core network and 5G infrastructure equipment is Annex III Class II given its critical infrastructure role. End-user equipment is Default class. Manufacturers must also address the intersection with the European Electronic Communications Code (EECC) and 5G security requirements.

Annex III Class II for core network and 5G infrastructure equipment - Default or Class I for end-user CPE and access equipment

Automotive

Automotive Electronics & In-Vehicle Systems

Automotive electronics face a complex regulatory landscape. Vehicles and vehicle-integrated systems subject to UNECE WP.29 type approval (UN Regulations R155 and R156) may be excluded from CRA scope, as these regulations provide equivalent cybersecurity requirements. However, standalone aftermarket automotive electronics, diagnostic tools, and fleet telematics devices placed on the market independently are fully in CRA scope. Manufacturers must carefully map each product to determine applicable regulations.

Complex intersection with UN R155/R156 (UNECE WP.29) - vehicles and vehicle systems covered by type approval under R155 may be excluded from CRA; standalone aftermarket electronics are in full CRA scope

Drones & Unmanned Aerial Vehicles

Drones and unmanned aerial vehicles operate in a complex regulatory environment combining the CRA and EU Drone Regulation (EU) 2019/947. Higher-category drones (C2 and above) capable of BVLOS operations, remote identification, and integration with UTM systems are likely Annex III Class II under the CRA. Consumer toy drones in the lowest categories may be Default class. Manufacturers must map each product to both regulatory frameworks.

Annex III Class II likely for C2 and above drone categories - interaction with EU Drone Regulation (EU) 2019/947; lower-category consumer drones may be Default or Class I

Fleet Management & Telematics

Fleet management and telematics systems - including GPS trackers, OBD-connected devices, electronic logging devices (ELDs), tachograph systems, and fleet management platforms - are products with digital elements fully in scope for the CRA. They collect sensitive location and operational data at scale, often operate in remote or unattended environments, and some are legally mandated safety and compliance devices. Security is both a CRA obligation and a competitive differentiator.

Default to Annex III Class I - fleet telematics hardware and software are products with digital elements; tachographs and legally mandated devices may have additional regulatory intersections

Marine Electronics & Navigation Systems

Marine electronics range from safety-critical navigation systems (ECDIS, AIS, GMDSS equipment) to consumer chartplotters and fish finders. Safety-critical navigation systems are Annex III Class I or higher due to their role in vessel safety. Consumer marine electronics are Default class. Manufacturers must also address the intersection with IMO maritime cybersecurity guidelines and flag state regulations for commercial vessels.

Annex III Class I for safety-critical navigation systems (ECDIS, AIS, GMDSS) - Default for consumer marine electronics; intersection with IMO MSC-FAL.1/Circ.3 maritime cybersecurity guidelines

Safety

CCTV & Video Surveillance

CCTV and video surveillance systems - including IP cameras, network video recorders (NVRs), video management software (VMS), and integrated surveillance platforms - are products with digital elements with a significant history of security vulnerabilities. IP cameras have repeatedly been mass-compromised to form botnets (Mirai and successors). Professional surveillance systems used in critical infrastructure are Annex III Class I or II. Consumer cameras are Default. All must meet CRA security requirements.

Annex III Class I for professional CCTV and IP cameras - Default for basic consumer cameras; Class II if deployed in critical infrastructure monitoring roles

Fire Safety & Detection Systems

Networked fire detection and suppression systems are life safety infrastructure - their failure or compromise can result in loss of life. Networked fire alarm control panels, addressable fire detection systems, and remotely managed suppression systems are classified as Annex III Class II under the CRA, requiring third-party Notified Body conformity assessment. Manufacturers must also address the intersection with the Construction Products Regulation (CPR) and EN 54 standards.

Annex III Class II - networked fire detection and suppression systems are safety-critical life safety infrastructure requiring third-party conformity assessment

Intruder Alarm & Security Systems

Intruder alarm and security systems range from consumer burglar alarms to commercial-grade monitored alarm systems protecting critical facilities. The CRA classification depends on deployment context: systems protecting critical infrastructure are Class II; commercial security systems are likely Class I; basic consumer alarm products may be Default. All networked alarm systems must meet CRA Annex I requirements regardless of classification.

Annex III Class II for systems protecting critical infrastructure or high-security facilities - Annex III Class I for commercial security systems; Default for basic consumer alarm products

Perimeter Security & Smart Barriers

Perimeter security systems - including IP-connected vehicle barriers, automated gate systems, electric perimeter fencing with smart controllers, and ground radar detection systems - are safety-critical physical security products with digital elements. Systems protecting critical infrastructure sites are Annex III Class II. Commercial and industrial perimeter systems are likely Class I. Their compromise could enable physical security breaches at sensitive facilities.

Annex III Class I to Class II depending on deployment - perimeter security for critical infrastructure sites is Class II; commercial perimeter systems are Class I

Industrial

CNC Machines & Industrial 3D Printers

Networked CNC machines and industrial 3D printers are safety-critical manufacturing systems increasingly connected to production networks and cloud-based management platforms. Their digital control systems - including G-code interpreters, machine controllers, and remote monitoring agents - fall under the CRA. Most networked industrial CNC systems are Annex III Class I due to their safety-critical nature; those integrated into critical manufacturing infrastructure may be Class II.

Annex III Class I - networked CNC machines and industrial 3D printers are important products with safety-critical digital control elements

Energy Management Systems

Energy management systems (EMS) - including building energy management, industrial energy optimisation, and grid-connected demand response systems - are classified as critical products under the CRA. Those connected to energy infrastructure or capable of controlling significant energy loads fall under Annex III Class II, mandating third-party conformity assessment. Manufacturers must also address the intersection with the NIS2 Directive for operators in the energy sector.

Annex III Class II - energy management systems for grid-connected or industrial energy infrastructure are critical systems requiring third-party conformity assessment

Industrial Robotics & Collaborative Robots

Industrial robots and collaborative robots (cobots) are safety-critical connected systems deployed in manufacturing, logistics, and process automation. Their CRA classification depends on deployment context - standalone industrial robots are Annex III Class I, while those integrated into critical infrastructure control systems may be Class II. Safety and security are inseparable in robotics: a cyber attack that disables safety interlocks can cause physical harm.

Annex III Class I - industrial robots and collaborative robots in manufacturing environments are important products with safety-critical digital elements; Class II if integrated into critical infrastructure control

Process Control & SCADA Systems

SCADA systems and industrial process controllers form the backbone of critical infrastructure - water treatment, energy generation, chemical processing, and manufacturing. CRA Annex III Class II applies to these systems given their potential for widespread societal harm if compromised. Third-party conformity assessment by an EU Notified Body is mandatory. Manufacturers must align with IEC 62443 and address the intersection with NIS2 Directive obligations for their customers.

Annex III Class II - SCADA systems and industrial process controllers for critical infrastructure are among the highest-risk categories under CRA; third-party conformity assessment mandatory

Warehouse Automation & Logistics Systems

Warehouse automation systems - including autonomous guided vehicles (AGVs), conveyor control systems, warehouse management systems (WMS), and robotic picking systems - are networked products with safety-critical digital elements subject to the CRA. Their classification as Annex III Class I reflects their safety implications and importance to supply chains. Systems forming part of critical logistics infrastructure may be Class II.

Annex III Class I - warehouse automation systems with networked safety-critical control elements; Class II if integrated into critical supply chain infrastructure

Retail

Digital Signage & Display Systems

Digital signage systems - including commercial displays, media players, content management systems (CMS), and interactive display platforms - are products with digital elements subject to the CRA. While classified as Default, digital signage systems in public spaces present risks including unauthorised content injection, privacy violations through connected cameras, and use as botnet infrastructure. Manufacturers must implement robust security practices.

Default - digital signage hardware and software are consumer and commercial products with digital elements; not Annex III unless integrated into critical infrastructure information systems

Hotel & Hospitality Systems

Hotel and hospitality technology - including electronic door locks, in-room automation systems, property management software (PMS), guest Wi-Fi platforms, and hotel IoT devices - are products with digital elements subject to the CRA. Hotels process sensitive guest personal and payment data, and their technology systems face threats including room access compromise, guest data theft, and payment fraud. Most hospitality products are Default class.

Default - hotel and hospitality technology products are consumer and commercial products with digital elements; not Annex III unless handling critical infrastructure data

Point of Sale & Payment Terminals

Point of sale systems and payment terminals are products with digital elements that process financial transaction data and interact with payment card networks. They face specific CRA obligations and must also address the intersection with PCI DSS (Payment Card Industry Data Security Standard) and PSD2 Strong Customer Authentication requirements. While PCI DSS does not provide a CRA exclusion, compliance with it addresses many overlapping security requirements.

Annex III Class I - POS terminals and payment hardware processing financial transaction data are important products; interaction with PCI DSS and PSD2 regulatory frameworks

Vending Machines & Interactive Kiosks

Connected vending machines and interactive kiosks - including self-service retail kiosks, bill payment terminals, information kiosks, and automated retail machines - are products with digital elements subject to the CRA. Those integrating payment processing overlap with PCI DSS requirements. Kiosks deployed in public spaces face specific risks including physical tampering, kiosk breakout attacks, and unauthorised data access. Most are Default class; payment kiosks may be Class I.

Default to Annex III Class I - connected vending machines and interactive kiosks are products with digital elements; payment-integrated kiosks may attract Class I