Annex III

Important Products with Digital Elements — Class I and Class II Classification

Annex III of the EU Cyber Resilience Act classifies products as 'Important' — meaning they pose a higher cybersecurity risk and therefore require third-party conformity assessment before CE marking. Products are split into Class I (lower-risk important) and Class II (higher-risk important). If your product appears in Annex III, self-assessment alone is not sufficient.

Effective: September 2026

Applies to: Manufacturers of products listed in Annex III Classes I and II

Why Annex III Matters: Three-Tier Product Classification

The CRA classifies products into three risk tiers, each with different conformity assessment requirements:

| Tier | Classification | Conformity Assessment |
| --- | --- | --- |
| Default | Not in Annex III or IV | Self-assessment allowed |
| Important | Listed in Annex III | Third-party audit required |
| Critical | Listed in Annex IV | EU type-examination required |

If your product is listed in Annex III, you cannot self-certify CRA compliance. You must engage an EU notified body to audit your technical documentation and security processes.

CRA reference: Article 32(2), Annex III

Annex III Class I — Important Products

Class I covers important products that have significant cybersecurity implications but where existing security standards or market maturity provide some assurance baseline. Class I products include:

  • Identity and access management software — Password managers, identity providers, authentication software
  • Browsers — Standalone web browsers
  • Password managers — Software designed primarily to store and manage credentials
  • Malware detection software — Anti-virus and endpoint security products
  • VPN products — Virtual private network client and server software
  • Network management tools — Products managing network devices and configurations
  • SIEM systems — Security information and event management software
  • Boot managers — Secure boot and firmware management tools
  • Public key infrastructure — Certificate management and PKI software
  • Network monitoring tools — Intrusion detection and network traffic analysis products

For Class I, the manufacturer may use a harmonised standard route: demonstrate conformity with an approved European standard (EN/ISO) and the notified body reviews the technical documentation.

CRA reference: Annex III, Class I

Annex III Class II — Important Products (Higher Risk)

Class II covers important products where a compromise would have more severe consequences, often affecting critical infrastructure or large populations. Class II products include:

  • Hypervisors and container runtime environments — Products managing virtualised workloads
  • Hardware firewalls — Standalone network security appliances
  • Tamper-resistant microprocessors — Secure elements, HSMs, TPMs
  • Industrial automation and control — Smart meters, SCADA systems (subject to other directives)
  • Routers and modems for industrial use — Industrial-grade networking equipment
  • General-purpose microprocessors — CPUs used in security-relevant contexts

For Class II, the manufacturer must also submit to an EU type-examination by a notified body — a more rigorous third-party review of both the product and the conformity assessment process.

CRA reference: Annex III, Class II

How to Determine If Your Product Is Annex III

Determining Annex III classification requires careful analysis:

  1. Read the Annex III text — The classification is based on product function, not product name. A 'router' sold to consumers may be Default class; the same router marketed for industrial SCADA use may be Class II.
  2. Check the intended use — The classification often depends on the primary use case and typical deployment environment.
  3. Review draft delegated acts — The European Commission may add products to Annex III via delegated regulation. Monitor ENISA and Commission publications for updates.
  4. Seek legal counsel — For borderline cases, the product classification has significant commercial implications (mandatory third-party audit costs, delays to market). Professional legal and technical advice is recommended.

CRA reference: Annex III, Article 7

Conformity Assessment for Annex III Products

  • Module B + C: Notified body reviews technical documentation (Module B) + manufacturer declares conformity to assessed type (Module C)
  • Module H: Full quality assurance — notified body audits the manufacturer's quality management system
  • Module B + C with more detailed notified body examination
  • The notified body must perform additional testing or examination of the product itself

In all cases, the CE marking declaration of conformity must reference the Annex III classification and the notified body's involvement.

CRA reference: Article 32(2)–(3), Annex VI, Annex VII

Finding an Accredited Notified Body

Notified bodies for CRA conformity assessment are designated by EU member state accreditation bodies and listed in the NANDO database (New Approach Notified and Designated Organisations).

  • Ensure they are notified specifically for CRA assessment (designations will expand as September 2026 approaches)
  • Check their experience with your product category
  • Factor in lead times — notified bodies are expected to face significant demand backlogs before the September 2026 deadline

Early engagement with a notified body is strongly recommended for Annex III manufacturers.

CRA reference: Article 39, Article 40

Frequently asked

Is my consumer router covered by Annex III?

Consumer routers are generally Default class products subject to self-assessment. However, routers marketed for or typically used in industrial, SCADA, or critical infrastructure environments may be classified as Class II Important Products. The key factor is the intended and foreseeable use.

What happens if I self-assess a product that should have been Annex III?

This would constitute a non-conformity under the CRA. National market surveillance authorities can require product withdrawal, corrective action, or impose fines. The CE marking would be considered improperly affixed, which carries its own legal consequences.

When will the notified body designation process be complete?

ENISA and national accreditation bodies are working to designate CRA notified bodies before the September 2026 deadline. However, this process is still in progress. Manufacturers of Annex III products should monitor the NANDO database and engage early with candidates.

Do CVD Portal obligations differ for Annex III products?

The CVD and Article 14 obligations (Articles 13 and 14) apply equally to all in-scope products regardless of Annex III classification. Annex III only affects the conformity assessment route, not the post-market vulnerability handling obligations.
