Annex IV of the EU Cyber Resilience Act identifies Critical Products — those whose compromise would have the most severe societal or infrastructure impact. Products in Annex IV require the most rigorous conformity assessment, including mandatory EU type-examination by an accredited notified body. Manufacturers of these products cannot self-certify under any circumstances.
What Makes a Product 'Critical' Under the CRA?
Critical products are those whose cybersecurity failure could have the most severe systemic impact — affecting critical infrastructure, large populations, or fundamental societal functions.
- Hardware devices with security boxes — HSMs (Hardware Security Modules), secure cryptoprocessors, trusted execution environments
- Smart meter gateways — Gateway devices used in smart metering infrastructure
- Industrial automation and control systems (where not covered by sector-specific law)
- Microcontrollers for critical applications — Used in industrial, automotive, or safety contexts
The list in Annex IV is shorter than Annex III — critical classification is reserved for products where a single compromised unit could have catastrophic consequences.
Conformity Assessment for Critical Products
For Annex IV Critical Products, the only permitted conformity assessment route is:
- EU type-examination (Module B): A notified body physically examines and tests a representative sample of the product
- Followed by Module D (Quality Assurance) or Module E (Product Verification)
Self-assessment is not permitted. The notified body must be specifically accredited for the product category and the CRA framework.
This is the most demanding and expensive conformity route in EU product regulation — comparable to the process used for medical devices.
Timeline and Cost Implications
EU type-examination for Annex IV products can take 6–18 months and cost significantly more than other conformity routes. For manufacturers whose products may be classified as Critical:
- Start notified body engagement immediately — lead times are long and capacity is limited
- Budget for iterative testing — the first examination often identifies non-conformities requiring remediation and re-test
- Allow time for documentation review — notified bodies will scrutinise the security risk assessment, technical file, and vulnerability management processes
The September 2026 application date means manufacturers should have started this process by Q1 2025 at the latest.
Frequently asked
What happens if my product falls into both Annex III and Annex IV?
If a product meets the criteria for Annex IV Critical classification, that classification takes precedence over Annex III Important classification. The Annex IV route (EU type-examination) applies.
Are HSMs used in cloud infrastructure covered by Annex IV?
HSMs (Hardware Security Modules) are explicitly listed as critical products in Annex IV. Cloud-delivered HSM services (HSM as a Service) may be outside CRA scope as a cloud service, but physical HSM appliances sold to customers are in scope.