Article 7 designates certain products with digital elements as 'important' because their cybersecurity properties are critical to other systems or pose elevated risks. Products listed in Annex III fall into two classes: Class I (significant cybersecurity functions) and Class II (higher-risk products performing critical security roles). Important products face stricter conformity assessment — self-certification alone is not sufficient; Class I requires third-party documentation review and Class II requires full EU-type examination or quality assurance assessment.
What Makes a Product 'Important' Under Article 7
Article 7 designates as 'important' those products that either:
- Primarily perform functions critical to the cybersecurity of other products, networks or services — such as identity management systems, password managers, VPN software, network security tools, or PKI components. These products are security infrastructure: if they are compromised, other systems' security is undermined.
- Perform functions that pose a significant risk of adverse effects through capabilities such as network management, asset management, or data processing at scale — including industrial control systems (SCADA/ICS), robotics, automotive components, medical devices with network interfaces, and smart grid equipment.
The full list of important products is in Annex III. The Commission may update Annex III by delegated act as technology evolves.
Class I vs Class II: The Two Tiers
Annex III divides important products into two classes with different conformity assessment requirements:
- Identity and access management software
- Password managers
- Standalone and embedded browsers
- VPN software (client-side)
- Network traffic management and monitoring tools
- Network routers for home use
- Microcontrollers with security functions
- Smart home products (general consumer IoT)
- Operating systems for servers, desktops, and mobile devices
- Hypervisors and container runtimes
- Hardware security modules (HSMs)
- Firewalls and intrusion detection systems (industrial)
- Tamper-resistant microprocessors / secure elements
- Industrial automation and control systems with direct safety impact
Class II carries the highest conformity assessment burden short of Critical (Annex IV) products.
Conformity Assessment for Class I Products
Manufacturers of Class I products cannot self-certify using Module A alone. They must choose between:
Option A: Third-party technical documentation review — Submit the product's technical documentation to a notified body, which reviews it against the essential requirements. The notified body does not test the product itself but assesses whether the documentation demonstrates compliance.
Option B: Quality management system audit (Module H) — Have a notified body audit and certify the manufacturer's quality management system, which must cover the security development lifecycle. This approach is suited to manufacturers with multiple products.
In both cases, the notified body issues a certificate, which the manufacturer references in their EU Declaration of Conformity. The manufacturer retains ongoing responsibility for the product's compliance.
Conformity Assessment for Class II Products
Class II products must undergo the most stringent assessment available for important products: EU-type examination (Module B) followed by conformity to type (Module C), or full quality assurance assessment (Module H).
- Module B involves the notified body examining the product design and, where appropriate, representative production samples against the essential requirements and any applicable harmonised standards.
- Module C confirms that production units conform to the approved type.
- Module H provides an alternative if the manufacturer's entire quality management system — including development, production, and testing — is assessed and certified by the notified body.
Class II manufacturers should engage with notified bodies early, as assessment timelines for complex products can be 6–18 months.
The Commission's Power to Update Annex III
Article 7 grants the European Commission the power to amend Annex III by delegated act, adding or removing product categories as the threat landscape and technology evolve. When the Commission proposes to add a product category, it must provide a minimum transitional period of 12 months before the new classification takes effect, giving affected manufacturers time to adapt their conformity assessment processes.
Manufacturers of products in adjacent categories — or of products whose security properties are becoming more critical — should monitor Commission delegated acts under Article 7. ENISA publishes analysis of product category risk profiles that may inform future Annex III amendments.
Frequently asked
Is my product automatically Class I or Class II, or do I have to self-classify?
You must assess whether your product matches the descriptions in Annex III. If it does, you must apply the appropriate conformity assessment procedure. There is no central classification authority — the manufacturer is responsible for self-identifying Annex III status and documenting the rationale. If your product could be argued either way, seek legal or conformity assessment advice and document your decision.
What if I integrate an Annex III product as a component into my product?
Integrating an Annex III product as a component does not automatically make the integrating product an Annex III product. However, you must ensure that the Annex III component you source carries a valid CE marking and Declaration of Conformity from its manufacturer before integration. You remain responsible for the overall compliance of the final product.
Are there any notified bodies already designated for CRA Annex III assessments?
Member states designate notified bodies through their national notifying authorities. As of the CRA's application date, the European Commission maintains the NANDO (New Approach Notified and Designated Organisations) database, which lists CRA-designated notified bodies. Early engagement with notified bodies is strongly recommended for Class I and Class II manufacturers, as assessment capacity may be limited initially.
Can a product move from Class I to Class II over time?
If the Commission amends Annex III to reclassify a product from Class I to Class II by delegated act, a minimum 12-month transition period applies. Manufacturers of products already on the market at the time of reclassification may have additional time to bring products into compliance with the new classification's conformity assessment requirements — check the specific delegated act for transitional provisions.