Article 8 designates a narrow category of products with digital elements as 'critical' — those whose compromise could have the most severe systemic impact on cybersecurity. Products listed in Annex IV must use an EU cybersecurity certification scheme under the EUCS (EU Cybersecurity Certification Scheme) for their conformity assessment, rather than the notified body routes available to Annex III products. This makes critical products the only CRA product category linked directly to ENISA's certification framework.
What Makes a Product 'Critical' Under Article 8
Article 8 and Annex IV identify critical products as those with the most significant potential for systemic cybersecurity impact. As of the CRA's adoption, Annex IV includes:
- Hardware devices with security boxes — dedicated security hardware (HSMs, security enclaves) protecting cryptographic keys and sensitive data in critical infrastructure
- Smartcard ICs and similar devices — integrated circuits used in identity documents, payment cards, and secure credential storage
- Trusted Platform Modules (TPMs) — hardware components providing root-of-trust functions for device integrity verification
- CPU microprocessors with security features — processors incorporating trusted execution environments or hardware security features
- Cellular IoT modules — modules providing cellular connectivity to IoT devices, particularly for critical infrastructure applications
The Commission may extend Annex IV by delegated act. The category is deliberately narrow — most products, even security-sensitive ones, fall under Annex III.
Conformity Assessment via EU Cybersecurity Certification
Unlike Annex III products (which use notified bodies under the NLF framework), Article 8 products must use a European cybersecurity certification scheme adopted under the EU Cybersecurity Act (Regulation 2019/881). ENISA is responsible for developing these schemes in cooperation with member states.
- The manufacturer must obtain certification under the applicable EU cybersecurity scheme at the substantial or high assurance level
- If no specific EU scheme exists for a product category, the Commission must adopt implementing acts specifying which scheme applies or mandate a new one
- Certification is issued by accredited Conformity Assessment Bodies (CABs) designated under the EUCS framework, not by the notified bodies used for Annex III products
Manufacturers of Annex IV products should engage with ENISA's published roadmap for cybersecurity certification schemes and begin planning for certification well in advance of the CRA application date.
Interaction with the EU Cybersecurity Act
The CRA and the EU Cybersecurity Act (EUCS) interact directly for Annex IV products. The EUCS provides the overall framework for EU cybersecurity certification, while the CRA mandates its use for the critical product category.
- EUCS assurance levels: Article 8 products must be certified at the 'substantial' or 'high' assurance level. The 'basic' level is not sufficient.
- Scheme availability: Where an appropriate EUCS scheme does not yet exist for a specific product type, the Commission must act. Until a scheme is available, there may be transitional provisions or alternative paths.
- Mutual recognition: EU cybersecurity certifications under EUCS schemes are recognised across all EU member states — manufacturers do not need country-by-country assessments.
The Commission's Power to Update Annex IV
As with Annex III, the Commission can amend Annex IV by delegated act to add new product categories as critical infrastructure dependencies and attack surfaces evolve. Given the narrow scope of Annex IV, such additions are expected to be infrequent and subject to careful technical analysis.
A minimum 12-month transition period must be provided when new products are added to Annex IV, giving manufacturers time to undergo the certification process — which, at the substantial or high assurance level, can take 12-24 months for complex hardware products.
Frequently asked
How do I know if my hardware product needs Annex IV certification vs. Annex III assessment?
Compare your product against the specific descriptions in Annex IV. Annex IV is narrow and product-specific — a general IoT device or security camera is not Annex IV even if it has security functions. Annex IV targets specific hardware components (HSMs, TPMs, smartcard ICs, cellular IoT modules) used as security roots of trust. If uncertain, seek specialist CRA compliance advice and document your self-classification rationale.
Which EUCS certification schemes apply to Annex IV products?
The Commission specifies by implementing act which scheme applies to each Annex IV product category. ENISA's EUCS (EU Common Criteria-based Scheme for ICT products) is the primary candidate for hardware security products, with Common Criteria EAL4+ or EAL5+ likely required for the 'high' assurance level. Check the Commission's implementing acts and ENISA's scheme documentation for the specific requirements applicable to your product.
Can Annex IV products also bear the CE marking?
Yes. CE marking under the CRA applies to all products in scope, including Annex IV. The certification obtained under the EU cybersecurity scheme is referenced in the EU Declaration of Conformity, which underpins the CE marking. The CE marking does not replace or duplicate the cybersecurity certification — both are required.