← CRA Glossary
CRA Legal Terms

Annex III Important Product Classification

Annex III of the EU Cyber Resilience Act lists product categories classified as 'Important' (Class I or Class II) or 'Critical', which are subject to stricter conformity assessment requirements than the Default class. Most products not listed in Annex III fall into the Default class and can self-certify.

Annex III of the EU Cyber Resilience Act lists product categories classified as 'Important' (Class I or Class II) or 'Critical', which are subject to stricter conformity assessment requirements than the Default class. Most products not listed in Annex III fall into the Default class and can self-certify.

CRA Legal Terms
Free CVD portal →

What Is Annex III?

Annex III of the EU Cyber Resilience Act lists categories of products with digital elements that are classified as Important (further divided into Class I and Class II) or Critical due to their higher cybersecurity risk potential. Products not listed in Annex III fall into the Default class. The classification determines the conformity assessment route available to the manufacturer: higher-class products require increasingly rigorous third-party assessment. The classification also affects regulatory scrutiny intensity: market surveillance authorities are expected to prioritise higher-class products. The European Commission may update Annex III via delegated acts as the threat landscape and product categories evolve.

CRA reference:Annex III, Article 7

Important Class I Products

Class I Important Products include categories with significant cybersecurity risk but where self-assessment against harmonised standards is permitted. Examples listed in Annex III include:

  • Identity management software and privileged access management tools.
  • Password managers.
  • Browsers.
  • Network traffic monitoring tools.
  • Routers and modems for home and SOHO use.
  • Microprocessors with security-relevant functionality (e.g. TPM, secure enclaves).
  • Firewalls for home and SOHO use.
  • General-purpose operating systems.
  • Wearable health monitoring devices.

For Class I, manufacturers may self-assess if applying harmonised standards. Without harmonised standards, a third-party conformity assessment module is required.

CRA reference:Annex III Part I, Article 32

Important Class II and Critical Products

Class II Important Products carry higher risk and require mandatory third-party conformity assessment by a notified body. Examples include:

  • Hypervisors and container runtime environments.
  • Industrial firewalls, IDS/IPS, and PKI systems.
  • Network switches and routers for industrial use.
  • Industrial control systems (SCADA, PLCs, DCS).
  • Medical devices with connected components.
  • Automotive components with network connectivity.

Critical products (Annex IV) include hardware security modules (HSMs), smartcard chips, and industrial IoT gateways used in critical infrastructure. Critical products require a European Cybersecurity Certification Scheme assessment. The distinction between Class I and Class II is primarily the mandatory third-party assessment requirement for Class II.

CRA reference:Annex III Part II, Article 32, Annex IV

Determining Your Product's Classification

Classification is not always straightforward. Key guidance:

  • Function, not form — a product's classification depends on what it does, not what it is called. A home router used in an industrial environment may still be Class I.
  • Multi-function products — a product that performs functions listed in both Class I and Class II is classified at the higher level.
  • Software components vs. products — a software library integrated into another product is assessed as part of that product; a standalone software product is assessed independently.
  • Manufacturer responsibility — the manufacturer (or importer for EU market purposes) determines classification and documents the reasoning in technical documentation. Market surveillance authorities may challenge this determination.
  • ENISA guidance — ENISA publishes classification guidance that manufacturers should consult when their product's classification is ambiguous.

CVD Portal makes Annex III Important Product Classification compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

If my product is not listed in Annex III, does the CRA still apply?+

Yes. The CRA applies to all products with digital elements within its scope, regardless of Annex III classification. Products not listed in Annex III are classified as Default class. Default class products must still meet all Annex I essential requirements — the difference is that they may self-declare conformity rather than requiring third-party assessment. Only products explicitly excluded from the CRA's scope (e.g. those covered by sector-specific regulations like the Medical Device Regulation) are exempt.

Can a manufacturer challenge or change its product's Annex III classification?+

A manufacturer who disagrees with how a market surveillance authority has classified their product can challenge the determination through national administrative and judicial processes. Proactively, manufacturers should document their classification reasoning thoroughly in technical documentation and seek legal counsel for borderline cases. The European Commission periodically updates Annex III, and manufacturers can provide technical input through public consultations.

How does Annex III classification affect our conformity assessment timeline?+

Class I products can use self-assessment, which is faster and cheaper. Class II products require a notified body, which means engaging an accredited certification organisation, scheduling assessment activities, and potentially waiting for notified body capacity. Given limited notified body capacity across the EU, Class II manufacturers should begin conformity assessment engagement well before the December 2027 deadline — 12–18 months' lead time is advisable.

Related terms

EU Cyber Resilience Act (CRA)The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market. It entered into force on 10 December 2024, with most obligations applying from 11 December 2027.Conformity AssessmentConformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.Important Product Class IImportant Product Class I is the lower tier of the CRA's two-tier classification for products with digital elements that present a significant cybersecurity risk. Class I products face an elevated conformity assessment pathway compared to Default Class products, but less stringent than Class II. Examples include identity management software and general-purpose browsers.Important Product Class IIImportant Product Class II is the highest risk tier under the EU Cyber Resilience Act's product classification system, covering products with digital elements whose compromise could have severe or widespread impact. Class II products — including industrial control systems, medical devices, and critical infrastructure components — face mandatory third-party conformity assessment.

CRA articles using this term

Annex IIIImportant Products with Digital Elements — Class I and Class II ClassificationArticle 6Obligations of Importers — CRA Compliance for Non-EU ManufacturersArticle 3Scope — Which Products Are Covered by the CRA?Annex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how Annex III Important Product Classification fits into your complete CRA compliance programme.

View checklists →