Default Class Product (CRA)

Under the EU Cyber Resilience Act's three-tier classification system, Default Class is the baseline category applied to all products with digital elements that are not explicitly listed in Annex III as Important Class I or Class II. Default Class covers the widest range of connected products — consumer smart home devices, general-purpose IoT sensors, connected toys, wearables, smart appliances, and a broad range of commercial software products. Despite the 'default' label suggesting a low-risk designation, these products must still comply with all of the CRA's essential cybersecurity requirements in Annex I; the classification only affects the conformity assessment pathway.

Manufacturers of Default Class products may use the internal control procedure (Module A under Annex VI) to self-certify conformity with the CRA's essential requirements. This means the manufacturer conducts its own assessment against Annex I requirements, produces technical documentation, issues a Declaration of Conformity, and affixes the CE marking — all without mandatory third-party notified body involvement. However, self-certification does not mean self-exemption: the manufacturer must still perform a genuine assessment, maintain documentation, and be able to demonstrate compliance to market surveillance authorities if challenged. The internal control route requires intellectual honesty, not a rubber-stamp exercise.

Regardless of the simplified conformity pathway, Default Class manufacturers must: conduct and document a cybersecurity risk assessment; implement all Annex I essential cybersecurity requirements (including unique default passwords, attack surface minimisation, secure update mechanisms, and vulnerability handling); establish a coordinated vulnerability disclosure process with a published contact and policy; provide security updates for the full support period (minimum five years); generate and maintain an SBOM; and issue a Declaration of Conformity with complete and accurate information. Failure to meet any of these obligations exposes the manufacturer to enforcement action regardless of class, as market surveillance authorities are empowered to investigate all CE-marked products.

The most common Default Class error is conflating 'I can self-certify' with 'compliance is simple'. Self-certification means the manufacturer accepts full responsibility for the conformity assessment — it does not reduce the substantive requirements. Manufacturers who produce a cursory self-assessment and affix the CE marking without genuine compliance are committing the same violations as any non-compliant manufacturer, with the added problem that they have formally declared conformity. A second error is failing to review the Annex III list carefully: products that include security-critical functions (e.g. identity management features embedded in a consumer device) may qualify as Important Class I even if the overall product category seems generic.