Important Product Class I

Important Product Class I is one of two elevated risk categories defined in Annex III of the EU Cyber Resilience Act for products with digital elements that present a significant cybersecurity risk due to their security functions, the sensitive data they process, or the breadth of their potential impact if compromised. Class I is the lower of the two important categories — products with higher risk potential fall into Class II. Examples of Class I products listed in Annex III include: identity management software, password managers, security information and event management (SIEM) tools, patch management software, and general-purpose operating systems not covered by Class II.

Unlike Default Class products, which can self-certify conformity through an internal control procedure, Important Class I manufacturers must choose one of three pathways for conformity assessment: (1) follow an EU-harmonised standard and self-declare (internal control with standardised testing); (2) undergo a third-party conformity assessment by a notified body; or (3) seek a European cybersecurity certificate under the EU Cybersecurity Act. In practice, pathway (1) is available only when relevant harmonised standards exist. Where no harmonised standard covers the product's security requirements, notified body involvement becomes the default route for Class I products.

Class I manufacturers face the same core obligations as all CRA manufacturers — risk assessment, CVD process, security updates, technical documentation — but with heightened scrutiny. Technical documentation must be more comprehensive, demonstrating compliance with each Annex I essential requirement individually. Manufacturers must retain conformity assessment evidence and make it available to market surveillance authorities on request. The CE marking and Declaration of Conformity must reference the specific conformity assessment procedure followed. Manufacturers should also be prepared for proactive engagement by market surveillance authorities, who are directed to prioritise Important Class products in post-market surveillance.

Manufacturers frequently misclassify their products as Default Class when a correct reading of Annex III would place them in Class I — often because they focus on the product's primary function rather than its security functions. Identity management components embedded in larger products are a frequent source of misclassification. Another error is assuming that harmonised standards will be available for Class I conformity at CRA application date — manufacturers should assess whether they need to engage a notified body well in advance of compliance deadlines. Self-declaration without a harmonised standard is not available for Class I.