Important Product Class II

Important Product Class II is the highest risk classification in the EU Cyber Resilience Act, reserved for products with digital elements that present a particularly significant cybersecurity risk — products whose compromise could have severe, widespread, or safety-critical consequences. Annex III Part II lists the specific categories, which include: operating systems for servers and industrial systems, hypervisors, industrial automation and control systems (ICS/SCADA), industrial IoT, programmable logic controllers (PLCs), safety devices for industrial environments, and smart meter gateways. These are products embedded in critical infrastructure or safety systems where a security failure could affect public safety or essential services.

Unlike Class I, Important Class II manufacturers cannot self-certify regardless of whether a harmonised standard exists. Article 6(3) of the CRA requires Class II manufacturers to have their products assessed by a notified body or to obtain a European cybersecurity certificate under the EU Cybersecurity Act. This mandatory third-party involvement reflects the regulatory determination that the stakes of non-compliance for these products are too high to rely on manufacturer self-assessment. Notified bodies must be accredited for the relevant product category and are listed in the EU NANDO database. Manufacturers should engage a notified body early in their development cycle, as assessment timelines can be significant.

Class II manufacturers must satisfy all CRA essential requirements and additionally produce comprehensive technical documentation demonstrating compliance with each Annex I requirement. The notified body assessment evaluates both the product's technical security properties and the manufacturer's quality management system and processes. Class II manufacturers must also: maintain the technical file for ten years after last market placement (the standard period under most EU product regulations); immediately notify ENISA and market surveillance authorities of any actively exploited vulnerability; and ensure their CVD process meets the highest standards of responsiveness and transparency. Post-market surveillance by authorities will focus disproportionately on Class II products.

The most damaging error for Class II manufacturers is underestimating the lead time required for notified body assessment. Assessment processes for complex industrial systems can take many months; manufacturers who begin the process only weeks before the compliance deadline will face non-compliance by default. A second error is treating the Class II assessment as a one-time event: any significant change to the product may require reassessment. Manufacturers should also avoid assuming that compliance with other sector-specific regulations (such as the EU Medical Devices Regulation) automatically satisfies CRA Class II requirements — the two regulatory regimes have different scopes and requirements.