What are the Cyber Resilience Act product classes?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The Cyber Resilience Act sorts products into four groups by risk: default (self-assessment), important class I and important class II (stricter routes), and critical (mandatory certification). Classification follows the product's core function, and where more than one class could apply, the stricter one governs.

Key Facts

  • Default: the majority of products; self-assessment (Module A).
  • Important class I (e.g. password managers, VPNs, network management): harmonised standards or a third party.
  • Important class II (e.g. operating systems, firewalls, microprocessors): third-party assessment.
  • Critical (e.g. smart meters, smart cards, secure elements): mandatory certification.
  • Categories are set in Annexes III and IV; the stricter class governs overlaps (Art. 6, 7).

The conformity route a product must follow depends on its risk class (Art. 6, 7; Annex III, IV). Classification follows the product's core functionality, not every feature it includes, and where more than one category could apply the stricter one governs. - **Default** -- most products with digital elements; the manufacturer self-assesses (Module A). - **Important, class I** -- for example password managers, network management and VPNs; conformity via harmonised standards or a third party. - **Important, class II** -- for example operating systems, firewalls and microprocessors; third-party assessment. - **Critical** -- for example smart meters, smart cards and secure elements; mandatory certification.

What's next

See how Acuna handles this