What are the Cyber Resilience Act product classes?
Direct answer
The Cyber Resilience Act sorts products into four groups by risk: default (self-assessment), important class I and important class II (stricter routes), and critical (mandatory certification). Classification follows the product's core function, and where more than one class could apply, the stricter one governs.
Key Facts
- Default: the majority of products; self-assessment (Module A).
- Important class I (e.g. password managers, VPNs, network management): harmonised standards or a third party.
- Important class II (e.g. operating systems, firewalls, microprocessors): third-party assessment.
- Critical (e.g. smart meters, smart cards, secure elements): mandatory certification.
- Categories are set in Annexes III and IV; the stricter class governs overlaps (Art. 6, 7).
The conformity route a product must follow depends on its risk class (Art. 6, 7; Annex III, IV). Classification follows the product's core functionality, not every feature it includes, and where more than one category could apply the stricter one governs. - **Default** -- most products with digital elements; the manufacturer self-assesses (Module A). - **Important, class I** -- for example password managers, network management and VPNs; conformity via harmonised standards or a third party. - **Important, class II** -- for example operating systems, firewalls and microprocessors; third-party assessment. - **Critical** -- for example smart meters, smart cards and secure elements; mandatory certification.
Regulatory References