The EU Cyber Resilience Act does not apply uniformly to all products. It creates a tiered system where products with higher potential for harm face stricter conformity assessment requirements. Understanding this classification system is essential — your product's classification determines the path to CE marking, whether third-party audit is required, and how much lead time you need for compliance.
This guide unpacks the key Annexes of Regulation (EU) 2024/2847 in plain language.
## Annex I: The Security Requirements That Apply to All Products
Annex I applies to every product with digital elements in scope — regardless of classification. It sets the floor for what "secure by design" means under the CRA. Annex I is divided into two Parts:
### Annex I, Part I — Security Properties of the Product
These are the technical requirements your product must meet when placed on the market:
| Requirement | What It Means in Practice |
|---|---|
| No known exploitable vulnerabilities | Scan all components; remediate before release |
| Secure by default configuration | No default passwords; minimal open ports; security features enabled |
| Minimal attack surface | Disable unused interfaces; remove debug features from production builds |
| Confidentiality protection | Encrypt data in transit and at rest where appropriate |
| Data integrity | Protect stored and transmitted data from unauthorised modification |
| Availability and resilience | Tolerate and recover from DoS; fail-safe defaults |
| Limit data access and minimise data collection | Only collect data necessary for product function |
| Protect confidentiality of user data | Authenticated access; prevent unauthorised disclosure |
| Log security events | Sufficient audit trail for incident investigation |
| Secure update mechanism | Authenticated, integrity-verified software updates |
| Software Bill of Materials (SBOM) | Identify all components at minimum to top-level dependency level |
### Annex I, Part II — Vulnerability Handling Obligations
These are ongoing operational requirements — not product properties, but organisational processes:
- Operate a coordinated vulnerability disclosure (CVD) policy
- Provide security updates throughout the supported lifecycle (minimum 5 years)
- Notify ENISA of actively exploited vulnerabilities within 24 hours of becoming aware
- Provide full vulnerability notification within 72 hours
- Maintain a point of contact for security researchers
- Share information about actively exploited vulnerabilities with CERT/CSIRTs
## Annex III: The Product Classification Lists
Annex III is the specific list of products classified as "important" or "critical" — and therefore subject to stricter conformity assessment. The list is broken into two parts corresponding to two risk tiers.
### Annex III, Part I — Important Products (Class I)
Class I products require either (a) self-assessment against a harmonised European standard, once one has been published, or (b) a third-party assessment by a notified body. Products on this list include:
### Annex III, Part II — Critical Products (Class II)
Class II products require mandatory third-party certification by an EU notified body. Self-assessment is not permitted, regardless of standards compliance. Class II products include:
- Hardware security modules (HSMs) — including smart cards and similar secure execution environments
- Secure elements and trusted platform modules (TPMs)
- Industrial firewalls and network equipment intended for use in critical infrastructure
- Smart meters and metering infrastructure
- Microcontrollers and microprocessors with security functions used in critical sectors
- Critical infrastructure monitoring systems (power grid, water, transport)
- Publicly available PKI and root certificate authority software
## The Conformity Assessment Paths
### What If My Product Is Not Listed in Annex III?
If your product is not specifically listed in Annex III, it falls into the Default Class — the largest category, covering approximately 90% of products. This is good news: self-assessment is sufficient, and no third-party audit is required. However, all Annex I security requirements still apply in full. Classification only affects the conformity assessment process, not the security obligations themselves.
The European Commission can update Annex III by delegated act — so classifications may expand over time as new product categories emerge.
## Practical Implications for Product Teams
If you develop or sell any of the following, check carefully whether you fall into Class I or II:
- VPN clients or servers
- Password managers or credential vaults
- Network monitoring or SIEM tools
- Remote access or RDP solutions
- Endpoint protection or antivirus software
- Consumer Wi-Fi routers or smart home hubs
- Any product using an HSM or TPM
- Industrial control systems or SCADA software
If in doubt, seek legal advice and reference the European Commission's CRA guidance or the ENISA CRA resources.