Classifying products under the CRA: a practical guide to Annex III
Product classification under the CRA (standard product, important product of Class I, or important product of Class II) determines the conformity assessment module, and with it whether a notified body is required. For an SME manufacturer, the difference easily amounts to €15,000–50,000 and six to twelve months of additional timeline. This guide provides a practical reading of Annex III of the Cyber Resilience Act (Regulation (EU) 2024/2847), incorporates the technical descriptions of Implementing Regulation (EU) 2025/2392, and addresses the most common application cases for alarm, IoT and network equipment manufacturers.
Why classification is the first strategic decision in any CRA project
In the Cyber Resilience Act framework, product classification is the mandatory entry point for any conformity process. It precedes the risk assessment, the technical file, and the selection of the assessment module. It is not an administrative formality: it determines whether conformity can be self-declared or requires involvement of a notified body, with the associated costs and timelines.
The mechanism is laid out in Article 32 of the CRA. For a standard product: Module A (internal production control), a self-declaration with no third party involved. For an important Class I product: Module A remains available only if harmonised standards, common specifications or European cybersecurity certificates covering the essential requirements are applied in full; otherwise Module B (EU-type examination, with a certificate issued by a notified body) followed by Module C (conformity to type based on internal production control, carried out by the manufacturer), or Module H (full quality assurance, audited by a notified body). For an important Class II product: Module B+C or Module H, with no Module A option at all. Indicative cost of a notified body engagement: €15,000–50,000 depending on product complexity, and 6–12 months depending on notified body availability.
Classification is therefore binary in its effects: self-assessment or external audit. There is no intermediate path, and for Class I the only route back to self-assessment is full application of a harmonised standard or equivalent. This is why precise classification analysis, in ambiguous cases, warrants upfront investment in specialist expertise.
The core functionality test
Article 7(1) of the CRA defines important products as those whose core functionality corresponds to a category listed in Annex III. The concept of core functionality (often rendered as basic or primary functionality) is central, and its correct interpretation determines the entire classification exercise.
A product is not classified as Class I simply because it incorporates, as a secondary feature, a function listed in Annex III. A home router with a built-in VPN client does not fall under Category 5 (products with VPN functionality) on that basis; it is Class I because its core functionality is providing network connectivity, which is Category 12 (routers, modems intended for connection to the internet, and switches), a different provision. The question is always: what is the primary function for which this product is designed and marketed? The distinction matters even when both candidate categories are Class I, because the technical description the product must be assessed against differs.
Implementing Regulation (EU) 2025/2392, adopted in late 2025 pursuant to Article 7(4) of the CRA (which required the Commission to adopt it by 11 December 2025), provides a technical description for each category in Annex III and Annex IV. Its role is operational: it gives manufacturers and market surveillance authorities a sufficiently precise definition to reduce ambiguity in borderline cases. When a product meets the technical description of a category as defined by this implementing regulation, it falls within that category, and its classification follows accordingly.
A complementary integration rule appears at the end of Article 7(1): integrating a Class I component (for example a microcontroller with security-related functionalities, Category 14) into a host product does not by itself elevate the host product to the component's classification level. The component is subject to its own obligations; the host product remains classified according to its own core functionality. The two CRA technical files are separate.
Reading Annex III Class I
Annex III Class I contains nineteen categories. The most directly relevant for manufacturers of connected equipment outside the pure IT sector are the following:
Category 1: Identity management systems and privileged access management software and hardware
Includes authentication and access control readers, including biometric readers. For a manufacturer of connected physical access control systems (RFID card readers, networked biometric readers, IP-connected access control panels), this category applies directly if identity or privileged access management is the core functionality. An RFID reader used as an accessory within an alarm system must be assessed independently, under the integration rule above.
Category 5: Products with VPN functionality
This category targets products whose core function is VPN. Industrial equipment that uses a VPN tunnel for maintenance communication is not classified here if VPN is the means, not the purpose. Conversely, a dedicated VPN appliance securing industrial site communications falls within this category.
Category 12: Routers, modems intended for connection to the internet, and switches
This category has broad scope: consumer CPE routers, industrial connected routers, ADSL/fibre modems, managed switches with network interfaces. For industrial network equipment manufacturers, this is often the triggering category: an industrial data concentrator with IP routing functionality falls under Category 12.
Category 14: Microcontrollers with security-related functionalities
The qualifier "security-related functionalities" limits the scope: standard microcontrollers without dedicated cryptographic capability or memory protection do not qualify. Covered are microcontrollers integrating a cryptographic engine, a protected memory zone (TrustZone, embedded Secure Element, or equivalent mechanism), or a secure boot function. For component manufacturers, or for equipment builders integrating such microcontrollers, the classification question for the component arises independently of the host product.
A practical corollary for integrators: a module that has itself undergone CRA conformity assessment (for example a cellular modem with its own EU declaration of conformity and technical documentation) can contribute positively to the host product's conformity, provided the module is used in accordance with its documentation and its interface is correctly implemented. This does not remove the integrator's own obligations: Article 13(5) requires manufacturers to exercise due diligence when integrating third-party components, and the host product's own risk assessment must still cover the integrated module.
Category 17: Smart home products with security functionalities
This is the most important category for manufacturers in the electronic security sector. Annex III explicitly cites smart door locks, security cameras, baby monitoring systems and alarm systems. This enumeration is not exhaustive: Implementing Regulation (EU) 2025/2392 provides the reference technical description, aligned with the scope of ETSI EN 304 632 (Smart Home Products with Security Functionalities, SHPSF). A connected alarm panel with a cloud interface, a connected detector transmitting to a server, an IP video surveillance system: all fall under Category 17. Classification is Class I.
Reading Annex III Class II
Annex III Class II contains four categories, deliberately limited to critical digital infrastructure components:
- Category 1: Hypervisors and container runtime environments, virtualisation software (VMware ESXi, Hyper-V, KVM, OCI container engines) used for running multiple OS environments;
- Category 2: Firewalls, intrusion detection and prevention systems (IDS/IPS);
- Categories 3 and 4: Tamper-resistant microprocessors and microcontrollers, distinct from Class I Categories 13 and 14. Physical tamper resistance is the determining property here, not merely the presence of cryptographic or memory-protection functions; in practice it is usually demonstrated through a security evaluation such as Common Criteria, although the CRA itself does not prescribe an assurance level.
For the vast majority of connected product manufacturers outside the professional IT sector, Class II is not the relevant classification. It primarily concerns IT infrastructure software vendors, security semiconductor manufacturers, and dedicated network security appliance vendors.
Critical products (Annex IV): for reference
Annex IV lists three categories of critical products: hardware devices with security boxes (HSMs), smart meter gateways within smart metering systems and other devices for advanced security purposes, and smartcards or similar devices including secure elements. Under Article 8, the Commission may require by delegated act that these products obtain a European cybersecurity certificate under a scheme adopted pursuant to the Cybersecurity Act (Regulation (EU) 2019/881), in practice the EUCC scheme for ICT products; where no such certification is mandated, the Class II procedures (Module B+C or Module H) apply. This scope does not affect consumer IoT manufacturers.
Borderline cases and multi-category situations
A product whose functionalities span multiple categories
A connected access control system integrating a biometric reader (Category 1), a VPN for communication with the management server (Category 5), and a connected alarm function (Category 17): each function must be assessed against its category. If all three categories are Class I and none is Class II, the overall product is Class I; if any applicable category were Class II, the product would be Class II. The most onerous applicable classification applies. The technical documentation must address each applicable category, since each carries its own technical description in the implementing regulation.
Connected industrial products not listed in Annex III
Programmable logic controllers (PLCs), SCADA systems, OT/IT gateways, industrial sensors: these categories do not appear in Annex III as published in 2024. They therefore fall into the residual category, standard products with Module A, unless their core functionality happens to match a listed category (an OT/IT gateway whose core function is IP routing is a Category 12 router; one whose core function is packet filtering is a Class II firewall). This situation may evolve: Article 7(3) empowers the Commission to amend Annex III by delegated act. Manufacturers of connected industrial equipment must monitor changes to this list.
Firmware distributed separately from hardware
Firmware delivered with hardware forms a single product. If the hardware is not Class I or II, the combined product does not become so merely by the presence of firmware. However, if firmware is distributed separately (via download, OTA update) and its core functionality corresponds to an Annex III category (for example, an operating system for microcontrollers, Category 11), it may be classified as Class I as a standalone product.
The EN 304 632 question: the conformity assessment module for Category 17
For Class I product manufacturers (and in particular those in Category 17: alarm systems, connected locks, security cameras), the most practically urgent question is: will the harmonised standard enabling Module A be cited in the Official Journal before the 11 December 2027 application date?
ETSI EN 304 632 (V0.2.1, February 2026) is the sectoral standard intended for Category 17 products. As of April 2026, it is at mature draft stage, submitted for combined Public Enquiry and Vote (ETSI TC CYBER). Harmonisation requires: completion of the ETSI process (final vote), transmission to the Commission under standardisation request M/606, assessment by the Commission's consultants, and finally citation in the Official Journal of the European Union. This entire process can take 12–18 months after the final ETSI vote. Even if the combined vote closes around mid-2026, that places citation somewhere between mid-2027 and the end of 2027, uncomfortably close to the December 2027 deadline.
If harmonisation occurs by mid-2027 and the technical file can invoke presumption of conformity: Module A available, self-declaration possible for December 2027. If harmonisation is delayed, or if the technical file is not in a state to invoke it: Module B+C (or H) mandatory, notified body required. The NANDO list of CRA notified bodies was not yet published as of April 2026; the CRA provisions on notification of conformity assessment bodies (Chapter IV) only apply from 11 June 2026 under Article 71, so no CRA notified body could be listed before that date.
The practical recommendation is to plan for two scenarios: Module A budget if EN 304 632 is harmonised in time, alternative Module B+C budget if delayed. These two scenarios have very different implications in terms of cost, timeline and technical file preparation. Waiting until 2027 to choose risks running out of time to engage a notified body.
When to seek external legal or technical advice on classification
Classification is straightforward in most cases: a consumer router is Category 12 Class I, a connected alarm system is Category 17 Class I, an IoT temperature sensor with only a Bluetooth interface is a standard product. In these cases, an internally documented decision is sufficient.
External expertise is justified in the following situations:
- The technical description in Implementing Regulation (EU) 2025/2392 does not clearly cover the product, and the classification determines whether a notified body is required;
- The product is a component integrated into multiple other products of different classifications, and its own classification is structurally significant for integrator customers;
- The product portfolio includes product families at the boundary between multiple categories;
- The classification decision will be subject to review by a market surveillance authority in the context of a technical file audit; in which case rigorously documenting the classification reasoning is as important as the conclusion itself.
The legal manufacturer and the technical file: the most common point of friction
A critical distinction for CRA compliance is that between the physical manufacturer (the entity that owns the factory, the design files, and has full control over the product's design) and the legal manufacturer (the importer or distributor who affixes its brand to a product designed and manufactured by a third party, and who, under the CRA, assumes the full regulatory obligations of a manufacturer).
For the legal manufacturer, the technical file problem is structural: it typically does not have direct access to the physical manufacturer's design documents (PCB layouts, architecture diagrams, internal test results). It depends on a contractual arrangement with the original manufacturer for those documents to be supplied or made available to market surveillance authorities on request. This is the most frequent documentary non-conformity during the early enforcement phase of new product regulations: the legal manufacturer declares conformity, signs the EU declaration of conformity, affixes the CE marking, but when an authority requests the technical file, it either does not exist in the legal manufacturer's possession, or is incomplete because the physical manufacturer only provided part of the documentation.
Under the CRA, this situation is particularly critical. The obligation to draw up an SBOM and make it available to market surveillance authorities on request (Annex I, Part II, point (1)), to report actively exploited vulnerabilities and severe incidents within the Article 14 timelines, and to have an operational vulnerability handling process in place all require the legal manufacturer to have access to the complete technical information on the product, including the software components integrated by the physical manufacturer. Without an explicit contractual arrangement covering these elements, the legal manufacturer is legally responsible for obligations it cannot technically fulfil. Reviewing this contractual arrangement (and updating it to cover CRA obligations, including a timeline for the physical manufacturer to pass on vulnerability information fast enough for the 24-hour early warning) is a priority to address at the outset of any compliance project.
Conclusion
Classification is the first concrete deliverable of a CRA compliance project, and it is structurally determinative of everything that follows. A classification error discovered during the conformity assessment phase (by the company itself or by the market surveillance authority) can invalidate an already-completed technical file and require a full restart of the conformity process.
For manufacturers of connected domestic security products, the answer is generally unambiguous: Category 17, Class I. The operationally more difficult question is the conformity assessment module, which depends on EN 304 632 harmonisation. This normative dependency is, as of today, the primary risk factor for meeting the CRA conformity timeline in this sector.
Two documentary patterns are predictable in the first CRA compliance attempts, based on what comparable regulation launches have produced. The first is the company that has not performed a classification analysis: it produces a declaration of conformity without having checked whether its product falls under Annex III. The second, more subtle, is the generic risk assessment: a formally complete document, but not tailored to the specific product, produced at company or product-line level without per-product adaptation. Article 13(2) of the CRA requires a cybersecurity risk assessment of the product itself, and the essential requirements of Annex I apply on the basis of that assessment; a market surveillance authority reviewing the same assessment across ten different products from the same manufacturer will immediately identify the absence of product-specific content. These two patterns will be among the most frequent causes of documentary non-conformity in the first years of CRA enforcement.