Part 2: Product Classification - The Hidden Complexity

Part 2: Product Classification - The Hidden Complexity

One of the most challenging aspects of preparing for CRA compliance is product classification. Understanding where your product falls within the CRA’s risk-based structure will determine your assessment route—and whether you can self-declare compliance or must involve a third-party notified body.

The CRA defines three broad categories of products:

1. Standard Products with Digital Elements (PDEs): These are connected products not listed in Annex III or Annex IV. They can typically undergo self-assessment under Module A (Internal Production Control). This is the simplest conformity route and does not require third-party testing or notified body involvement.
2. Important Products (Annex III): These include technologies like identity management systems, firewalls, and password managers. They are divided into Class I and Class II, with Class II products requiring more stringent assessments. In most cases, these products must undergo third-party conformity assessment via Module B+C (EU-type examination and conformity to type) or Module H (full quality assurance).
3. Critical Products (Annex IV): This highest-risk class includes secure elements, smart meter gateways, and other products whose compromise would have systemic consequences. These may require certification under the EU Cybersecurity Act (Regulation (EU) 2019/881) at a substantial or high assurance level. Even if no scheme has yet been mandated, these products must follow the strictest available CRA conformity procedures.

Product classification is not always straightforward. A manufacturer of an industrial control sensor or a secure IoT gateway may not know if their product is considered critical. Annex III and IV lists are broad and open to updates by the European Commission. Compounding the issue, classification isn’t based purely on technical functionality, it also considers intended use, integration context, and potential impact.

If a product is deployed in critical national infrastructure (CNI) or other high-assurance environments, it may face higher scrutiny regardless of its default category. This means that even products not currently listed in Annex IV could end up being treated as critical in practice.

Incorrect classification can have serious consequences. A product incorrectly assessed under Module A may be blocked from market access if later found to require notified body involvement. Worse, a post-market audit could result in product recalls or regulatory fines. Manufacturers should therefore treat classification as an urgent strategic task, not just a legal technicality.

Our CRA Gap Assessment includes a classification review, ensuring product owners understand their obligations and assessment path early in the development cycle. Drop us a message to find out more.

‍