How to Classify Your Product Under the CRA: Default, Important, and Critical

By Johannes Emil Ellesøe Kirstein

One of the first decisions you need to make under the EU Cyber Resilience Act is how to classify your product. The CRA defines three risk categories — default, important, and critical — and your classification determines the conformity assessment path you must follow.

Get it wrong and you either waste resources on unnecessary third-party audits or, worse, self-assess when a third-party assessment is legally required. This guide walks you through the classification step by step.

The Three Categories

Default Category

The vast majority of products with digital elements fall here. If your product is not explicitly listed in Annex III or Annex IV of Regulation 2024/2847, it is in the default category.

Examples: most commercial software applications, mobile apps, web applications with on-premise components, IoT consumer devices (smart lights, fitness trackers), developer libraries, productivity tools.

Conformity assessment: self-assessment by the manufacturer. No third-party audit required. You must still meet all essential cybersecurity requirements, maintain an SBOM, handle vulnerabilities, and report to ENISA.

Important Products — Class I (Annex III, Part I)

These are products with higher cybersecurity risk. Class I products can use self-assessment if they apply a harmonized standard that covers all essential requirements. Otherwise, third-party assessment is required.

Annex III Class I includes:

  • Identity management systems and privileged access management software
  • Standalone and embedded browsers
  • Password managers
  • Software that searches for, removes, or quarantines malware
  • VPN products
  • Network management systems
  • Security information and event management (SIEM) systems
  • Boot managers and BIOS/UEFI firmware
  • Remote access and sharing software
  • Mobile device management (MDM) software
  • Physical network interfaces and routers
  • Operating systems
  • Microprocessors and microcontrollers with security-relevant functionality

Important Products — Class II (Annex III, Part II)

Class II products have the highest risk level within the important category and always require third-party conformity assessment.

Annex III Class II includes:

  • Hypervisors and container runtime systems
  • Firewalls, intrusion detection and prevention systems
  • Tamper-resistant microprocessors and microcontrollers
  • Industrial automation and control systems (IACS) and PLCs
  • Industrial IoT not covered by other EU regulations

Critical Products (Annex IV)

The highest risk tier. These products always require third-party certification by a notified body.

Annex IV includes:

  • Hardware devices with security boxes (HSMs, smart cards, secure elements)
  • Smart meter gateways within smart metering systems
  • Other products essential for the cybersecurity of critical infrastructure

Decision Tree: How to Classify Your Product

Follow these steps:

Step 1: Is your product a product with digital elements? Does it include software or connect to a device or network? If no, the CRA does not apply. If yes, continue.

Step 2: Check Annex IV. Is your product an HSM, smart card, secure element, or smart meter gateway? If yes, it is critical. If no, continue.

Step 3: Check Annex III Part II. Is your product a hypervisor, container runtime, firewall, IDS/IPS, or industrial control system? If yes, it is Important Class II. If no, continue.

Step 4: Check Annex III Part I. Is your product a VPN, SIEM, identity manager, OS, browser, network management tool, MDM, boot manager, or similar? If yes, it is Important Class I. If no, continue.

Step 5: Default category. If your product does not appear in any Annex, it falls in the default category.

Common Edge Cases

Cloud-Managed Devices

If your product is a physical device managed through cloud software, the device itself is the product with digital elements. The cloud management plane may not be separately in scope (SaaS is generally excluded), but the firmware and on-device software are. See our article on whether the CRA applies to SaaS.

SDKs and Developer Libraries

An SDK distributed as a standalone product falls in the default category unless it provides security functionality listed in Annex III (for example, a cryptography library might be considered security-relevant). In most cases, SDKs are default category, but the products built with them may be classified higher.

Products with Multiple Functions

If your product includes functionality from multiple Annex categories — say, a firewall with VPN capability — classify it based on the highest applicable category. A product that is both a VPN (Class I) and a firewall (Class II) should be assessed as Class II.

Open Source Components

Open source libraries are not independently classified unless they are placed on the market as standalone products. When integrated into your product, they are part of your product's classification. You are responsible for their security. See our guide on CRA and open source.

Conformity Assessment Paths

Default products: Internal control (self-assessment) based on Annex VIII, Module A. Document that you meet essential requirements, maintain technical documentation, apply CE marking.

Important Class I: Self-assessment is possible if a harmonized standard covers all essential requirements and you apply it fully. Otherwise, EU-type examination (Module B) plus type conformity (Module C) by a notified body, or full quality assurance (Module H).

Important Class II: Always requires third-party assessment — EU-type examination or full quality assurance by a notified body.

Critical products: European cybersecurity certification where available, or EU-type examination by a notified body.

Practical Next Steps

  1. Map your product portfolio against the Annexes. Document each classification decision and your reasoning.
  2. Identify gaps. For products requiring third-party assessment, start identifying notified bodies early — capacity will be limited as deadlines approach.
  3. Generate SBOMs for all products regardless of category. See our SBOM generation guide.
  4. Run a readiness assessment. Use cra-scanner to assess each product's current compliance posture.

For a complete preparation timeline, see our CRA compliance checklist.

Complaro includes an interactive classification wizard that guides you through the Annex III/IV decision tree and documents your classification for audit purposes. Get started free.