FAQEUCyber Resilience Act

EU Cyber Resilience Act FAQ Important and Critical Products

Use this CRA FAQ to understand Annex III and Annex IV classification, what core functionality means in practice, and how important or critical status changes the applicable conformity assessment route.

Built for product, legal, certification, and compliance teams classifying products under the CRA.

Back to main artifactReview sources
Author
Sorena AI
Published
Mar 10, 2026
Updated
Mar 10, 2026
Sections
30

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Mar 10, 2026
Updated Mar 10, 2026
Overview

Important and critical classification under the CRA changes the conformity-assessment route, but only when a product's core functionality actually matches Annex III or Annex IV. This FAQ focuses on category matching, route consequences, product-wide assessment scope, and the limits of special rules such as the Annex III FOSS derogation.

Search this module

Find a question or answer quickly

30 of 30 sections
Section 1

What are important and critical products with digital elements under the CRA?

Under the CRA, a product is important or critical if it has the core functionality of a category listed in Annex III or Annex IV.

Products with the core functionality of a category in Annex III are important products. Products with the core functionality of a category in Annex IV are critical products. Important products are divided into class I and class II.

Citations
Recommended next step

Use EU Cyber Resilience Act FAQ Important and Critical Products as a cited research workflow

Research Copilot can turn EU Cyber Resilience Act FAQ Important and Critical Products into a reusable cited workflow for teams implementing EU Cyber Resilience Act FAQ.

Research workflow
Open Research Copilot

Start from EU Cyber Resilience Act FAQ Important and Critical Products and move to source-backed decisions and evidence workflows.

Explore next step
Talk to Sorena
Talk through your EU Cyber Resilience Act FAQ implementation

Review evidence gaps, ownership, and next steps for EU Cyber Resilience Act FAQ.

Explore next step
Section 2

What is the main practical CRA consequence of being classified as an important or critical product?

The main consequence is the conformity assessment route.

Products outside Annex III and Annex IV follow Article 32(1). Important products of class I follow Article 32(2) when its trigger is met. Important products of class II follow Article 32(3). Critical products follow Article 32(4).

Citations
Section 3

Is "default category" an official CRA term?

No.

The March 2026 draft guidance uses that expression as a practical label for products that do not have the core functionality of an Annex III or Annex IV category and therefore remain under the Article 32(1) conformity assessment regime.

Citations
Section 4

Which product categories are listed in Annex III class I?

Annex III class I lists these categories:

- identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

- standalone and embedded browsers

- password managers

- software that searches for, removes, or quarantines malicious software

- products with digital elements with the function of virtual private network (VPN)

- network management systems

- security information and event management (SIEM) systems

- boot managers

- public key infrastructure and digital certificate issuance software

- physical and virtual network interfaces

- operating systems

- routers, modems intended for the connection to the internet, and switches

- microprocessors with security-related functionalities

- microcontrollers with security-related functionalities

- application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities

- smart home general purpose virtual assistants

- smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

- internet connected toys covered by Directive 2009/48/EC that have social interactive features or location-tracking features

- personal wearable products with a health-monitoring purpose outside the MDR and IVDR regimes, and certain personal wearable products for children

Citations
Section 5

Which product categories are listed in Annex III class II?

Annex III class II lists these categories:

- hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments

- firewalls, intrusion detection systems and intrusion prevention systems

- tamper-resistant microprocessors

- tamper-resistant microcontrollers

Citations
Section 6

Which product categories are listed in Annex IV?

Annex IV lists these critical-product categories:

- hardware devices with security boxes

- smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure cryptoprocessing

- smartcards or similar devices, including secure elements

Citations
Section 7

Why does the CRA treat these categories as important or critical?

For important products, Article 7(2) says the listed categories meet at least one of two criteria: they primarily perform functions critical to the cybersecurity of other products, networks or services, or they perform a function carrying a significant risk of adverse effects through disruption, control, or damage.

For critical products, Article 8(2) adds a higher-threshold logic linked to critical dependency by essential entities or serious disruption of critical supply chains.

Citations
Section 8

What determines whether a specific product really belongs in one of those CRA important or critical categories?

The key question is the product's core functionality.

The Commission FAQ and draft guidance both say manufacturers should assess the product's real features and technical capabilities, reflected in its intended purpose, against the relevant technical descriptions. Classification is not decided by product labels alone.

Citations
Section 9

Can a product have more than one core functionality for CRA classification purposes?

No.

The draft guidance says a product may not have more than one core functionality for the purpose of determining the applicable conformity assessment regime. The core functionality should therefore be identified clearly in the technical documentation.

Citations
Section 11

What if a product looks similar to a listed category but its functionality is broader or narrower?

Similarity is not enough on its own.

The draft guidance says a product may substantially exceed or substantially fall short of the core functionality of a listed category. In those cases, partial overlap in domain, purpose, or deployment context is not enough to treat it as important or critical.

Citations
Section 12

If a product integrates an important or critical component, does that automatically make the full product important or critical?

No.

Article 7(1) expressly says that integrating an Annex III product does not in itself make the larger product important. The Commission FAQ gives examples such as an embedded browser inside a news app or a secure element inside a laptop. The draft guidance applies the same logic to critical products: the classification turns on the core functionality of the product as a whole.

Citations
Section 13

Does classification as important or critical change the need for a cybersecurity risk assessment?

No.

All in-scope products need a CRA cybersecurity risk assessment. Classification mainly affects the conformity assessment route, not whether the manufacturer must assess and document the cybersecurity risks of the product.

Citations
Section 14

Can a manufacturer of a non-Annex III or non-Annex IV product still choose a stricter conformity assessment route?

Yes.

Article 32(1) allows manufacturers in that situation to use module A, module B plus C, module H, or, where available and applicable, a relevant European cybersecurity certification scheme. The draft guidance also notes that a manufacturer can always choose a more rigorous route.

Citations
Section 15

When can an important product of class I use internal control under module A?

An important class I product can remain on the internal-control path only if Article 32(2) is not triggered.

The draft guidance adds that, for that path to remain available, all applicable requirements of the relevant harmonised standards, common specifications, or specified certification scheme must be applied, and the scope must cover at least the risks related to the product's core functionality.

Citations
Section 16

What happens if an important class I manufacturer has not applied the relevant harmonised standards, has applied them only in part, or no relevant conformity tool exists?

Then Article 32(2) applies.

In that case, the product must go through either EU-type examination followed by conformity to type based on internal production control, or full quality assurance.

Citations
Section 17

What conformity assessment routes apply to important class II products?

Important class II products must use one of the Article 32(3) procedures:

- module B plus C

- module H

- where available and applicable, a European cybersecurity certification scheme at assurance level at least substantial

Citations
Section 18

What conformity assessment routes apply to critical products?

Critical products follow Article 32(4).

That means a European cybersecurity certification scheme under Article 8(1), if the Commission has adopted the relevant delegated act and an applicable scheme is available. If not, the product falls back to one of the Article 32(3) procedures.

Citations
Section 19

Do important and critical products always need third-party conformity assessment?

Important class II products always do, and important class I products do whenever Article 32(2) is triggered.

For critical products, the route is also third-party in practice, either through Article 8(1) certification if that delegated-act route exists, or through Article 32(3) if it does not. The draft guidance describes important class II and critical products as subject to mandatory third-party conformity assessment, and says the same for important class I when the internal-control path is unavailable.

Citations
Section 20

Is there a special rule for important products qualifying as free and open-source software?

Yes.

Article 32(5) says that manufacturers of products qualifying as free and open-source software and falling under Annex III may use one of the Article 32(1) procedures, provided that the technical documentation is made available to the public at the time of placing on the market.

Citations
Section 21

Does being classified as important or critical mean that only the core function is assessed?

No.

The draft guidance says that once the core functionality has been identified and the route selected, the conformity assessment still has to cover the product as a whole. Additional or ancillary functions can create additional risks that still need to be addressed.

Citations
Section 22

If a harmonised standard covers only the core functionality of an important class I product, does the whole product automatically get presumption of conformity?

No.

The draft guidance explains that a harmonised standard may support the use of internal control for an important class I product where it covers the core functionality, but the presumption of conformity extends only to the parts whose risks are actually covered by that standard. Additional functions and additional risks may still need to be addressed through other means.

Citations
Section 23

What should manufacturers use as the main reference for deciding whether a product matches a listed CRA important or critical category?

The CRA itself points to a Commission implementing act that sets the technical descriptions, and the Commission FAQ says those descriptions are now laid down in Implementing Regulation (EU) 2025/2392.

So in practice, manufacturers should compare the product's actual features and technical capabilities against those technical descriptions, not classify the product only by marketing label or broad product family.

Citations
Section 24

Can the Annex III and Annex IV lists change over time?

Yes.

The CRA empowers the Commission to amend Annex III and Annex IV by delegated act. For Annex III changes, the CRA generally requires a minimum transitional period of 12 months where appropriate. For Article 8 delegated acts and Annex IV changes, the CRA generally requires a minimum transitional period of six months.

Citations
Section 25

How does the CRA work for important or critical products that are also high-risk AI systems?

The CRA contains a special overlap rule.

As a rule, Article 12(2) points to the relevant AI Act conformity assessment procedure for products covered by both regimes. But Article 12(3) creates a derogation for certain important and critical CRA products that are also high-risk AI systems and use the AI Act's internal-control route. In that situation, the CRA's own conformity assessment procedures still apply for the CRA essential cybersecurity requirements.

Citations
Section 26

Can a manufacturer downplay or overstate the core functionality to avoid the stricter regime?

No.

The draft guidance says a manufacturer may not misrepresent the product's core functionality in order to escape the conformity assessment regime applicable to important or critical products. It gives the example of inconsistencies between promotional materials, instructions for use, and technical documentation.

Citations
Section 27

Does being classified as important or critical create a separate set of CRA essential cybersecurity requirements?

No.

The core CRA essential cybersecurity requirements still come from Article 6, Article 13 and Annex I. The classification as default, important class I, important class II or critical mainly determines which conformity assessment route applies before the product is placed on the market. The Commission FAQ's risk-assessment section likewise explains that manufacturers of all products with digital elements must implement the essential requirements in a way proportionate to the product's risks.

Citations
Section 28

Can a product move into a stricter class just because one version is intended for a more sensitive environment or presents higher deployment risk?

No, not by itself.

Classification still turns on the product's core functionality against the Annex III or Annex IV category descriptions. The Commission FAQ's VPN example shows that two products with the same core functionality can present different risk levels because of their intended deployment and therefore require different risk treatment measures, but that does not by itself change whether they are an important, critical or default-category product.

Citations
Section 29

Does the Article 32(5) free-and-open-source-software rule apply to critical products?

No.

Article 32(5) is expressly limited to products qualifying as free and open-source software that fall under the categories set out in Annex III. So that special route can apply to important products in Annex III, subject to the public-technical-documentation condition, but it does not extend the same derogation to Annex IV critical products.

Citations
Section 30

If the Commission later adds, removes, or reclassifies an Annex III or Annex IV category, does that automatically retroactively change products already placed on the market?

Not automatically.

Read together, the CRA's delegated-act transition rules and the Blue Guide's placing-on-the-market principle mean that the new classification matters for products placed on the market after the new rules start applying, while products already placed on the market are not automatically reclassified just because the legislation is later revised. For Annex III changes, the CRA generally requires a transitional period of at least 12 months where appropriate. For Article 8 delegated acts and Annex IV changes, the CRA generally requires at least six months, unless urgency justifies less.

Citations
Primary sources

References and citations

Cyber Resilience Act
data.europa.eu30 citations
Referenced sections
  • Article 7(1), Article 8(1), Annex III, Annex IV
  • Article 32(1)-(4)
  • Article 32(1)
Show 24 more
  • Annex III, Class I
  • Annex III, Class II
  • Annex IV
  • Article 7(2), Article 8(2)
  • recitals 44 to 47
  • Annex VII
  • Article 7(1)
  • Article 13(2)-(4), Article 32
  • Article 32(1)-(2)
  • Article 32(2)
  • Article 32(3)
  • Article 8(1), Article 32(4)
  • Article 8(1), Article 32(2)-(4)
  • Article 32(5)
  • Article 27(1), Article 27(5), Article 32(2)
  • Article 7(4)
  • Article 7(3), Article 8(1)-(2)
  • Article 12(2)-(3)
  • recital 52
  • Article 32, Annex VII
  • Article 6, Article 13, Article 32, Annex I
  • Article 7(1)-(2), Article 8(1)-(2), Article 13(2)-(3)
  • Article 32(4)-(5)
  • recital 91
Draft Commission guidance on the CRA (March 2026 draft)
ec.europa.eu22 citations
Referenced sections
  • point 121
  • point 122
  • footnote 16 to point 122
Show 15 more
  • points 124-129
  • point 128
  • point 125
  • points 127-128
  • points 126 and 136
  • points 122 and 131
  • footnote 17 to point 122
  • points 132-135
  • point 132
  • points 122 and 132
  • points 131 and 134-139
  • points 133-139
  • footnote 15 and examples 48 to 53
  • point 129
  • points 124-128
Related guides

Explore more topics

Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales
CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies
CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities
CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products
CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
CRA Core Functionality FAQ | Important Products, Critical Products, Classification
CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints
CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties
CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives
CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II
CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code
CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication
CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components
CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery
CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries
CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification
CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation
CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance
CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation
CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies
CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking
CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence
CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions
CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths
CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards
CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope
CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation
CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility
CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products
CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions
CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits
CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)
CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products
CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability
CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence
CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates
CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay
CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions
CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices
CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing
CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.