Search every question across CRA sub-FAQs

No.

As an inference from Article 27 and the Blue Guide, CRA presumption of conformity attaches to the European standard version whose reference is published in the Official Journal for the relevant legal coverage. A standard harmonised under another Union act, or an ISO or IEC base text on its own, can still be used as another technical specification, but it does not automatically create CRA presumption of conformity under the CRA.

The legal effect can narrow or end.

The Blue Guide explains that the Commission may publish a reference with restrictions, or later maintain, restrict or withdraw the reference after the relevant objection procedures. When a standard is revised, the Official Journal often sets a coexistence period during which both the old and revised references still give presumption of conformity. After the withdrawal date, only the revised standard continues to do so. Manufacturers therefore need to monitor Official Journal publications and take account of those changes for future conformity work and for ongoing series production.

Under the CRA, a product is important or critical if it has the core functionality of a category listed in Annex III or Annex IV.

Products with the core functionality of a category in Annex III are important products. Products with the core functionality of a category in Annex IV are critical products. Important products are divided into class I and class II.

The main consequence is the conformity assessment route.

Products outside Annex III and Annex IV follow Article 32(1). Important products of class I follow Article 32(2) when its trigger is met. Important products of class II follow Article 32(3). Critical products follow Article 32(4).

No.

The March 2026 draft guidance uses that expression as a practical label for products that do not have the core functionality of an Annex III or Annex IV category and therefore remain under the Article 32(1) conformity assessment regime.

Annex III class I lists these categories:

- identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

- standalone and embedded browsers

- password managers

- software that searches for, removes, or quarantines malicious software

- products with digital elements with the function of virtual private network (VPN)

- network management systems

- security information and event management (SIEM) systems

- boot managers

- public key infrastructure and digital certificate issuance software

- physical and virtual network interfaces

- operating systems

- routers, modems intended for the connection to the internet, and switches

- microprocessors with security-related functionalities

- microcontrollers with security-related functionalities

- application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities

- smart home general purpose virtual assistants

- smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

- internet connected toys covered by Directive 2009/48/EC that have social interactive features or location-tracking features

- personal wearable products with a health-monitoring purpose outside the MDR and IVDR regimes, and certain personal wearable products for children

Annex III class II lists these categories:

- hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments

- firewalls, intrusion detection systems and intrusion prevention systems

- tamper-resistant microprocessors

- tamper-resistant microcontrollers

Annex IV lists these critical-product categories:

- hardware devices with security boxes

- smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure cryptoprocessing

- smartcards or similar devices, including secure elements

For important products, Article 7(2) says the listed categories meet at least one of two criteria: they primarily perform functions critical to the cybersecurity of other products, networks or services, or they perform a function carrying a significant risk of adverse effects through disruption, control, or damage.

For critical products, Article 8(2) adds a higher-threshold logic linked to critical dependency by essential entities or serious disruption of critical supply chains.

The key question is the product's core functionality.

The Commission FAQ and draft guidance both say manufacturers should assess the product's real features and technical capabilities, reflected in its intended purpose, against the relevant technical descriptions. Classification is not decided by product labels alone.

No.

The draft guidance says a product may not have more than one core functionality for the purpose of determining the applicable conformity assessment regime. The core functionality should therefore be identified clearly in the technical documentation.

No.

The Commission FAQ and the draft guidance both explain that products often have additional functions beyond their core functionality. That does not by itself stop the product from having the core functionality of an important or critical category.

Similarity is not enough on its own.

The draft guidance says a product may substantially exceed or substantially fall short of the core functionality of a listed category. In those cases, partial overlap in domain, purpose, or deployment context is not enough to treat it as important or critical.

No.

Article 7(1) expressly says that integrating an Annex III product does not in itself make the larger product important. The Commission FAQ gives examples such as an embedded browser inside a news app or a secure element inside a laptop. The draft guidance applies the same logic to critical products: the classification turns on the core functionality of the product as a whole.

No.

All in-scope products need a CRA cybersecurity risk assessment. Classification mainly affects the conformity assessment route, not whether the manufacturer must assess and document the cybersecurity risks of the product.

Yes.

Article 32(1) allows manufacturers in that situation to use module A, module B plus C, module H, or, where available and applicable, a relevant European cybersecurity certification scheme. The draft guidance also notes that a manufacturer can always choose a more rigorous route.

An important class I product can remain on the internal-control path only if Article 32(2) is not triggered.

The draft guidance adds that, for that path to remain available, all applicable requirements of the relevant harmonised standards, common specifications, or specified certification scheme must be applied, and the scope must cover at least the risks related to the product's core functionality.

Then Article 32(2) applies.

In that case, the product must go through either EU-type examination followed by conformity to type based on internal production control, or full quality assurance.

Important class II products must use one of the Article 32(3) procedures:

- module B plus C

- module H

- where available and applicable, a European cybersecurity certification scheme at assurance level at least substantial

Critical products follow Article 32(4).

That means a European cybersecurity certification scheme under Article 8(1), if the Commission has adopted the relevant delegated act and an applicable scheme is available. If not, the product falls back to one of the Article 32(3) procedures.