← All posts

EU CRA Cybersecurity

Which EU Cyber Resilience Act conformity assessment route does my product need?

Most products self-assess. The CRA's default category — the large majority of products with digital elements, widely estimated at around 90% — uses internal self-assessment (Module A), with no external body involved. Products listed as important (Annex III) or critical (Annex IV) face stricter routes, and several require a notified body. The catch in mid-2026: the harmonised standards and notified bodies those routes depend on do not exist yet.

Most products self-assess. Under the EU Cyber Resilience Act, the default category — the large majority of products with digital elements, widely estimated at around 90% — uses internal self-assessment, Module A, with no external body involved. Products listed as important in Annex III (Class I and Class II) or critical in Annex IV face stricter routes, and several require a notified body. The practical catch in mid-2026 is that the harmonised standards and notified bodies those routes depend on do not exist yet.

How does the CRA sort products into routes?

The Cyber Resilience Act (Regulation (EU) 2024/2847) places every product with digital elements into one of three risk tiers, and the tier decides which conformity assessment route you take to CE marking.

The tiers are: a default category that covers the large majority of products; an important category listed in Annex III and split into Class I and Class II; and a critical category listed in Annex IV. The higher the tier, the more external scrutiny the route requires.

For a long time the boundary between these tiers was vague. That changed with Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025, published in the Official Journal on 1 December 2025 and taking effect on 21 December 2025, which set out technical descriptions for the important and critical categories. The descriptions turn high-level labels into criteria you can actually apply to a product, which is what makes classification a job you can do now rather than guess at.

Which conformity assessment route maps to each class?

The CRA offers three assessment modules, and the class determines which are open to you.

  • Module A (internal control) — you assess the product against the essential requirements yourself, compile the technical documentation, and declare conformity. No external body is involved.
  • Module B+C — a notified body runs a type examination (B), and you run the production-conformity phase (C).
  • Module H — a notified body approves and then continuously surveils your quality management system.

The routing works like this; the procedures themselves are set out in Annex VIII of the CRA.

  • Default products — Module A self-assessment, regardless of which technical specification you use to demonstrate conformity.
  • Important, Class I — self-assessment is open only if you apply harmonised standards or common specifications in full; without them, a notified body is required, via Module B+C or Module H. This is the Commission’s stated rule for important products — harmonised standards, or a notified body.
  • Important, Class II — a notified body is required. There is no self-assessment route; you take Module B+C or Module H.
  • Critical products — a notified body is required in every case, and these products may additionally have to use a European cybersecurity certification scheme where one applies.

The shape of this is the same pathway-selection problem that runs through every regulated-hardware regime: the route is not a free choice, it is dictated by what the product is. Getting the classification wrong at the start cascades into the wrong evidence, the wrong timeline, and in the worst case a rejected conformity claim.

How do I figure out which class my product is in?

Start from the principle the Implementing Regulation makes explicit: classification follows the core functionality of the product, not an ancillary or embedded feature. A product that embeds a browser does not become a browser unless browsing is its core function.

The worked examples make the tiers concrete:

  • Important, Class I — browsers, password managers, VPNs, routers, boot managers, and a range of smart home security products including smart door locks, camera systems, baby monitors, and alarm systems.
  • Important, Class II — firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers, and hypervisors.
  • Critical (Annex IV) — hardware security modules, smart meter gateways, smartcards, and secure elements.
  • Default — everything not named in Annex III or Annex IV. This is where most connected consumer and industrial products land, which is why self-assessment is the common case.

If your product is not on an Annex III or Annex IV list, it is default by exclusion. But check the technical descriptions before you conclude that — the lists are broader than they first read, and a single security-relevant function can move a product up a tier.

Why can’t you finish choosing your route yet?

This is the part most CRA explainers skip. The route you are entitled to take may not be available to take.

The self-assessment route for important Class I products depends on harmonised standards. As of April 2026, no harmonised standard for the CRA had been published in the Official Journal, and the Commission’s standardisation request to the European standardisation organisations covers dozens of standards still in development. Until a relevant standard lands, a Class I manufacturer cannot lean on it to self-assess and is pushed toward a third-party route.

The third-party route depends on notified bodies — and none had yet been designated under the CRA. The Commission’s NANDO database will list CRA notified bodies only once they become available, and as of early 2026 it listed none. The provisions on notifying conformity assessment bodies begin to apply on 11 June 2026, which starts the designation process rather than finishing it. The deadline cluster is laid out on the EU Cyber Resilience Act deadline tracker.

So in mid-2026 there is a real gap: the standards that open the self-assessment route are not published, and the bodies that run third-party assessment are not yet designated. Both are expected to arrive before the main obligations apply on 11 December 2027, but the sequencing is tight. This is separate from the reporting obligations, which begin earlier on 11 September 2026 — covered in what the CRA’s September 2026 reporting obligation requires.

What should you do before 11 December 2027?

Four actions, in priority order.

  1. Classify every product against the tiers — do it now, using the Annex III and Annex IV lists together with the Implementing Regulation’s technical descriptions. Document the reasoning, including why a product is default by exclusion. This single decision sets the route, the evidence, and the timeline.
  2. Build the technical documentation now — independent of the route. The essential cybersecurity requirements in Annex I and the technical file in Annex VII are required whether you self-assess or use a notified body. None of that work waits on a harmonised standard. The same evidence-assembly discipline drives the US analogue — the cybersecurity documentation FDA Section 524B requires in a premarket submission.
  3. Plan your route for a standards slip — if you are Class I, model both paths: self-assessment against a future standard, and a notified-body path if the standard does not arrive in time. The product that has a notified-body plan ready does not lose a quarter waiting for one to become available.
  4. Track the standards and notified-body cadence — publication of harmonised standards in the Official Journal and the first CRA notified-body designations are the two events that open the routes. Watch them the way you would watch a long-lead component.

ForgeComply’s compliance pathway and evidence-assembly modules are built for steps 1 and 2 — classifying a product against a regime’s scope and assembling the Annex I and Annex VII evidence from a verified clause library, so the technical file is ready before the route is. For a small team facing a CE-marking deadline without dedicated regulatory staff, the classification and documentation work is where software carries the most load. Many of the same connected products also face the EU Digital Product Passport registry launch in the same window.

Key takeaways

  • Default category — the large majority of products with digital elements (widely estimated at around 90%) self-assess under Module A, with no external body involved.
  • Important, Class I (Annex III) — self-assessment is allowed only if a harmonised standard or common specification is fully applied; otherwise a notified body is required.
  • Important, Class II (Annex III) — a notified body is mandatory; Module B+C or Module H, with no self-assessment route.
  • Critical (Annex IV) — a notified body is mandatory in every case, and a European cybersecurity certification scheme may apply.
  • Classification follows core functionality — Commission Implementing Regulation (EU) 2025/2392 set the technical descriptions; a single security-relevant function can move a product up a tier.
  • The routes are not all open yet — as of April 2026 no harmonised standard was in the Official Journal and no notified body had been designated. Classify and build the technical file now; the route can be confirmed once the infrastructure lands ahead of 11 December 2027.

Sources