[{"data":1,"prerenderedAt":805},["ShallowReactive",2],{"blog-cra-product-classification":3},{"id":4,"title":5,"body":6,"date":787,"description":788,"extension":789,"image":790,"keywords":791,"meta":798,"navigation":799,"path":800,"readTime":801,"seo":802,"stem":803,"__hash__":804},"blog/blog/cra-product-classification.md","CRA Classification: Default, Class I, or Class II?",{"type":7,"value":8,"toc":762},"minimark",[9,17,20,23,30,35,40,47,66,69,75,79,82,88,94,97,101,104,113,120,123,127,131,134,198,201,205,208,253,256,260,425,430,441,445,448,451,454,458,461,465,485,489,514,518,542,546,549,554,562,567,578,583,591,596,601,606,617,622,627,630,634,637,640,667,671,674,686,692,703,711,714,720,724],[10,11,12,13],"p",{},"Once you've confirmed your product is in CRA scope, the next critical question is: ",[14,15,16],"strong",{},"what conformity assessment route applies to your product?",[10,18,19],{},"The answer determines whether you can self-assess under internal control (Module A), or whether a notified body must either examine the product type (Module B, followed by your own production control under Module C) or audit your quality management system (Module H). For embedded firmware teams managing multiple product lines, this classification decision has significant budget and timeline implications.",[10,21,22],{},"This post walks through the three Annex III-based tiers (default, Class I and Class II), notes where the Annex IV critical products sit, shows how to classify common embedded product types, and explains what each route actually requires.",[10,24,25],{},[26,27],"img",{"alt":28,"src":29},"CRA Enforcement Timeline — Key dates from entry into force through full enforcement","/images/blog/cra-timeline.svg",[31,32,34],"h2",{"id":33},"the-three-conformity-assessment-tiers","The Three Conformity Assessment Tiers",[36,37,39],"h3",{"id":38},"default-category-self-declaration","Default Category: Self-Declaration",[10,41,42,43,46],{},"Products that aren't listed in Annex III (or don't fall within an Annex III category) are in the ",[14,44,45],{},"default category",". 
Under Article 32(1), default-category products can follow a self-assessment route:",[48,49,50,54,57,60,63],"ul",{},[51,52,53],"li",{},"Internal control (Module A, Annex VIII Part I)",[51,55,56],{},"Manufacturer assesses conformity against the Annex I essential cybersecurity requirements",[51,58,59],{},"Manufacturer prepares technical documentation (Article 31, Annex VII)",[51,61,62],{},"Manufacturer draws up the EU Declaration of Conformity (Article 28, Annex V)",[51,64,65],{},"Manufacturer affixes the CE mark",[10,67,68],{},"This is the fastest and cheapest route. No third-party involvement is required. If you apply harmonised standards (once CEN/CENELEC publish them and the Commission cites them in the Official Journal), you get a presumption of conformity under Article 27 for the requirements those standards cover, which substantially simplifies the evidence you have to produce.",[10,70,71,74],{},[14,72,73],{},"Important:"," \"self-declaration\" does not mean \"no evidence required.\" Market surveillance authorities can request your technical documentation at any time, and they will scrutinise it. A credible self-assessment requires genuine engineering work: threat modelling, vulnerability testing, SBOM generation, and documented security processes.",[36,76,78],{"id":77},"class-i-third-party-audit-required","Class I: Third-Party Assessment (with a Standards Exception)",[10,80,81],{},"Class I products appear in Annex III under the Class I heading. Article 32(2) says that if you have not applied, or have only partly applied, harmonised standards, common specifications or a European cybersecurity certification scheme at assurance level at least 'substantial' (or if none exist yet, which is the situation in early 2026), the product must go through one of:",[10,83,84,87],{},[14,85,86],{},"Option A:"," EU-type examination by a notified body (Module B, Annex VIII Part II) followed by your own conformity to type based on internal production control (Module C, Annex VIII Part III)",[10,89,90,93],{},[14,91,92],{},"Option B:"," Full quality assurance assessment of your development and production processes (Module H, Annex VIII Part IV) by a notified body",[10,95,96],{},"The key difference from the default category: unless you can show full application of harmonised standards, common specifications or a 'substantial'-level European certification scheme, a notified body must be involved and you cannot self-assess. Article 32(2) also accepts a European cybersecurity certificate at assurance level 'substantial' in place of Modules B or H. Until harmonised standards exist, plan for the notified body route.",[36,98,100],{"id":99},"class-ii-notified-body-mandatory","Class II: Notified Body Mandatory",[10,102,103],{},"Class II products appear in Annex III under the Class II heading. They are the higher-risk important products (the highest tier, critical products, is in Annex IV and is covered below). 
Article 32(3) requires one of:",[10,105,106,108,109,112],{},[14,107,86],{}," EU-type examination (Module B) by a ",[14,110,111],{},"notified body",", followed by conformity to type based on internal production control (Module C)",[10,114,115,117,118],{},[14,116,92],{}," Full quality assurance (Module H) by a ",[14,119,111],{},[10,121,122],{},"A notified body is a conformity assessment body that a member state has designated and notified to the European Commission for the CRA. It is the only kind of third party that can perform Module B or Module H under the CRA, for Class I and Class II alike; the remaining Class II option in Article 32(3) is a European cybersecurity certificate at assurance level at least 'substantial'. As of early 2026 the designation of CRA notified bodies is still being finalised, so notified body capacity, rather than the rules, is the binding constraint on this route.",[31,124,126],{"id":125},"annex-iii-which-products-are-class-i-or-class-ii","Annex III: Which Products Are Class I or Class II?",[36,128,130],{"id":129},"class-i-products-annex-iii-part-i","Class I Products (Annex III, Class I)",[10,132,133],{},"The adopted Annex III lists the following Class I categories. A product is Class I when it has the core functionality of one of them (Article 7):",[48,135,136,139,142,145,148,151,154,157,160,182,166,169,163,174,177,187,192,232,237],{},[51,137,138],{},"Identity management systems software and privileged access management software and hardware, including authentication and access control readers (biometric readers included)",[51,140,141],{},"Standalone and embedded browsers",[51,143,144],{},"Password managers",[51,146,147],{},"Software that searches for, removes or quarantines malicious software (malware detection and antivirus)",[51,149,150],{},"Products with digital elements with VPN functionality",[51,152,153],{},"Network management systems",[51,155,156],{},"Security information and event management (SIEM) systems",[51,158,159],{},"Boot managers",[51,161,162],{},"Public key infrastructure and digital certificate issuance software",[51,164,165],{},"Microprocessors with security-related functionalities",[51,167,168],{},"Operating systems (the adopted text does not restrict this to general-purpose server, desktop or mobile systems)",[51,170,171],{},[14,172,173],{},"Routers, modems intended for connection to the internet, and switches",[51,175,176],{},"Microcontrollers with security-related functionalities",[51,178,179],{},[14,180,181],{},"Application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs) with security-related functionalities",[51,183,184],{},[14,185,186],{},"Physical and virtual network interfaces",[51,188,189],{},[14,190,191],{},"Smart home general-purpose virtual assistants",[51,193,194,197],{},[14,195,196],{},"Smart home products"," with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems",[10,199,200],{},"For embedded firmware teams, the items in bold are most directly relevant. Two things to note. First, what is absent: industrial automation and control systems (PLCs, HMIs, SCADA) appeared in the 2022 Commission proposal but not in the adopted Annex III, so a PLC that does not itself perform an Annex III function is a default-category product. Second, the silicon entries are qualified: a microcontroller, microprocessor, ASIC or FPGA is Class I only if it has security-related functionalities. The regulation does not define that term. Until the Commission's technical description of the categories (Article 7) settles it, our reading is that a hardware root of trust, secure key storage, secure boot or cryptographic acceleration are the likely triggers; document your reasoning either way.",[36,202,204],{"id":203},"class-ii-products-annex-iii-part-ii","Class II Products (Annex III, Class II)",[10,206,207],{},"The second, higher-risk tier of important products is short:",[48,209,210,215,221,227],{},[51,211,212],{},[14,213,214],{},"Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments",[51,216,217],{},[14,218,219],{},"Firewalls, intrusion detection and prevention systems","",[51,222,223],{},[14,224,225],{},"Tamper-resistant microprocessors","",[51,228,229],{},[14,230,231],{},"Tamper-resistant microcontrollers",[51,233,234],{},[14,235,236],{},"Internet-connected toys (Directive 2009/48/EC) with social interactive features or location tracking",[51,238,239],{},[14,240,241],{},"Personal wearable products with a health-monitoring purpose that fall outside the medical device regulations, and wearables intended for children",[51,243,244,246],{},[14,245,186],{},"",[51,248,249,252],{},[14,250,251],{},"Default or Class I (see rationale)","",[10,254,255],{},"Class II is concentrated on virtualisation, perimeter security and tamper-resistant silicon. HSMs, smart meter gateways, smartcards and secure elements are not in Annex III at all: they are critical products under Annex IV, which lists hardware devices with security boxes; smart meter gateways within smart metering systems and other devices for advanced security purposes, including secure cryptoprocessing; and smartcards or similar devices, including secure elements. Under Article 32(4) a critical product follows the Class II procedures unless the Commission, through a delegated act under Article 8, requires it to hold a European cybersecurity certificate. If you build HSMs or smart meter gateways, plan for the notified body route and track Article 8 delegated acts.",[31,257,259],{"id":258},"product-classification-map-for-embedded-teams","Product Classification Map for Embedded Teams",[261,262,263,279],"table",{},[264,265,266],"thead",{},[267,268,269,273,276],"tr",{},[270,271,272],"th",{},"Product Type",[270,274,275],{},"Likely Classification",[270,277,278],{},"Rationale",[280,281,282,294,305,315,326,336,346,356,366,376,386,396,406,416],"tbody",{},[267,283,284,288,291],{},[285,286,287],"td",{},"General IoT sensor (no security function)",[285,289,290],{},"Default",[285,292,293],{},"Not listed in Annex III or IV",[267,295,296,299,302],{},[285,297,298],{},"Consumer Wi-Fi router",[285,300,301],{},"Class I",[285,303,304],{},"Annex III, Class I lists routers, modems intended for connection to the internet, and switches",[267,306,307,310,312],{},[285,308,309],{},"Industrial PLC (non-critical infrastructure)",[285,311,290],{},[285,313,314],{},"Not listed: industrial automation and control systems were in the 2022 proposal but not in the adopted Annex III",[267,316,317,320,323],{},[285,318,319],{},"Industrial PLC (power/water utilities)",[285,321,290],{},"Critical (Annex IV)",[285,324,325],{},"Not listed in Annex III or IV; the utility's own sector obligations fall on the operator, not on the product's CRA class",[267,327,328,331,333],{},[285,329,330],{},"Smart door lock",[285,332,301],{},[285,334,335],{},"Smart door locks are named in the smart home entry of Annex III, Class I",[267,337,338,341,343],{},[285,339,340],{},"Baby monitor with camera",[285,342,301],{},[285,344,345],{},"Baby monitoring systems are named in the smart home entry of Annex III, Class I",[267,347,348,351,353],{},[285,349,350],{},"FPGA development board",[285,352,251],{},[285,354,355],{},"Class I only if the FPGA has security-related functionalities (Annex III, Class I); otherwise default",[267,357,358,361,363],{},[285,359,360],{},"Custom ASIC",[285,362,251],{},[285,364,365],{},"Class I only if the ASIC has security-related functionalities (Annex III, Class I); otherwise default",[267,367,368,371,373],{},[285,369,370],{},"Hardware Security Module",[285,372,322],{},[285,374,375],{},"Listed in Annex IV (critical products)",[267,377,378,381,383],{},[285,379,380],{},"Embedded RTOS (standalone, for sale)",[285,382,301],{},[285,384,385],{},"Annex III, Class I lists operating systems without a general-purpose qualifier",[267,387,388,391,393],{},[285,389,390],{},"General-purpose 
MCU",[285,392,290],{},[285,394,395],{},"Only microcontrollers with security-related functionalities are Class I (Annex III); a general-purpose MCU without them is default",[267,397,398,401,403],{},[285,399,400],{},"Wearable health tracker (non-medical)",[285,402,301],{},[285,404,405],{},"Personal wearables with a health-monitoring purpose that fall outside the medical device regulations are listed in Annex III, Class I",[267,407,408,411,413],{},[285,409,410],{},"VPN appliance",[285,412,301],{},[285,414,415],{},"Products with VPN functionality are listed in Annex III, Class I",[267,417,418,421,423],{},[285,419,420],{},"Smart meter gateway",[285,422,322],{},[285,424,375],{},[10,426,427],{},[14,428,429],{},"Important caveats:",[48,431,432,435,438],{},[51,433,434],{},"Annexes III and IV can be amended by Commission delegated acts (Articles 7 and 8) as market data comes in, so re-check the lists at each product planning cycle",[51,436,437],{},"Classification turns on core functionality and the product's \"intended purpose\": the same hardware with different firmware or a different declared use may classify differently",[51,439,440],{},"The Commission is tasked under Article 7 with publishing a technical description of the Annex III and IV categories, and ENISA has published supporting guidance, but the harmonised interpretation of edge cases will emerge through market surveillance practice",[31,442,444],{"id":443},"how-intended-purpose-affects-classification","How \"Intended Purpose\" Affects Classification",[10,446,447],{},"Article 7 makes a product important (Class I or II) when it has the core functionality of an Annex III category, and \"intended purpose\" (defined in Article 3) is the use you declare in the product's documentation, instructions and marketing. Together they give manufacturers some flexibility, but also responsibility.",[10,449,450],{},"If you build a general-purpose embedded controller and sell it as a development kit, what matters is which functions the shipped product actually performs: a board whose firmware implements none of the Annex III functions is default-category, while the same board shipped with a VPN client or a certificate issuance service has Class I core functionality regardless of what the data sheet calls it. Positioning can legitimately narrow the intended purpose, but it cannot rename a function that is in the box.",[10,452,453],{},"The \"reasonably foreseeable use\" concept (defined in Article 3 alongside \"intended purpose\", and part of the scope test in Article 2(1)) means you can't simply use disclaimers to avoid a higher-risk classification or a narrower risk assessment if market surveillance authorities determine that the excluded use was foreseeable. 
Keep this in mind when writing your product documentation and intended purpose statements.",[31,455,457],{"id":456},"conformity-assessment-routes-time-and-cost-estimates","Conformity Assessment Routes: Time and Cost Estimates",[10,459,460],{},"These are approximate figures based on industry experience; actual costs vary significantly by notified body and product complexity:",[36,462,464],{"id":463},"default-category-module-a","Default Category (Module A)",[48,466,467,473,479],{},[51,468,469,472],{},[14,470,471],{},"Timeline:"," 3–9 months depending on existing documentation and security maturity",[51,474,475,478],{},[14,476,477],{},"Cost:"," Primarily internal engineering time + optional consultant review",[51,480,481,484],{},[14,482,483],{},"Documentation required:"," Annex VII technical file (threat model and risk assessment, vulnerability assessment, test results, SBOM, vulnerability handling procedures, technical description)",[36,486,488],{"id":487},"class-i-module-b-c-or-module-h","Class I (Module B + C or Module H; Module A once harmonised standards can be fully applied)",[48,490,491,496,502,508],{},[51,492,493,495],{},[14,494,471],{}," 6–18 months",[51,497,498,501],{},[14,499,500],{},"Notified body cost:"," €15,000–€60,000 depending on product complexity and notified body",[51,503,504,507],{},[14,505,506],{},"Preparation cost:"," Significant internal engineering time + documentation",[51,509,510,513],{},[14,511,512],{},"Key requirement:"," Pass an EU-type examination (Module B) or a quality system audit (Module H) with a notified body and demonstrate Annex I conformance; the Module A fallback in Article 32(2) only opens up once you can fully apply harmonised standards, common specifications or a 'substantial'-level European certification scheme",[36,515,517],{"id":516},"class-ii-notified-body-module-b-c-or-module-h","Class II (Notified Body, Module B + C or Module H)",[48,519,520,525,531,536],{},[51,521,522,524],{},[14,523,471],{}," 12–24 months (limited by notified body availability in 2026–2027)",[51,526,527,530],{},[14,528,529],{},"Notified body cost:"," €40,000–€150,000+",[51,532,533,535],{},[14,534,506],{}," Very high; requires extensive security testing, formal documentation",[51,537,538,541],{},[14,539,540],{},"Key constraint:"," Notified body supply is limited; book 
early",[31,543,545],{"id":544},"what-the-technical-documentation-must-include","What the Technical Documentation Must Include",[10,547,548],{},"Regardless of conformity route, Article 31 and Annex VII require manufacturers to draw up technical documentation before the product is placed on the market and to keep it updated, at least for the support period. For firmware teams, the relevant sections are:",[10,550,551],{},[14,552,553],{},"Section 1: Product description",[48,555,556,559],{},[51,557,558],{},"General description including intended purpose",[51,560,561],{},"Hardware and software version(s) to which it applies",[10,563,564],{},[14,565,566],{},"Section 2: Design and development",[48,568,569,572,575],{},[51,570,571],{},"Design and development drawings and diagrams",[51,573,574],{},"Threat model and cybersecurity risk assessment",[51,576,577],{},"Security architecture documentation",[10,579,580],{},[14,581,582],{},"Section 3: Testing",[48,584,585,588],{},[51,586,587],{},"Test reports and vulnerability assessment results",[51,589,590],{},"Penetration testing methodology and results (not named as such in Annex VII, but the test evidence a notified body will expect for Class I/II)",[10,592,593],{},[14,594,595],{},"Section 4: SBOM",[48,597,598],{},[51,599,600],{},"SBOM in a commonly used, machine-readable format covering at least the top-level dependencies (Annex I, Part II); a full transitive SBOM is better practice but not the legal minimum",[10,602,603],{},[14,604,605],{},"Section 5: Processes",[48,607,608,611,614],{},[51,609,610],{},"Vulnerability handling processes",[51,612,613],{},"Security update delivery mechanism",[51,615,616],{},"Support period and end-of-support date (how long you'll provide security updates; Article 13 sets a minimum of five years unless the product is expected to be in use for less)",[10,618,619],{},[14,620,621],{},"Section 6: Incidents",[48,623,624],{},[51,625,626],{},"Overview of post-market monitoring processes",[10,628,629],{},"This documentation must be kept at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer.",[31,631,633],{"id":632},"handling-multi-product-portfolios","Handling Multi-Product Portfolios",[10,635,636],{},"If you have multiple product lines, classification needs to be done per product (or per product family where the products are substantially similar and use the same hardware/firmware platform).",[10,638,639],{},"A common approach for embedded 
product companies:",[641,642,643,649,655,661],"ol",{},[51,644,645,648],{},[14,646,647],{},"Classify each product family"," against Annex III and Annex IV",[51,650,651,654],{},[14,652,653],{},"Group by conformity route"," — a single Module H assessment of your quality system can cover every Class I and Class II product built under it (more efficient if you have several similar products) instead of a separate Module B type examination per product",[51,656,657,660],{},[14,658,659],{},"Prioritise by revenue and sales volume"," — start conformity assessment for your highest-volume or highest-revenue EU products first",[51,662,663,666],{},[14,664,665],{},"Establish a common security baseline"," — implement the Annex I essential requirements once across your platform, then keep product-specific documentation per product family",[31,668,670],{"id":669},"what-happens-after-classification","What Happens After Classification",[10,672,673],{},"Once you know your tier:",[10,675,676,679,680,685],{},[14,677,678],{},"Default category:"," Proceed directly to implementing Annex I requirements and preparing technical documentation. Use our ",[681,682,684],"a",{"href":683},"/blog/cra-annex-i-essential-requirements-checklist/","Annex I essential requirements checklist"," to track your progress against every requirement. Set up your vulnerability handling and reporting processes (required regardless of tier: Annex I Part II covers handling, and Article 14 obliges every manufacturer to report actively exploited vulnerabilities and severe incidents). Generate your SBOM. Write your EU Declaration of Conformity. Affix the CE mark.",[10,687,688,691],{},[14,689,690],{},"Class I:"," Do all of the above and, unless you can show full application of harmonised standards (none exist yet) or a 'substantial'-level European certification scheme, engage a notified body for a Module B type examination or a Module H audit. Notified bodies will want to see your technical documentation in advance of the examination, so prepare thoroughly before booking the assessment.",[10,693,694,697,698,702],{},[14,695,696],{},"Class II:"," Engage a notified body early—as early as 2026 if your deadline is December 2027. The current supply constraint means waiting lists are forming. 
Start with your ",[681,699,701],{"href":700},"/blog/cra-threat-modeling-embedded/","threat model"," and security architecture documentation, as these are typically the first things notified bodies review.",[10,704,705,706,710],{},"The ",[681,707,709],{"href":708},"/","Stack Canary assessment tool"," will identify your likely classification and the specific gaps you need to address for your product type, based on 7 questions about your firmware and product architecture.",[712,713],"hr",{},[10,715,716],{},[717,718,719],"em",{},"Based on Regulation (EU) 2024/2847: Articles 3, 7, 8, 13, 14, 27, 28, 31 and 32; Annexes III, IV, VII and VIII. ENISA classification guidance (2025). This does not constitute legal advice. Classification decisions should be validated with qualified legal counsel familiar with EU product regulation.",[31,721,723],{"id":722},"sources","Sources",[48,725,726,734,741,748,755],{},[51,727,728],{},[681,729,733],{"href":730,"rel":731},"https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng",[732],"nofollow","Regulation (EU) 2024/2847 — Cyber Resilience Act (full text)",[51,735,736],{},[681,737,740],{"href":738,"rel":739},"https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847",[732],"CRA full text (HTML) — see Articles 7, 8 and 32 and Annexes III, IV and VIII",[51,742,743],{},[681,744,747],{"href":745,"rel":746},"https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847",[732],"CRA full text (PDF)",[51,749,750],{},[681,751,754],{"href":752,"rel":753},"https://digital-strategy.ec.europa.eu/en/policies/cra-summary",[732],"European Commission — Cyber Resilience Act summary",[51,756,757],{},[681,758,761],{"href":759,"rel":760},"https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping",[732],"ENISA — CRA implementation 
guidance",{"title":763,"searchDepth":764,"depth":764,"links":765},"",2,[766,772,776,777,778,783,784,785,786],{"id":33,"depth":764,"text":34,"children":767},[768,770,771],{"id":38,"depth":769,"text":39},3,{"id":77,"depth":769,"text":78},{"id":99,"depth":769,"text":100},{"id":125,"depth":764,"text":126,"children":773},[774,775],{"id":129,"depth":769,"text":130},{"id":203,"depth":769,"text":204},{"id":258,"depth":764,"text":259},{"id":443,"depth":764,"text":444},{"id":456,"depth":764,"text":457,"children":779},[780,781,782],{"id":463,"depth":769,"text":464},{"id":487,"depth":769,"text":488},{"id":516,"depth":769,"text":517},{"id":544,"depth":764,"text":545},{"id":632,"depth":764,"text":633},{"id":669,"depth":764,"text":670},{"id":722,"depth":764,"text":723},"2025-11-20","CRA Default, Class I, and Class II tiers explained: which conformity assessment path you take and what it costs in time and money.","md","/images/blog/previews/classification.svg",[792,793,794,795,796,111,797],"CRA product classification","CRA Class I","CRA Class II","CRA conformity assessment","Annex III","CE marking",{},true,"/blog/cra-product-classification","10 min",{"title":5,"description":788},"blog/cra-product-classification","GmbnjUyXUHLYrWbkrxT7M6L40AA0rwTAkDzzqvdcWl4",1775939691377]