What is the full list of Annex III Class I products?

Annex III Class I includes 19 categories: (1) identity management/privileged access, (2) browsers, (3) password managers, (4) anti-malware, (5) VPN, (6) network management, (7) SIEM, (8) boot managers, (9) PKI/certificate software, (10) network interfaces, (11) operating systems, (12) routers/modems/switches, (13) microprocessors with security functions, (14) microcontrollers with security functions, (15) ASICs/FPGAs with security functions, (16) smart home virtual assistants, (17) smart home products with security functions, (18) internet-connected toys with speaking/filming/tracking, (19) health-monitoring wearables and children's wearables.

What is the difference between Class I and Class II?

Class I products can use Module A self-assessment if harmonised standards are fully applied. Class II products always require notified body assessment under Art. 32.3 — Module B+C or Module H — regardless of harmonised standard application. Class II includes: hypervisors/container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessors and tamper-resistant microcontrollers.

When will harmonised standards be available?

The European Commission has mandated CEN/CENELEC to develop harmonised standards under Regulation (EU) 2024/2847. The timeline depends on the standardisation process. Monitor the Official Journal for publications.

Can we use ETSI EN 303 645 or IEC 62443 as harmonised standards?

These standards are recognised cybersecurity frameworks. They may be listed as harmonised standards under the CRA if published in the Official Journal with a CRA reference. Until that publication, they cannot be used to trigger Module A self-assessment for Class I products. Check EUR-Lex for the current list.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours to keep.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83 on consumer rights, by activating the licence you give express consent for the immediate generation of the digital content, waiving the 14-day withdrawal period. Refunds are accepted only for reproducible technical failures.

What if the regulation changes?

If the regulation changes during the validity of your licence, you can regenerate the document with the updated version of the generator at no additional cost.

Your product is listed in Annex III of Regulation (EU) 2024/2847 as Important Class I. This changes the conformity assessment route. If you have applied the relevant harmonised standard in full, Module A self-assessment is sufficient. If you have not — or if the standard does not exist yet — Article 32.2 requires conformity assessment by a notified body under Module B+C or Module H. CRACheck generates the technical documentation the notified body will review.

Annex III lists 19 categories of Important Class I products and 4 categories of Class II. If your product falls in Class I, you must determine whether harmonised standards under Regulation (EU) 2024/2847 have been published and whether you have applied them fully. If yes: Module A self-assessment. If no: notified body assessment. Either way, Article 31 and Annex VII require technical documentation. CRACheck generates 8 PDF documents covering all Annex VII sections. 15-25 minutes. €149. The documentation is the same regardless of which assessment route applies. Browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15-25 minutes · Browser-side

Key numbers

19 categories

Annex III Class I. From identity management to smart home, from routers to wearables.

Art. 32.2

Without harmonised standards: Module B+C or Module H assessment by notified body.

€149

Annex VII documentation is the same for Module A or notified body assessment.

How to determine your CRA conformity assessment route as a Class I manufacturer

The documentation obligation is the same for all Class I products. The assessment route depends on harmonised standard availability.

Confirm Annex III classification

Review the 19 Class I categories. Use CRACheck classifier to determine which category your product falls under.

Check harmonised standard availability

Have harmonised standards under Regulation (EU) 2024/2847 been published in the Official Journal for your product category? Check EUR-Lex.

If harmonised standard available and fully applied

Module A self-assessment under Art. 32.1(a). You assess conformity yourself. No notified body needed.

If no harmonised standard or not fully applied

Art. 32.2 requires Module B+C (EU-type examination + internal production control) or Module H (full quality assurance) by a notified body.

Generate Annex VII documentation

CRACheck generates the 8-document dossier. This documentation is the input for both Module A and notified body assessment routes.

If notified body route: submit documentation

The notified body reviews your Annex VII documentation. CRACheck generates it; the notified body evaluates it.

The documentation obligation is the same for all Class I products. The assessment route depends on harmonised standard availability.

Class I conformity assessment mistakes

❌

ART. 32.2

Class I always requires a notified body

Not always. Article 32.2 first subparagraph of Regulation (EU) 2024/2847 states that if the manufacturer has applied harmonised standards, common specifications or European cybersecurity certification schemes covering the essential cybersecurity requirements, Module A self-assessment is sufficient even for Class I. The notified body is required only when harmonised standards are not fully applied.

❌

ANNEX VIII

Module A is simpler than Module B+C — the documentation is different

The Annex VII technical documentation is the same regardless of the conformity assessment module. Module A means you assess it yourself. Module B+C means a notified body reviews the same documentation and issues a certificate. Module H means the notified body assesses your quality management system. The documentation obligation does not change.

❌

ANNEX III

My product is not exactly listed in Annex III — it is similar but not identical

Annex III categories describe product types, not specific model numbers. "Routers, modems intended for the connection to the internet, and switches" covers all consumer and enterprise routers. "Smart home products with security functionalities" covers any smart home device with security features. If your product fits the functional description, it is Class I. Use the CRACheck classifier for formal determination.

What each CRACheck dossier contains: 8 documents

Annex VII documentation is required for all Class I products, regardless of whether Module A or notified body assessment applies. CRACheck generates the 8-document package.

Product Classifier

Determines product category per Annex III. Defines conformity assessment route under Art. 32.

Technical Documentation

Complete technical documentation structured per Art. 31 and Annex VII. All 8 mandatory sections.

Risk Assessment

Cybersecurity risk assessment per Art. 13.2 and Art. 13.3. Mapped against Annex I Part I requirements.

User Information

Information and instructions per Annex II. Security properties, support period, vulnerability reporting.

Declaration of Conformity

EU declaration of conformity per Art. 28 and Annex V.

CVD Policy

Coordinated Vulnerability Disclosure policy per Annex I Part II.

ENISA Notification Template

Pre-structured for 24h early warning, 72h notification, 14-day final report under Art. 14.

Obligations Calendar

Key dates: Art. 14 from 11 Sep 2026, full enforcement 11 Dec 2027, support period per Art. 13.8.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated in your browser. No product data is transmitted to any server.

What you pay for Class I documentation

🧾 NOTIFIED BODY FULL-SERVICE (DOCS + ASSESSMENT)

€8,000–€25,000

Documentation + assessment. 3-6 months.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history