What percentage of products are expected to be Default?

The European Commission's impact assessment estimates that approximately 90% of products with digital elements will fall into the Default category and can use Module A self-assessment. The Important and Critical tiers capture products with specific cybersecurity-critical functions as defined in Annex III and Annex IV.

My product has multiple functions — one matches Annex III, others do not. How is it classified?

Article 7(1) classifies based on the "core functionality" of the product. If the function matching an Annex III category is the core functionality, the product is Important. If it is a secondary feature, the classification depends on the primary function. CRACheck asks you to identify the core functionality and classifies accordingly.

Can the classification change after the product is placed on the market?

Article 7(3) empowers the Commission to amend Annex III by delegated act — adding, moving, or withdrawing product categories. If your product's category is added or moved (e.g., from Class I to Class II), a minimum 12-month transitional period applies before the new conformity assessment procedure takes effect.

Is software-only considered a "product with digital elements"?

Yes. Article 3(1) of Regulation (EU) 2024/2847 defines "product with digital elements" as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." Standalone software with a data connection is within scope.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

The Cyber Resilience Act classifies every product with digital elements into one of four tiers: Default, Important Class I, Important Class II, or Critical. The classification is not a choice — it is determined by the core functionality of your product against the categories in Annex III and Annex IV of Regulation (EU) 2024/2847. The tier determines which conformity assessment procedure under Article 32 you must use, whether you need a notified body, and the practical cost and timeline of your compliance project. CRACheck classifies your product automatically.

Most products with digital elements are Default. Default products can use Module A self-assessment under Article 32(1) — no notified body, no certification body, no external engagement. The manufacturer prepares the technical documentation under Article 31, performs the conformity assessment internally, affixes the CE marking, and draws up the Declaration of Conformity. Important Class I products can also use Module A if they apply harmonised standards in full — otherwise Module B+C or Module H with a notified body. Class II and Critical products always need third-party assessment. The classification decision hinges on Annex III (23 categories) and Annex IV (3 categories). CRACheck runs this cross-reference and documents the result. €149. 15–25 minutes. 8 PDFs.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Classification tiers (Default, Important I, Important II, Critical)

Product categories checked (23 Annex III + 3 Annex IV)

Art. 32

Conformity assessment procedure linked to classification

The CRA classification decision tree

Does your product have digital elements and a data connection?

Article 2(1) defines scope: products with a direct or indirect logical or physical data connection. If yes, the CRA applies.

Is your product excluded under Article 2(2)–(7)?

Medical devices (Reg. 2017/745, 2017/746), motor vehicles (Reg. 2019/2144), aviation (Reg. 2018/1139), and marine equipment (Dir. 2014/90/EU) are excluded.

Does the core functionality match an Annex IV category?

3 categories: hardware security boxes, smart meter gateways, smartcards/secure elements. If yes → Critical.

Does the core functionality match an Annex III Class II category?

4 categories: hypervisors/container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessors, tamper-resistant microcontrollers. If yes → Important Class II.

Does the core functionality match an Annex III Class I category?

19 categories including identity management, browsers, password managers, VPNs, routers, OS, smart home devices, IoT toys, health wearables. If yes → Important Class I.

None of the above → Default

CRACheck documents the classification with category matched, rationale, and conformity assessment path under Article 32.

Common mistakes

❌

ART. 7(1)

Classifying by product name instead of core functionality

Article 7(1) uses "core functionality" as the classification criterion, not the product's marketing name. A "smart speaker" could be an Important Class I product if its core functionality matches category 16 (smart home general purpose virtual assistants).

❌

ART. 32(1)

Assuming all products need a notified body

Default products and Class I products applying harmonised standards in full can use Module A self-assessment under Article 32(1). No notified body is required. The majority of products with digital elements will fall into the Default tier.

❌

ANNEX III

Ignoring the distinction between Class I and Class II consequences

Class I without harmonised standards → notified body needed. Class II → notified body always needed. The cost difference between Module A and Module B+C can be tens of thousands of euros. Misclassification in either direction has financial and legal consequences.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Automated cross-reference against 26 categories. Output: Default, Important Class I, Important Class II, or Critical, with matched category and rationale.

Technical Documentation

Annex VII file with the classification and conformity assessment path embedded.

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3). Assessment depth reflects classification level.

User Information

Annex II information sheet with support period and vulnerability reporting contact.

Declaration of Conformity

EU Declaration per Article 28 and Annex V, citing the applicable conformity assessment module.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

Notification Template

ENISA/CSIRT notification template per Article 14. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Key dates with conformity assessment deadlines.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Regulatory classification consultancy

€3,000–8,000

Review of product portfolio against Annex III/IV

4–8 weeks

Deliverable: classification memo

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history