My product has a VPN function but it is not a standalone VPN product. Does Annex III Class I category 5 apply?

Article 7(1) of Regulation (EU) 2024/2847 states that a product is classified as Important if it "has the core functionality of a product category set out in Annex III." If VPN is not the core functionality of your product — for example, it is a secondary feature in a networking appliance — the classification depends on whether another Annex III category matches the primary function. CRACheck asks you to identify the core functionality and maps it accordingly.

What are the 4 categories in Class II?

Annex III Class II lists: (1) hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments, (2) firewalls and intrusion detection and prevention systems, (3) tamper-resistant microprocessors, and (4) tamper-resistant microcontrollers. Class II products must always use Module B+C, Module H, or European cybersecurity certification — Module A is never available under Article 32(3).

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Annex III of Regulation (EU) 2024/2847 lists 19 categories of Important products in Class I and 4 categories in Class II. If your product falls into one of these categories, Article 32(2) or 32(3) restricts which conformity assessment procedures you can use. The wrong procedure invalidates your Declaration of Conformity. This is the complete list and the assessment logic.

Q: Does a Class I product always need a notified body?

Not necessarily. Article 32(2) allows Class I products to use Module A (self-assessment) if the manufacturer applies harmonised standards, common specifications, or a European cybersecurity certification scheme at assurance level "substantial" in full. A notified body is required only if the manufacturer has not applied these standards — or applied them only in part — in which case Module B+C or Module H is mandatory.

Q: My product integrates a Class II component (a firewall module). Does my product become Class II?

No. Article 7(1) second sentence of Regulation (EU) 2024/2847 states that the integration of a product with digital elements that has the core functionality of an Annex III category "shall not in itself render the product in which it is integrated" subject to the Class I or Class II conformity assessment procedures. The component is classified separately; the final product's classification depends on its own core functionality.

Article 7(1) of the Cyber Resilience Act defines Important products as those whose core functionality matches a category in Annex III. The classification is not voluntary — it is determined by the product's function, not its marketing label. Class I products under Article 32(2) can still use Module A self-assessment if they apply harmonised standards, common specifications, or a European cybersecurity certification scheme in full. If they do not, they must use Module B+C or Module H with a notified body. Class II products under Article 32(3) must always use Module B+C, Module H, or a European cybersecurity certification scheme at assurance level "substantial" — Module A is never available. CRACheck classifies your product and generates the documentation accordingly. €149. 15–25 minutes. 8 PDFs.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Product categories in Annex III (19 Class I + 4 Class II)

Art. 32

Determines which conformity assessment procedure applies based on classification

€15M

Maximum fine under Art. 64(2) for non-compliance with essential requirements

How CRACheck classifies your product and generates the correct documentation

Classification under the CRA is not a label you choose. It is determined by the core functionality of your product against the categories listed in Annex III and Annex IV. CRACheck runs this classification automatically.

Product description

You enter the product's core functionality, connectivity type, intended purpose, and user base.

Annex III cross-reference

CRACheck checks whether the product's core functionality matches any of the 19 Class I categories (identity management, browsers, password managers, VPNs, routers, OS, smart home products, etc.) or the 4 Class II categories (hypervisors, firewalls, tamper-resistant microprocessors/microcontrollers).

Annex IV cross-reference

CRACheck checks whether the product matches the 3 Critical product categories (hardware security boxes, smart meter gateways, smartcards/secure elements).

Classification result

CRACheck outputs the classification: Default, Important Class I, Important Class II, or Critical. The result is documented in the Product Classifier PDF.

Conformity assessment path

Based on the classification, CRACheck identifies which conformity assessment procedures under Article 32 are available: Module A (self-assessment), Module B+C (EU-type examination), Module H (full quality assurance), or European cybersecurity certification.

Documentation generation

CRACheck generates the 8-document dossier with the classification embedded in every relevant section: risk assessment, technical documentation, Declaration of Conformity, and obligations calendar.

Common mistakes

❌

ART. 7 · ANNEX III

Assuming classification is based on the product name, not its function

Article 7(1) defines Important products by their "core functionality" matching a category in Annex III. A product marketed as a "home hub" may fall under Class I category 16 (smart home general purpose virtual assistants) or category 17 (smart home products with security functionalities) regardless of its brand positioning. Classification follows function, not label.

❌

ART. 32(2)

Using Module A self-assessment for a Class I product without applying harmonised standards

Article 32(2) allows Module A for Class I products only if the manufacturer applies harmonised standards, common specifications, or a European cybersecurity certification scheme in full. If the manufacturer has not applied any of these — or applied them only in part — the product must go through Module B+C or Module H with a notified body.

❌

ART. 7(1)

Believing that integrating an Important product as a component makes the final product Important

Article 7(1) second sentence states that the integration of a product with digital elements which has the core functionality of an Annex III category "shall not in itself render the product in which it is integrated subject to the conformity assessment procedures referred to in Article 32(2) and (3)." The classification applies to the component, not automatically to the final product.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Automated cross-reference against Annex III Class I (19 categories), Class II (4 categories), and Annex IV Critical (3 categories). Output: Default, Important Class I, Important Class II, or Critical, with the matched category and rationale.

Technical Documentation

Annex VII file with the classification embedded in the product description section and the conformity assessment path recorded.

Risk Assessment

Cybersecurity risk assessment per Article 13(2)–(3), structured against Annex I. The assessment depth reflects the classification level.

User Information

Annex II information sheet. Includes the support period end-date and the security update type per Annex I Part I point (2)(c).

Declaration of Conformity

EU Declaration per Article 28 and Annex V. Cites the applicable conformity assessment procedure (Module A, B+C, or H) matching the product classification.

CVD Policy

Coordinated vulnerability disclosure policy per Annex I Part II point (5).

Notification Template

ENISA/CSIRT notification template per Article 14 (24h/72h/14d).

Obligations Calendar

Key dates including conformity assessment deadlines relative to 11 December 2027.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 THE ALTERNATIVE

Regulatory consultancy for CRA classification + Annex VII documentation

€8,000–20,000

The classification analysis alone is typically €2,000–5,000

Separate engagement for each product or product variant

6–16 weeks for the first product

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history