What if my product falls between two Annex III categories?

Annex III categories are defined by function and intended use. If your product matches multiple categories, the higher classification applies — Regulation (EU) 2024/2847 follows a precautionary approach. CRACheck flags dual-match scenarios and applies the stricter classification.

What is the difference between Annex III and Annex IV?

Annex III lists Important products in two classes (Part I: Class I, Part II: Class II). Annex IV lists Critical products. Critical products require the strictest conformity assessment (Module H or equivalent). CRACheck checks your product against both annexes.

Can the classification change after the product is on the market?

Yes. Articles 7 and 8 of Regulation (EU) 2024/2847 empower the European Commission to adopt delegated acts modifying the Annex III and Annex IV lists. If your product category is reclassified, you must update your conformity assessment. CRACheck allows regeneration during the licence window.

What conformity assessment modules exist under Annex VIII?

Module A: internal control (self-assessment). Module B: EU-type examination by a Notified Body. Module C: conformity to EU type. Module H: full quality assurance with Notified Body involvement. Default products use Module A. Class I uses Module A with harmonised standards, or Module B+C without them. Class II and Critical require Module B+C or H.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Annex III of Regulation (EU) 2024/2847 lists Important products in two classes. Annex IV lists Critical products. If you classify wrong, you either pay for a Notified Body you do not need or you self-assess a product that legally requires third-party evaluation under Article 32. CRACheck auto-classifies and generates all 8 documents for €149.

The Cyber Resilience Act divides products with digital elements into four categories: Default, Important Class I, Important Class II, and Critical. The classification is not discretionary — it follows the product lists in Annex III (Part I for Class I, Part II for Class II) and Annex IV. Default products use Module A (internal control). Important Class I can use Module A only with harmonised standards. Important Class II and Critical require Notified Body involvement. CRACheck runs your product through both annexes, determines the category, and generates the 8 compliance documents in 15–25 minutes at €149.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

4 categories

Default, Important Class I, Important Class II, Critical — each with a different conformity assessment path

Annex III

21+ product categories across two classes (firewalls, IDS, routers, OS, microcontrollers, smart meters, industrial IoT)

Art. 32

Conformity assessment procedures: Module A, Module B+C, Module H — determined by your product's classification

How CRACheck classifies your product

Enter your product details

Describe the product type, its function, connectivity, intended use, and the environment it operates in.

CRACheck scans Annex III & IV

The classifier cross-references your product against Part I (Class I) and Part II (Class II) of Annex III, plus Annex IV (Critical). If the product does not match any listed category, it defaults to the Default category.

Receive your classification

CRACheck outputs: the category, the specific Annex III or IV entry matched, and the resulting conformity assessment module under Art. 32 + Annex VIII.

Generate the full documentation

Based on your classification, CRACheck generates the 8-document package including the Technical Documentation per Art. 31 + Annex VII, tailored to your conformity assessment path.

Review and download

8 PDFs in a ZIP file. If your product is Important Class II or Critical, CRACheck flags the Notified Body requirement and documents the information the Notified Body will need from your file.

Common mistakes

❌

ANNEX III, PART I

"My product is a sensor, so it's Default."

Annex III, Part I includes smart home products with security functionalities, industrial IoT devices, and products intended for use by children. A sensor connected to a network, collecting data in a home or industrial environment, may fall under Class I depending on its function and intended use.

❌

ART. 32

"Class I and Class II only differ in severity — the compliance process is the same."

Class I products can self-assess under Module A if they apply harmonised standards covering all essential requirements. Class II products cannot — they require Module B+C (EU-type examination + production control) or Module H (full quality assurance) involving a Notified Body. The cost and timeline differ by an order of magnitude.

❌

ART. 7 + ART. 8

"We just pick the category that seems closest."

Articles 7 and 8 of Regulation (EU) 2024/2847 empower the European Commission to adopt delegated acts amending Annex III and IV. The categories are legally defined, not approximate. A misclassification discovered by a market surveillance authority triggers corrective measures and potential fines under Art. 64.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

The primary deliverable. Determines your product's category based on Annex III (Part I: Class I, Part II: Class II) and Annex IV (Critical). Outputs the exact Annex entry matched, the applicable conformity assessment module, and whether Notified Body involvement is required.

Technical Documentation

Art. 31 + Annex VII package tailored to your classification.

Risk Assessment

Annex I, Part I + Part II cybersecurity risk assessment. Depth influenced by product classification.

User Information

Annex II instructions. Same structure regardless of classification.

Declaration of Conformity

Art. 28 + Annex V. References the conformity assessment module used.

CVD Policy

Art. 13(6) coordinated vulnerability disclosure. Applies to all categories.

Notification Template

Art. 14 ENISA notification. Same structure for all categories. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Timelines including classification-specific milestones.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 REGULATORY CONSULTANCY

Classification review — €2,000–€8,000

2–6 weeks turnaround

Does not include documentation

If the product is reclassified, the review starts over

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history