The EU Cyber Resilience Act (Regulation (EU) 2024/2847) sets mandatory cybersecurity requirements for almost every connected hardware and software product with digital elements sold in the EU. This checker maps your product to its CRA risk class and tells you which conformity-assessment route, security obligations and reporting deadlines apply.
How it works
The CRA classifies each product with digital elements into a risk tier, and the tier determines which conformity-assessment procedure you are allowed to use:
Default → self-assessment (Module A, internal control)
Important Class I → self-assessment only if harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise notified-body (third-party) assessment
Important Class II → notified-body (third-party) assessment is mandatory
Critical → treated like Class II (third-party assessment) unless a delegated act requires a European cybersecurity certificate at assurance level "substantial" or higher
Password managers, VPNs, browsers, antivirus, operating systems and home routers are Important Class I. Hypervisors and container runtimes, firewalls and intrusion detection/prevention systems, and tamper-resistant microprocessors and microcontrollers are Important Class II. Hardware security modules (hardware devices with security boxes), smart-meter gateways and secure-element smartcards are Critical. Every other in-scope product is Default.
Notes and example
A vendor shipping a password manager lands in Important Class I: it can self-assess only if it fully applies a relevant harmonised standard, common specification or certification scheme, otherwise it needs a notified body. Regardless of class, every in-scope manufacturer must build secure-by-design, place the product on the market without known exploitable vulnerabilities, provide free security updates for the support period (at least five years unless the product's expected use time is shorter), run a coordinated vulnerability-disclosure process, supply an SBOM in a machine-readable format covering at least top-level dependencies, and affix CE marking. Actively exploited vulnerabilities and severe incidents must be reported through the single reporting platform operated by ENISA to the designated CSIRT coordinator and ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days (one month for incidents). Note the timeline: the reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027. Treat the class lists as the Annex III/IV baseline; delegated acts can refine them, so confirm against the published regulation before finalising your compliance plan.