1. Important Products
These are the products that present a higher cybersecurity risk because they perform a function which carries a significant risk of adverse effects (in terms of its intensity and its ability to damage the health, security, or safety of users of such products), and they should therefore undergo a stricter conformity assessment procedure.
The Cyber Resilience Act classes important products in two categories depending on their level of criticality: Class I and Class II. Class II products hold a higher level of criticality and are thus subject to more stringent compliance measures, including assessment by external third parties.
Note that the CRA defines a product as important if the exploitation of potential vulnerabilities can have severe consequences and affect the whole product value chain.
Let’s explore the distinctions between these two classes and the types of products they encompass.
Class I
Class I products encompass essential functionalities but are deemed less critical than their Class II counterparts. Products in Class I must either have an accredited third-party lab certify that they meet the requirements of the CRA, or demonstrate that they already comply with another standard whose requirements have been harmonised with the CRA.
Examples of Class I products include:
- Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers
- Standalone and embedded browsers
- Password managers
- Software that searches for, removes, or quarantines malicious software
- Products with digital elements with the function of virtual private network (VPN)
- Network management systems
- Security information and event management (SIEM) systems
- Boot managers
- Public key infrastructure and digital certificate issuance software
- Physical and virtual network interfaces
- Operating systems
- Routers, modems intended for the connection to the internet, and switches
- Microprocessors with security-related functionalities
- Microcontrollers with security-related functionalities
- Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
- Smart home general purpose virtual assistants
- Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
- Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council that have social interactive features (e.g. speaking or filming) or that have location tracking features
- Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply, or personal wearable products that are intended for the use by and for children
Class II
Class II products represent a higher level of criticality and thus require more rigorous compliance certification, including assessment by external third parties.
These products include:
- Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments
- Firewalls, intrusion detection and/or prevention systems intended for industrial use
- Tamper-resistant microprocessors
- Tamper-resistant microcontrollers
2. Critical Products
These products possess cybersecurity-related functionalities and carry a significant risk of causing adverse effects, because of their potential to disrupt, control, or damage numerous other products with digital elements through direct manipulation.
Examples of such products include:
- Hardware devices with security boxes
- Smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure cryptoprocessing
- Smartcards or similar devices, including secure elements
Given their critical nature, these products already commonly undergo various forms of certification. Under the CRA, they are explicitly required to obtain certification under the EUCC certification scheme at a 'substantial' assurance level, as defined by the EU Cybersecurity Act.
3. Default Category
All products that are not explicitly listed as either important or critical fall into this category. It is estimated that this represents around 90% of all products with digital elements. For these products, compliance with the Cyber Resilience Act is demonstrated through self-assessment.