The CRA classifies products into three main product categories.
1 - Default category
The first product category of the Cyber Resilience Act is a default category. All products that are not explicitly listed as either important or critical are in this category. It is estimated that this represents around 90% of all products with a digital element. For these products, compliance with the Cyber Resilience Act is done through a self-assessment.
2 - Important products
The second product category of the Cyber Resilience Act is important products. These are the products that present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects (in terms of its intensity and ability to damage the health, security, or safety of users of such products) and should undergo a stricter conformity assessment procedure.
The Cyber Resilience Act divides important products into two classes depending on their level of criticality: Class I and Class II. Class II products hold a higher level of criticality and are thus subject to more stringent compliance measures, including assessment by external third parties.
Note that the CRA defines a product as important if the exploitation of potential vulnerabilities can have severe consequences and impact the whole product value chain.
Let’s explore the distinctions between these two classes and the types of products they encompass.
Class I
Class I products encompass essential functionalities but are deemed less critical compared to Class II counterparts. Despite this, they still require adherence to cybersecurity standards.
Examples of Class I products include:
- Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers;
- Standalone and embedded browsers;
- Password managers;
- Software that searches for, removes, or quarantines malicious software;
- Products with digital elements with the function of virtual private network (VPN);
- Network management systems;
- Security information and event management (SIEM) systems;
- Boot managers;
- Public key infrastructure and digital certificate issuance software;
- Physical and virtual network interfaces;
- Operating systems;
- Routers, modems intended for the connection to the internet, and switches;
- Microprocessors with security-related functionalities;
- Microcontrollers with security-related functionalities;
- Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities;
- Smart home general purpose virtual assistants;
- Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems;
- Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council that have social interactive features (e.g. speaking or filming) or that have location tracking features;
- Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply, or personal wearable products that are intended for the use by and for children.
Class II
Class II products represent a higher level of criticality and thus require more rigorous compliance measures, including assessment by external third parties.
These products include:
- Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments;
- Firewalls, intrusion detection and/or prevention systems intended for industrial use;
- Tamper-resistant microprocessors;
- Tamper-resistant microcontrollers.
3 - Critical products
The third product category of the Cyber Resilience Act (CRA) is critical products. These products have a cybersecurity-related functionality and perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or damage many other products with digital elements through direct manipulation.
These products include:
- Hardware devices with security boxes;
- Smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure cryptoprocessing;
- Smartcards or similar devices, including secure elements.
These products, due to their criticality, already widely use various forms of certification, and are also covered by the European Common Criteria-based cybersecurity certification scheme (EUCC).




