Introduction: Product Classification, the First Gate of CRA Compliance
When the EU Cyber Resilience Act (CRA) officially entered into force on December 12, 2024, countless product managers and compliance officers faced their first question: “What category does my product belong to?”
This question may seem simple, but it directly determines your compliance path, time costs, and financial investment. Classification errors can lead to:
- Choosing the wrong compliance module, wasting tens of thousands of euros
- Compliance cycles extended by months or even years
- Disrupted product launch plans
This article will help you master the core principles of CRA product classification, avoid common misconceptions, and choose the correct compliance starting point for your product.
I. Overview of CRA Product Classification System
The CRA establishes a four-tier product classification system, arranged from lowest to highest risk level:
Products with Digital Elements
├── Class I: Default → Most products
├── Class II: Important Class I → Annex III Part I
├── Class III: Important Class II → Annex III Part II
└── Class IV: Critical → Annex III Part III
These four categories have significant differences in compliance requirements:
| Category | Compliance Module | Notified Body | Time Cycle | Cost Range |
|---|---|---|---|---|
| Default | Module A | Not required | 8-10 weeks | €10K-25K |
| Important I | Module A/B+C | Case-dependent | 12-16 weeks | €35K-85K |
| Important II | Module B+C/H | Required | 16-24 weeks | €55K-150K |
| Critical | EUCC | Required | 15-18 months | €120K-350K+ |
Significant Cost Gap: There’s more than a 10x cost difference and over a year’s time difference between Default and Critical categories.
II. Core Principle: Default is the Rule, Important is the Exception
Understanding the CRA classification system requires firmly remembering one core principle:
Default is the rule, Important/Critical is the exception.
This principle embodies three key understandings:
2.1 Understanding 1: 90%+ of Products Belong to Default
The Default category is the CRA’s default classification. Any product not explicitly listed in Annex III should be presumed to be in the Default category. This is not a “minimum standard” but a “normal starting point.”
2.2 Understanding 2: Network Functions Don’t Trigger Classification Upgrades
Many product teams mistakenly believe that “having network connectivity” proves their product is in the Important category. This is a huge misconception.
Network connectivity, remote monitoring, and data processing are normal features of the Default category, not upgrade conditions. Even if your product has:
- Ethernet/WiFi/4G connectivity
- Cloud-based remote monitoring
- Data collection and analysis
These features still fall within the normal range of Default.
2.3 Understanding 3: Application Scenarios Don’t Determine Classification
Another common misconception is that products “used for critical infrastructure” are Critical.
Incorrect Understanding:
- “My energy storage system is used for the power grid, so it’s Critical”
- “My charging station is used for transportation networks, so it’s Important”
Correct Understanding:
- Application scenarios are unrelated to product classification
- Only products themselves listed in Annex III are considered for upgrades
- Energy storage systems used for power grids remain Default
III. Quick Decision Process: Three Steps to Determine Product Classification
The following process can help you quickly determine product classification:
Step 1: Default Assumption
Question: What category is this product?
Answer: ✅ Default Category (unless there's a special reason)
This is your starting point. Unless there’s a clear, regulation-based special reason, the product is Default.
Step 2: Special Reason Check
Consider upgrading classification only in extremely rare cases:
| Upgrade Condition | Assessment Points |
|---|---|
| Critical | Is the product itself a smart meter (with security functions) or hardware security module? |
| Important II | Is the product itself a security device like firewall/IDS/IPS/SIEM? |
| Important I | Is the product itself base software or network equipment like operating system/browser/router? |
Key Distinction: Is it “the product itself” or “integrated with/has”?
- Products integrating Linux operating system ≠ Operating system
- Products with network management functions ≠ Network equipment
- Products integrating firewall modules ≠ Security equipment
Step 3: Confirm Default
If the product’s primary function is any of the following → Default:
- Energy Storage (ESS)
- Inverting (Inverters)
- Charging (Charging Stations)
- Energy Management (EMS)
- Battery Management (BMS)
- Other industry application equipment
IV. Quick Assessment for Common Scenarios
Scenario 1: Products with Network Connectivity
| Product | Features | Classification | Reason |
|---|---|---|---|
| Energy Storage System | WiFi/Ethernet/4G connectivity | Default | Network connectivity is normal feature |
| Inverter | Ethernet connection to cloud | Default | Network connectivity is normal feature |
| Charging Station | 4G/LTE connectivity | Default | Network connectivity is normal feature |
| Energy Management System | Ethernet connectivity | Default | Network connectivity is normal feature |
Scenario 2: Products with Remote Monitoring
| Product | Features | Classification | Reason |
|---|---|---|---|
| Energy Storage System | Cloud remote monitoring | Default | Remote monitoring is normal feature |
| Inverter | Remote status monitoring | Default | Remote monitoring is normal feature |
| Charging Station | Remote charging monitoring | Default | Remote monitoring is normal feature |
Scenario 3: Products Processing Data
| Product | Features | Classification | Reason |
|---|---|---|---|
| Energy Storage System | Processing energy consumption data | Default | Operational data ≠ cybersecurity-specific data |
| Inverter | Processing power generation data | Default | Operational data ≠ cybersecurity-specific data |
| Charging Station | Processing charging data | Default | Operational data ≠ cybersecurity-specific data |
Scenario 4: Used for Critical Infrastructure
| Product | Features | Classification | Reason |
|---|---|---|---|
| Energy Storage System | Used for power grid | Default | Application scenario doesn’t determine classification |
| Inverter | Used for power grid | Default | Application scenario doesn’t determine classification |
| Charging Station | Used for transportation network | Default | Application scenario doesn’t determine classification |
Scenario 5: Products Integrating Security Components
| Product | Integrated Component | Classification | Reason |
|---|---|---|---|
| Energy Storage System | Integrated router module | Default | Product itself ≠ Router |
| Charging Station | Integrated firewall | Default | Product itself ≠ Firewall |
| Energy Management System | Integrated IDS/IPS | Default | Product itself ≠ IDS/IPS |
Scenario 6: Products with Authentication/Authorization Functions
| Product | Features | Classification | Reason |
|---|---|---|---|
| Energy Storage System | User login authentication | Default | Authentication is normal Default function |
| Inverter | Administrator authentication | Default | Authentication is normal Default function |
| Charging Station | RFID/NFC authentication | Default | Authentication is normal Default function |
Scenario 7: Products with Payment Functions
| Product | Primary Function | Auxiliary Function | Classification | Reason |
|---|---|---|---|---|
| Charging Station | Charging | Payment | Default | Charging is primary function |
| Payment Terminal | Payment | - | Important II | Payment is primary function |
| POS Machine | Payment | - | Important II | Payment is primary function |
Assessment Principle: Is payment the primary function or an auxiliary function?
V. Warnings About Common Classification Misconceptions
Misconception 1: “Has Network → Important”
Incorrect Understanding: The product has network connectivity, so it’s in the Important category.
Correct Understanding:
- Network connectivity is a normal feature of Default
- 90%+ of Default products have network connectivity
- Only “network infrastructure equipment” (like routers) themselves are Important
Misconception 2: “Used for Power Grid → Critical”
Incorrect Understanding: The product is used for critical infrastructure like power grids, so it’s Critical.
Correct Understanding:
- Application scenarios are unrelated to product classification
- Used for critical infrastructure ≠ Critical
- Only “smart meters (with security functions)” are explicitly listed as Critical
Misconception 3: “Integrated Router → Follow Router Classification”
Incorrect Understanding: The product integrates a component from the Important category, so it follows its classification.
Correct Understanding:
- Integrating Important products doesn’t follow classification
- Final product classification is based on the product’s own functions
- Integrating Linux doesn’t equal an operating system; integrating router modules doesn’t equal network equipment
Misconception 4: “Payment Function Makes Charging Stations Important”
Incorrect Understanding: Charging stations process payment data, so they’re Important.
Correct Understanding:
- Payment is an auxiliary function, charging is the primary function
- Payment data processing doesn’t constitute cybersecurity management functions
- Charging stations are not listed in Annex III
VI. Classification Decision Checklist
If you’re still hesitating, use the following checklist:
Default Category Confirmation Checklist
Confirm product is not in Annex III Part III:
- Product is not a smart meter with security functions
- Product is not a hardware security module with security functions
Confirm product is not in Annex III Part II:
- Product is not a security management system (SIEM, IDS/IPS)
- Product is not an identity and access management system
- Product does not manage other devices’ cybersecurity
Confirm product is not in Annex III Part I:
- Product is not an operating system
- Product is not network infrastructure equipment
- Product is not a cryptographic device
If all above are confirmed, the product is Default category.
VII. Compliance Path for Default Category
Once you’ve confirmed your product belongs to the Default category, you can choose the Module A compliance path:
Module A Requirements
| Item | Requirements |
|---|---|
| Technical Documentation | Prepared according to Annex VII requirements |
| Risk Assessment | Conduct cybersecurity risk assessment |
| Declaration of Conformity | Issue EU Declaration of Conformity |
| CE Marking | Affix CE marking |
Advantages of Module A
- No Notified Body Involvement: Self-declaration of conformity
- Controllable Costs: €10K-25K
- Shorter Cycle: 8-10 weeks
- High Flexibility: Compliance solutions can be customized according to product characteristics
VIII. Cost and Time Comparison
Choosing the correct classification affects not only compliance but also directly impacts cost and time:
| Comparison | Cost Savings | Time Savings |
|---|---|---|
| Default vs Important I | €25K-60K | 4-6 weeks |
| Default vs Important II | €45K-125K | 8-14 weeks |
| Default vs Critical | €110K-325K | 12-15 months |
Conclusion: Correct classification as Default can save significant resources for enterprises.
IX. Summary
The core principles of CRA product classification can be summarized as:
Three Principles to Remember
-
Default is the Rule, Not the Exception
- 90%+ of products are Default
-
Network Functions Don’t Trigger Upgrades
- Network, monitoring, data processing are normal Default features
-
Application Scenarios Don’t Determine Classification
- Used for critical infrastructure ≠ Critical
Three Common Errors
- ❌ “Has network → Important”
- ❌ “Used for power grid → Critical”
- ❌ “Integrated router → Follow router classification”
Three Correct Understandings
- ✅ “Energy storage/inverting/charging → Default”
- ✅ “Network connectivity/monitoring → Default normal features”
- ✅ “Recommend Module A → Save cost and time”
X. Common Questions
Q: What if I’m unsure about the classification?
A: Start with Default, unless the product clearly meets Important/Critical criteria. Incorrectly upgrading classification is more costly than incorrectly downgrading.
Q: What if customers require NB certification?
A: Explain that Default is fully compliant, and Module A meets CRA requirements. NB certification is not a necessary condition for the Default category.
Q: When can classification be upgraded?
A: Only consider upgrading classification when the product’s primary function itself is cybersecurity.
Q: How to judge “primary function”?
A: Look at the product’s design purpose: Energy storage? Inverting? Charging? If these, it’s Default. If cybersecurity management, consider Important/Critical.
Master the Default classification principles and choose the right compliance starting point for your product. Correct classification makes everything easier.