Cybersecurity

CRA Product Classification Made Simple: A Visual Guide to Determine Your Product Category

Product classification is the first step in CRA compliance. Master the Default classification principles and choose the right compliance path for your product.

11 min read
CRA Product Classification Made Simple: A Visual Guide to Determine Your Product Category

Introduction: Product Classification, the First Gate of CRA Compliance

When the EU Cyber Resilience Act (CRA) officially entered into force on December 12, 2024, countless product managers and compliance officers faced their first question: “What category does my product belong to?”

This question may seem simple, but it directly determines your compliance path, time costs, and financial investment. Classification errors can lead to:

  • Choosing the wrong compliance module, wasting tens of thousands of euros
  • Compliance cycles extended by months or even years
  • Disrupted product launch plans

This article will help you master the core principles of CRA product classification, avoid common misconceptions, and choose the correct compliance starting point for your product.


I. Overview of CRA Product Classification System

The CRA establishes a four-tier product classification system, arranged from lowest to highest risk level:

Products with Digital Elements
├── Class I: Default              → Most products
├── Class II: Important Class I    → Annex III Part I
├── Class III: Important Class II   → Annex III Part II
└── Class IV: Critical             → Annex III Part III

These four categories have significant differences in compliance requirements:

CategoryCompliance ModuleNotified BodyTime CycleCost Range
DefaultModule ANot required8-10 weeks€10K-25K
Important IModule A/B+CCase-dependent12-16 weeks€35K-85K
Important IIModule B+C/HRequired16-24 weeks€55K-150K
CriticalEUCCRequired15-18 months€120K-350K+

Significant Cost Gap: There’s more than a 10x cost difference and over a year’s time difference between Default and Critical categories.


II. Core Principle: Default is the Rule, Important is the Exception

Understanding the CRA classification system requires firmly remembering one core principle:

Default is the rule, Important/Critical is the exception.

This principle embodies three key understandings:

2.1 Understanding 1: 90%+ of Products Belong to Default

The Default category is the CRA’s default classification. Any product not explicitly listed in Annex III should be presumed to be in the Default category. This is not a “minimum standard” but a “normal starting point.”

2.2 Understanding 2: Network Functions Don’t Trigger Classification Upgrades

Many product teams mistakenly believe that “having network connectivity” proves their product is in the Important category. This is a huge misconception.

Network connectivity, remote monitoring, and data processing are normal features of the Default category, not upgrade conditions. Even if your product has:

  • Ethernet/WiFi/4G connectivity
  • Cloud-based remote monitoring
  • Data collection and analysis

These features still fall within the normal range of Default.

2.3 Understanding 3: Application Scenarios Don’t Determine Classification

Another common misconception is that products “used for critical infrastructure” are Critical.

Incorrect Understanding:

  • “My energy storage system is used for the power grid, so it’s Critical”
  • “My charging station is used for transportation networks, so it’s Important”

Correct Understanding:

  • Application scenarios are unrelated to product classification
  • Only products themselves listed in Annex III are considered for upgrades
  • Energy storage systems used for power grids remain Default

III. Quick Decision Process: Three Steps to Determine Product Classification

The following process can help you quickly determine product classification:

Step 1: Default Assumption

Question: What category is this product?
Answer: ✅ Default Category (unless there's a special reason)

This is your starting point. Unless there’s a clear, regulation-based special reason, the product is Default.

Step 2: Special Reason Check

Consider upgrading classification only in extremely rare cases:

Upgrade ConditionAssessment Points
CriticalIs the product itself a smart meter (with security functions) or hardware security module?
Important IIIs the product itself a security device like firewall/IDS/IPS/SIEM?
Important IIs the product itself base software or network equipment like operating system/browser/router?

Key Distinction: Is it “the product itself” or “integrated with/has”?

  • Products integrating Linux operating system ≠ Operating system
  • Products with network management functions ≠ Network equipment
  • Products integrating firewall modules ≠ Security equipment

Step 3: Confirm Default

If the product’s primary function is any of the following → Default:

  • Energy Storage (ESS)
  • Inverting (Inverters)
  • Charging (Charging Stations)
  • Energy Management (EMS)
  • Battery Management (BMS)
  • Other industry application equipment

IV. Quick Assessment for Common Scenarios

Scenario 1: Products with Network Connectivity

ProductFeaturesClassificationReason
Energy Storage SystemWiFi/Ethernet/4G connectivityDefaultNetwork connectivity is normal feature
InverterEthernet connection to cloudDefaultNetwork connectivity is normal feature
Charging Station4G/LTE connectivityDefaultNetwork connectivity is normal feature
Energy Management SystemEthernet connectivityDefaultNetwork connectivity is normal feature

Scenario 2: Products with Remote Monitoring

ProductFeaturesClassificationReason
Energy Storage SystemCloud remote monitoringDefaultRemote monitoring is normal feature
InverterRemote status monitoringDefaultRemote monitoring is normal feature
Charging StationRemote charging monitoringDefaultRemote monitoring is normal feature

Scenario 3: Products Processing Data

ProductFeaturesClassificationReason
Energy Storage SystemProcessing energy consumption dataDefaultOperational data ≠ cybersecurity-specific data
InverterProcessing power generation dataDefaultOperational data ≠ cybersecurity-specific data
Charging StationProcessing charging dataDefaultOperational data ≠ cybersecurity-specific data

Scenario 4: Used for Critical Infrastructure

ProductFeaturesClassificationReason
Energy Storage SystemUsed for power gridDefaultApplication scenario doesn’t determine classification
InverterUsed for power gridDefaultApplication scenario doesn’t determine classification
Charging StationUsed for transportation networkDefaultApplication scenario doesn’t determine classification

Scenario 5: Products Integrating Security Components

ProductIntegrated ComponentClassificationReason
Energy Storage SystemIntegrated router moduleDefaultProduct itself ≠ Router
Charging StationIntegrated firewallDefaultProduct itself ≠ Firewall
Energy Management SystemIntegrated IDS/IPSDefaultProduct itself ≠ IDS/IPS

Scenario 6: Products with Authentication/Authorization Functions

ProductFeaturesClassificationReason
Energy Storage SystemUser login authenticationDefaultAuthentication is normal Default function
InverterAdministrator authenticationDefaultAuthentication is normal Default function
Charging StationRFID/NFC authenticationDefaultAuthentication is normal Default function

Scenario 7: Products with Payment Functions

ProductPrimary FunctionAuxiliary FunctionClassificationReason
Charging StationChargingPaymentDefaultCharging is primary function
Payment TerminalPayment-Important IIPayment is primary function
POS MachinePayment-Important IIPayment is primary function

Assessment Principle: Is payment the primary function or an auxiliary function?


V. Warnings About Common Classification Misconceptions

Misconception 1: “Has Network → Important”

Incorrect Understanding: The product has network connectivity, so it’s in the Important category.

Correct Understanding:

  • Network connectivity is a normal feature of Default
  • 90%+ of Default products have network connectivity
  • Only “network infrastructure equipment” (like routers) themselves are Important

Misconception 2: “Used for Power Grid → Critical”

Incorrect Understanding: The product is used for critical infrastructure like power grids, so it’s Critical.

Correct Understanding:

  • Application scenarios are unrelated to product classification
  • Used for critical infrastructure ≠ Critical
  • Only “smart meters (with security functions)” are explicitly listed as Critical

Misconception 3: “Integrated Router → Follow Router Classification”

Incorrect Understanding: The product integrates a component from the Important category, so it follows its classification.

Correct Understanding:

  • Integrating Important products doesn’t follow classification
  • Final product classification is based on the product’s own functions
  • Integrating Linux doesn’t equal an operating system; integrating router modules doesn’t equal network equipment

Misconception 4: “Payment Function Makes Charging Stations Important”

Incorrect Understanding: Charging stations process payment data, so they’re Important.

Correct Understanding:

  • Payment is an auxiliary function, charging is the primary function
  • Payment data processing doesn’t constitute cybersecurity management functions
  • Charging stations are not listed in Annex III

VI. Classification Decision Checklist

If you’re still hesitating, use the following checklist:

Default Category Confirmation Checklist

Confirm product is not in Annex III Part III:

  • Product is not a smart meter with security functions
  • Product is not a hardware security module with security functions

Confirm product is not in Annex III Part II:

  • Product is not a security management system (SIEM, IDS/IPS)
  • Product is not an identity and access management system
  • Product does not manage other devices’ cybersecurity

Confirm product is not in Annex III Part I:

  • Product is not an operating system
  • Product is not network infrastructure equipment
  • Product is not a cryptographic device

If all above are confirmed, the product is Default category.


VII. Compliance Path for Default Category

Once you’ve confirmed your product belongs to the Default category, you can choose the Module A compliance path:

Module A Requirements

ItemRequirements
Technical DocumentationPrepared according to Annex VII requirements
Risk AssessmentConduct cybersecurity risk assessment
Declaration of ConformityIssue EU Declaration of Conformity
CE MarkingAffix CE marking

Advantages of Module A

  • No Notified Body Involvement: Self-declaration of conformity
  • Controllable Costs: €10K-25K
  • Shorter Cycle: 8-10 weeks
  • High Flexibility: Compliance solutions can be customized according to product characteristics

VIII. Cost and Time Comparison

Choosing the correct classification affects not only compliance but also directly impacts cost and time:

ComparisonCost SavingsTime Savings
Default vs Important I€25K-60K4-6 weeks
Default vs Important II€45K-125K8-14 weeks
Default vs Critical€110K-325K12-15 months

Conclusion: Correct classification as Default can save significant resources for enterprises.


IX. Summary

The core principles of CRA product classification can be summarized as:

Three Principles to Remember

  1. Default is the Rule, Not the Exception

    • 90%+ of products are Default
  2. Network Functions Don’t Trigger Upgrades

    • Network, monitoring, data processing are normal Default features
  3. Application Scenarios Don’t Determine Classification

    • Used for critical infrastructure ≠ Critical

Three Common Errors

  1. ❌ “Has network → Important”
  2. ❌ “Used for power grid → Critical”
  3. ❌ “Integrated router → Follow router classification”

Three Correct Understandings

  1. ✅ “Energy storage/inverting/charging → Default”
  2. ✅ “Network connectivity/monitoring → Default normal features”
  3. ✅ “Recommend Module A → Save cost and time”

X. Common Questions

Q: What if I’m unsure about the classification?

A: Start with Default, unless the product clearly meets Important/Critical criteria. Incorrectly upgrading classification is more costly than incorrectly downgrading.

Q: What if customers require NB certification?

A: Explain that Default is fully compliant, and Module A meets CRA requirements. NB certification is not a necessary condition for the Default category.

Q: When can classification be upgraded?

A: Only consider upgrading classification when the product’s primary function itself is cybersecurity.

Q: How to judge “primary function”?

A: Look at the product’s design purpose: Energy storage? Inverting? Charging? If these, it’s Default. If cybersecurity management, consider Important/Critical.


Master the Default classification principles and choose the right compliance starting point for your product. Correct classification makes everything easier.

Tags

#cybersecurity #CRA #product-classification #compliance #Default