European Commission adopts CRA implementing regulation on product risk categories
On 28 November 2025, the European Commission adopted the first implementing regulation under the Cyber Resilience Act (CRA), finalizing the detailed product classification that underpins the CRA’s risk‑based regime. The CRA applies to manufacturers of “products with digital elements” (PDEs) placed on the EU market, covering a broad spectrum of hardware and software, including IoT devices, components and certain standalone software. While all in‑scope PDEs must meet the CRA’s essential cybersecurity requirements, the new measure clarifies which products are treated as default, important (class I or class II) or critical for the purposes of conformity assessment.
The regulation confirms that most PDEs will fall into the default (lowest risk) category, for which manufacturers may self‑assess conformity. However, it also refines the descriptions of the “important” and “critical” classes, which trigger stricter assessment routes, including enhanced technical documentation, third‑party involvement and more intensive testing. In practice, important class I products may still be self‑assessed where the manufacturer fully applies the relevant harmonised standards, common specifications or certification schemes; important class II and critical products require a notified body, and critical products may additionally be made subject to mandatory European cybersecurity certification. These categorizations are central to manufacturers’ compliance strategies, as they determine the applicable conformity assessment modules and the extent of pre‑market scrutiny.
For “important” products, the Commission provides detailed guidance. “Smart home general purpose virtual assistants” in important class I are defined as PDEs whose core functionality is to communicate over the public internet, process tasks or questions based on natural language prompts (audio or written) and provide access to other services or control connected devices in a residential context. This category covers, for example, smart speakers with integrated virtual assistants and standalone virtual assistant software. In important class II, “firewalls” are described as PDEs that protect connected networks or systems from unauthorised access by monitoring and restricting data traffic, including network firewalls, web application firewalls, filters and anti‑spam gateways.
At the critical end of the spectrum, the regulation identifies “hardware devices with security boxes” as PDEs that securely store, process or manage sensitive data or perform cryptographic operations, consisting of multiple discrete components within a protected physical envelope that offers tamper evidence, tamper resistance or tamper response against physical attacks. Examples include physical payment terminals and hardware security modules used to generate and manage cryptographic keys. Similar descriptions and examples are provided for other categories such as internet‑connected toys, wearable health‑monitoring devices and password managers. Manufacturers intending to place PDEs on the EU market should assess, without delay, how their product portfolios map onto these categories to anticipate the applicable CRA obligations and adapt design, documentation and conformity assessment processes accordingly, bearing in mind that the CRA’s vulnerability and incident reporting duties apply from 11 September 2026 and the remaining obligations from 11 December 2027.