The European Commission has adopted Implementing Regulation (EU) 2025/2392, providing the technical descriptions for the categories of important and critical products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847).
The CRA establishes a tiered regulatory framework, whereby the required level of assurance depends on a product’s core functionality and the associated cybersecurity risks. Articles 7 and 8 of the CRA define two categories:
- Important products (Annex III) → stricter conformity assessment
- Critical products (Annex IV) → potential mandatory EU cybersecurity certification or third-party assessment
These classifications determine which conformity assessment pathways under Article 32 apply, and therefore directly influence the level of oversight a product must undergo before being placed on the EU market.
As required by Article 7(4) of the CRA, the Implementing Regulation provides practical guidance on the CRA’s classification framework by defining, in functional and technical terms, what constitutes an operating system, a firewall, a secure element, or any of the consumer-facing devices listed under Annex III and IV CRA. The technical descriptions therefore serve as the mechanism that ensures consistent classification, uniform application of Article 32, and effective implementation of the CRA’s risk-based conformity assessment framework.
Class I and Class II important product categories are elaborated through descriptions that specify which devices fall within Annex III. These include smart home virtual assistants, smart home security devices (such as smart door locks, cameras and baby monitors), internet-connected toys with interactive or location-tracking capabilities, and personal wearables designed for health monitoring or for use by children.
The Regulation enters into force 21 December 2025 and applies directly across the EU.
Full text is available here.