Cyber Resilience Act: Technical Descriptions for Important and Critical Products Are Published

The European Commission has adopted Implementing Regulation (EU) 2025/2392, providing the technical descriptions for the categories of important and critical products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847).

The CRA establishes a tiered regulatory framework, whereby the required level of assurance depends on a product’s core functionality and the associated cybersecurity risks. Articles 7 and 8 of the CRA define two categories:

  • Important products (Annex III) → stricter conformity assessment
  • Critical products (Annex IV) → potential mandatory EU cybersecurity certification or third-party assessment

These classifications determine which conformity assessment pathways under Article 32 apply, and therefore directly influence the level of oversight a product must undergo before being placed on the EU market.

As required by Article 7(4) of the CRA, the Implementing Regulation provides practical guidance on the CRA’s classification framework by defining, in functional and technical terms, what constitutes an operating system, a firewall, a secure element, or any of the consumer-facing devices listed under Annex III and IV CRA. The technical descriptions therefore serve as the mechanism that ensures consistent classification, uniform application of Article 32, and effective implementation of the CRA’s risk-based conformity assessment framework.

Class I and Class II important product categories are elaborated through descriptions that specify which devices fall within Annex III. These include smart home virtual assistants, smart home security devices (such as smart door locks, cameras and baby monitors), internet-connected toys with interactive or location-tracking capabilities, and personal wearables designed for health monitoring or for use by children.

The Regulation enters into force 21 December 2025 and applies directly across the EU.

Full text is available here

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure