CRA Scope & Classification

CRA Classification Tool

Does your product fall under the CRA — and if so, in which risk class? Use the decision tree below to determine your conformity route in a few steps.

The CRA classifies products by risk, and each class has its own route to market — from a simple self-assessment to a mandatory external audit. Getting it wrong costs months of lead time and money.

Whether you're in scope hinges on two questions: does your product have digital elements (software or firmware), and do you place it on the European market? If the answer is yes to both, the CRA applies — whether you are a manufacturer, importer or distributor. Only pure SaaS services and products already covered by sector-specific legislation (such as medical devices under the MDR) are exempt. Use the tool below to find out exactly where your product stands:

Phase 1: In or out of scope

1. Does your software or product fall under other specific EU legislation that already sets cybersecurity requirements?

MDR (medical), motor vehicles, civil aviation and defence have sector-specific laws that take precedence.

The four risk classes

The decision tree always ends in one of four classes. Here is what each class means for your route to market — from light to heavy:

Default category

Around 90% of all software. A self-assessment (Module A) suffices: you compile a technical file and an SBOM, without an external audit.

Important — Class I

VPNs, password managers, identity management, browsers. Self-assessment is allowed, provided you fully apply the harmonised EU standards — otherwise a notified body is required.

Important — Class II

Firewalls, IDS/IPS, hypervisors. An external audit by a notified body is always required, even when the standards are fully applied.

Critical

Smart meter gateways, hardware security modules (HSMs), smart cards. Mandatory certification via a European scheme (EUCC) with an external audit.

The difference between these classes is no formality. Where the default category can rely on an internal self-assessment, a notified-body track — mandatory from Class II — quickly demands months of lead time, external audit costs and tight release planning. Unsure between two classes? Have the assessment reviewed up front: an under-classification only surfaces at the audit, when course-correcting is expensive.

Real-World Scenarios & Cases

Theory is one thing; in practice the devil is in the details. Three situations we frequently encounter:

B2B SaaS Platforms

Pure SaaS (browser-only) falls outside the CRA product requirements. But as soon as your customer downloads an app or local agent to connect, that app and its backend do fall under the CRA.

The Importer Trap

Do you source systems from outside the EU and white-label them with your own logo? Then the CRA redefines your role as manufacturer: you carry full responsibility for security patches and the SBOM.

Class I & II Software

For important/critical software (VPNs, password managers, identity management) heavy rules apply. An external audit by a notified body is often required, so it has to be built into your release planning from the start.

Still unsure about your obligations?

The decision tree shows the route; the free Quickscan tests how far along you are. Or build it all step by step in the 4-week Survival Challenge.