EU Cyber Resilience Act
What is the CRA default category?
The default category is the Cyber Resilience Act’s baseline tier — the roughly 90% of products that are neither “important” (Annex III) nor “critical” (Annex IV). Default-category products can demonstrate conformity by self-assessment.
Default vs important vs critical
Default-category products use conformity assessment by internal control. Important products (Annex III, class I and II) face stricter routes — applying harmonised standards or third-party assessment. Critical products (Annex IV) may require EU cybersecurity certification.
Most SME software and connected products land in the default category, which is why self-assessment is the realistic path for them — provided the evidence is in order.
Key points
- Default = the baseline tier (~90% of products).
- Allows conformity assessment by internal control (self-assessment).
- Important (Annex III) and critical (Annex IV) follow stricter routes.
- Classification drives your obligations — confirm yours.
Frequently asked questions
- Is my product in the CRA default category?
- Most products are, unless they appear in the CRA’s important (Annex III) or critical (Annex IV) lists. Classify your product to confirm — the free readiness check does this.
Related
General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.