EU Cyber Resilience Act

What is the CRA default category?

The default category is the Cyber Resilience Act’s baseline tier — the roughly 90% of products that are neither “important” (Annex III) nor “critical” (Annex IV). Default-category products can demonstrate conformity by self-assessment.

Default vs important vs critical

Default-category products use conformity assessment by internal control. Important products (Annex III, class I and II) face stricter routes — applying harmonised standards or third-party assessment. Critical products (Annex IV) may require EU cybersecurity certification.

Most SME software and connected products land in the default category, which is why self-assessment is the realistic path for them — provided the evidence is in order.

Key points

  • Default = the baseline tier (~90% of products).
  • Allows conformity assessment by internal control (self-assessment).
  • Important (Annex III) and critical (Annex IV) follow stricter routes.
  • Classification drives your obligations — confirm yours.

Frequently asked questions

Is my product in the CRA default category?
Most products are, unless they appear in the CRA’s important (Annex III) or critical (Annex IV) lists. Classify your product to confirm — the free readiness check does this.

Related

General information about the EU Cyber Resilience Act — not legal advice. Normproof provides tooling and audit-ready evidence; the manufacturer self-declares conformity. For your specific product, run the free readiness check or consult a qualified advisor.

See exactly what the CRA requires for your product.

Run the free readiness check — your category, obligations, and deadlines in 60 seconds.