Implementing regulation for the CRA clarifies product categories

Implementing Regulation (EU) 2025/2392 specifies the technical descriptions of important and critical products under the Cyber Resilience Act. Core functionality determines classification.

Key provisions

Core functionality as classification criterion

A product's core functionality determines its classification, not the components embedded within it. A smartphone that includes a password manager, for example, is not considered a password manager under the CRA. Likewise, an operating system with an integrated browser remains an operating system and is not classified as a browser.

Comprehensive security assessment remains mandatory

Regardless of classification, manufacturers must perform a comprehensive cybersecurity risk analysis in accordance with Article 13 of the CRA. This assessment must evaluate the security of the entire product, including all integrated components.

AVA_VAN levels for hardware components

For tamper-resistant microcontrollers, microprocessors and secure elements, the regulation uses the AVA_VAN levels from the Common Criteria. These levels serve as a common language to describe the required robustness (VAN.1 to VAN.5, with higher levels indicating stronger protection).

Manufacturers are not required to obtain Common Criteria certification; they may also demonstrate conformity through other evaluations or internal evidence.

Scope

The implementing regulation specifies the technical descriptions for all categories listed in Annex III (important products, classes I and II) and Annex IV (critical products) of the CRA. These include, among others, network components, security software, operating systems, smart home products, wearables and hardware security components.

The full list of product categories with their technical descriptions can be found in Annexes I and II of the regulation.

Relevance for manufacturers

Manufacturers should use the technical descriptions to determine whether their products qualify as important or critical. That classification determines the conformity assessment procedure to be applied under Article 32 of the CRA.

Independent of classification, there is an obligation to carry out a risk-based cybersecurity assessment in accordance with Article 13 of the CRA. Documentation should be prepared in good time before the application date of 11 December 2027.

Conclusion

Implementing Regulation (EU) 2025/2392 clarifies the CRA's product categories and reduces interpretive leeway. Its main provisions are the clarification that a product's core functionality is decisive for classification and the introduction of AVA_VAN levels for hardware components.

The new implementing regulation reduces room for interpretation but does not automatically make correct classification easy. If you want to understand how the CRA applies to your products and which next steps make sense, we can discuss this together in a non-binding conversation.

