Implementing regulation on the CRA clarifies product categories

Implementing Regulation (EU) 2025/2392 specifies the technical descriptions of important and critical products under the Cyber Resilience Act. Core functionality determines classification.

The regulation closes interpretative gaps left by the CRA (Regulation (EU) 2024/2847). For manufacturers, correct classification of their products is crucial, as it determines the conformity assessment procedure to be applied.

Key provisions

Core functionality as a classification criterion

A product's core functionality determines its classification, not its embedded components. A smartphone with an integrated password manager therefore does not become a password manager within the meaning of the CRA. Likewise, an operating system that includes a browser remains an operating system and is not classified as a browser.

Comprehensive security assessment remains mandatory

Regardless of classification, manufacturers must carry out a comprehensive cybersecurity risk analysis under Article 13 of the CRA. The security of the entire product, including all integrated components, must be assessed.

AVA_VAN levels for hardware components

For tamper-resistant microcontrollers, microprocessors and secure elements, the regulation uses the AVA_VAN levels from the Common Criteria. These serve as a common language to describe the required robustness level (VAN.1 to VAN.5, with higher levels indicating stronger protection).

Manufacturers are not required to carry out Common Criteria certification; they can also demonstrate conformity through other evaluations or internal evidence.

Scope

The implementing regulation specifies the technical descriptions for all categories listed in Annex III (important products, class I and II) and Annex IV (critical products) of the CRA. These include, among others, network components, security software, operating systems, smart home products, wearables, and hardware security components.

The complete list of product categories with their technical descriptions can be found in Annexes I and II of the regulation.

Relevance for manufacturers

Manufacturers should use the technical descriptions to check whether their products are to be classified as important or critical. This determines the conformity assessment procedure to be applied under Article 32 of the CRA.

Regardless of classification, there is an obligation to carry out a risk-based cybersecurity assessment under Article 13 of the CRA. Documentation should be prepared in good time before the application date on 11 December 2027.

Conclusion

Implementing Regulation (EU) 2025/2392 specifies the CRA's product categories and reduces interpretative leeway. The clarification that a product's core functionality is decisive for classification, and the introduction of AVA_VAN levels for hardware components, are the main provisions.

The new implementing regulation reduces interpretative leeway but does not automatically make correct classification easier. If you would like to understand how the CRA applies to your products and which next steps make sense, we can discuss this together in a non-binding conversation.
