Implementing regulation clarifies product categories under CRA

Implementing Regulation (EU) 2025/2392 specifies the technical descriptions of important and critical products under the Cyber Resilience Act. Core functionality is decisive for classification.

The regulation closes interpretation gaps left by the CRA (Regulation (EU) 2024/2847). For manufacturers, correct classification of their products is crucial because it determines the conformity assessment procedure to be applied.

Key provisions

Core functionality as classification criterion

A product’s core functionality determines its classification, not the components embedded within it. A smartphone that includes an integrated password manager is therefore not classified as a password manager for the purposes of the CRA. Likewise, an operating system with an integrated browser remains an operating system and is not classified as a browser.

Comprehensive security assessment remains mandatory

Regardless of classification, manufacturers must carry out a comprehensive cybersecurity risk analysis in accordance with Article 13 of the CRA. The security of the entire product, including all integrated components, must be assessed.

AVA_VAN levels for hardware components

For tamper-resistant microcontrollers, microprocessors and secure elements, the regulation uses the AVA_VAN levels from Common Criteria. These serve as a common language to describe the required level of robustness (VAN.1 to VAN.5, with higher levels indicating stronger protection).

Manufacturers are not required to obtain Common Criteria certification; they may also demonstrate conformity through other evaluations or internal evidence.

Scope

The Implementing Regulation specifies the technical descriptions for all categories listed in Annex III (important products, classes I and II) and Annex IV (critical products) of the CRA. These include, among others, network components, security software, operating systems, smart home products, wearables, and hardware security components.

The complete list of product categories with their technical descriptions is set out in Annexes I and II of the regulation.

Relevance for manufacturers

Manufacturers should use the technical descriptions to determine whether their products qualify as important or critical. This classification determines the conformity assessment procedure to be applied in accordance with Article 32 of the CRA.

Irrespective of classification, there is an obligation to carry out a risk-based cybersecurity assessment under Article 13 of the CRA. Documentation should be prepared in good time ahead of the application date of 11 December 2027.

Conclusion

Implementing Regulation (EU) 2025/2392 clarifies the CRA’s product categories and reduces room for interpretation. The clarification that a product’s core functionality is decisive for classification, and the introduction of AVA_VAN levels for hardware components, are the key provisions.

