INFORMATION TECHNOLOGY

EU Commission: adopted Implementing Regulation (EU) 2025/2392 clarifying which products are "important" and "critical" under the Cyber Resilience Act.

With Implementing Regulation (EU) 2025/2392, the European Commission has taken a decisive step in the implementation of the Cyber Resilience Act (CRA), setting out in a timely manner which products fall into the "important" and "critical" risk categories.

Until now, the annexes of the CRA were limited to listing macro-categories such as "firewalls", "identity management systems" or "smart home devices", without a detailed technical definition. Manufacturers were therefore forced to interpret for themselves whether a given product should be placed in the basic risk level ("Default") or higher, with the obvious uncertainty about the type of conformity assessment to be applied.

Regulation 2025/2392 fills precisely this gap. For all 28 categories of products with digital elements that the CRA places in the three upper levels of risk – Class I important products, Class II important products and critical products – a precise technical description is now provided, which delimits the scope of application. Specifically, password managers are defined as software that stores, generates, and auto-fills credentials; smart home security products include smart locks, home video surveillance systems, baby monitors, alarm systems, and sensors that perform security functions; and industrial automation and control systems are Class II only when they are used by entities that qualify as essential entities within the meaning of the NIS 2 Directive.

These definitions are not a technical detail, but directly affect the applicable compliance regime. In fact, the CRA provides for four levels of risk: the Default level, to which the manufacturer's normal self-certification process applies, and three higher levels ("Important" Class I, "Important" Class II and "Critical") for which the assessment obligations are raised. For important Class I products, self-assessment is theoretically possible, but only if the manufacturer fully applies the relevant harmonised standards once they have been published. For important Class II products and critical products, on the other hand, self-certification is no longer allowed: a conformity assessment by a notified body is always required and, for critical products, the prospect of a European cybersecurity certification also opens up.

The new implementing regulation, which entered into force on 29 November 2025, also has the merit of better drawing the boundary for some families of industrial products, distinguishing between monitoring systems, which remain in a lower risk range, and safety control systems used by critical operators, which require a more stringent level of supervision. For manufacturers, the message is clear: you can no longer just consider your product as "off the radar" of the CRA based on generic evaluations. It is necessary to deal with the new technical definitions and verify which risk class each product actually falls into, and then set up the conformity assessment path and compliance strategy accordingly.
