CRA Software Categories: Default, Important, or Critical? Here's What It Means.

Not all software is treated the same under the Cyber Resilience Act. The CRA groups products with digital elements into categories based on their potential cybersecurity risk. This affects how you prove you're compliant.

Default Category (Most Software)

If your game, app, or non-critical software component isn't specifically listed as "important" or "critical," it falls here. For these, you'll generally perform a self-assessment (internal control procedure, also known as Module A) to declare conformity (Article 32 Paragraph 1; Annex VIII Part I). This involves creating technical documentation and an EU declaration of conformity.

Important Products with Digital Elements (Annex III)

These are products that could cause significant disruption or harm if compromised. Think identity management software, operating systems, browsers, VPNs, or smart home security devices (Article 7 Paragraph 2; Annex III).

Class I (e.g., Operating Systems, Browsers, Password Managers)

If you fully apply specific EU-recognized standards or certifications, you might still do a self-assessment. If not, you'll need a third-party conformity assessment (Article 32 Paragraph 2).

Class II (e.g., Firewalls, Hypervisors)

These always require a third-party conformity assessment from a Notified Body (Article 32 Paragraph 3).

Critical Products with Digital Elements (Annex IV)

This is the highest risk category, covering things like certain hardware security modules or smartcard software (Article 8; Annex IV). These products will likely require mandatory European cybersecurity certification in the future. If such a certification isn't yet specified for them, they follow the stricter third-party assessment rules similar to Class II important products (Article 8 Paragraph 1; Article 32 Paragraph 4).

Key Takeaway

For most typical game and app developers focused on non-critical software, the self-assessment route will be the primary concern. But always check if your product's core function matches anything in Annex III.