Product Lists (Annex III & IV)
Overview
The Cyber Resilience Act (CRA) defines specific product categories in Annex III and Annex IV that are subject to special conformity assessment procedures. This page contains the complete lists of all product categories specified therein, including descriptions, required assessment procedures, and a relevance assessment for BAUER GROUP.
The classification logic (decision tree, assessment procedure per category) is described on the Product Classification page.
LEGAL BASIS
Art. 7 CRA defines the categories "Important products with digital elements" (Annex III) and "Critical products with digital elements" (Annex IV).
Art. 24(1)-(3) CRA establishes the conformity assessment procedures per category:
- Class I (Annex III Part I): Internal control (Module A) where harmonised standards are applied, otherwise EU type examination (Module B+C)
- Class II (Annex III Part II): EU type examination (Module B+C) or Comprehensive quality assurance (Module H)
- Critical (Annex IV): European cybersecurity certificate (EUCC) at assurance level "substantial" or higher
Art. 7(3) CRA empowers the Commission to adopt delegated acts amending Annexes III and IV.
Annex III -- Important Products with Digital Elements
Part I -- Class I
Class I products may be assessed via Internal control (Module A) where harmonised standards are applied in full. Without harmonised standards, an EU type examination (Module B+C) is required.
| No. | Product Category | Description | Conformity Module |
|---|---|---|---|
| 1 | Identity management systems and privileged access management software | Systems for managing digital identities and controlling privileged access rights (Privileged Access Management, PAM) | Module A* / B+C |
| 2 | Standalone and embedded browsers | Web browsers as standalone applications or as components embedded in other products | Module A* / B+C |
| 3 | Password managers | Software for the secure storage, management, and automatic entry of passwords and credentials | Module A* / B+C |
| 4 | Software that searches for, removes, or quarantines malicious software (antimalware) | Security software that detects, isolates, and removes malware | Module A* / B+C |
| 5 | Products with digital elements with the function of a virtual private network (VPN) | Products that provide virtual private network functionality | Module A* / B+C |
| 6 | Network management systems | Systems for monitoring, configuring, and managing network infrastructure | Module A* / B+C |
| 7 | Security information and event management (SIEM) systems | Systems for collecting, correlating, and analysing security-relevant events in real time | Module A* / B+C |
| 8 | Boot managers | Software that controls the start-up process of a system and enables selection of the operating system to be loaded | Module A* / B+C |
| 9 | Public key infrastructure and digital certificate issuance software | Software for managing cryptographic keys and for issuing, managing, and verifying digital certificates | Module A* / B+C |
| 10 | Physical and virtual network interfaces | Hardware and software network interfaces that enable communication within networks | Module A* / B+C |
| 11 | Operating systems | Software that manages the basic functions of a computer and enables the execution of applications | Module A* / B+C |
| 12 | Routers, modems intended for the connection to the internet, and switches | Network hardware intended for connecting to the internet, including routers, modems, and switches | Module A* / B+C |
| 13 | Microprocessors with security-related functionalities | Microprocessors that implement security-related functionalities | Module A* / B+C |
| 14 | Microcontrollers with security-related functionalities | Microcontrollers that implement security-related functionalities | Module A* / B+C |
| 15 | ASICs and FPGAs with security-related functionalities | Application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs) with security-related functionalities | Module A* / B+C |
| 16 | Smart home virtual assistants with general purpose | Voice-controlled or AI-based assistants for use in the smart home with general-purpose functionality | Module A* / B+C |
| 17 | Smart home products with security functionalities | Smart home products with security functionalities, including door locks, cameras, baby monitoring systems, and alarm systems | Module A* / B+C |
| 18 | Internet-connected toys with social interactive features or location tracking | Internet-connected toys covered by Directive 2009/48/EC with social interactive features or location tracking | Module A* / B+C |
| 19 | Personal wearable products for health monitoring purposes | Products worn on the body for monitoring health-related parameters | Module A* / B+C |
* Module A only where harmonised standards are applied in full or where the product conforms with EU cybersecurity certification
Part II -- Class II
Class II products require mandatory third-party assessment: EU type examination (Module B+C) or Comprehensive quality assurance (Module H).
| No. | Product Category | Description | Conformity Module |
|---|---|---|---|
| 1 | Hypervisors and container runtime systems supporting virtualised execution of operating systems | Hypervisors and container runtime systems that support the virtualised execution of operating systems | Module B+C / H |
| 2 | Firewalls, intrusion detection and/or prevention systems | Network security systems for monitoring, detecting, and preventing attacks and unauthorised access | Module B+C / H |
| 3 | Tamper-resistant microprocessors | Microprocessors with physical protection against tampering and readout (tamper-resistant) | Module B+C / H |
| 4 | Tamper-resistant microcontrollers | Microcontrollers with physical protection against tampering and readout (tamper-resistant) | Module B+C / H |
Annex IV -- Critical Products with Digital Elements
Critical products require a European cybersecurity certificate (EUCC) at assurance level "substantial" or higher.
| No. | Product Category | Description | Conformity Module |
|---|---|---|---|
| 1 | Hardware devices with security boxes (HSMs, smartcards, etc.) | Hardware security modules (HSMs), smartcards, and comparable devices that perform cryptographic operations in a protected environment | EUCC |
| 2 | Smartcard readers | Devices for reading and processing smartcard data for authentication, signature, or encryption | EUCC |
| 3 | Sensor and actuator components for robots and robot controllers (industrial applications) | Sensors and actuators used in robots and robot controllers for industrial applications | EUCC |
| 4 | Smart meters within the meaning of Article 2(23) of Directive (EU) 2019/944 | Electronic metering systems for measuring energy consumption under the Electricity Internal Market Directive | EUCC |
| 5 | All devices and software components belonging to Advanced Metering Infrastructure (AMI) | All devices and software that are part of the advanced metering infrastructure | EUCC |
Conformity Module Overview
| Product Category | Module A (Self) | Module B+C (Type) | Module H (Quality) | EUCC |
|---|---|---|---|---|
| Standard (not in Annex III/IV) | ✅ | - | - | - |
| Class I (Annex III Part I) | ✅* | ✅ | - | - |
| Class II (Annex III Part II) | - | ✅ | ✅ | - |
| Critical (Annex IV) | - | - | - | ✅ |
* Only where harmonised standards are applied in full
Detailed information on the individual modules:
- Internal control (Module A) -- Self-assessment
- EU type examination (Module B+C)
- Comprehensive quality assurance (Module H)
- European cybersecurity certificate (EUCC)
BAUER GROUP Relevance Assessment
The following tables assess the relevance of each product category from Annex III and IV for BAUER GROUP.
Annex III Part I -- Class I
| No. | Product Category | Relevance | Rationale |
|---|---|---|---|
| 1 | Identity management systems / PAM | To be assessed | If IAM solutions or PAM software are offered |
| 2 | Standalone and embedded browsers | Not relevant | BAUER GROUP does not manufacture browsers |
| 3 | Password managers | To be assessed | If credential management solutions are offered |
| 4 | Antimalware software | Not relevant | BAUER GROUP does not manufacture antimalware software |
| 5 | VPN products | To be assessed | If VPN functionality is integrated in products |
| 6 | Network management systems | To be assessed | If network monitoring tools are offered |
| 7 | SIEM systems | Not relevant | BAUER GROUP does not manufacture SIEM systems |
| 8 | Boot managers | Not relevant | BAUER GROUP does not manufacture boot managers |
| 9 | PKI and certificate issuance software | To be assessed | If certificate management solutions are offered |
| 10 | Physical and virtual network interfaces | To be assessed | If network components with firmware are manufactured |
| 11 | Operating systems | To be assessed | If OS-level products or embedded operating systems are offered |
| 12 | Routers, modems, switches | To be assessed | If network hardware with firmware is offered |
| 13 | Microprocessors (security-related) | To be assessed | If microprocessors with security functions are developed |
| 14 | Microcontrollers (security-related) | Relevant | ESP32/STM32 firmware with security-related functions |
| 15 | ASICs / FPGAs (security-related) | To be assessed | If ASICs or FPGAs with security functions are used |
| 16 | Smart home virtual assistants | Not relevant | BAUER GROUP does not manufacture smart home assistants |
| 17 | Smart home products with security functionalities | Not relevant | BAUER GROUP does not manufacture smart home security products |
| 18 | Internet-connected toys | Not relevant | BAUER GROUP does not manufacture toys |
| 19 | Health monitoring wearables | Not relevant | BAUER GROUP does not manufacture health wearables |
Annex III Part II -- Class II
| No. | Product Category | Relevance | Rationale |
|---|---|---|---|
| 1 | Hypervisors / container runtime | Not relevant | BAUER GROUP uses containers but does not offer a runtime |
| 2 | Firewalls / IDS / IPS | To be assessed | If security products with firewall/IDS functionality are offered |
| 3 | Tamper-resistant microprocessors | Not relevant | BAUER GROUP does not manufacture tamper-resistant processors |
| 4 | Tamper-resistant microcontrollers | Not relevant | BAUER GROUP does not manufacture tamper-resistant controllers |
Annex IV -- Critical
| No. | Product Category | Relevance | Rationale |
|---|---|---|---|
| 1 | HSMs, smartcards, etc. | Not relevant | BAUER GROUP uses HSMs but does not manufacture them |
| 2 | Smartcard readers | Not relevant | BAUER GROUP does not manufacture smartcard readers |
| 3 | Robot sensors and actuators (industrial) | To be assessed | If industrial robotics components are manufactured |
| 4 | Smart meters (Directive (EU) 2019/944) | To be assessed | If energy metering devices are manufactured |
| 5 | Advanced Metering Infrastructure (AMI) | To be assessed | If AMI components are manufactured |
Relevance Summary
| Relevance Status | Number of Categories |
|---|---|
| Relevant | 1 |
| To be assessed | 14 |
| Not relevant | 13 |
| Total | 28 |
RECOMMENDATION
The relevance assessment should be carried out individually for each BAUER GROUP product line and documented in the respective Product Description. The assessments in the tables above serve as initial guidance.
KEEP THIS LIST UPDATED
The product lists in Annex III and Annex IV may be amended by delegated acts of the European Commission pursuant to Art. 7(3) CRA. These lists must therefore be reviewed regularly for updates and compared against the currently applicable version of Regulation (EU) 2024/2847. Amendments may include the addition of new product categories as well as the reclassification of existing categories.
Next Steps
- Perform classification -- Use the decision tree on the Product Classification page
- Review relevance -- Compare each BAUER GROUP product against the lists above
- Determine assessment procedure -- Select the correct conformity module
- Document -- Record the classification in the Product Description
- Risk assessment -- Create a Risk Assessment for each classified product