Product Classification Record
LEGAL DOCUMENTATION
This record documents the CRA product classification decision. It must be completed before a product with digital elements is placed on the EU market and shall be retained for at least 10 years (Art. 13(12) CRA).
1. Product Identification
| Field | Value |
|---|---|
| Product Name | |
| Product Version | |
| Product Identifier | |
| Intended Purpose | |
| Product Owner | |
| Security Lead | |
| Assessment Date | |
2. Scope Assessment
| Question | Answer | Reference |
|---|---|---|
| Does the product contain digital elements (software, firmware, hardware with data connection)? | [ ] Yes / [ ] No | Art. 3(1) |
| Is the product made available on the EU market? | [ ] Yes / [ ] No | Art. 2(1) |
| Does any sectoral exemption apply (medical, automotive, aviation, marine, military)? | [ ] Yes / [ ] No | Art. 2(2) |
| Is this non-commercial open-source software? | [ ] Yes / [ ] No | Art. 18–19 |
Scope Result: [ ] CRA applicable / [ ] CRA not applicable
If not applicable, state reason: ___
3. Product Classification
3.1 Annex IV Check (Critical Products)
| Annex IV Category | Applicable? |
|---|---|
| Hardware security modules (HSM) | [ ] Yes / [ ] No |
| Smart cards and similar devices (incl. secure elements) | [ ] Yes / [ ] No |
| Smart card readers | [ ] Yes / [ ] No |
| Sensor and actuator components for robots and robot controllers | [ ] Yes / [ ] No |
| Smart meters (as defined in Directive 2019/944) | [ ] Yes / [ ] No |
Annex IV Result: [ ] Listed (→ Critical) / [ ] Not listed (→ continue)
3.2 Annex III Check (Important Products)
| Annex III Category | Class | Applicable? |
|---|---|---|
| Identity management systems and privileged access software | I | [ ] Yes / [ ] No |
| Standalone browsers | I | [ ] Yes / [ ] No |
| Password managers | I | [ ] Yes / [ ] No |
| Malware detection/removal/quarantine software | I | [ ] Yes / [ ] No |
| VPN products | I | [ ] Yes / [ ] No |
| Network management systems | I | [ ] Yes / [ ] No |
| SIEM systems | I | [ ] Yes / [ ] No |
| Boot managers | I | [ ] Yes / [ ] No |
| Firewalls, IDS/IPS (non-industrial) | I | [ ] Yes / [ ] No |
| Routers, modems for internet access | I | [ ] Yes / [ ] No |
| Microcontrollers with security functions | I | [ ] Yes / [ ] No |
| Operating systems (non-server/desktop) | I | [ ] Yes / [ ] No |
| Hypervisors and container runtimes | II | [ ] Yes / [ ] No |
| Firewalls, IDS/IPS (industrial) | II | [ ] Yes / [ ] No |
| Tamper-resistant microcontrollers/microprocessors | II | [ ] Yes / [ ] No |
| OS for servers, desktops, mobile | II | [ ] Yes / [ ] No |
| PKI and certificate issuers | II | [ ] Yes / [ ] No |
| Industrial automation and control systems (IACS) | II | [ ] Yes / [ ] No |
| Industrial IoT (not subject to other sectoral regulation) | II | [ ] Yes / [ ] No |
Annex III Result: [ ] Class II / [ ] Class I / [ ] Not listed (→ Standard)
3.3 Classification Result
| Field | Value |
|---|---|
| Product Class | [ ] Standard / [ ] Class I / [ ] Class II / [ ] Critical |
| Conformity Path | [ ] Module A / [ ] Module A + hEN / [ ] Module B+C / [ ] Module H / [ ] EUCC |
| Justification | |
4. Conformity Assessment Path
| Criterion | Decision |
|---|---|
| Are harmonised standards (hEN) fully applied? | [ ] Yes / [ ] No / [ ] N/A |
| Is third-party assessment required? | [ ] Yes / [ ] No |
| Selected assessment module | Module ___ |
| Notified body (if applicable) | |
5. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| Product Owner | | | |
| Security Lead | | | |
| Quality Manager | | | |
TIP
Use the Scope Checker for interactive guidance through the classification process.