Back to Cyber Resilience ActCyber Resilience Act · Article 6

Important products with digital elements

Plain-English explainer

Article 6 introduces the 'important' product category — Class I and Class II — listed in Annex III. Important products carry stricter conformity assessment requirements than standard products. Class I includes things like password managers, network management tools, and identity management systems. Class II adds more critical functions such as hypervisors, public-key infrastructure, and certain industrial control systems. The Commission can update Annex III by delegated act.

What you must do

→ Check Annex III to determine whether your product is Class I or Class II.
→ Apply the correct conformity assessment route for your class (Article 32).

Official text

The authoritative text of Article 6 is published by the Publications Office of the European Union on EUR-Lex. We link directly to it rather than mirror it, so you always read the current consolidated version straight from the source.

Read Article 6 on EUR-Lex

Source: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). The only authentic version is the one published in the Official Journal of the European Union.

Tools that help you comply with this article

CRA Classification Checker

Regulation (EU) 2024/2847 (the Cyber Resilience Act) classifies products with digital elements into three bands — standard, Important (Class I/II), and Critical — each with different conformity assessment burdens. Misclassification is the most common CRA pitfall; most digital products qualify for CRA even when the team thinks only hardware does.