Back to Cyber Resilience ActCyber Resilience Act · Article 7

Critical products with digital elements

Plain-English explainer

Article 7 defines the highest-risk band: critical products listed in Annex IV. These products must be certified under European cybersecurity certification schemes (e.g. EUCC) before being placed on the market. The list is short and includes hardware devices with security-by-design functions, smartcards, secure elements, and similar.

What you must do

→ Check Annex IV — if listed, you must certify under an applicable EU cybersecurity scheme.
→ Engage with ENISA-recognised certification bodies early.

Official text

The authoritative text of Article 7 is published by the Publications Office of the European Union on EUR-Lex. We link directly to it rather than mirror it, so you always read the current consolidated version straight from the source.

Read Article 7 on EUR-Lex

Source: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). The only authentic version is the one published in the Official Journal of the European Union.

Tools that help you comply with this article

CRA Classification Checker

Regulation (EU) 2024/2847 (the Cyber Resilience Act) classifies products with digital elements into three bands — standard, Important (Class I/II), and Critical — each with different conformity assessment burdens. Misclassification is the most common CRA pitfall; most digital products qualify for CRA even when the team thinks only hardware does.