Class I vs. Class II: How to Know Where Your Product Fits

The CRA introduces a two-tier system for “important” products with digital elements—Class I and Class II—as defined in Article 7 and detailed in Annex III of the regulation.

Understanding the distinction is crucial because it determines the type of conformity assessment required. In short: Class I allows more flexibility (often self-assessment), while Class II usually requires notified bodies.


Class I: Lower Impact, but Still Important

Class I includes products that:

  • Perform security functions, but in a more isolated or user-facing context.
  • Are less critical in terms of central control or large-scale impact.

Examples from Annex III, Class I:

  • Password managers
  • VPN clients
  • Smart card readers
  • Desktop antivirus software
  • Software firewalls for end-user devices

These products might protect a single user or device, but they’re not central to managing entire networks or infrastructures.

Conformity route: In most cases, you can apply internal control procedures as outlined in Article 32(2)(a).


Class II: High-Risk, Central Roles

Class II covers products that:

  • Are central to managing, controlling, or securing broader systems.
  • Pose a significant cybersecurity risk if compromised (per Article 7(2)).

Examples from Annex III, Class II:

  • Operating systems
  • Cloud hypervisors
  • Identity and access management systems
  • Network management controllers
  • Security Information and Event Management (SIEM) systems
  • Virtual private network (VPN) gateways used in enterprises

These tools usually affect multiple systems, users, or services. A failure here could cascade through entire infrastructures.

Conformity route: Requires a more rigorous assessment, such as:

  • Type examination + internal production control (Article 32(2)(b)), or
  • Full quality assurance procedures (Article 32(3)).

How to Determine Your Class

Ask yourself:

  1. Does your product match a listed category in Annex III?
  2. Does it perform a core function in cybersecurity (access control, intrusion detection, endpoint protection)?
  3. Could it be used in a way that impacts multiple other systems if compromised?

If you’re unsure or fall into a grey area, err on the side of Class II. It’s safer from a regulatory standpoint and aligns with the precautionary approach the Commission takes in Article 7(3).


Need help deciding?

Drop a short description of your product here and we can figure it out together. This is a critical step for selecting your conformity path, and getting it right upfront saves a lot of headaches later.

First of all, thank you for the many entries regarding CRA that you have recently created. I think this will help many of us and make life with CRA a little easier.
I use devices with Balena OS which have the following tasks:

  • Primary: machine control (CODESYS runtime)
  • Primary: HMI via directly connected display and input devices
  • Secondary: router, separation of the machine network from the customer’s network
  • Secondary: remote maintenance gateway (Balena tunnel) where certain ports are also forwarded to the machine network in order to access, e.g., frequency converters

The devices have two network interfaces, one for the machine network and the other for the customer network or Internet.

I would not find my product in Appendix III now, as the primary task is to control my machine. In addition, the secondary tasks are already covered by the standard functions of Balena and should therefore be included in the CE declaration of Balena, or am I wrong?

Hey @stephanp,

Thanks for your message. Nice to know you find this section useful.

  • Primary: machine control (CODESYS runtime)
  • Primary: HMI via directly connected display and input devices

Given the functionality, this is not in Annex III, so you should comply with the internal controls in Annex VI, cybersecurity requirements and vulnerability handling obligations in Annex I Parts I&II.

Besides, remember to check Recital 53 for the convergence with the machinery regulation to see if it applies to you and how these can be combined.

  • Secondary: router, separation of the machine network from the customer’s network
  • Secondary: remote maintenance gateway (Balena tunnel) where certain ports are also forwarded to the machine network in order to access, e.g., frequency converters

The way you are describing its role, I can match it to Annex III Class I.12: Routers, modems intended for the connection to the internet, and switches.

This could make your secondary product a Class I product because it’s its core functionality.

But balenaOS is assessed as an OS enabling different use cases, and we are not assessing it as a router directly because we can’t specify what a user will build on top of it: it is your configuration and services deployed that makes your product a router. And in any case, your product would still need its own CRA compliance, because it is a new digital product combining software and hardware components.

You can rely on balena’s Declaration of Conformity to make it the compliant OS on top of which you will build the routing or gateway functionalities. With balena you would comply with those requirements not related to routing (like security patches, vulnerabilities, software updates, etc.), but you would need to complement this with a Risk Assessment, etc., of the routing functions, and build your own declaration of conformity.

Finally, we are doing our best to help here, but please don’t take this as legal advice, but as our interpretation of the regulation. Would love to hear your thoughts around it so we can all clarify these kinds of things.

I think I have understood what you mean.

I agree with the following: my product is a machine that must comply with Regulation (EU) 2023/1230 as soon as it comes into force. This also involves a cyber security risk assessment and its own CRA compliance.

I’m not sure about the classification yet, I still have to go through this assessment and familiarize myself better. I will probably also hire an external consultant for this. In the meantime, the following:

My product does not integrate the core function of a router. I only forward some ports from one network interface to another. The configuration is static and can only be changed by me, the manufacturer of the machine, through a software update. See Recital 45.