On December 1, 2025, the European Commission officially published the implementing regulation EU 2025/2392 in the Official Journal, further clarifying the specific definitions and scope of "important" and "critical" digital product categories under the EU Cyber Resilience Act (Cyber Resilience Act, EU 2024/2847, referred to as "CRA"). The regulation came into effect on December 21, 2025, and applies directly to all EU member states.
1. Basic Regulatory Requirements
New regulations take effect:
Analysis of the Scope of Important and Critical Products under CRA
The CRA Act establishes uniform cybersecurity requirements for products containing digital elements. Among these, certain products with higher risks are classified as important (Important) or critical (Critical) products, and are subject to more stringent conformity assessment procedures. As a supporting implementation document of the CRA, this regulation further refines and clarifies the definitions of important and critical product categories.
• Important Products (Class I & II, totaling 23 categories)
Covering a wide range of commonly used software and hardware products, including:
Operating systems, browsers, password managers, VPNs, routers, smart door locks, baby monitors, security cameras, wearable health monitoring products, and more.
•Key Products (3 categories in total)
Involving critical infrastructure and high-security sectors, including:
Hardware devices with security modules, smart cards/security elements, and smart metering system gateways.
The regulation emphasizes that the core functionality of a product determines whether it falls into the category of important or critical products, rather than its additional features. Manufacturers must conduct a risk-based cybersecurity assessment of the product as a whole to ensure it meets cybersecurity requirements and select the appropriate conformity assessment procedures based on the product's core functionality, including necessary third-party testing and EU cybersecurity certification.
