European Commission Adopts Regulation (EU) 2025/2392 for the Cyber-Resilience Act: What It Means for Devices with Digital Elements

On 28 November 2025, the European Commission adopted Commission Implementing Regulation (EU) 2025/2392 — a key milestone in the implementation of the Cyber‑Resilience Act (CRA). This Regulation clarifies and formalises the technical definitions of what the law considers “important” and “critical” products with digital elements. 

With this update, manufacturers, developers, and suppliers across the EU (and those exporting to the EU) must carefully review whether their products fall under these newly defined categories — as that determines the level of cybersecurity conformity assessment and certification required.

What’s New? Defined Scope and Product Categories

Previously, the CRA defined broad categories (e.g. “identity management systems”, “network devices”, “smart home devices”) but left their technical scope relatively vague, so many manufacturers were uncertain whether their products were in or out of scope. The new Regulation 2025/2392 closes that gap.

  • Precise technical descriptions: The Regulation provides detailed definitions for every category listed under the CRA’s Annexes — from identity-management systems, embedded browsers, VPN clients, and operating systems to secure elements, network interfaces, and virtual network adapters.

  • Clear classification of risk categories: “Important” vs “Critical” products. Products defined under these classes may require different conformity assessment procedures, including third-party evaluation or certification under EU cybersecurity schemes.

  • Unambiguous guidance for complex or hybrid products: The regulation clarifies that the “core functionality” of a product determines its classification — not ancillary or embedded features. For example, a software application embedding a browser does not automatically become a “browser application” under the regulation’s classification — unless the core functionality is that of a browser.

What This Means for Manufacturers & Suppliers

For any product with digital elements, the timing is critical. Manufacturers and suppliers should:

  • Re-evaluate product portfolios to determine whether their devices now fall under the CRA’s “Important” or “Critical” categories per the technical descriptions in 2025/2392.

  • Adjust compliance strategies — products in scope may require enhanced cybersecurity assessments, documentation, and possibly certification under EU cybersecurity certification schemes.

  • Review supply chains — components, embedded software or modules may trigger classification under the CRA when integrated into the final product.

  • Update technical documentation and development processes to align with CRA requirements, including secure design, risk assessments, and security assurance procedures.

 

For more information, the complete Commission Implementing Regulation (EU) 2025/2392 is available via the link below:

At C-PRAV, we track regulatory changes across global markets — including cybersecurity frameworks like the CRA. If your product includes digital elements and is destined for the EU market, our team can guide you through classification, conformity assessment, testing and documentation to ensure full CRA compliance.

Choose Compliance. Choose Certifications. Choose C-PRAV with Confidence.
