Commission Implementing Regulation (EU) 2025/2392 adopted, setting technical descriptions for Annex III (important) and Annex IV (critical) product categories under the Cyber Resilience Act

The European Commission adopted Commission Implementing Regulation (EU) 2025/2392 to operationalize classification of ‘important products with digital elements’ (CRA Annex III) (and ‘critical products’ in Annex IV) by establishing technical descriptions for those categories. This directly affects Annex III compliance because classification as an Annex III ‘important product’ drives the applicable conformity assessment route (including stricter procedures for certain classes versus default self-assessment). Compliance teams should review product portfolios against the implementing regulation’s technical descriptions—focused on a product’s ‘core functionality’—to confirm Annex III applicability and the resulting conformity assessment obligations and documentation planning.