Regulation Change | Live | Live Regulation
Cyber Resilience Act (Regulation (EU) 2024/2847) published/entered into force, establishing Annex III ‘important products’ framework and empowering implementing acts for categorisation
EU CRA Annex III – Important Products Additional Requirements | European Union (European Parliament and the Council of the European Union) | EU
Announced: Nov 20, 2024
Description
Regulation (EU) 2024/2847 (Cyber Resilience Act) is the binding baseline instrument that establishes the Annex III ‘important products with digital elements’ construct and the associated additional/stricter compliance pathway (notably via conformity assessment) compared with default CRA products. For Annex III compliance, the CRA is the legal basis that defines ‘important products’ and gives the Commission powers to adopt further implementing/delegated acts that clarify or operationalize Annex III categorisation (e.g., the technical descriptions later provided in Implementing Regulation (EU) 2025/2392). Compliance teams should treat this as the controlling text for Annex III obligations and track the related implementing/delegated acts that refine how Annex III is applied in practice.