Commission Implementing Regulation (EU) 2025/2392 adopted to provide technical descriptions for CRA Annex III (important) and Annex IV (critical) product categories

Commission Implementing Regulation (EU) 2025/2392 (of 28 November 2025) establishes the technical description of the categories of “important” and “critical” products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). For Annex IV ‘critical products’, these technical descriptions are central for determining whether a product’s core functionality falls into an Annex IV category, which in turn drives the applicable conformity assessment route (typically requiring third-party involvement for critical products). Compliance teams should use this implementing regulation when classifying products against Annex IV and aligning technical documentation and conformity assessment planning accordingly.