Euralarm publishes Fact sheet on Cyber Resilience Act classification for fire safety and security products

New fact sheet clarifies “Important” and “Critical” product categories and conformity assessment obligations under the CRA.

Euralarm has published a new fact sheet to support manufacturers of electronic fire safety and security products in understanding their obligations under the EU Cyber Resilience Act (CRA). The document provides practical guidance on how products are categorised as “default,” Important Class I, Important Class II, or Critical, and explains the corresponding conformity assessment procedures required before products can be placed on the EU market.

The CRA, published in November 2024, introduces horizontal cybersecurity requirements for products with digital elements. While the essential cybersecurity requirements apply equally to all in-scope products, the regulation establishes specific categories of Important and Critical products that are subject to stricter conformity assessment procedures. Correct categorisation is therefore essential for manufacturers to determine whether self-assessment is permitted or whether involvement of a notified body is required.

Euralarm’s fact sheet focuses specifically on electronic fire safety and security products, an area where interpretation of the categories may raise practical questions. The document provides clear explanations and structured examples covering:

Smart home products with security functionalities (Important Class I)
Identity management systems and privileged access management products (Important Class I)
Hardware devices with security boxes (Critical products)

Through detailed examples - including intrusion detection systems, fire detection control panels, access control systems, biometric readers, and cloud-based alarm management software - the fact sheet clarifies when a product’s core functionality determines its categorisation. It also explains why most electronic fire safety and physical security products are expected to fall within the “default” category, and therefore may rely on self-assessment, provided compliance with the CRA essential requirements can be demonstrated.

Importantly, the document highlights that embedding security-related components (such as microcontrollers with security functions or cryptographic capabilities) does not automatically make a product “Important” or “Critical” if its core functionality does not meet the criteria defined in the Implementing Regulation.

The fact sheet also outlines how future harmonised standards under development—such as EN 62443-4-x and other horizontal standards—may support manufacturers in demonstrating conformity and benefiting from presumption of conformity where applicable.

The publication is part of Euralarm’s ongoing commitment to supporting the fire safety and security industry in adapting to evolving European regulatory requirements.

The full fact sheet can be downloaded via the button below.

Euralarm publishes Fact sheet on Cyber Resilience Act classification for fire safety and security products

Related topics

You may also be interested in

Fact Sheet on Important and critical products defined by the Cyber Resilience Act

Guideline on Precautionary measures for protecting vital installations and facilities

Euralarm presents guideline on contracting cloud service

Guia de Contratación de Servicios en la Nube para el Acceso Remoto Seguro a Sistemas de Alarma y para la Transmisión Segura de Alarmas

Compliance Newsletter November 2024

New Position Paper on proposals for definition of CRA important products