The European Commission has adopted Implementing Regulation (EU) 2025/2392, which defines the technical descriptions of categories of important and critical products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). This regulation aims to strengthen cybersecurity across the EU by clarifying which products require stricter conformity assessments and, in some cases, mandatory third-party certification.

Key Points

• Scope of Regulation
  The rules apply to products with digital elements whose core functionality falls under categories listed in Annexes III and IV of the Cyber Resilience Act. These include operating systems, VPNs, routers, smart home devices, and more.

• Important Products
  Examples include:

  • Identity management systems and privileged access management tools
  • Standalone and embedded browsers
  • Password managers
  • Antivirus and antimalware software
  • VPN clients and servers
  • Network management systems
  • Smart home assistants and security devices

• Critical Products
  These require the highest level of security assurance and may need European cybersecurity certification. Examples include:

  • Hardware security modules
  • Smart meter gateways
  • Smartcards and secure elements

• Compliance Requirements
  Manufacturers must:

  • Conduct comprehensive cybersecurity risk assessments
  • Implement essential cybersecurity requirements proportionate to risk
  • Follow specific conformity assessment procedures for important or critical products