Which CRA class are you?
Answer three questions about your product and see whether the CRA treats it as default, important, or critical — and what that means.
Is it on the CRA's ‘critical’ list — a smart-meter gateway, a smartcard secure element, or a hardware device with a security box (HSM)?
Is it core security infrastructure — an operating system, an industrial firewall, a tamper-resistant microcontroller, or a public-key / identity-management system?
Does it perform a security function others rely on — password manager, VPN, network management, firewall, antivirus / EDR, or a standalone browser?
Self-assessment (internal control)
Where most products land. You self-declare conformity — but still owe the full essential requirements: an SBOM, vulnerability handling, secure-by-default settings, and a technical file.
Indicative only — the CRA's classification lists are the final word, not this tool. Proofwright pins your class to your product and keeps the evidence each route demands.
It's live.
See the real thing at Proofwright.