Password managers under the CRA: Important Class I
Password managers are named in Annex III Class I. The product category exists to concentrate secrets, so the CRA holds it to the elevated 'important product' regime: stricter conformity route, same hard deadlines.
What this means for you specifically
- Both standalone apps and browser-extension password managers fall in the category; the extension form factor adds the browser attack surface to your risk assessment.
- Self-assessment is available only with fully applied harmonised standards; otherwise third-party assessment applies. Plan the timeline: notified-body capacity in 2027 is a known bottleneck.
- Zero-knowledge architecture claims go in the technical file with evidence: independent audits, crypto design docs, threat model.
- Breach-class incidents in this category are automatic 'severe incident' candidates under Art. 14, so your 24h/72h reporting process needs legal review in advance.
The pitfall that catches most teams
Underestimating the product class: being 'just a small utility app' does not matter. Annex III classification is functional, and password management is on the list.
The deadlines
- 2026-09-11: Reporting obligations start. Actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
- 2027-12-11: Full application. Essential requirements, technical documentation, EU Declaration of Conformity and CE marking are required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.