VPN products under the CRA: Important Class I
VPN products are explicitly listed in Annex III Class I — 'important products'. On top of all default obligations, your conformity route changes: self-assessment is only allowed if you fully apply harmonised standards; otherwise a notified body must assess.
What this means for you specifically
- Applies to consumer VPN apps and VPN client software alike; the classification follows the product's function, not its size.
- Harmonised standards for CRA classes are still being finalised (CEN/CENELEC work ongoing) — track them, because they determine whether you can self-assess.
- Expect your crypto choices, key handling and logging design to be central in the technical documentation.
- The reporting obligations hit you like everyone else from 11 Sept 2026 — but a VPN vendor's 'actively exploited vulnerability' is front-page news; rehearse the 24h flow.
The pitfall that catches most teams
Planning for default-class self-assessment and discovering at CE-marking time that missing harmonised standards force you into a notified-body queue. Those queues will be long in 2027.
The deadlines
- 2026-09-11: Reporting obligations start: actively exploited vulnerabilities and severe incidents must be reported within 24h/72h via the ENISA Single Reporting Platform.
- 2027-12-11: Full application: essential requirements, technical documentation, EU Declaration of Conformity and CE marking required to sell in the EU.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.