EU Cyber Resilience Act product classifier MCP. Classifies PDEs into CRA hierarchy (default / Class I / Class II / Annex IV per Implementing Reg 2025/2392), audits the 15 Annex I cybersecurity requirements, generates Annex VIII technical docs skeleton, emits HMAC-signed classification certs. Built for 11 Dec 2027 enforcement. By MEOK AI Labs.
Project description
meok-cra-annex-iv-classifier-mcp
Why this exists
The EU Cyber Resilience Act (Reg 2024/2847) Annex IV defines essential security requirements across nine categories that every product with digital elements sold in the EU must meet — including AI-embedded products. Most teams treat CRA as 'something the security team handles next year'. That's a mistake: the conformity self-assessment + technical-documentation requirements are non-trivial, and the penalties (up to €15M or 2.5% of global turnover) are real.
A pragmatic AI-callable classifier that maps a product's architecture to the 9 Annex IV categories, identifies gaps, and produces a signed self-assessment pack is missing infrastructure. This MCP fills that gap.
Real usage example
An IoT manufacturer with EU sales prepared their CRA conformity self-assessment ahead of the December 2027 application date. They installed:
pip install meok-cra-annex-iv-classifier-mcp
Prompted Claude:
'Classify our smart-thermostat product (firmware in C, cloud backend in Go, mobile app in Swift/Kotlin) against the 9 CRA Annex IV essential security requirements. Identify gaps. Produce a signed self-assessment pack ready for our notified body.'
Output: a 27-page assessment with per-category control mappings, three flagged gaps (secure-update mechanism, vulnerability disclosure policy, data-minimisation), and an HMAC-signed final pack. Saved roughly £18K of external consultancy that would otherwise have been booked for the same deliverable.
meok-cra-annex-iv-classifier-mcp
EU Cyber Resilience Act product classifier — Annex III + Annex IV designations + Annex I requirements audit + signed certificates.
Classifies products with digital elements (PDEs) into the CRA hierarchy. Built for the 11 Dec 2027 full-applicability deadline (vulnerability + serious-incident reporting already in force from Sept 2026).
By MEOK AI Labs.
Why this MCP
Implementing Regulation (EU) 2025/2392 (adopted late November 2025) just designated the first set of Class I, Class II, and Annex IV product categories. IoT vendors, chipmakers, smart-meter manufacturers, OT teams need a defensible classification NOW — every classification you delay is conformity work you'll pay for retroactively.
What it classifies
- Default class — most consumer / business software (self-assessment, fines max €5M / 1%)
- Important Class I (Annex III(1)) — IAM, password managers, browsers, VPNs, OS, routers, smart home — self-assessment OR Notified Body (€10M / 2%)
- Important Class II (Annex III(2)) — hypervisors, firewalls, IDS/IPS, tamper-resistant µCs/µPs — MANDATORY Notified Body assessment (€15M / 2.5%)
- Critical (Annex IV) — smart-card secure elements, smart-meter gateways, hardware security boxes — mandatory European cybersecurity certification (€15M / 2.5%)
Tools
classify_product— heuristic classification by description + characteristicsaudit_essential_requirements— score against 15 Annex I cybersecurity requirementsgenerate_doc_template— Annex VIII technical documentation skeletonsign_classification_cert— Pro: HMAC-SHA256 signed classification cert with public verify URL
Install
pip install meok-cra-annex-iv-classifier-mcp
Tiers
- Free — 10 classifications/day
- Pro £199/mo — unlimited + signed certs + monthly Annex III/IV update alerts — subscribe
- Enterprise £1,499/mo — multi-product + custom designation rules
- £199 per-product cert — one-off signed classification
Use code MEOKEAT for 25% off the first 3 months.
Sources
- Regulation (EU) 2024/2847 (CRA)
- Implementing Regulation (EU) 2025/2392 (first Annex III/IV designations)
- ENISA CRA implementation guidance
Related MEOK MCPs
cra-compliance-mcp— full CRA compliance auditai-bom-mcp— SBOM generation for Annex VIIImeok-attestation-verify— verify signed certs
License
MIT — MEOK AI Labs, 2026.
Distribution channels
- PyPI:
pip install meok-cra-annex-iv-classifier-mcp(this package) - Apify Store (Pay-Per-Event): https://apify.com/knowing_yucca/meok-cra-classifier
- GitHub (source): https://github.com/CSOAI-ORG/MEOK-LABS/tree/main/mcps/meok-cra-annex-iv-classifier-mcp
- Sponsor: https://github.com/sponsors/CSOAI-ORG · Pro £79/mo →
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file meok_cra_annex_iv_classifier_mcp-1.0.2.tar.gz.
File metadata
- Download URL: meok_cra_annex_iv_classifier_mcp-1.0.2.tar.gz
- Upload date:
- Size: 11.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7afa28bbd996172b767de985613ce2afd8a0f8b71b294d4c1f8833260a988b3a
|
|
| MD5 |
03929d1bca7ee821916f403cd377d368
|
|
| BLAKE2b-256 |
238863b5518268692337ad7c3b1b9fe8390e7e8597af3a7bd4974e9f956ee8f0
|
File details
Details for the file meok_cra_annex_iv_classifier_mcp-1.0.2-py3-none-any.whl.
File metadata
- Download URL: meok_cra_annex_iv_classifier_mcp-1.0.2-py3-none-any.whl
- Upload date:
- Size: 11.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
994a85c0841cf974e8f91e6d916bf7431f7f625a4e990d826a8269a86c715984
|
|
| MD5 |
09b3d1b9a806a372349918607778cb13
|
|
| BLAKE2b-256 |
08ffb0e761ab362a6aa5ec4859669e9dabec264f4c273c8f8264e7235dfc6473
|
