Class II: The Highest Bar for Containers
Container runtimes (Docker, containerd, CRI-O) and hypervisors (KVM, VMware, Hyper-V) are classified as Important Products Class II under the CRA. This means potential third-party conformity assessment: the most rigorous compliance tier before Critical products.
Why Class II?
Container runtimes and hypervisors provide the isolation boundary between workloads. A vulnerability here compromises everything running on top. The CRA recognizes this elevated risk.
ETSI EN 304 635: Hypervisors and Container Runtime Systems
This standard covers:
- Type 1 and Type 2 hypervisors
- Container runtimes (Docker Engine, containerd, CRI-O, Podman)
- Container orchestration platforms (when bundled as a product)
- Virtual machine monitors
Requirements
Security Isolation
- Process isolation between containers/VMs must resist escape attacks
- Memory isolation must prevent cross-tenant data leaks
- Network isolation must enforce per-workload policies
- Storage isolation must prevent unauthorized access
Vulnerability Management
- CVE response within 24 hours for actively exploited vulnerabilities
- Regular security updates for the runtime lifecycle
- SBOM for all bundled components
Conformity Assessment Options
For Class II products, manufacturers can either:
- Use harmonized standards (EN 304 635): self-assessment is allowed if the standards are applied
- Third-party assessment: required if not following harmonized standards
Impact on Kubernetes Platforms
If you sell a Kubernetes distribution or managed Kubernetes:
Your Product Stack → CRA Classification:
├── Container Runtime (containerd) → Class II
├── Kubernetes Control Plane → Depends on product positioning
├── Networking (Cilium/Calico) → May fall under networking standards
├── Storage (CSI drivers) → Part of the product's digital elements
└── Your Application Layer → Default or Class I depending on function
Key question: If you bundle containerd into your product, do YOU become the manufacturer responsible for Class II compliance?
Answer: Yes, if you're the entity placing the product on the market. You inherit the containerd compliance obligation.
Practical Steps
- Audit your runtime stack: identify all components that constitute the "container runtime" in your product
- Engage with ETSI: follow EN 304 635 development for specific requirements
- Assess third-party needs: determine if you can use harmonized standards or need external assessment
- Harden your runtime: seccomp profiles, AppArmor/SELinux, rootless containers
- Document extensively: technical documentation is mandatory for all CRA products
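As a concrete starting point for the "harden your runtime" and "audit your runtime stack" steps, the script below checks a Docker-style seccomp profile and a daemon.json for three of the settings named above: deny-by-default seccomp, no-new-privileges, and user-namespace remapping. This is an added example, not code from the original post or from any runtime project; the two input documents are constructed for illustration, and HIGH_RISK_SYSCALLS is an assumed reviewer's shortlist, not a list taken from EN 304 635 or the CRA text.

```python
"""Check a Docker seccomp profile and daemon.json against the hardening
points above (deny-by-default seccomp, no-new-privileges, user namespaces).

Added example, not code from the original post. The two input documents are
constructed for illustration; HIGH_RISK_SYSCALLS is an assumed review list,
not a list taken from EN 304 635 or the CRA.
"""
import json

# Syscalls that a hardened runtime profile should leave blocked (assumption:
# this is a reviewer's shortlist, not a normative list from the standard).
HIGH_RISK_SYSCALLS = {
    "mount", "umount2", "unshare", "setns", "keyctl", "bpf",
    "kexec_load", "init_module", "finit_module", "reboot", "swapon",
}

# seccomp actions that deny a call not matched by an explicit rule
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS"}


def audit_seccomp_profile(profile: dict) -> list[str]:
    """Return findings for a libseccomp/Docker-style JSON profile."""
    findings = []
    default = profile.get("defaultAction")
    if default not in DENY_ACTIONS:
        findings.append(f"defaultAction is {default!r}; expected deny-by-default")
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    risky = sorted(allowed & HIGH_RISK_SYSCALLS)
    if risky:
        findings.append("high-risk syscalls explicitly allowed: " + ", ".join(risky))
    return findings


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for a Docker daemon.json document."""
    findings = []
    if not config.get("no-new-privileges", False):
        findings.append("no-new-privileges is not enabled")
    if not config.get("userns-remap"):
        findings.append("userns-remap is not set; container root maps to host uid 0")
    if config.get("icc", True):
        findings.append("icc is enabled; containers can reach each other by default")
    return findings


def audit_runtime(profile_json: str, daemon_json: str) -> list[str]:
    """Parse both documents and return the combined list of findings."""
    return (audit_seccomp_profile(json.loads(profile_json))
            + audit_daemon_config(json.loads(daemon_json)))


# Constructed inputs: a permissive setup and a hardened one.
WEAK_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [],
})
WEAK_DAEMON = json.dumps({"icc": True})

HARDENED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "openat", "exit_group"],
                  "action": "SCMP_ACT_ALLOW"}],
})
HARDENED_DAEMON = json.dumps({
    "no-new-privileges": True,
    "userns-remap": "default",
    "icc": False,
})

if __name__ == "__main__":
    for label, prof, daemon in (("weak", WEAK_PROFILE, WEAK_DAEMON),
                                ("hardened", HARDENED_PROFILE, HARDENED_DAEMON)):
        findings = audit_runtime(prof, daemon)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against your own profile and daemon.json by reading the files into the two strings passed to audit_runtime; the output is a list of findings you can attach to the technical documentation the CRA requires, and the syscall shortlist is the part to tailor to your product.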
Running container platforms that may fall under CRA Class II? I help organizations assess and prepare for compliance. Get in touch.
