Which technical measures does a manufacturer need to implement?
The CRA establishes a set of essential cybersecurity requirements relating to the properties of products with digital elements. Such requirements are objective-oriented and technology-neutral and apply horizontally to all products with digital elements.
The specific technical implementation of the essential requirements depends on the cybersecurity risk assessment that each manufacturer is required to undertake and take into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements, in accordance with Article 13(12). For further information on the risk assessment, see section 4.1, Risk-based approach and risk-assessment.
The manufacturer is required to detail in its technical documentation the means used to ensure that the product complies with the essential cybersecurity requirements, including instances where certain essential cybersecurity requirements are not applicable to the product with digital elements, in accordance with Article 13(4).
In order to facilitate the assessment of conformity with the essential requirements, the Commission adopted a standardisation request addressed to CEN, CENELEC and ETSI (the European Standardisation Organisations), requesting the development of harmonised standards in the technical areas covered by the CRA.
The CRA Standardisation Request (CRA SR) requests, inter alia, the development of horizontal harmonised standards covering the product-related essential requirements laid down in Annex I, Part I of the CRA, with a view to supporting “(i) the development of further, granular vertical harmonised standards for specific products or product types, and (ii) [to] support manufacturers in defining and implementing the security requirements applicable to their respective products, including particularly for products not covered by existing or planned vertical standards” (Annex II, section 2.1 of CRA SR). For more information, see 6.10 When will harmonised standards to support CRA compliance be ready?
It should be noted that the use of harmonised standards is voluntary. Manufacturers may demonstrate conformity with the essential requirements via other technical means and are required to document them in their technical documentation.
Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.