When will harmonised standards to support CRA compliance be ready?

The Commission standardisation request (M/606) addressed to CEN, CENELC and ETSI foresees the development of a set of harmonised standards to support CRA compliance, distinguishing between horizontal (product-agnostic) standards and vertical (product-specific) standards.

Horizontal standards are meant to provide a coherent generic framework, methodology and taxonomy to support the development of further, granular vertical harmonised standards for specific products or product types, as well as to support manufacturers in defining and implementing the security requirements applicable to their respective products. The Commission requested the development of 15 horizontal standards, which the European Standardisation Organisations (ESOs) have clustered in 3 deliverables:

A harmonised European standard on designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, to be adopted by the ESOs by 30 August 2026;
A harmonised European standard covering the essential cybersecurity requirements relating to the properties of products with digital elements as set out in Part I of Annex I, to be adopted by the ESOs by 30 October 2027;
A harmonised European standard on vulnerability handling for products with digital elements, to be adopted by the ESOs by 30 August 2026.

Vertical standards are meant to be product specific and to cover a specific set of risks appropriate to a particular intended purpose and reasonably foreseeable use. The Commission requested the development of 26 vertical standards (which the ESOs are addressing through 31 separate deliverables) to be adopted by the ESOs by 30 October 2026. The vertical standards under development cover the categories of important and critical products with digital elements set out in Annexes III and IV of CRA.

In accordance with Article 27(6), where a harmonised European standard is adopted by the ESOs, the Commission shall assess it in accordance with Regulation (EU) No 1025/2012 for the purpose of publishing its reference in the Official Journal of the European Union.

Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.