CRA FAQ

A harmonised standard is a standard adopted by one of the European Standardisation Organisations (ESOs). Certain (but not all) harmonised standards are referenced in the Official Journal of the European Union by the European Commission. Harmonised standards referenced in this way provide products that conform with them a presumption of conformity with the requirements covered by those standards. Harmonised standards may be referenced with restrictions, in which case they only provide partial presumption of conformity. The presumption of conformity provided by harmonised standards referenced in the Official Journal of the European Union is why it is expected that most organisations will choose to implement such standards when they exist, to comply with the CRA.

However, not all harmonised standards are referenced. Those that are not referenced are often foundational standards upon which other standards build. In general, only the vertical (product-specific) standards are referenced, though sometimes horizontal standards that cover generic requirements may be referenced with restrictions.

The ORC WG maintains a list of harmonised standards requested by the European Commission to the ESOs.

The Commission standardisation request (M/606) addressed to CEN, CENELC and ETSI foresees the development of a set of harmonised standards to support CRA compliance, distinguishing between horizontal (product-agnostic) standards and vertical (product-specific) standards.

Horizontal standards are meant to provide a coherent generic framework, methodology and taxonomy to support the development of further, granular vertical harmonised standards for specific products or product types, as well as to support manufacturers in defining and implementing the security requirements applicable to their respective products. The Commission requested the development of 15 horizontal standards, which the European Standardisation Organisations (ESOs) have clustered in 3 deliverables:

• A harmonised European standard on designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, to be adopted by the ESOs by 30 August 2026;

• A harmonised European standard covering the essential cybersecurity requirements relating to the properties of products with digital elements as set out in Part I of Annex I, to be adopted by the ESOs by 30 October 2027;

• A harmonised European standard on vulnerability handling for products with digital elements, to be adopted by the ESOs by 30 August 2026.

Vertical standards are meant to be product specific and to cover a specific set of risks appropriate to a particular intended purpose and reasonably foreseeable use. The Commission requested the development of 26 vertical standards (which the ESOs are addressing through 31 separate deliverables) to be adopted by the ESOs by 30 October 2026. The vertical standards under development cover the categories of important and critical products with digital elements set out in Annexes III and IV of CRA.

In accordance with Article 27(6), where a harmonised European standard is adopted by the ESOs, the Commission shall assess it in accordance with Regulation (EU) No 1025/2012 for the purpose of publishing its reference in the Official Journal of the European Union.

As stated in the Blue Guide, harmonised standards do not replace legally binding essential requirements. A technical specification given in a harmonised standard is not an alternative to a relevant essential or other legal requirement but only a possible technical means to comply with it. In risk-related harmonisation legislation this means in particular that manufacturers always, even when using harmonised standards the references of which are published in the Official Journal of the European Union ("OJ"), remain fully responsible for assessing all the risks of their product in order to determine which essential (or other) requirements are relevant. After this assessment a manufacturer may then choose to apply technical specifications given in harmonised standards the references of which are published in the OJ to implement 'risk reduction measures' which are specified by harmonised standards. In risk-related harmonisation legislation, harmonised standards the references of which are published in the OJ most commonly provide certain means to reduce or remove risks, while manufacturers remain fully responsible for the risk assessment to identify relevant risks and to identify relevant essential requirements, in order to select suitable harmonised standards the references of which are published in the OJ or other specifications.

Thus, even where the manufacturer uses a harmonised standard (where its reference is published in the OJ and which aims to cover certain risks) to satisfy essential requirements, the cybersecurity risk assessment has to be carried out and they must check whether the harmonised standard covers all risks of the product. In accordance with Article 27, where a manufacturer correctly applies a harmonised standard the reference of which is published in the OJEU which covers all the risks relevant to the product with digital elements, the product benefits from the presumption of conformity.^[1]

As stated in Article 27(1) of CRA and section 4.1.2.2 of the Blue Guide, where a harmonised standard covers only part of the essential requirements identified as relevant by manufacturers or only certain aspects thereof, they additionally have to use other relevant technical specifications or develop solutions in accordance with general engineering or scientific knowledge laid down in engineering and scientific literature in order to meet the essential requirements of the CRA. In a similar way when manufacturers choose not to apply all the provisions given in a harmonised standard, and which normally would provide presumption of conformity, they need, on the basis of their own cybersecurity risk assessment, to indicate in their technical documentation how the compliance is reached or that relevant essential requirements are not relevant for the product.

The CRA standardisation request requests the development of a set of harmonised standards that are intended to provide either horizontal or product-specific information to manufacturers to support their compliance with the CRA. See also 6.10 When will harmonised standards to support CRA compliance be ready?

Yes, manufacturers are free to integrate components that are important or critical products that have not been designed in accordance with harmonised standards -- regardless of whether such harmonised standards are available or not.

The application of harmonised standards is a means to demonstrate compliance, but is not the only means to do so.

Furthermore, as discussed in entries 4.4.1 What does the CRA prescribe when integrating components? and 4.4.3 In order to exercise due diligence, should a manufacturer only integrate components that bear the CE marking?, the manufacturer is not required to integrate only components that bear the CE marking.