The European Commission recently sent a request to European standardisation bodies CEN, Cenelec and ETSI to create harmonised standards for products with digital elements to support the implementation of the Cyber Resilience Act.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a new piece of EU legislation that entered into force in December 2024. This marked the start of a 36-month transition period, which will allow manufacturers time to ensure compliance with the new regulation.

The CRA aims to improve baseline cybersecurity standards for products with digital elements made available on the EU internal market. Products with digital elements are defined as products with hardware and/or software components and any associated remote data processing solutions. Examples of products that are in scope include smart devices, IoT devices, network management systems and microprocessors. Manufacturers of products that fall under the scope of the CRA will have to ensure their products adhere to the essential cybersecurity requirements and vulnerability handling requirements outlined in the legislation. Harmonised standards are one way to demonstrate compliance with the legislation.

What are harmonised standards?

A harmonised standard is a European standard developed by a recognised European Standards Organisation: the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) or the European Telecommunications Standards Institute (ETSI). Manufacturers can use a relevant harmonised standard to demonstrate that a product complies with EU legislation such as the CRA. The CRA is a first-of-its-kind regulation, so no harmonised standards currently exist that specifically cover the CRA essential requirements. This is why the EU Commission have sent the standardisation request.

What are the details of the standardisation requests?

The EU Commission have asked the European Standardisation Bodies to create a total of 41 standards. The 41 standards have been split into two categories: 15 horizontal standards and 25 vertical standards.

Introduction

The horizontal standards can be applied to all products that fall under the scope of the CRA. For example, the requested ‘[European] standard(s) on making products with digital elements available on the market with a secure by default configuration’ will outline the standard a product must reach to be secure by default, but it will not contain information specific to a product type. The horizontal standards follow the essential requirements and vulnerability handling requirements outlined in Annex I of the CRA text.

The vertical standards are specific to product types that fall into the Important Class I, Important Class II and Critical Class categories. Each of these standards applies only to a specific product type. For example, ‘European standard(s) on essential cybersecurity requirements for standalone and embedded browsers’ applies only to standalone or embedded browsers (an Important Class I product).

The vertical standards will be important for products that fall into Important Class I, as complying with a harmonised standard allows manufacturers to avoid a third-party compliance assessment and conduct a self-assessment instead. For Important Class II and Critical Class products, a third-party assessment will still be necessary, but harmonised standards will give guidance on what cybersecurity standards manufacturers should achieve to pass the assessment. Vertical standards for Critical Class products (standards 39-41) will be developed in a restricted setting to protect sensitive information.

Deadlines

The adoption deadlines for some of the standards are very close to the end of the transition period and may not give manufacturers enough time to use the harmonised standards to demonstrate conformity for products launching soon after the transition period deadline.

The horizontal standards that will be adopted first are:

  • Standard 1 ‘European standard(s) on designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks’.
  • Standard 15 ‘European standard(s) on vulnerability handling for products with digital elements’.

These standards will be adopted on 30th August 2026, whereas all other horizontal standards will be adopted on 30th October 2027. It is important that standard 15 comes earlier than the others, as vulnerability handling requirements will come into force 21 months into the transition period on 11th September 2026. However, the deadline of 30th August 2026 does not give manufacturers much time to begin using the harmonised standard before vulnerability handling is required. Similarly, the deadline of 30th October 2027 is very close to the end of the 36-month transition period on 11th December 2027.

All vertical standards have an adoption deadline of 30th October 2026. This gives manufacturers more than a year to start using vertical standards to demonstrate conformity with the CRA. This is necessary as the conformity assessment process for important and critical class products is longer and more involved than the process for default category products.

Conclusion

The request for standardisation was sent on 3rd February 2025, so we only have the titles of the standards and the adoption deadline dates so far. The Commission outlines in their request that the Standardisation Bodies should prepare a work programme to be submitted two months after the request. If this work programme is made public, it might give us more insight into the contents of the standards and their proposed timelines. The Commission also stated that relevant European stakeholders, including SMEs, should be included in the standardisation process. This should allow manufacturers, distributors, the open-source community and other groups affected by the CRA to have some input on the creation of the standards. Finally, the request specified that the standards will include technical specifications relevant to cybersecurity requirements. This will be a welcome clarification for manufacturers, as many have noted that the CRA text does not go into detail on technical specifications and that delegated acts would be needed to clarify this.