A normative landscape for the Cyber Resilience Act (EU) 2024/2847

Which standards, for what, and for whom

Manufacturers of products with digital elements must implement the product-related cybersecurity precautions and cyber resilience measures from December 11, 2027 (Art. 71 para. 1 CRA).

The manufacturer can demonstrate compliance with the cybersecurity-related requirements, e.g. by applying harmonized standards (see recital 53 of the CRA), which serve as technical specifications of the legal requirements.

With Implementing Decision C(2025)618 of February 3, 2025, the three European standardization organizations (ESOs: CEN, CENELEC, ETSI) were requested to develop 41 standards.

The mandate (Standardization request M/606) expires on November 30, 2027. All relevant standards are expected by then. However, some standards are still due this year.

The CRA and its proposed standards landscape distinguish between horizontal and vertical standards. Horizontal standards are understood to be standards for all categories of products with digital elements, while vertical standards focus on a specific category or specific product types in a particular sector.

 

Horizontal requirements

Entries 1 to 15 in Annex I of C(2025)618 correspond to the CRA, Annex I, Part I "Cybersecurity requirements relating to the characteristics of products with digital elements", specifically (1) and (2) a) to (2) m).

  • (1) is covered by EN 40000-1-2:2025 ("Principles for cyber resilience"). The vocabulary is covered by EN 40000-1-1:2025. We do not expect these two standards to confer a presumption of conformity, and therefore do not expect them to be listed in the Official Journal of the EU.
  • For (2) a) to (2) m), the reference that will identify the standard is not yet known. However, we know that the EN 18031 series serves as the basis for this standard, prEN XXX (WI=JT013091). The EN 18031 series was created in August 2024 specifically for the cybersecurity requirements of the Radio Equipment Directive 2014/53/EU and its Delegated Regulation (EU) 2022/30.
  • For (2) a) to (2) m) there will also be some supporting technical reports and technical specifications, such as for threats and cybersecurity objectives (WI=JT013097, Threats and Security Objectives).

The handling of vulnerabilities (CRA, Annex I, Part II, (1) to (8)) will be covered by prEN XXX (WI=JT013090).

 

Vertical requirements

18 of the vertical standards come from the technical committee ETSI TC CYBER WG EUSR. These cover, for example, wearables, internet-enabled toys, routers, smart home products, VPNs, browsers and password managers.

Important product groups (CRA, Annex III) that occur both in industrial automation (IACS), where they are addressed as "security profiles", and in other sectors, e.g. routers and VPNs, are covered by both technical committees with sector-specific standards.
For the router product group, this means specifically that CLC/TC 65X WG 3 produces a standard (EN 62443-5-XX) for industrial automation (IACS), while ETSI CYBER-EUSR develops a separate standard (EN 304 627) for products outside the industrial OT sector, e.g. consumer products.

CENELEC provides 13 standards. The vertical harmonized standards for OT products are developed by CENELEC TC 65X WG 03.

CEN supplies 7 standards: in addition to the horizontal standards mentioned above, CEN also contributes sectoral standards for topics such as data protection. With the standards for smart meter gateways (WI=JT013102), hardware devices with security boxes (WI=00224293) and smart cards (WI=00224289), CEN also develops standards for critical products (CRA, Annex IV).

Do you have questions about horizontal or vertical requirements? We will be happy to provide you with even more support. Simply send us an e-mail with your question or use our contact form.

 

Author's note

This article has been machine translated into English.
 




TERMS AND ABBREVIATIONS

European Committee for Standardization (CEN)

European Committee for Electrotechnical Standardization (CENELEC)

European Telecommunications Standards Institute (ETSI)

Industrial Automation and Control Systems (IACS)

Operational Technology (OT)

European Standardization Organization (ESO)

 

Published on 23.10.2025
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Insider-Compliance, Compliance
