Standards

CRA does not dictate any specific standard or methodology for compliance. However, harmonized standards are in the process of being produced, and once they are published, manufacturers are expected to look to them in order to demonstrate compliance.

When will the harmonized standards be ready? We found:

Horizontal standards are meant to provide a coherent generic framework, methodology and taxonomy to support the development of further, granular vertical harmonised standards for specific products or product types, as well as to support manufacturers in defining and implementing the security requirements applicable to their respective products.

  • A harmonised European standard on designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, to be adopted by the ESOs by 30 August 2026;
  • A harmonised European standard covering the essential cybersecurity requirements relating to the properties of products with digital elements as set out in Part I of Annex I, to be adopted by the ESOs by 30 October 2027;
  • A harmonised European standard on vulnerability handling for products with digital elements, to be adopted by the ESOs by 30 August 2026.

Vertical standards are meant to be product specific and to cover a specific set of risks appropriate to a particular intended purpose and reasonably foreseeable use. The Commission requested the development of 26 vertical standards (which the ESOs are addressing through 31 separate deliverables) to be adopted by the ESOs by 30 October 2026.

Source: FAQs on the Cyber Resilience Act.

Manufacturers already following existing recognized standards can perform a gap analysis between what they are already doing and the requirements to become compliant with CRA.

ENISA has published a document that maps CRA requirements to existing standards. See Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis.