CRA Standardization Request
Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), establishes cybersecurity requirements for products with digital elements throughout their lifecycle.

To support compliance, the European Commission has issued a standardization request (Mandate M/606) to CEN, CENELEC and ETSI for the development of harmonized standards. These standards are essential: a product that conforms to a harmonized standard is presumed to comply with the CRA's essential requirements covered by that standard.
Scope
CEN, CENELEC and ETSI, the European Standardization Organizations, play a central role in implementing the CRA. Through their technical committees, they are developing horizontal and vertical standards that address the Act's essential cybersecurity requirements.

These standards aim to:
- Ensure a consistent and robust approach to cyber resilience across the EU Single Market,
- Support the principles of cybersecurity-by-design and by-default,
- Adapt to specific sectoral use cases and risk analysis.
What are harmonized standards?
Harmonized standards are European standards developed by CEN, CENELEC or ETSI at the request of the European Commission.

- Voluntary in nature, they offer a reliable method for manufacturers, other economic operators and conformity assessment bodies to demonstrate compliance with EU legislation.
- Alternative technical solutions may also be used to meet the legal requirements.
Structure of the CRA Standardization Work
To address the CRA's broad scope, the standardization work is divided into two categories:

Horizontal Standards
- Product-agnostic and framework-oriented.
- Provide a foundational approach to cybersecurity applicable across sectors.
- Serve as a basis for more detailed vertical standards.
- Help manufacturers define and implement baseline security measures, especially for products not yet covered by sector-specific standards.

The cornerstone is the 'Principles of Cyber Resilience' standard, developed by CEN-CLC/JTC 13 WG9 (entry 1 in Annex I of the standardization request). It provides a framework for all key elements listed in Section 1 of that Annex and guides the development of all related cybersecurity standards under the CRA.
​
Vertical Standards
- Product-specific, focusing on the distinct cybersecurity needs of different categories of products with digital elements.
- Should be based on risk analysis and reflect differences in intended purpose and reasonably foreseeable use.
- Should reflect the state of the art in the specific sectors.

By developing these harmonized standards, the European Standardization Organizations are helping ensure that digital products across the EU are secure by design and resilient to evolving cyber threats, strengthening trust in the European Digital Single Market.