EU Cyber Resilience Act FAQ Harmonised Standards and Common Specifications

They are technical conformity tools for showing how a product with digital elements and the manufacturer's processes meet the CRA's essential cybersecurity requirements.

Harmonised standards are European standards requested and assessed through the EU standardisation system. Common specifications are Commission implementing acts that can be used only as an exceptional fallback where the Article 27 conditions are met. European cybersecurity certification schemes can support CRA conformity only to the extent the relevant certificate or EU statement of conformity covers the CRA requirements.

No. Applying harmonised standards is voluntary, but the manufacturer must still demonstrate conformity with the CRA's essential cybersecurity requirements.

If a manufacturer does not use a relevant harmonised standard, or uses only part of it, the technical documentation needs to explain the other solutions and technical specifications used for the requirements not covered by the standard.

No. For a harmonised standard to create CRA presumption of conformity, its reference must be published in the Official Journal of the European Union for the relevant coverage.

A non-harmonised international, European, ISO, IEC, or ETSI standard may still be useful evidence, but it does not by itself create CRA presumption of conformity. The Blue Guide also warns that where a European standard is based on ISO or IEC text, the presumption attaches to the European version published by reference in the OJEU, not automatically to the source international text.

It means authorities should presume conformity with the specific CRA essential cybersecurity requirements covered by the applied harmonised standard, common specification, or qualifying certification evidence.

The presumption is not product-wide unless the applied conformity tool covers all relevant CRA requirements and risks for that product and the manufacturer's processes. If coverage is partial, the presumption is partial.

No. The cybersecurity risk assessment remains the starting point for deciding which CRA essential requirements are relevant to the product.

The Commission FAQ says that even when a harmonised standard is used, the manufacturer remains responsible for assessing product risks, selecting suitable standards or other specifications, and checking whether the standard covers all relevant risks.

Then only that part benefits from presumption of conformity.

For the remaining requirements or risks, the manufacturer must use other technical specifications or solutions, explain them in the technical documentation, and show why those solutions meet the applicable CRA requirements.

The Commission says M/606 requests a set of harmonised standards in support of CRA compliance, with both horizontal and vertical standards.

Horizontal standards are intended to provide a common framework, methodology, taxonomy, and processes such as vulnerability handling. Vertical standards are product-specific and focus on risks tied to particular intended purposes and reasonably foreseeable uses, especially for important and critical product categories in CRA Annexes III and IV.

No. M/606 starts and frames the standards-development work; it is not the same as an OJ-published harmonised standard.

Even after an ESO adopts a European standard, Article 27(6) requires the Commission to assess it before publishing its reference in the Official Journal. Until the relevant reference is published, the standard does not create CRA presumption of conformity.

The product can still be compliant, but the manufacturer must demonstrate conformity by other means.

The absence of a harmonised standard can also affect route selection. For important products of class I, if relevant harmonised standards, common specifications, or qualifying certification schemes do not exist, Article 32(2) requires a third-party conformity assessment route for the corresponding essential cybersecurity requirements.

Only in the fallback situations set out in Article 27.

The Commission may adopt common specifications after it has requested harmonised standards and the request was not accepted, the standards were not delivered on time, or the standards do not comply with the request. Article 27 also requires that no relevant OJ-published harmonised-standard reference exists and no such reference is expected within a reasonable period.

No. Common specifications are an exceptional fallback tool, not the normal first-line standardisation route.

If common specifications are adopted and applied, they can create presumption of conformity for the CRA requirements they cover. If a manufacturer does not apply them, Annex VII still requires the technical documentation to describe the alternative solutions and relevant technical specifications used.

Not for the overlapping essential cybersecurity requirements.

When the reference of a harmonised standard is published in the Official Journal, Article 27(6) requires the Commission to repeal the common specifications, or parts of them, that cover the same CRA requirements.

Yes, but that route does not carry the same presumption.

The Blue Guide says manufacturers may use other standards, non-OJ European standards, international standards, other technical specifications, or their own specifications. The practical consequence is a heavier evidence burden: the technical file must show in more detail how those choices meet the CRA requirements.

They can create presumption of conformity only for the CRA requirements covered by the certificate or EU statement of conformity.

Article 27(8) gives this limited presumption for products and manufacturer processes covered by a European cybersecurity certification scheme under Regulation (EU) 2019/881. Article 27(9) separately lets the Commission specify schemes that can be used to demonstrate CRA conformity; where such a scheme issues a European cybersecurity certificate at assurance level at least substantial, the manufacturer does not have to carry out a separate third-party CRA conformity assessment for the corresponding requirements.

No. The certificate must be under a relevant European cybersecurity certification scheme, must cover the corresponding CRA requirements, and Article 27(9) requires the Commission to specify which schemes can be used to demonstrate CRA conformity.

A certificate or EU statement of conformity that covers only some requirements gives evidence only for those requirements. It does not prove unrelated CRA requirements, unsupported product functions, vulnerability-handling processes, or technical documentation completeness.

Yes, because harmonised standards are voluntary. But for important and critical products, route selection may change.

For important products of class I, Article 32(2) moves the corresponding requirements into Module B plus C or Module H if the manufacturer has not applied, has applied only in part, or cannot use relevant harmonised standards, common specifications, or qualifying certification schemes at assurance level at least substantial. Class II and critical products have their own third-party or certification routes under Article 32.

Yes. The Commission FAQ says manufacturers may integrate important or critical components that were not designed in accordance with harmonised standards, whether or not such standards are available.

That does not remove the integrator's CRA work. The manufacturer of the final product still needs to assess component risks, decide whether the final product itself has the core functionality of an important or critical category, and keep technical documentation showing how the final product meets the CRA requirements.

It must identify the conformity tools applied in full or in part, and it must identify the gaps.

Annex VII requires a list of applied OJ-published harmonised standards, Article 27 common specifications, and European cybersecurity certification schemes. If they are partly applied, the documentation must specify which parts. If they are not applied, it must describe the solutions adopted to meet the CRA requirements and list other relevant technical specifications.

The manufacturer must take those changes into account for continuing conformity.

CRA Article 13(14) requires procedures for series production to remain in conformity and specifically mentions changes in harmonised standards, common specifications, and certification schemes by reference to which conformity is declared or verified. The Blue Guide adds that revised harmonised standards may have OJEU coexistence periods, after which only the revised standard gives presumption for new conformity assessments.

Yes. OJ publication creates the legal effect, but that legal effect can be restricted, prevented, or withdrawn.

The Blue Guide explains that the Commission may publish a reference with restrictions or later maintain, restrict, or withdraw the reference. Under the CRA safeguard process, if non-compliance is attributed to shortcomings in harmonised standards, common specifications, or certification schemes, the Commission may trigger the relevant standardisation objection or amendment process.

Record the exact version, OJ reference status where relevant, requirements covered, parts applied, product functions covered, processes covered, tests or assessments performed, and remaining risks or requirements handled by other means.

The key evidence limit is coverage. A standard, common specification, certificate, or EU statement of conformity supports only the CRA requirements it covers. Technical documentation should therefore map each applicable Annex I requirement to the applied conformity tool or to another documented solution, rather than treating a standard name or certificate as blanket proof.