EU Cyber Resilience Act FAQ Harmonised Standards and Common Specifications

They are the CRA's main technical conformity tools.

Article 27 gives harmonised standards, common specifications, and certain European cybersecurity certification schemes a specific legal role in demonstrating conformity with the CRA's essential cybersecurity requirements. They do not change the requirements themselves, but they can create a presumption of conformity for the requirements they cover.

No.

The CRA does not require manufacturers to use harmonised standards. They are a voluntary means of demonstrating conformity. If the manufacturer does not use them, it still has to show compliance with the essential cybersecurity requirements by other technical means and document that approach in the technical documentation.

No.

For harmonised standards, the legal effect depends on publication of the reference in the Official Journal of the European Union. If the reference is not published there, the standard does not create a CRA presumption of conformity. The Blue Guide also explains that the legal effect attaches to the relevant European version published by reference in the Official Journal, not simply to the existence of an ISO or IEC base standard.

It means the product and the manufacturer's processes are presumed to comply with the specific CRA essential cybersecurity requirements covered by the relevant harmonised standard, common specification, or certification scheme.

That presumption is limited. It applies only to the requirements, or parts of requirements, that the conformity tool actually covers.

No.

The Commission FAQ, drawing on the Blue Guide, states that harmonised standards do not replace the legally binding requirements and do not remove the manufacturer's duty to assess the product's risks and determine which CRA requirements are relevant. The manufacturer still has to check whether the standard actually covers the risks of the product.

Then the presumption of conformity extends only to the covered part.

The manufacturer still has to address the remaining risks and requirements through other measures and describe that in the technical documentation. The same logic applies where the manufacturer applies only part of a harmonised standard rather than all of the relevant provisions.

Potentially, yes for route selection, but not automatically for full product-wide presumption of conformity.

The draft guidance says an important product of class I can remain eligible for the internal control procedure if all applicable requirements of the relevant conformity tool are applied and its scope covers at least the risks related to the product's core functionality. But where the product has additional functions with additional risks, the manufacturer still has to address those risks separately, and the presumption of conformity remains limited to the parts actually covered.

According to the Commission FAQ, horizontal standards are product-agnostic standards intended to provide a generic framework, methodology, and taxonomy for CRA compliance. Vertical standards are product-specific and are meant to address the risks associated with particular intended purposes and reasonably foreseeable uses, especially for Annex III and Annex IV categories.

The absence of a harmonised standard does not prevent CRA compliance.

Manufacturers can still demonstrate conformity through other technical means. In parallel, Article 27 allows the Commission to adopt common specifications in certain fallback situations, and for important products of class I the absence of the relevant conformity tools can affect which conformity assessment route is available.

Only in the fallback situations set out in Article 27.

The CRA allows common specifications where the Commission has already requested harmonised standards and the request was not accepted, the standards were not delivered on time, or the standards do not comply with the request, and no relevant Official Journal reference exists or is expected within a reasonable period.

Not for the overlapping subject matter.

When the reference of a harmonised standard is published in the Official Journal, the Commission must repeal overlapping common specifications, or overlapping parts of them, that cover the same essential cybersecurity requirements.

Yes.

The Blue Guide explains that conformity can also be demonstrated through other standards or technical specifications, including international standards, European standards whose references are not published in the Official Journal, or the manufacturer's own specifications. But those routes do not create a presumption of conformity, so the manufacturer has to demonstrate compliance more directly in the technical documentation.

They can support CRA conformity in two ways.

First, Article 27(8) gives a presumption of conformity insofar as the EU statement of conformity or certificate under the scheme covers the relevant CRA requirements. Second, where the Commission specifies a scheme under Article 27(9), a European cybersecurity certificate at assurance level at least substantial eliminates the obligation to carry out a separate third-party CRA conformity assessment for the corresponding requirements.

Yes.

The use of harmonised standards is voluntary. Important and critical products can still be compliant without them, but that can affect the conformity assessment route. In particular, important products of class I move out of the internal control route when the relevant harmonised standards, common specifications, or specified certification schemes are not applied or do not exist.

Yes.

The Commission FAQ says manufacturers are free to integrate important or critical components that do not follow harmonised standards. Harmonised standards are one way to demonstrate compliance, not a condition for integrating a component.

It must identify what was applied and what was not.

Annex VII requires the manufacturer to list the harmonised standards, common specifications, and European cybersecurity certification schemes applied in full or in part. If they were only partly applied, the documentation must specify which parts were used. If they were not applied, the documentation must describe the other solutions adopted and list other relevant technical specifications used to meet the CRA requirements.

The manufacturer has to take those changes into account.

Article 13(14) requires manufacturers to ensure that series products remain in conformity and to adequately take account of changes in the standards, common specifications, or certification schemes by reference to which conformity is declared or verified. The Blue Guide also explains that revised harmonised standards can involve coexistence periods and that manufacturers should monitor Official Journal publications and assess whether updates are needed.

No.

The CRA expressly allows enforcement action where a product's non-compliance is attributed to shortcomings in harmonised standards, common specifications, or certification schemes. In those cases, the Commission can trigger the relevant safeguard or amendment process for the conformity tool itself.

No.

The standardisation request starts the standards-development process, but it does not itself create presumption of conformity. Even after a European standard is adopted by the ESOs, Article 27(6) requires the Commission to assess it before publishing its reference in the Official Journal. The Blue Guide explains that the publication of the reference in the Official Journal is what starts the presumption of conformity, and that publication is not automatic.

No.

Common specifications are an exceptional fallback tool, not a general first-line or automatically mandatory substitute for harmonised standards. Under Article 27(2), the Commission may adopt them only after a standardisation request has already been made and that process has failed, been delayed or not complied with the request, and only where no relevant Official Journal reference has been published or is expected within a reasonable period. Recital 85 explains that this reasonable period should not exceed one year after the drafting deadline. If a manufacturer does not apply the common specifications, it must document what other solutions it uses to meet the CRA requirements.

No.

Article 32(2) says that if the manufacturer has not applied, or has applied only in part, the relevant harmonised standards, common specifications or European cybersecurity certification schemes, the product and the manufacturer's processes must be submitted for the corresponding requirements to one of the third-party conformity assessment routes. The draft guidance adds that, to remain eligible for internal control, all applicable requirements of the relevant harmonised standard need to be applied and its scope needs to cover at least the risks related to the product's core functionality.

No.

Under the draft guidance, the certification-scheme route in Article 27 has CRA effect only where the Commission has specified the relevant European cybersecurity certification scheme by delegated act under Article 27(9). Even then, any presumption of conformity is limited to the requirements actually covered by the certificate or EU statement of conformity. And only the issuance of a European cybersecurity certificate at assurance level at least substantial removes the obligation to carry out a separate third-party CRA conformity assessment for the corresponding requirements.

No.

As an inference from Article 27 and the Blue Guide, CRA presumption of conformity attaches to the European standard version whose reference is published in the Official Journal for the relevant legal coverage. A standard harmonised under another Union act, or an ISO or IEC base text on its own, can still be used as another technical specification, but it does not automatically create CRA presumption of conformity under the CRA.

The legal effect can narrow or end.

The Blue Guide explains that the Commission may publish a reference with restrictions, or later maintain, restrict or withdraw the reference after the relevant objection procedures. When a standard is revised, the Official Journal often sets a coexistence period during which both the old and revised references still give presumption of conformity. After the withdrawal date, only the revised standard continues to do so. Manufacturers therefore need to monitor Official Journal publications and take account of those changes for future conformity work and for ongoing series production.