Do CRA common specifications stay in place once a relevant harmonised standard is published?
Not for the overlapping essential cybersecurity requirements.
When the reference of a harmonised standard is published in the Official Journal, Article 27(6) requires the Commission to repeal the common specifications, or parts of them, that cover the same CRA requirements.
Can a manufacturer rely on non-harmonised standards or its own technical specifications instead?
Yes, but that route does not carry the same presumption.
The Blue Guide says manufacturers may use other standards, non-OJ European standards, international standards, other technical specifications, or their own specifications. The practical consequence is a heavier evidence burden: the technical file must show in more detail how those choices meet the CRA requirements.
How do European cybersecurity certification schemes interact with CRA presumption of conformity?
They can create presumption of conformity only for the CRA requirements covered by the certificate or EU statement of conformity.
Article 27(8) gives this limited presumption for products and manufacturer processes covered by a European cybersecurity certification scheme under Regulation (EU) 2019/881. Article 27(9) separately lets the Commission specify schemes that can be used to demonstrate CRA conformity; where such a scheme issues a European cybersecurity certificate at assurance level at least substantial, the manufacturer does not have to carry out a separate third-party CRA conformity assessment for the corresponding requirements.
Does any EU cybersecurity certificate automatically replace CRA conformity assessment?
No. The certificate must be under a relevant European cybersecurity certification scheme, must cover the corresponding CRA requirements, and Article 27(9) requires the Commission to specify which schemes can be used to demonstrate CRA conformity.
A certificate or EU statement of conformity that covers only some requirements gives evidence only for those requirements. It does not prove unrelated CRA requirements, unsupported product functions, vulnerability-handling processes, or technical documentation completeness.
Can important or critical CRA products be compliant without harmonised standards?
Yes, because harmonised standards are voluntary. But for important and critical products, route selection may change.
For important products of class I, Article 32(2) moves the corresponding requirements into module B plus C or module H if the manufacturer has not applied, has applied only in part, or cannot use relevant harmonised standards, common specifications, or qualifying certification schemes at assurance level at least substantial. Class II and critical products have their own third-party or certification routes under Article 32.
Can a manufacturer integrate important or critical components that were not designed using harmonised standards?
Yes. The Commission FAQ says manufacturers may integrate important or critical components that were not designed in accordance with harmonised standards, whether or not such standards are available.
That does not remove the integrator's CRA work. The manufacturer of the final product still needs to assess component risks, decide whether the final product itself has the core functionality of an important or critical category, and keep technical documentation showing how the final product meets the CRA requirements.
What must CRA technical documentation say about harmonised standards, common specifications, and certification schemes?
It must identify the conformity tools applied in full or in part, and it must identify the gaps.
Annex VII requires a list of applied OJ-published harmonised standards, Article 27 common specifications, and European cybersecurity certification schemes. If they are partly applied, the documentation must specify which parts. If they are not applied, it must describe the solutions adopted to meet the CRA requirements and list other relevant technical specifications.
What happens if CRA standards, common specifications, or certification schemes change after series production starts?
The manufacturer must take those changes into account for continuing conformity.
CRA Article 13(14) requires procedures for series production to remain in conformity and specifically mentions changes in harmonised standards, common specifications, and certification schemes by reference to which conformity is declared or verified. The Blue Guide adds that revised harmonised standards may have OJEU coexistence periods, after which only the revised standard gives presumption for new conformity assessments.
Can OJ-published CRA harmonised standards be restricted, withdrawn, or challenged?
Yes. OJ publication creates the legal effect, but that legal effect can be restricted, prevented, or withdrawn.
The Blue Guide explains that the Commission may publish a reference with restrictions or later maintain, restrict, or withdraw the reference. Under the CRA safeguard process, if non-compliance is attributed to shortcomings in harmonised standards, common specifications, or certification schemes, the Commission may trigger the relevant standardisation objection or amendment process.
What evidence limits should CRA teams record when relying on standards, common specifications, or certification schemes?
Record the exact version, OJ reference status where relevant, requirements covered, parts applied, product functions covered, processes covered, tests or assessments performed, and remaining risks or requirements handled by other means.
The key evidence limit is coverage. A standard, common specification, certificate, or EU statement of conformity supports only the CRA requirements it covers. Technical documentation should therefore map each applicable Annex I requirement to the applied conformity tool or to another documented solution, rather than treating a standard name or certificate as blanket proof.
What are important products with digital elements under the CRA?
Important products are products with digital elements whose core functionality matches a product category in CRA Annex III.
Annex III is split into class I and class II. The class matters because it changes the conformity assessment route under Article 32. Class I can sometimes use internal control, while class II must use one of the stricter Article 32(3) routes.
What are critical products with digital elements under the CRA?
Critical products are products with digital elements whose core functionality matches a product category in CRA Annex IV.
Annex IV is narrower than Annex III. It currently identifies critical categories such as hardware devices with security boxes, smart meter gateways and other advanced-security devices, and smartcards or similar devices including secure elements. For classification work, teams should still use the official Annex IV text and the technical descriptions in Commission Implementing Regulation (EU) 2025/2392 rather than relying on product labels alone.
How should a manufacturer decide whether a product is important or critical?
Start with the product's core functionality: the main features and technical capabilities without which the product would not meet its intended purpose.
Then compare those features and capabilities with the CRA Annex III or Annex IV category and the corresponding technical description in Implementing Regulation (EU) 2025/2392. Marketing category names, deployment environment, and partial feature overlap are not enough on their own.
Does a product become important or critical just because it includes an important or critical component?
No. The CRA says that integrating a product with the core functionality of an Annex III category does not by itself make the larger product subject to the important-product conformity routes.
The Commission FAQ applies the same practical logic to integrated important or critical components. A news app with an embedded browser, a laptop with a secure element, or a product that integrates an operating system still has to be classified by the core functionality of the product as a whole.
Can a product have extra functions and still be an important or critical product?
Yes. Additional or ancillary functions do not stop a product from being important or critical if the product's core functionality still matches a listed Annex III or Annex IV category.
The Commission FAQ gives examples: operating systems may include simple ancillary applications, and routers may integrate firewall functionality, without losing their operating-system or router core functionality. The reverse is also true: a product that can perform some SIEM-like functions is not automatically a SIEM if its actual core functionality is different.
What is the conformity assessment consequence for a class I important product?
A class I important product can use the Article 32(1) procedures, including internal control based on module A, only when the Article 32(2) trigger is not met.
If the manufacturer has not applied, has applied only in part, or cannot use relevant harmonised standards, common specifications, or applicable European cybersecurity certification schemes at assurance level at least substantial for the relevant essential requirements, Article 32(2) requires either module B plus C or module H.
What conformity assessment routes apply to class II important products?
Class II important products must use one of the Article 32(3) routes.
Those routes are module B plus C, module H, or, where available and applicable, a European cybersecurity certification scheme under Article 27(9) at assurance level at least substantial. Module A is not the ordinary route for class II, except for the separate free-and-open-source software rule in Article 32(5).
What conformity assessment routes apply to critical products?
Critical products follow Article 32(4). The first route is a European cybersecurity certification scheme in accordance with Article 8(1), if the Article 8(1) conditions are met.
If those conditions are not met, the critical product uses one of the Article 32(3) procedures: module B plus C, module H, or an available and applicable European cybersecurity certification scheme under Article 27(9) at assurance level at least substantial.
Article 8(1) describes the certification route for critical products; Article 32(4) gives the fallback to Article 32(3) where Article 8(1) conditions are not met.
Does important or critical status change the cybersecurity requirements themselves?
No. Important or critical status mainly changes the conformity assessment route before placing the product on the market.
The substantive CRA cybersecurity obligations still come from the essential cybersecurity requirements, the manufacturer's risk assessment, vulnerability handling obligations, technical documentation, and related manufacturer duties. Important and critical products do not get a separate Annex I; they get stricter assurance paths where the CRA requires them.
If only the core functionality drives classification, is only that core function assessed?
No. Core functionality determines the product class and route, but the conformity assessment still covers the product as a whole.
The draft Commission guidance explains that additional or ancillary functions can create additional cybersecurity risks. A manufacturer may be allowed to use internal control for a class I product where a harmonised standard covers the core functionality, but the manufacturer still has to address risks outside that standard's coverage.
Points 131 and 135 to 139 of that draft guidance explain whole-product assessment and the limits on presumption of conformity when a standard covers only part of the product's risks.