Annex VIII is the reference list of harmonised European standards and technical specifications published in the EU Official Journal that create a presumption of conformity with CRA essential requirements. Manufacturers who apply listed standards benefit from the presumption of conformity under Article 8 — meaning authorities cannot challenge compliance for requirements covered by those standards without evidence of non-compliance. The list evolves as new harmonised standards are developed and designated.
How the Annex VIII List Works
Annex VIII lists the harmonised standards whose references have been published in the EU Official Journal for the purposes of Article 7. Only standards that appear in this list (or in the Official Journal notices referenced by this list) provide the formal presumption of conformity under Article 8.
The list is dynamic — it is updated by the Commission as new harmonised standards are developed by European standardisation organisations (CEN, CENELEC, ETSI) pursuant to standardisation mandates, and as the references to those standards are published in the Official Journal. Standards can also be removed from the list if an Article 9 formal objection is upheld.
Manufacturers should treat Annex VIII as a starting point and always cross-reference with the current Official Journal — the authoritative source. Standards published after the regulation's entry into force but before the manufacturer's conformity assessment was completed should be considered if they provide better coverage of essential requirements.
Key Standards Expected to Be Listed
At the time of the CRA's application date in September 2026, the following standards are expected to feature in Annex VIII or in the associated Official Journal references, based on mandates issued to standardisation bodies:
ETSI EN 303 645 — Cyber Security for Consumer Internet of Things. Covers the majority of Annex I requirements for consumer IoT products, including default credential requirements, update mechanisms, CVD requirements, and data protection basics. This is the most directly relevant standard for consumer IoT manufacturers.
IEC 62443 series — Industrial Automation and Control Systems Security. Covers security management, system requirements, and component requirements for industrial environments. Multiple parts of this series may be individually referenced for specific Annex I requirements in industrial product contexts.
ISO/IEC 27001 — Information Security Management Systems. Not directly a product security standard, but evidence of ISO 27001 certification for the product development and operation function supports demonstrating vulnerability management and organisational security processes.
Common Criteria (ISO/IEC 15408) — Evaluation criteria for IT security. Relevant for Class I and Class II products where structured security evaluation is required.
Standards Under Development for the CRA
ETSI and CEN/CENELEC are developing CRA-specific harmonised standards pursuant to Commission standardisation mandates. Key standards under development include:
ETSI EN 18031 series — A multi-part CRA-specific standard covering the essential requirements in Annex I. This series is being developed with direct reference to the CRA's essential requirements and is expected to become the primary harmonised standard for most product categories.
ETSI EN 303 645 revision — An updated version of the consumer IoT standard aligned with CRA requirements and providing explicit mapping to CRA Annex I requirements.
CEN/CENELEC standards — Potentially covering industrial, medical, and automotive-adjacent product categories not addressed by ETSI standards.
Manufacturers should monitor ETSI's published work programme and CEN/CENELEC's standards development schedule for progress updates on these standards. Engaging in the public consultation processes for these standards is an opportunity to influence the technical requirements and to gain early understanding of the compliance pathways they will establish.
Using Non-Listed Standards as Compliance Evidence
Standards not listed in Annex VIII — including international ISO/IEC standards, US NIST frameworks, and industry-specific security standards — can still be used as compliance evidence. They do not provide the formal presumption of conformity, but they demonstrate the manufacturer's technical approach and the state-of-the-art considerations applied.
For example, referencing NIST SP 800-193 (Platform Firmware Resiliency Guidelines) in technical documentation for a server product demonstrates that the firmware security approach meets recognised best practices, even though this US standard does not appear in Annex VIII.
When using non-listed standards as compliance evidence, manufacturers should explicitly map the standard's requirements to the relevant CRA essential requirements in their technical documentation. An unsupported assertion that 'we comply with NIST SP 800-193' without a mapping to Annex I requirements is unlikely to satisfy a market surveillance authority.
Transition Between Standard Versions
When a harmonised standard is revised and the new version is listed in Annex VIII while the old version's listing remains active, manufacturers typically have a transition period to migrate to the new version. During the transition period, both versions provide the presumption of conformity. After the old version's reference is withdrawn from the Official Journal, only the new version provides the presumption.
Manufacturers should plan for standard version transitions as part of their ongoing compliance management. The transition period is usually at least 12 months but should be confirmed in the Official Journal notice accompanying the new version's publication.
For products with long market lifetimes, multiple standard version transitions may occur during the product's support period. Each transition requires an assessment of whether the product continues to meet the requirements of the current standard version.
Frequently asked
Can I apply a standard that is on Annex VIII for only some Annex I requirements?
Yes. Standards often cover subsets of the essential requirements. You can apply an Annex VIII standard for the requirements it covers and use other evidence (other standards, testing results, technical documentation) for the requirements it does not cover. The presumption of conformity applies to the requirements actually covered by the standard you applied.
How do I find out which Annex I requirements a specific harmonised standard covers?
Each harmonised standard includes a 'relation to essential requirements' annex or table that maps the standard's clauses to the specific regulatory requirements it addresses. For CRA harmonised standards, this mapping will indicate which Annex I Part I and Part II requirements are covered. Review this mapping carefully to identify any gaps that require additional compliance evidence.
Is ETSI EN 303 645 already a CRA harmonised standard?
As of the CRA application date, ETSI EN 303 645 may not yet have been formally designated as a CRA harmonised standard through the Official Journal publication process — it was originally developed for the EU Radio Equipment Directive's delegated acts, not specifically for the CRA. Check the current Official Journal for the definitive list. Even if not yet formally designated, applying EN 303 645 demonstrates compliance with industry-recognised requirements and provides strong supporting evidence.
Do I need to buy standards to use them for CRA compliance?
Most harmonised European standards published by ETSI are available for free download from ETSI's website. Standards published by CEN and CENELEC are typically sold through national standards bodies, though some are available through the national standards bodies' e-shops. The cost of standards access is generally modest compared to the compliance benefit they provide.