Presumption of Conformity, Harmonised Standards, and Common Specifications

Harmonised standards are European standards (EN standards) developed by European standardisation organisations - CEN, CENELEC, or ETSI - following a mandate from the European Commission. Unlike general ISO or IEC standards, harmonised standards are specifically aligned with the essential requirements of EU legislation and, once published in the EU Official Journal, carry the legal presumption of conformity benefit.

For the CRA, the Commission will issue standardisation mandates to ETSI and CEN/CENELEC to develop harmonised standards covering the essential requirements in Annex I. These standards will provide detailed, product-category-specific technical specifications for how to meet each requirement.

Prior to harmonised standards becoming available, manufacturers may use existing technical specifications such as ETSI EN 303 645 (consumer IoT), IEC 62443 (industrial automation), or ENISA guidelines as supporting evidence, though these do not provide the formal presumption of conformity.

Harmonised standards applicable to the CRA will be published in the EU Official Journal with references indicating which essential requirements they cover. Manufacturers should monitor the Official Journal regularly to identify newly published standards relevant to their product categories.

The European Commission's standardisation database also provides searchable access to published harmonised standards by regulation. ETSI's portal and CEN/CENELEC's standards catalogue list standards under development, giving manufacturers advance notice of upcoming standards they may wish to follow.

For product categories where no harmonised standard yet exists, manufacturers must use alternative means to demonstrate compliance - typically through technical documentation, third-party testing, or reference to relevant ISO/IEC standards - while accepting that no formal presumption of conformity applies.

Manufacturers are not required to apply harmonised standards in their entirety. Where a standard covers requirements that are not applicable to a specific product, or where a manufacturer has achieved compliance through different technical means, partial application is permissible. However, the presumption of conformity only applies to the requirements actually covered by the portions of the standard that are applied.

Where a manufacturer deviates from a harmonised standard - for example, by using a different cryptographic algorithm than specified - they must document the deviation and provide alternative evidence that the essential requirement is met. This documentation forms part of the technical file that must be maintained under Annex VII.

Audit trails and version control of standard references are important: where a harmonised standard is revised, manufacturers should assess whether the updated version affects their compliance position.

Where harmonised standards are not yet available or are considered inadequate, Article 27 allows the Commission to adopt 'common specifications' - implementing acts that set out the technical requirements manufacturers may use as an alternative compliance pathway. Common specifications also provide a presumption of conformity for the requirements they cover.

Common specifications are typically used as a transitional measure while the standardisation process catches up with new regulatory requirements, or in areas where the standardisation bodies have not produced suitable standards within a reasonable timeframe. They have the same legal status as harmonised standards for the purposes of the presumption of conformity but are issued by the Commission rather than developed through the European standardisation process.

Article 27 establishes a legal presumption: where a product conforms to a harmonised standard published in the EU Official Journal under Article 7, it is presumed to comply with the essential requirements of Annex I that are covered by that standard. This is a procedural advantage with significant practical value.

Without the presumption, a manufacturer facing scrutiny from a market surveillance authority would need to affirmatively prove compliance with each essential requirement. With the presumption, the burden shifts - the authority must demonstrate that the product fails to meet the requirement despite application of the standard.

The presumption applies to the specific requirements covered by the harmonised standard. Standards typically include an annex or scope statement identifying which regulatory requirements they address. Manufacturers should carefully check this mapping to confirm which essential requirements are covered.

The presumption of conformity is not unlimited. It applies only to:

1. The specific harmonised standard actually applied (not merely referenced)
2. The essential requirements that the standard covers
3. The version of the standard that is currently referenced in the Official Journal

A manufacturer who applies an outdated version of a harmonised standard, or who applies only parts of the standard, benefits from the presumption only to the extent of their actual compliance. Where a product deviates from the standard's requirements - even in minor ways - the presumption may be weakened or lost for the affected requirements.

The presumption also operates at the product level, not the batch level. If a manufacturer discovers a defect in a specific production batch that results in products not meeting the standard, the presumption does not protect those units even if the product design meets the standard.

Article 27 extends the presumption of conformity to products conforming to common specifications adopted under Article 7(4). Common specifications are Commission implementing acts that provide technical requirements as an alternative to harmonised standards, typically used where harmonised standards are not yet available or are considered insufficient.

From the manufacturer's perspective, common specifications and harmonised standards are functionally equivalent for presumption purposes - both create the same legal presumption when applied. The procedural differences are on the standards development side: harmonised standards are developed by European standardisation organisations through consultation processes, while common specifications are adopted directly by the Commission.

Manufacturers monitoring the compliance landscape should track both the Official Journal harmonised standards references and any Commission implementing acts adopting common specifications.

For products in the default product class (not listed in Annex III), Article 25 allows self-certification through Module A internal control. The presumption of conformity from Article 27 supports this self-certification pathway - a manufacturer who applies a harmonised standard and self-certifies has strong legal grounds for the CE marking.

For Annex III Class I products, third-party involvement is required (either a quality assurance review of technical documentation or a third-party audit). Even in these cases, application of a harmonised standard streamlines the third-party assessment because the assessor can verify conformance to the standard rather than independently evaluating compliance with each essential requirement.

For Annex III Class II products, the most stringent third-party assessment is required, but harmonised standards still reduce the assessment workload by providing a structured framework for evaluation.

The presumption of conformity is based on the product's compliance with the harmonised standard at the time of assessment. Manufacturers must maintain their compliance over time - particularly as standards are updated and as new vulnerabilities are discovered.

When a harmonised standard is revised and the new version is published in the Official Journal, manufacturers typically have a transition period to update their products and documentation to the new standard. During the transition period, compliance with the old version continues to create the presumption. After the transition period expires, only the new version maintains the presumption.

Manufacturers should establish a process for monitoring standard updates and assessing whether product updates are required to maintain compliance with current versions.

Article 27 gives the European Commission the power to raise a formal objection to a harmonised standard where it considers that the standard does not fully satisfy the essential requirements it is intended to cover. This power exists as a quality-control mechanism over the standardisation process - ensuring that harmonised standards actually provide the level of protection the CRA requires.

An objection under Article 27 can result in the partial or full withdrawal of a standard's presumption of conformity. Once an objection is raised and implemented through the Official Journal, manufacturers relying on the objected standard can no longer benefit from the presumption of conformity for the disputed requirements. They must find alternative evidence of compliance.

The Commission's objection power is distinct from minor technical corrections to standards, which are handled through the normal standardisation revision process. Article 27 applies where there is a substantive disagreement about whether a standard meets the regulation's requirements.

Before raising a formal objection, the Commission consults with member states and stakeholder committees. This process typically involves the Standing Committee established under the relevant standardisation regulation, and may include consultation with the relevant standardisation body.

If the Commission decides to proceed with the objection, it issues an implementing act withdrawing or restricting the reference to the harmonised standard in the Official Journal. This act takes effect from its publication date, though transitional provisions may allow manufacturers a period to adjust.

The standardisation body is then responsible for revising the standard to address the Commission's concerns. The revised standard may be submitted for a new Official Journal reference, restoring the presumption of conformity once the Commission is satisfied that the deficiencies have been resolved.

For manufacturers, Article 27 creates a risk that must be managed as part of their compliance strategy. A harmonised standard on which they have based their CE marking and technical documentation could be partially or fully invalidated, requiring them to reassess compliance and potentially update products or documentation.

Manufacturers should monitor the EU Official Journal and Commission communications for any Article 27 proceedings. Best practice is to maintain technical documentation that demonstrates compliance with the underlying essential requirements independently - not solely by reference to the harmonised standard. This provides resilience against standard objections.

Where a standard is objected to, manufacturers should assess whether the objection affects their specific product's compliance. Not all objections will affect every product - an objection to a specific requirement may not be relevant to products that are compliant with that requirement through other means.

It is important to distinguish Article 27 formal objections from the routine process of harmonised standard revision. Standards are regularly updated by standardisation bodies to reflect new technical developments, emerging threats, and improved understanding of security requirements. These routine revisions do not involve the Commission's formal objection process.

When a harmonised standard is revised through normal standardisation processes, the new version is published in the Official Journal, the old version's reference is typically withdrawn after a transition period, and manufacturers migrate to the new version during the transition period. This is a normal part of the compliance lifecycle and should be planned for.

Article 27 proceedings are more exceptional and represent a finding by the Commission that the standard is substantively deficient. They are expected to be relatively rare events rather than routine occurrences.