Harmonised Standards and Presumption of Conformity

Harmonised standards are European standards (EN standards) developed by European standardisation organisations — CEN, CENELEC, or ETSI — following a mandate from the European Commission. Unlike general ISO or IEC standards, harmonised standards are specifically aligned with the essential requirements of EU legislation and, once published in the EU Official Journal, carry the legal presumption of conformity benefit.

For the CRA, the Commission will issue standardisation mandates to ETSI and CEN/CENELEC to develop harmonised standards covering the essential requirements in Annex I. These standards will provide detailed, product-category-specific technical specifications for how to meet each requirement.

Prior to harmonised standards becoming available, manufacturers may use existing technical specifications such as ETSI EN 303 645 (consumer IoT), IEC 62443 (industrial automation), or ENISA guidelines as supporting evidence, though these do not provide the formal presumption of conformity.

The legal presumption of conformity is the central benefit of using harmonised standards. When a manufacturer applies a harmonised standard, their product is presumed to comply with the essential requirements covered by that standard. National market surveillance authorities cannot require the manufacturer to prove compliance with those requirements through additional evidence — the burden shifts to the authority to demonstrate non-compliance.

This presumption applies only to the extent that the harmonised standard actually covers the relevant essential requirements. A standard may cover only a subset of Annex I requirements, in which case the presumption applies to those requirements and the manufacturer must find other means to address the remainder.

The presumption of conformity is also rebuttable — if a product is found to present a risk despite being manufactured to a harmonised standard, authorities can still take action. The standard provides evidence of compliance but is not an absolute shield.

Harmonised standards applicable to the CRA will be published in the EU Official Journal with references indicating which essential requirements they cover. Manufacturers should monitor the Official Journal regularly to identify newly published standards relevant to their product categories.

The European Commission's standardisation database also provides searchable access to published harmonised standards by regulation. ETSI's portal and CEN/CENELEC's standards catalogue list standards under development, giving manufacturers advance notice of upcoming standards they may wish to follow.

For product categories where no harmonised standard yet exists, manufacturers must use alternative means to demonstrate compliance — typically through technical documentation, third-party testing, or reference to relevant ISO/IEC standards — while accepting that no formal presumption of conformity applies.

Manufacturers are not required to apply harmonised standards in their entirety. Where a standard covers requirements that are not applicable to a specific product, or where a manufacturer has achieved compliance through different technical means, partial application is permissible. However, the presumption of conformity only applies to the requirements actually covered by the portions of the standard that are applied.

Where a manufacturer deviates from a harmonised standard — for example, by using a different cryptographic algorithm than specified — they must document the deviation and provide alternative evidence that the essential requirement is met. This documentation forms part of the technical file that must be maintained under Annex VII.

Audit trails and version control of standard references are important: where a harmonised standard is revised, manufacturers should assess whether the updated version affects their compliance position.

Where harmonised standards are not yet available or are considered inadequate, Article 7 allows the Commission to adopt 'common specifications' — implementing acts that set out the technical requirements manufacturers may use as an alternative compliance pathway. Common specifications also provide a presumption of conformity for the requirements they cover.

Common specifications are typically used as a transitional measure while the standardisation process catches up with new regulatory requirements, or in areas where the standardisation bodies have not produced suitable standards within a reasonable timeframe. They have the same legal status as harmonised standards for the purposes of the presumption of conformity but are issued by the Commission rather than developed through the European standardisation process.