CRA Regulatory

Harmonised Standard

A Harmonised Standard is a European standard developed by a recognised standards body (CEN, CENELEC, or ETSI) under a mandate from the European Commission that confers a presumption of conformity with specific EU legislation. Manufacturers whose products comply with a published Harmonised Standard satisfy the corresponding CRA essential requirements without further proof.


What Is a Harmonised Standard?

A Harmonised Standard is a technical standard developed by one of the three European Standards Organisations — CEN, CENELEC, or ETSI — following a mandate issued by the European Commission. Once the standard is published in the Official Journal of the EU (OJEU), any product that complies with it benefits from a legal presumption of conformity with the EU legislation the standard supports. This presumption-of-conformity mechanism is central to the New Legislative Framework (NLF) that underpins most EU product regulation, including the Cyber Resilience Act. Harmonised Standards provide manufacturers with a concrete technical pathway to compliance, translating the CRA's high-level essential requirements into specific, testable technical specifications.

CRA reference: Article 27

Harmonised Standards and CRA Compliance

For the CRA, ETSI and CEN-CENELEC are the primary bodies tasked with developing relevant harmonised standards. Work is ongoing to develop standards that map to the Annex I essential cybersecurity requirements, covering areas such as secure by design, vulnerability handling, cryptographic requirements, and update mechanisms. Until a harmonised standard is published in the OJEU for a specific CRA requirement, manufacturers must demonstrate compliance through other means — such as applying common technical specifications issued by the Commission, engaging a Notified Body, or documenting their own technical approach. Manufacturers should monitor ETSI's CRA-related work items (including extensions to EN 303 645) and CEN-CENELEC's work programme for emerging standards relevant to their product category.

CRA reference: Article 27, Article 28

Presumption of Conformity: What It Means in Practice

When a manufacturer applies a harmonised standard whose reference has been published in the OJEU, they gain a legal presumption that their product satisfies the CRA essential requirements covered by that standard. This shifts the burden of proof: instead of having to demonstrate compliance from first principles, the manufacturer simply needs to document that the harmonised standard has been applied. This significantly simplifies the conformity assessment process — for default-class and some Class I products, full conformity can be demonstrated through self-declaration based on harmonised standard compliance alone, without third-party involvement. However, if a manufacturer departs from any part of the standard, they must provide alternative technical justification for the requirements covered by that part.

CRA reference: Article 27

Currently Relevant Standards for CRA

While CRA-specific harmonised standards are still being developed, several existing standards provide useful reference points for manufacturers:

  • ETSI EN 303 645 — Cyber Security for Consumer Internet of Things, widely considered the current best-practice baseline for IoT products and likely to inform CRA harmonised standards for consumer device categories.
  • IEC 62443 series — Industrial automation and control system security, relevant for Important Class products in industrial sectors.
  • ISO/IEC 27001 — Information security management, relevant to organisational security processes underlying vulnerability handling.
  • ISO/IEC 29147 and ISO/IEC 30111 — Vulnerability disclosure and handling standards that map directly to CRA Article 13 obligations.

Manufacturers should track the ETSI TC CYBER and CEN-CENELEC JTC 13 work programmes for new CRA-mandated standards.


Frequently asked

Are there harmonised standards for the CRA available yet?

As of 2025-2026, CRA-specific harmonised standards are still under development by ETSI and CEN-CENELEC. The Commission issued standardisation mandates, and work items are progressing, but formal publication in the OJEU has not yet occurred for all CRA requirements. In the interim, manufacturers may use existing cybersecurity standards (such as ETSI EN 303 645 for consumer IoT) as a compliance baseline and document their approach thoroughly.

Is compliance with a harmonised standard mandatory?

No. Harmonised standards are voluntary. Manufacturers are free to achieve CRA compliance by other means — for example, by applying common technical specifications issued by the Commission, or by working with a Notified Body. However, applying a harmonised standard is usually the most straightforward and cost-effective path to compliance, particularly for default-class and Class I products that can self-certify.

What happens if a harmonised standard only partially covers the CRA requirements?

If a harmonised standard covers only some of the CRA's essential requirements, the manufacturer benefits from presumption of conformity only for those requirements covered by the standard. For the remaining requirements, the manufacturer must use alternative means to demonstrate compliance. The declaration of conformity must clearly identify which standards were applied and which requirements they address.
