On 3 April, the Standardization Request for the Cyber Resilience Act (CRA) was officially accepted by CEN, CENELEC, and ETSI. In response to Mandate M/606 from the European Commission, the three European Standardization Organizations have committed to delivering harmonized standards well in advance – at least one year before the CRA enters into application.
These standards are vital to implementing the CRA and ensuring a consistent and robust approach to cybersecurity across the European Single Market, especially in the face of rapidly evolving digital threats.
The development of these standards is led by several technical committees, which play a central role in defining harmonized European Standards aligned with the essential cybersecurity requirements defined in the CRA. Their work supports manufacturers and developers in embedding cybersecurity-by-design and by-default principles into their products and systems – fully aligned with European values and regulatory expectations.
Two Classes of Standards
To meet the CRA’s diverse needs, the standardization effort will be divided into two classes:
- Horizontal standards: Product-agnostic and framework-oriented, providing foundational guidance applicable across sectors.
- Vertical standards: Product-specific, offering targeted requirements for particular categories of digital products.
Committees Involved
At CEN and CENELEC, the following groups are leading the work:
- CEN-CLC/JTC 13 WG 9 and WG 6
- CEN/TC 224 WG 17
- CLC/TC 65X WG 3
- CLC/TC 47X
At ETSI, a dedicated group has been established within ETSI TC CYBER. This new entity, the ETSI EUSR, will be responsible for delivering all standardization outputs assigned to ETSI under the CRA mandate.
In a short introductory video, Ben Kokx, convenor of the CEN-CLC/JTC 13 WG 9, explains the purpose of the horizontal standards and extends an open invitation to stakeholders to join the CRA standardization efforts and contribute to shaping Europe's cybersecurity future.
