Cyber Resilience Act: When will requirements finally get more specific?
Outlook & timeline for harmonised standards and additional EU commission guidance
When talking about CRA compliance, the single most frequent complaint is: “But this is all so vague. How do we know how to interpret XYZ?”
This complaint is totally understandable. Just take the essential requirements in Annex I: They only fill one and a half pages, most requirements only have two to three lines.
Example?
Products with digital elements must “protect the integrity of stored, transmitted or otherwise processed data […] commands, programs and configuration against any manipulation or modification not authorised by the user […]”
Now what does “protect the integrity” mean? Is a checksum enough? A four-eyes principle? Does protection have to be provided by cryptographic means?
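The article leaves this question open, and the CRA text itself does not settle it. To make the distinction concrete, the following Python example (added here; not part of the original article, and not an interpretation endorsed by any standard) contrasts a plain checksum with a keyed MAC over a constructed configuration blob. A CRC detects accidental corruption, but anyone who can rewrite the stored data can recompute it, so it does not protect against deliberate, unauthorised modification. A MAC under a key the modifying party does not hold does. The configuration content and the device key are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a device configuration blob as it might sit in flash or on disk.
ORIGINAL_CONFIG = b"mode=locked;update_url=https://updates.example.invalid;debug=0\n"
# The same blob after an unauthorised change (constructed).
TAMPERED_CONFIG = ORIGINAL_CONFIG.replace(b"debug=0", b"debug=1")
# Constructed device key; in a real product it would live in protected key storage.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def checksum_tag(data: bytes) -> bytes:
    """Integrity tag based on a plain CRC32: detects accidental corruption only."""
    return zlib.crc32(data).to_bytes(4, "big")


def checksum_verify(data: bytes, tag: bytes) -> bool:
    return checksum_tag(data) == tag


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking information through comparison timing.
    return hmac.compare_digest(mac_tag(key, data), tag)


def scenario() -> dict:
    """Run both schemes against the same unauthorised modification.

    Assumed threat model: the modifying party has write access to the stored
    blob (e.g. a configuration file) but not to DEVICE_KEY.
    """
    results = {}

    # CRC32: the tag can simply be recomputed alongside the modified data,
    # so verification passes and the modification goes unnoticed.
    recomputed_crc = checksum_tag(TAMPERED_CONFIG)  # needs no secret
    results["crc_detects_manipulation"] = not checksum_verify(TAMPERED_CONFIG, recomputed_crc)

    # CRC32 still catches a random single-bit flip, the case it was designed for.
    corrupted = bytearray(ORIGINAL_CONFIG)
    corrupted[3] ^= 0x01
    results["crc_detects_bitflip"] = not checksum_verify(bytes(corrupted), checksum_tag(ORIGINAL_CONFIG))

    # HMAC: without the key, the best the modifying party can do is keep the old tag.
    stored_mac = mac_tag(DEVICE_KEY, ORIGINAL_CONFIG)
    results["hmac_detects_manipulation"] = not mac_verify(DEVICE_KEY, TAMPERED_CONFIG, stored_mac)
    results["hmac_accepts_original"] = mac_verify(DEVICE_KEY, ORIGINAL_CONFIG, stored_mac)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The caveat a practitioner will immediately raise is that a MAC only moves the problem: the protection is exactly as strong as the protection of the key on the device. Where the verifying device must not hold a secret at all (for example, verifying firmware or configuration produced by the manufacturer), a digital signature with the private key kept off-device is the usual answer. Which of these a given product needs is precisely the kind of question the article argues a documented risk assessment has to answer.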
The same problem applies to so many other questions: scope, remote data processing, the definition of important and critical products, due diligence for third-party components, substantial modifications, risk assessment… The list goes on.
There are two default answers to these questions: “This is about to be defined in a harmonised standard” and “the EU Commission is planning to publish more guidance on that.” This is understandably a source of frustration for manufacturers who want to begin their CRA compliance journey NOW. Changing product strategies, characteristics, and development processes all takes time, and December 2027 isn’t that far off…
So let’s talk turkey: What harmonised standards and guidance can we expect — and, most importantly: WHEN?!
This article summarizes what we currently know about the contents and timeline of harmonised standards (Part 1) and further guidance by the EU Commission (Part 2), followed by a three-step guide to moving towards CRA compliance in a smart way given the limited information we have (Part 3).
Disclaimer: The information in this article comes from the EU Commission’s first CRA expert group meeting as well as my participation in CEN / CENELEC and ISA standardisation activities and conversations with other experts. Minutes and slides from the expert group meeting are public; documents from standardisation aren’t, as discussions there are still ongoing.
Part 1: Harmonised Standards
Harmonised standards promise to provide clarity and legal certainty. That’s because the “presumption of conformity” applies to some of these standards. Presumption of conformity means: If you comply with this standard, you can assume that you also comply with the related CRA requirements. There’s also partial presumption of conformity for standards that only cover some of the CRA requirements.
The European standardisation organisations received a standardisation request by the European commission specifying which harmonised standards are to be developed and what topics they should cover (read more about how all that works here).
Based on this standardisation request, they have now developed a work programme defining the standards to be drafted along with due dates, and assigned this work to working groups. Drafting is in progress for all of these standards, and timelines are ambitious given the formal commenting and voting process European standards must follow.
Standard types
Manufacturers are familiar with the principles of harmonised standards and presumption of conformity from other EU product legislation that includes CE markings. The Machinery Directive, for example, has over 800 harmonised standards, for different types of machines.
A breakdown into three types A, B, and C has proven its worth — and the CRA standards follow the same principle. If you understand these three types, understanding the planned horizontal standards becomes much easier:
Type A standards (horizontal framework)
Type A standards define principles, terms or framework conditions. They apply to all products, but do not specify any CRA requirements, so the presumption of conformity does not apply to them: meeting a type A standard is not sufficient to meet the CRA.
However, that doesn’t mean they don’t matter if you want to benefit from the presumption of conformity. There is a principle of coherence saying that the more specific type B and C standards can only deviate from type A standards if duly justified. So they can be seen as overarching guidance for the more detailed standards that do imply a presumption of conformity.
Planned type A standards for the CRA?
Of the 41 items requested in the EU Commission’s standardisation request, 15 are horizontal, but only one is type A. It is supposed to specify the first sentence from Annex I: “Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.”
This type A standard on “principles of cyber resilience” will likely contain
- requirements for cybersecurity risk management,
- requirements for “product cybersecurity activities” beyond risk management that ensure cybersecurity is considered throughout the product lifecycle. These will include the usual suspects like security requirements establishment, secure development, secure implementation, secure production, security verification and validation, monitoring, secure decommissioning, and due diligence for third party components.
All of these requirements will deliberately be kept neutral to accommodate the different approaches for different product types outlined in type C standards.
Timeline?
The type A standard for the CRA will be published by 30 August 2026. A draft for working-group internal commenting already exists, commenting by the CEN / CENELEC member states’ national standardisation committees (“enquiry”) is scheduled to begin at the end of August 2025.
Type B standards (horizontal standards)
Type B standards specify product-agnostic CRA requirements. These can be requirements where it is not necessary to differentiate between different products, or a larger class of similar products is grouped together. This is why they are often referred to as “horizontal standards” — because they apply across a wide range of products.
The presumption of conformity can apply to these standards, but sometimes it doesn’t because these standards are still rather generic, and sometimes there’s only a partial presumption of conformity, which means it only applies to a part of the CRA’s essential requirements.
Planned type B standards for the CRA?
Of the 41 items requested in the EU Commission’s standardisation request, 15 are horizontal, and 14 of those are type B. This doesn’t mean there will be 14 standards, because sometimes more than one item can be covered in a single standard.
The planned type B standards are mainly process standards, meaning that they contain requirements on processes rather than on the product. There will be
- a standard for vulnerability handling (Annex I, Part 2). It will be based on EN ISO/IEC 29147:2020 and EN ISO/IEC 30111:2019 and accordingly contain requirements for the vulnerability handling phases we know from these standards — for example sharing, preparation, discovery, triage, remediation, gaining of awareness, promotion of deployments, and post release. The discussion whether this standard will provide a presumption of conformity is still ongoing.
- a standard on generic cybersecurity requirements, specifying the 13 essential requirements outlined in Annex I, Part 1 (2) without reference to a specific product type. It is likely (but not finally decided yet) that this standard will build upon the EN 18031 standard series, which is the harmonised standard for the Radio Equipment Directive Delegated Act (RED-DA). This standard will not provide a presumption of conformity — but it’s the basis for the type C standards that do. However, type C standards will be granted some flexibility to ensure pre-existing standards can become type C standards.
Timeline?
- By 30 Aug 2026, the type B standard on vulnerability handling will be published. A draft is almost ready: CEN/CENELEC member committee commenting (“enquiry”) is scheduled to begin in October 2025.
- By 30 Oct 2027, the type B standard on generic cybersecurity requirements will be published. CEN/CENELEC member committee commenting (“enquiry”) is scheduled to begin in December 2025.
Type C standards (vertical standards)
Type C standards specify CRA requirements for a specific product category — ideally all CRA requirements. They are also known as “vertical standards” — they go into great depth vertically for a product.
Type C standards typically provide a presumption of conformity. These are the tangible references that product managers want: If they follow the type C standard for their product, they can assume that they meet the CRA.
Type C standards cannot deviate from the principles outlined in type A and B standards unless the deviations are duly justified (“coherence principle”).
Planned type C standards for the CRA?
In CRA context, type C standards are those that specify the essential requirements in Annex I, Part 1, for a specific product type.
Given the huge number of product categories in scope of the CRA, only vertical standards for the important or critical products (Annex III and IV) are in the harmonised standards work programme for the time being. This still covers dozens of product categories.
Also, a “broader vertical standard” is planned for the entire industrial / OT product category. The basis for this will probably be ISA/IEC 62443-4-2, 62443-4-1, and 62443-3-3. The necessary work to align ISA/IEC 62443 with the CRA essential requirements is already being done in CEN / CENELEC TC65X WG3. This means that the relevant parts of the ISA/IEC 62443 standard series may differ from the international version when adopted as harmonised European standards.
Although not strictly necessary from a European standardisation perspective, the CEN/CENELEC working group does try to feed these changes back into the ISA/IEC version of the standard to avoid the European version differing from the international version.
More vertical standards may (and probably will) follow, but are not explicitly planned yet. For what it’s worth: the 800 harmonised standards for the Machinery Directive didn’t materialise overnight either…
Timeline?
- Type C standards for important / critical products according to CRA Annex III / IV are due to be published by 30 Oct 2026.
- There are no standardisation requests and hence no due dates defined by the European commission for any other type C standards yet. But for the broader vertical standard for OT based on the ISA/IEC 62443 series, the standardisation organisations plan for 30 Oct 2026.
The below image comes from the minutes of the CRA Expert group and summarizes the three different standard types and their due dates for publishing.
Part 2: Additional guidance
Harmonised standards are only one source of information, and they only address the CRA’s essential requirements outlined in Annex I.
But what about all the other questions? Those about scope, about due diligence, about remote processing solutions — and who tells me if my product counts as a “microcontroller with security-related functionalities”, for example?
That’s where further guidance by the EU Commission comes in. There are two categories of “further guidance”:
Guidance mandated in the CRA
Firstly, there are guidelines that are mandated in the CRA (Article 26) and must therefore definitely be drawn up. More specifically, there will be “implementing acts” or “delegated acts” on the following topics:
- Scope: guidance will help determine when remote data processing solutions and free and open-source software are in scope of the CRA, and probably do the same for some more edge cases. Also, a delegated act will define the important and critical products. There already is a public draft.
- Support periods: the support period is the period during which free security updates must be provided, and manufacturers can determine the length of the period themselves. Guidance will indicate reasonable support periods for specific product categories.
- Interplay with other legislation: Guidance will help manufacturers navigate overlapping requirements with other EU acts, especially RED (which is pressing for many manufacturers since the RED deadline is Aug 1, 2025), DORA, AI Act, and machinery regulation.
- Substantial modification: this matters because it’s the only way the CRA may apply to legacy products — if they’re subject to “substantial modification”. Guidance will clarify what modifications qualify as “substantial”.
Guidance not mandated by the CRA
In addition, the EU Commission has identified some more fields based on industry feedback where guidance may be needed. There’s no guarantee and no deadline for this guidance, but the drafting work has begun in the CRA Expert Group:
- Reporting obligations: which incidents exactly need to be reported and with how much detail?
- Due diligence: manufacturers need to do “due diligence” regarding the product security in their supply chain — what exactly does that mean?
- Risk assessment: risk assessments based on the intended purpose and reasonably foreseeable use of the product must be carried out for all CRA-affected products. This is uncharted territory for many product manufacturers, especially smaller ones.
Timeline
The technical descriptions for important and critical products actually have a due date according to Article 7: 11 December 2025. So it’s no surprise they came out first.
For the other guidance documents, there is no specific due date. But the Commission has done a prioritization they shared during the CRA Expert Group meeting, and this indicates what will come out first — I’m guessing roughly “later this year”:
- all guidance around scope, remote data processing solutions and open source, and
- guidance around risk assessments.
Timeline summary
Admittedly, this was a lot of information. Below is a summary of the timeline based on what we know from the CRA legal text, the EU Commission’s standardisation request, and the CRA expert group meeting minutes.
In a nutshell, this is all we currently know about if, when, and how CRA requirements are going to become more specific.
Part 3: How to act now based on limited information
If you’re a product manufacturer and you want to act now, waiting for a published harmonised standard is not an option — you’d have to wait for another year.
But there’s enough information to make informed decisions and take actions NOW. No need to wait. Here’s the mixed strategy that makes sense based on the current information:
- The essential requirements (Annex I) are your bible. We know there won’t be harmonised standards for most products anytime soon. And even if there are harmonised standards, you’ll not be forced to comply with them. But no matter what, you will always have to comply with the CRA essential requirements. They are your bible. Trace back everything you do for CRA compliance to these essential requirements.
- Do your risk assessment. We know that risk assessments are the most powerful tool in CRA. The CRA itself says it: All the essential requirements are to be applied “based on risk”. Risk assessments will be a basic principle in the type A harmonised standard (and therefore trickle down into all other harmonised standards). The EU commission treats risk assessment guidance with priority.
If you don’t know how to interpret an essential requirement, or how much security is “enough” for your product to meet a certain essential requirement: ask your risk assessment. It has the power to tell you, and if you do and document it thoroughly, you’re allowed (and asked!) to make your decisions based on your risk assessment.
- Follow standards that will be the basis for harmonised standards. And if you’ve consulted your essential requirements and your risk assessment and you’re still in doubt about “what others would do” — take a look into EN 18031. It’s very likely going to be the basis for the upcoming type B standard, which in turn will be the basis for upcoming harmonised standards that provide presumption of conformity. One of its jewels is its decision trees, which help you decide whether and to what extent a requirement is applicable to your product.
And if you’re in the industrial space, you can also consult ISA/IEC 62443-4-1, -4-2, and -3-3.
But stick to the essential requirements, don’t get distracted by additional things that may be in these standards.
And finally: despite all the understandable frustration about standards and guidance coming out too late — all this is also an opportunity. If there were a type C standard tomorrow, manufacturers would have to live with it.
This way, they are allowed to interpret CRA requirements for their own products in a practical, sensible way — based on risk. For sustainable, responsible cybersecurity decisions, these are the best circumstances that can happen to you. You don’t have to struggle with standard requirements that don’t work for your product. You can find some that work — as long as they reduce risk and align with the CRA’s essential requirements.
And should you have the capacity, dear manufacturers: contribute your learnings from your cybersecurity and risk assessment journey to the development of type B and C standards. The time is now.
Because ultimately, the person who can best decide what the most reasonable state of the art for the cybersecurity of your products is:
You.
Cyber Resilience WHAT? Read a 5-minute introduction to the EU Cyber Resilience Act here.
This article was part of the monthly “Security Briefings for Hard Hats” [in German].