Summary
This article examines the alignment and differences between the EU Cyber Resilience Act (CRA) and international cybersecurity standards such as ISO/IEC 27001. It discusses the implications these may have for global businesses in terms of compliance and operational adjustments.
Relevant CRA Provisions
Detailed Explanation
The CRA aims to enhance the cybersecurity of products with digital elements within the EU. It establishes essential cybersecurity requirements and provides mechanisms for demonstrating conformity with these requirements. The CRA encourages the use of harmonised standards, common specifications, and European cybersecurity certification schemes to facilitate compliance. International standards, such as ISO/IEC 27001, that align with the CRA’s essential cybersecurity requirements are also considered to facilitate compliance, especially for microenterprises, small and medium-sized enterprises, and those operating globally.
The CRA allows for the adoption of common specifications by the Commission as a fallback solution when harmonised standards are not available or delayed. These common specifications provide an alternative means for manufacturers to demonstrate conformity with the essential cybersecurity requirements. The CRA also integrates with existing EU regulations, such as those for vehicles and aviation, to avoid overlap and ensure a consistent approach to cybersecurity across different sectors.
Obligations for Stakeholders
Manufacturers: Must ensure their products with digital elements comply with the essential cybersecurity requirements. They are encouraged to use harmonised standards, common specifications, or European cybersecurity certification schemes to demonstrate conformity. If they do not use any of these means, they must document how they otherwise meet the requirements.
Global Businesses: Need to align their cybersecurity practices with both the CRA and international standards like ISO/IEC 27001. They may need to make operational adjustments to ensure compliance with the CRA’s requirements, particularly if they operate within the EU market.
European Standardisation Organisations: Are requested by the Commission to draft harmonised standards for the essential cybersecurity requirements. They must ensure these standards are market-driven, based on consensus, and take into account the public interest and policy objectives.
Commission: Is responsible for requesting the drafting of harmonised standards, adopting common specifications where necessary, and ensuring the alignment of the CRA with existing EU regulations and international standards.