Summary
The EU Cyber Resilience Act (CRA) emphasizes the importance of interoperability and standardization to enhance cybersecurity across digital products and services, ensuring seamless integration and compliance with global standards. The CRA facilitates the development of harmonized standards and supports manufacturers, particularly microenterprises and small and medium-sized enterprises, in achieving conformity with these standards.
Relevant CRA Provisions
Detailed Explanation
The CRA promotes interoperability and standardization through several key mechanisms. Recital (30) highlights the alignment of essential cybersecurity requirements with existing standards under Directive 2014/53/EU, ensuring a smooth transition and integration of new regulations. Recital (83) underscores the role of the European standardisation framework in developing market-driven, consensus-based standards that give a presumption of conformity with the CRA’s essential cybersecurity requirements. The same recital notes that, where harmonized standards are delayed or blocked, the Commission may establish common specifications as a fallback solution.
Recital (80) stresses the importance of timely development and availability of harmonized standards, particularly for class I products with digital elements, to avoid bottlenecks in conformity assessments. Recital (79) provides for a presumption of conformity for products that meet harmonized standards, facilitating easier compliance for manufacturers, especially SMEs operating globally.
Article 26 mandates the Commission to publish guidance to assist economic operators, with a focus on SMEs, in applying the Regulation. This guidance includes aspects such as the scope of the Regulation, application of support periods, and compliance for manufacturers subject to other Union legislation. Article 33 requires Member States to support SMEs through awareness-raising, training, and regulatory sandboxes, and allows SMEs to use simplified technical documentation for conformity assessment.
Obligations for Stakeholders
Manufacturers: Must comply with essential cybersecurity requirements and harmonized standards. They can leverage guidance and support measures provided by the Commission and Member States, particularly if they are SMEs.
Member States: Should facilitate the implementation of the CRA by organizing awareness-raising and training activities, establishing communication channels for SMEs, and supporting testing and conformity assessment activities. They may also set up cyber resilience regulatory sandboxes to aid innovative product development.
Commission: Is obligated to publish comprehensive guidance for economic operators, maintain a list of delegated and implementing acts, and advertise financial support available to SMEs under existing Union programmes.