Summary

The EU Cyber Resilience Act (CRA) promotes the use of international cybersecurity standards to enhance global interoperability and security consistency across digital products and services. It encourages the adoption of harmonised standards that align with international standards, facilitating compliance for companies, especially microenterprises and small and medium-sized enterprises.

Relevant CRA Provisions

• Recital (79)
• Recital (83)
• Recital (87)
• Article 27

Detailed Explanation

The CRA aims to facilitate the assessment of conformity with its requirements by encouraging the use of harmonised standards that translate the essential cybersecurity requirements into detailed technical specifications. These standards are adopted in accordance with Regulation (EU) No 1025/2012. The CRA also recognises the importance of international standards that align with its cybersecurity objectives. When drafting harmonised standards, the Commission is directed to take into account existing European and international standards to simplify their development and implementation. This approach ensures that products with digital elements can achieve a presumption of conformity with the essential cybersecurity requirements, thereby facilitating global compliance and interoperability.

Obligations for Stakeholders

Manufacturers: Are encouraged to apply harmonised standards, common specifications, or European cybersecurity certification schemes to facilitate the assessment of conformity with the essential cybersecurity requirements. If they choose not to apply these means, they must indicate in their technical documentation how compliance is otherwise achieved.

Commission: Shall request European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements. It may adopt implementing acts establishing common specifications only under specific conditions, such as when harmonised standards are not available or delayed. The Commission must also consider existing international standards when preparing standardisation requests.

European Standardisation Organisations: Are requested by the Commission to draft harmonised standards that align with the essential cybersecurity requirements and take into account existing international standards.