Summary
The EU Cyber Resilience Act (CRA) emphasizes the role of European and international standards bodies in developing and implementing harmonized cybersecurity standards, ensuring interoperability, and facilitating the conformity assessment process for products with digital elements.
Relevant CRA Provisions
Detailed Explanation
The CRA recognizes the importance of European and international standards bodies in creating a cohesive cybersecurity framework. Recital (83) highlights that the European standardisation framework, based on the New Approach principles, is the default method for developing standards that ensure conformity with the essential cybersecurity requirements of the CRA. These standards should be market-driven, consider public interest, and be based on consensus. In cases where harmonized standards are not available or delayed, the Commission may adopt common specifications as an exceptional measure.
Recital (79) stresses the presumption of conformity for products with digital elements that comply with harmonized standards, which translate the essential cybersecurity requirements into detailed technical specifications. It also emphasizes the importance of international standards that align with the CRA’s cybersecurity protection levels to facilitate global compliance, especially for microenterprises and small and medium-sized enterprises.
Recital (80) underscores the importance of timely development and availability of harmonized standards to avoid bottlenecks and delays in conformity assessments. Article 27 formalizes the presumption of conformity for products and processes that meet harmonized standards or common specifications, ensuring a streamlined compliance process.
Obligations for Stakeholders
Manufacturers: Must ensure that their products with digital elements comply with harmonized standards or common specifications to benefit from the presumption of conformity.
Notified Bodies: Required to assess conformity with the essential cybersecurity requirements, using harmonized standards where available, and applying common specifications when necessary.
European and International Standards Bodies: Tasked with developing harmonized standards that align with the CRA’s essential cybersecurity requirements, ensuring interoperability and facilitating global compliance.