CRA Harmonised Standards: Inside CEN-CENELEC JTC 13 and Standardisation Request M/606

Standardisation Request M/606 was accepted in April 2025 with 41 harmonised standards to deliver by Q3 2026 to underpin CRA presumption of conformity.

Michael
Security Engineer

The Cyber Resilience Act's essential cybersecurity requirements in Annex I are stated at a high level — secure by design and by default, protection against unauthorised access, vulnerability handling, secure update mechanisms, and similar principles. Article 27 provides that products complying with harmonised standards published in the Official Journal of the European Union enjoy a presumption of conformity with the essential requirements covered by those standards. The harmonised standards do the heavy lifting. They translate the Annex I principles into testable, implementable specifications. In April 2025 the three European Standardisation Organisations — CEN, CENELEC, and ETSI — officially accepted Standardisation Request M/606 from the European Commission, undertaking to deliver 41 harmonised standards by Q3 2026 ahead of the CRA's substantive application date in December 2027. The work is organised mainly through CEN-CLC JTC 13.

What is JTC 13?

CEN-CLC Joint Technical Committee 13 is the European technical body responsible for cybersecurity standardisation. Established before the CRA was finalised, JTC 13 had pre-existing workstreams on cybersecurity management, secure development, and product security evaluation. The CRA created a focused mandate. JTC 13/WG 9 — Horizontal Cybersecurity for Products with Digital Elements — is the dedicated working group developing the horizontal standards that apply across all PDEs. Other JTC 13 working groups handle product-specific standards for individual Annex III categories, and ETSI develops vertical standards in its TC CYBER. The coordination between CEN-CLC and ETSI is structured through joint task forces and shared editorial oversight to prevent overlapping or contradictory specifications.

What does Standardisation Request M/606 actually demand?

Request M/606 lists 41 standards across three categories. The horizontal standards apply to all PDEs and operationalise the Annex I essential requirements. The vertical standards apply to specific Annex III product categories — firewalls, password managers, smart locks, and so on — and refine the horizontal requirements for that category's threat surface. The supporting standards provide common technical building blocks such as vulnerability handling, SBOM generation, and security assurance frameworks. The Commission's deadline of Q3 2026 reflects the operational reality that manufacturers need the standards in place during 2026 if they are to choose Module A self-assessment (which requires the harmonised standards to be applied in full) for the December 2027 application date.

What are the horizontal standards?

The horizontal standards include four foundational documents under development by JTC 13/WG 9:

# Horizontal CRA harmonised standards (in development, JTC 13/WG 9)

prEN 18031 (draft, multipart)
  Generic state-of-the-art for activities manufacturers must
  execute to develop and maintain secure products. Covers:
   - secure by design lifecycle
   - secure by default deployment
   - vulnerability handling
   - update mechanisms
   - secure communications

prEN 18032 (draft, multipart)
  Vulnerability handling requirements. Covers:
   - vulnerability disclosure policy
   - intake, triage, and analysis
   - coordinated disclosure
   - update distribution
   - vulnerability information transparency

prEN 18033 (draft, multipart)
  Catalogue of product security controls. Provides:
   - reference control set for Annex I
   - mapping to ISO/IEC 27001 / 62443 / 15408
   - selection guidance for product categories

prEN ISO/IEC 27402 (in adoption)
  Cybersecurity for IoT - baseline requirements. Adapts
  ISO/IEC 27402 for use as harmonised standard under CRA.

The standards are being developed in alignment with existing international frameworks — IEC 62443 for industrial systems, ISO/IEC 15408 (Common Criteria) for security assurance, ISO/IEC 27402 for IoT baseline, and ETSI EN 303 645 for consumer connectable products — so that products certified under those frameworks can demonstrate substantial conformity with the harmonised standards once published.

How are the vertical standards organised?

Vertical standards target specific Annex III categories. Examples in development include a standard for password managers (Annex III Class I), updates to ETSI EN 303 645 for connected consumer products (Annex III Class I smart home), a prEN for firewalls and IDS/IPS (Annex III Class II), and a smart card application layer standard (Annex IV critical). The vertical standards reference the horizontal standards for shared requirements and add category-specific elements — for instance, the password manager standard specifies vault encryption, master password derivation, and breach detection integration that would be redundant in a general-purpose horizontal control catalogue.

What is the consultation process?

CEN-CENELEC operates a public commenting and balloting process. Working drafts are circulated to national mirror committees in each Member State, which gather feedback from national stakeholders and represent national positions in JTC 13. The public consultation platform is hosted at labs.etsi.org/rep/stan4cra, with progress and information about CRA standards activities at stan4cra.eu. Industry stakeholders — software vendors, hardware OEMs, cybersecurity consultancies, open-source foundations, and trade associations — can submit comments through their national mirror committee or through industry liaison memberships in JTC 13. The Commission monitors the process and can issue editorial corrections if a draft fails to align with the Annex I requirements it is intended to support.

What is the relationship to EUCC?

The European Cybersecurity Certification scheme on Common Criteria (EUCC) — operational since February 2025 under the Cybersecurity Act framework — provides a parallel route to demonstrate cybersecurity assurance through formal Common Criteria evaluation. For Annex IV critical products, the CRA requires both conformity assessment under a module (B+C or H) and a European cybersecurity certification under Article 8. EUCC is the primary certification scheme available, with assurance levels EAL2 through EAL7 mapping to the CRA's tiered requirements. The harmonised standards under M/606 do not duplicate EUCC requirements but provide the underlying state of the art that EUCC evaluations reference. Manufacturers of critical products typically need both: harmonised standards application for Annex I conformity, and EUCC certification for the additional Article 8 obligation.

What happens if standards are delayed?

The Q3 2026 deadline is ambitious. Standardisation typically takes three to five years per document; M/606 compresses 41 standards into roughly eighteen months from acceptance. Three risks deserve attention. First, if standards slip beyond December 2027 — the substantive application date of the CRA — manufacturers eligible for Module A self-assessment based on harmonised standards application may not have the standards available to apply, forcing them into Module B+C or Module H with Notified Body involvement they had not planned for. Second, late publication leaves limited operational time between standard availability and product compliance, increasing the risk that products in the market in December 2027 lack the documentation to demonstrate conformity. Third, the Commission has indicated that it may rely on technical specifications under Article 27(3) as an interim measure if harmonised standards slip — these provide a similar presumption of conformity but lack the consultation pedigree of formal harmonised standards.

How should manufacturers track the work?

Three tactical recommendations. First, engage with the national mirror committee in your principal Member State of establishment to receive working drafts and comment opportunities. Second, monitor the STAN4CRA platform for draft publication and Commission notifications. Third, structure internal evidence collection so that controls implemented in 2025-2026 can be mapped to the harmonised standards as they are published, rather than waiting for publication before beginning evidence work. The Annex I essential requirements are stable; the harmonised standards add specificity but do not change the underlying obligations.
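A minimal gap check for the third recommendation above, as an added example that is not taken from the article or from any standards body: the topic tags come from the page's own summary of the draft horizontal standards, while the topic-to-draft table, control names and artefact paths are constructed assumptions, not the real clause structure of prEN 18031 or prEN 18032.

```python
"""Evidence-mapping gap check (added example; topic-to-draft table is constructed)."""
from dataclasses import dataclass, field

# Constructed: topics as summarised on the page, keyed to the draft they fall under.
# These are NOT clause numbers from the real drafts.
DRAFT_TOPICS = {
    "prEN 18031": {"secure-by-design", "secure-by-default", "vulnerability-handling",
                   "update-mechanisms", "secure-communications"},
    "prEN 18032": {"disclosure-policy", "intake-triage", "coordinated-disclosure",
                   "update-distribution", "vulnerability-transparency"},
}


@dataclass
class Control:
    name: str
    topics: set                                  # topic tags this control addresses
    evidence: list = field(default_factory=list) # artefact paths/ids backing the control


@dataclass
class GapReport:
    uncovered: dict    # draft -> sorted topics with no evidenced control
    unevidenced: list  # controls mapped to topics but lacking any artefact


def gap_report(controls):
    """A topic counts as covered only when an evidenced control maps to it."""
    covered, unevidenced = set(), []
    for c in controls:
        if c.evidence:
            covered |= c.topics
        else:
            unevidenced.append(c.name)
    uncovered = {draft: sorted(topics - covered)
                 for draft, topics in DRAFT_TOPICS.items() if topics - covered}
    return GapReport(uncovered=uncovered, unevidenced=sorted(unevidenced))


# Constructed sample inventory of internal controls and their evidence.
SAMPLE_CONTROLS = [
    Control("Threat model per release", {"secure-by-design"}, ["docs/threat-model.md"]),
    Control("Hardened default config", {"secure-by-default"}, ["cfg/defaults.yaml"]),
    Control("Signed OTA updates", {"update-mechanisms", "update-distribution"}, ["ci/sign.yml"]),
    Control("TLS 1.2+ everywhere", {"secure-communications"}, ["tests/tls_test.py"]),
    Control("CVD policy", {"disclosure-policy", "coordinated-disclosure"}, []),  # no evidence yet
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_CONTROLS)
    for draft, topics in report.uncovered.items():
        print(f"{draft}: no evidenced control for {', '.join(topics)}")
    print("controls without artefacts:", report.unevidenced)
```

Re-running the check as each draft is published, with the table replaced by the real clause mapping, keeps the evidence pack aligned without waiting for final publication.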

How Safeguard Helps

Safeguard maintains a continuously updated control mapping between internal product security controls and the draft harmonised standards under M/606, so as standards are published the evidence pack already aligns. The platform's policy gates can enforce control baselines drawn from prEN 18031, prEN 18032, and prEN 18033 working drafts inside CI/CD pipelines, generating attestations that survive subsequent standard finalisation. Where a product falls into a vertical category with its own standard — firewalls, password managers, smart locks — Safeguard tracks the specific vertical requirements alongside the horizontal baseline. As Notified Bodies are designated from June 2026 and begin Module B+C and Module H assessments, the platform's evidence export aligns with both the harmonised standards and the underlying Annex I essential requirements, so the assessment dossier holds together regardless of which conformity route is chosen.
