Harmonised standards
When a product conforms to a harmonised standard published in the Official Journal of the EU, the manufacturer benefits from a presumption of conformity with the Cyber Resilience Act (Regulation (EU) 2024/2847) essential requirements that standard covers. Instead of proving compliance requirement by requirement, you reference the standard and show your product meets it.
Info: For Important Class I products, applying harmonised standards that cover all relevant CRA requirements is the condition for using self-assessment (Module A) instead of third-party conformity assessment. See Conformity assessment for details.
EN 18031 series
The EN 18031 series was originally developed for the Radio Equipment Directive (RED) and published in February 2025. It is the first set of standards cited in the Official Journal as relevant to CRA compliance.
| Standard | Scope | What it covers |
|---|---|---|
| EN 18031-1 | Common security requirements for radio equipment | Secure design, authentication, access control, cryptography |
| EN 18031-2 | Internet-connected radio equipment | Network security, secure communication, update mechanisms |
| EN 18031-3 | Equipment processing financial data | Additional protections for payment and financial information handling |
Warning: The European Commission has noted that EN 18031 alone may not cover every CRA Annex I requirement. Manufacturers should perform a gap analysis against the full list of essential requirements and document any gaps separately in their technical file.
Other commonly referenced standards
These are not yet formally harmonised under the CRA, but they are widely used in technical documentation and strengthen a conformity case:
| Standard | What it covers |
|---|---|
| IEC 62443-4-1 | Secure product development lifecycle |
| IEC 62443-4-2 | Technical security requirements for industrial automation components |
| ISO/IEC 27001 | Information security management systems |
| ETSI EN 303 645 | Baseline security for consumer IoT devices |
Tip: Referencing these in your technical documentation shows due diligence, even without a formal presumption of conformity.
Full vs partial conformity
When you declare a standard, you need to specify whether conformity is full or partial:
- Full: your product meets every requirement in the standard. You get the full presumption of conformity for the CRA requirements it covers.
- Partial: your product meets some requirements but not all. You must provide a deviation justification explaining which clauses are not met and why. The uncovered requirements need to be addressed through other evidence in your technical file.
Declaring standards in CRA Evidence
Standards are managed at the product level and inherited by all versions automatically.
- Go to your product page
- Open Compliance Documents
- Find Harmonised Standards (Annex VII, section 5)
- Click Add Standards
- Enter the standard reference (e.g. EN 18031-1), a title, and the conformity level
- For partial conformity, add the deviation justification
Standards you declare here will be included in your EU declaration of conformity and technical documentation exports.
Info: If a specific version needs different standards than the product default, you can override them at the version level.
Timeline
| When | What |
|---|---|
| 2024 | Standardisation requests issued to CEN, CENELEC, and ETSI |
| February 2025 | EN 18031 series published and cited in the Official Journal |
| 2025 to 2026 | Additional CRA-specific standards under development |
| December 2027 | Essential requirements become enforceable; full set of harmonised standards expected |
What if no standard covers your product?
You can still demonstrate conformity through:
- Common specifications adopted by the European Commission
- European cybersecurity certification schemes under the EU Cybersecurity Act
- Direct evidence in your technical documentation proving each essential requirement is met individually
No harmonised standard does not mean no obligation. It means more work building the evidence case in your technical file.
Official sources