Harmonised standard
A European standard developed by a European Standardisation Organisation (CEN, CENELEC, or ETSI) following a request from the European Commission. Where a manufacturer applies a harmonised standard that has been published in the Official Journal of the EU, it gains a presumption of conformity with the essential cybersecurity requirements covered by that standard, without needing to independently demonstrate compliance.
Source citations
Regulation text
Article 27(1) of Regulation (EU) 2024/2847:
"Products with digital elements which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof."
Role of harmonised standards in the CRA
Harmonised standards are the primary mechanism for demonstrating compliance with the essential cybersecurity requirements. Key points:
- Voluntary — manufacturers are not required to apply harmonised standards, but those that do not must demonstrate compliance through other means
- Presumption of conformity — only for the specific requirements covered by the standard; does not extend to requirements the standard does not address
- Partial application — a manufacturer may apply only the relevant parts of a harmonised standard
Current landscape (as at entry into force)
At the time of publication of Regulation (EU) 2024/2847, no CRA-specific harmonised standards yet exist. The Commission has issued standardisation requests to CEN, CENELEC, and ETSI to develop harmonised standards. Until such standards are published in the OJEU:
- Common specifications may be adopted by the Commission as an interim measure (Art. 27(3))
- Manufacturers may rely on relevant existing technical standards (e.g. ETSI EN 303 645, IEC 62443 series, ISO/IEC 27001) where they map to Annex I requirements, but these do not create a formal presumption of conformity
Common specifications
Where harmonised standards do not exist or do not sufficiently cover the essential requirements, the Commission may adopt implementing acts laying down common specifications (Art. 27(3)). Compliance with common specifications creates the same presumption of conformity as harmonised standards.