Cyber Resilience Act Harmonized Standards: A Framework for Secure by Design
The EU Cyber Resilience Act (CRA) shifts cybersecurity risk from consumers to producers of digital products through mandatory security requirements. For most vendors, the CRA’s high-level obligations and penalties are already clear (and covered in our introductory post). The practical challenge is execution: what evidence will be considered sufficient, what documentation will be expected, and how is conformity assessed. This uncertainty about the implementation expectations quickly becomes a business risk with the looming deadline of December 2027 for full compliance. In this article, we will cover how new harmonized standards reduce this risk by providing a pragmatic route to demonstrate compliance.
Product Classification and Conformity Paths
The CRA groups products into four classes based on cybersecurity risk and potential impact: Common/Default, Important Class I, Important Class II, and Critical. Currently, only Critical products (such as smartcards and smart meters) have an established pathway to assessment and conformity through the European Common Criteria-based cybersecurity certification scheme (EUCC), with evaluations performed by accredited IT Security Evaluation Facilities (ITSEFs) such as Keysight.
Figure 1: Cyber Resilience Act Conformity Paths and Standards per Product Class
To provide a pathway to CRA conformity for manufacturers of Default and Important products, the European Commission issued standardization request M/606 in March 2025 to the three European Standards Organizations (ESOs): CEN, CENELEC and ETSI. These organizations were mandated to deliver a set of EU-wide harmonized standards for CRA compliance, with an initial joint report due in February 2026. Harmonized standards serve as CRA’s implementation layer by translating essential requirements into concrete, testable technical expectations.
One of the most urgent gaps is Important Class I, where conformity is expected to rely on vertical standards (i.e., product-type-specific requirements). These standards are being developed within ETSI (ETSI CYBER-EUSR) and follow the EN 304 6xx numbering, where “xx” corresponds to the relevant M/606 line item for a given product type.
Keysight is an ETSI member and contributes to standardization by collaborating with industry partners and sharing expertise in device security topics such as secure boot. That expertise is incorporated into the standards as testable requirements. Using the ETSI EN 304 623 vertical standard for boot managers as an example, the steps and evidence needed for compliance correspond to the relevant sections of the harmonized standard (Figure 2).
Figure 2: Boot Manager Steps to Compliance per Standard Clause
Vertical standards are not a “checkbox” exercise. However, their structure and consolidation of security best practices can significantly streamline security assessments. Over time, these standards are expected to expand to additional verticals, such as connected machinery and AI infrastructure.
For common products, self-assessment guidance will be delivered by CENELEC JTC 13 WG9 through the horizontal standards family. The overall framework is defined under EN 40000-1 and provides a template manufacturers can use to make products secure by design — or to self-assess conformity.
- Secure development lifecycle
- Vulnerability assessment
- Secure by default configuration
- Confidentially, integrity and access authorization for data stored or transmitted
- Minimization of personal data processing
- Resilience of products and minimization of the impact on other devices if compromised
- Limiting the attack surface
- Logging of internal activity
- Data sanitization
No device can be entirely secure, so the CRA Annex I Part II has 8 essential requirements for vulnerability handling to reduce the window of opportunity for adversaries. The corresponding standard is scheduled for delivery August 2026.
Keysight is a key stakeholder in the EU CRA standards ecosystem and an active ETSI member. We contribute to the standardization process by collaborating with industry partners to share expertise in device security topics. This expertise is directly incorporated into standards in the form of testable requirements. We track and contribute to the evolving standards to help ensure our products and services provide the measurements needed to test and assess products for CRA alignment.
Related Posts