ETSI Pilots Early CRA Standards Feedback for Key Digital Products
In a noteworthy move to enhance transparency and stakeholder participation, ETSI has launched early-stage informal consultations on the vertical standards supporting the Cyber Resilience Act (CRA). These preliminary drafts, currently published as “INTERIM DRAFTS (v0.0.x)”, are publicly accessible in the OPEN AREA folder of ETSI’s DocBox platform.
The initiative aligns with the principles of openness in international standardization, inviting feedback from industry stakeholders, SMEs, open-source contributors, and academia well before the typical development stages. This proactive consultation model aims to refine the standards before their expected finalization in the second half of 2026.
Scope and Characteristics of the Early CRA Standards
The CRA standardization process is based on a two-tiered structure:
- Horizontal standards (Lines 1–15): Broad requirements and lifecycle obligations
- Vertical standards (Lines 16–41): Specific to product categories
ETSI’s current focus is on the vertical CRA standards, which will define cybersecurity requirements for important and critical product types under the CRA’s Annex III and IV. The standards under consultation include products such as:
- Password Managers (EN 304 618)
- Antivirus Software (EN 304 619)
- Boot Managers (EN 304 623)
- Operating Systems (EN 304 626)
- Routers, Modems, and Switches (EN 304 627)
While these documents are in an early format and “subject to substantial changes,” ETSI encourages concrete and actionable input to help shape these harmonized standards in line with the CRA’s essential cybersecurity requirements.
Broader Standardization Strategy and Deadlines
This early-phase engagement reflects a broader coordination strategy among European Standards Organizations (ESOs) — ETSI, CEN, and CENELEC — to develop a total of 41 deliverables under Standardization Request M/606 issued by the European Commission. These include both foundational horizontal standards and product-specific vertical standards.
In parallel with the standard development:
- Technical descriptions of important/critical products are due by 11 December 2025.
- CSIRTs’ rules on notification withholdings are also expected by 11 December 2025.
- The Single Reporting Platform by ENISA must be operational by 11 September 2026.
Encouraging Inclusive Stakeholder Participation
This open consultation complements the objectives of the CRA and the STAN4CRA project, promoting early contributions from diverse actors to ensure that cybersecurity standards are both robust and practical. ETSI emphasizes the importance of contributions from:
- Industry operators and manufacturers
- Open-source communities
- SMEs and academia
- Governmental authorities
To review or comment on the drafts, visit ETSI’s STAN4CRA GitLab portal: https://labs.etsi.org/rep/stan4cra
Relevance to Regulatory Compliance
Given that these CRA vertical standards underpin the technical foundations for legal conformity under the Cyber Resilience Act, stakeholders should begin early alignment with these evolving documents. This development ties directly into our expertise in Global Regulatory Updates, where staying ahead of regional cybersecurity frameworks is essential for ongoing compliance readiness.
Impact Assessment
- Technical Standards? ❌ No
- Type Approval & Market Access? ❌ No
- Imports, Customs, Trade, or Market Surveillance? ❌ No
- Spectrum Management? ✅ Yes