LIVE — Enforcement tracker · Deadline dashboard · Transposition status — Updated weekly from EUR-Lex, Safety Gate, OEIL & 12 official sources

Harmonised standards under Article 27 of Regulation (EU) 2024/2847: what they do, who drafts them, and how to operate before the references are published in the Official Journal

Article 27 of the Cyber Resilience Act builds compliance on harmonised standards: when a product follows a harmonised standard whose reference is published in the Official Journal of the European Union, it is presumed to comply with the essential requirement that the standard covers. The Commission has issued a standardisation request to CEN, CENELEC and ETSI, but in May 2026 most references have not yet been published. Article 27(2) creates a fallback — common specifications by Commission implementing act. This page explains what is published, what is in draft, and how to demonstrate conformity until the references appear. CRACheck documents whichever route you choose.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 27 presumption of conformity · Common specifications fallback · Reg 2019/881 (EUCC) · 100% browser-side

How Article 27 actually works

Art. 27(1): Presumption of conformity for products meeting harmonised standards
Art. 27(2): Common specifications by implementing act if standards delay
Art. 27(8): EU cybersecurity certification under Reg 2019/881 also presumes conformity

Four routes to demonstrate conformity — with or without harmonised standards

The CRA gives manufacturers four ways to demonstrate conformity with the essential cybersecurity requirements of Annex I. They are not mutually exclusive.

1. Route 1 — Harmonised standards (Article 27(1))
Apply a harmonised standard whose reference is published in the Official Journal under Regulation (EU) No 1025/2012. The product is presumed to comply with the essential requirement(s) covered by that standard. This is the cheapest route once the references exist.

2. Route 2 — Common specifications (Article 27(2))
If the standardisation request is not accepted, standards are delivered late, or do not comply with the request, and no reference is expected within a reasonable period, the Commission may adopt common specifications by implementing act. Products following common specifications enjoy the same presumption of conformity (Art. 27(5)).

3. Route 3 — European cybersecurity certification scheme (Article 27(8))
Products certified under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 are presumed to comply with the essential requirements to the extent covered by the certificate or statement of conformity. A delegated act under Art. 27(9) specifies which schemes qualify. Implementing Regulation (EU) 2024/482 adopts the EUCC (Common Criteria-based scheme).

4. Route 4 — Document compliance directly (no standard)
If you choose not to apply harmonised standards, common specifications or schemes — or only part of them — you must describe in your technical documentation how you meet each essential cybersecurity requirement (Annex VII, point 5). For Class I products, this rules out Module A self-assessment: you must use Module B+C or Module H (Art. 32(2)).

5. When standards arrive: re-baseline your dossier
Once a harmonised standard reference is published, you may switch to Route 1 and re-baseline your technical documentation. Article 13(14) requires manufacturers to adequately take into account ‘changes in the harmonised standards, European cybersecurity certification schemes or common specifications’.

6. Member State objection procedure
If a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements, it informs the Commission with a detailed explanation. The Commission may amend the implementing act (Art. 27(7)).

Common mistakes

FALSE WAIT

“We will wait for the standards to be published”

11 December 2027 does not move. If references are not yet in the Official Journal, you still have to demonstrate conformity — either via Route 2 (common specifications), Route 3 (EU cybersecurity certificate), or Route 4 (direct documentation). The longer you wait, the smaller your buffer for the conformity assessment itself.

STANDARD CONFUSION

“ISO/IEC 27001 makes us CRA-compliant”

ISO/IEC 27001 is an organisational information security management standard. The CRA imposes product-level requirements in Annex I, Part I. Even if Article 27 eventually references parts of relevant international standards, a current 27001 certificate does not by itself meet the product-level essential requirements (secure by default, attack-surface reduction, data integrity, etc.). Document the gap.

CERTIFICATION OVERREACH

“Our Common Criteria certificate covers everything”

A CC certificate covers what its Security Target says it covers. Article 27(8) gives presumption of conformity only to the extent the certificate covers the essential requirements. For products outside Annex III/IV, Article 27(9) requires a delegated act to specify how the scheme is recognised. Map your CC scope to Annex I, Part I before relying on it.

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT: €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.


Generated from your data, in your browser. No data leaves your device.

What you pay

STANDARDS GAP ANALYSIS BY A CONSULTANCY: €10,000–€30,000
Gap analysis mapping your product to draft harmonised standards and to Annex I, Part I. Useful for high-stakes products; expensive when the standards keep evolving.

CRACHECK — SAME OUTPUT: €149
CRACheck lists every Annex I, Part I item, lets you mark how each one is met (harmonised standard, common specification, certificate, or direct documentation) and produces the Annex VII technical-documentation entry.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Which harmonised standards are published today?
As of May 2026, references to harmonised standards specifically supporting Regulation (EU) 2024/2847 have not yet been published in the Official Journal of the European Union. The Commission has issued a standardisation request to CEN, CENELEC and ETSI under Regulation (EU) No 1025/2012; drafting and consultation are ongoing. Recital 80 acknowledges that timely development before 11 December 2027 is ‘particularly important’. We track updates weekly — see the Regulatory Monitor at the top of this page.
What happens if standards are not ready by 11 December 2027?
Article 27(2) provides the fallback: the Commission may adopt common specifications by implementing act if (a) the standardisation request is not accepted, (b) standards are not delivered within the deadline, or (c) standards do not comply with the request, and no reference is expected within a reasonable period. Products complying with those common specifications enjoy the same presumption of conformity (Art. 27(5)).
Can I rely on the EUCC for CRA compliance?
The European Common Criteria-based cybersecurity certification scheme (EUCC) was adopted by Commission Implementing Regulation (EU) 2024/482. Recital 82 and Article 27(9) allow the Commission to specify by delegated act how the EUCC provides a presumption of conformity with CRA essential requirements, and a certificate at assurance level ‘substantial’ may eliminate the need for third-party conformity assessment under the CRA for the corresponding requirements (Art. 27(9)).
What goes in Annex VII if I do not apply standards?
Annex VII, point 5 requires ‘a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications […] or European cybersecurity certification schemes — and, where those have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements’. CRACheck produces both lists from your inputs.
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

Standards or no standards — your dossier still has to be ready.

CRACheck handles all four routes to conformity: applied standards, common specifications, EU cybersecurity certificates, and direct documentation under Annex VII, point 5.
