NWI ballot on Principles for cyber resilience

Source: CEN
Committee: IST/33 - Information security, cybersecurity and privacy protection
Categories: Information management | Standardization. General rules
Scope

This document (standard) provides a framework covering all elements defined in section 1 of Annex II of the standardisation request and sets out principles and specifications for the planning, design, development, production, delivery and maintenance of products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, in accordance with the manufacturers' obligations under Article 13 of the CRA and in support of compliance with the essential requirements of Annex I of the CRA.
In addition, this standard will, amongst others, include general principles and terminology on product security addressing the full life cycle, risk management concepts (including threat modelling) and an abstract, high-level description of processes related to compliance, to the extent that they support compliance with the CRA essential cybersecurity requirements, including but not limited to the manufacturers' obligations within the intended context under Article 13 of the CRA.

Purpose

On 16 April 2024 the European Commission published a draft standardisation request to the European Standards Organisations in support of Union policy on cybersecurity requirements for products with digital elements. The request is part of the preparatory measures in view of the adoption of the legislative proposal COM/2022/454 (Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020).
The standardisation request asks for a series of 15 horizontal standards (items 1-15) that provide a coherent generic framework, methodology and taxonomy which can be used to develop further product-specific standards according to market needs, and a set of 26 vertical standards (items 16-41) for important or critical categories of products under the Cyber Resilience Act, each covering a specific set of risks appropriate to a given intended purpose and foreseeable use.
To facilitate consistency, implementability and a harmonised approach among the requested deliverables, the first requested item (1), a European standard or standardisation deliverable, should serve as a framework covering all elements defined in section 1 of Annex II of the request and shall set out specifications for the planning, design, development, production, delivery and maintenance of products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks, in accordance with the manufacturers' obligations under Article 13 of the CRA and in support of compliance with the essential requirements of Annex I of the CRA. Because these elements serve as requirements for all European standards under the standardisation request, this standard aims to provide the common elements on the basis of which all deliverables should be developed, so as to achieve consistency and implementability of all deliverables.
This standard will, amongst others, include general principles and terminology on product security addressing the full life cycle, CRA risk assessment concepts and methods (such as threat modelling), and an abstract, high-level description of processes related to CRA compliance, including but not limited to the manufacturers' obligations under Article 13 of the CRA.
This standard shall be consistent with the Cyber Resilience Act and, where applicable, with other European and harmonised standards developed or under development in the various relevant sectors, notably those related to products covered by existing EU safety legislation, such as the Machinery Regulation, the AI Act and the Chips Act, or by EU cybersecurity certification schemes developed or under development under Regulation (EU) 2019/881.

This standard shall not be overly prescriptive of the technical work, so as to allow adequate efficiencies in the process, provided the content meets the essential requirements in question.
The standardisation request provides that all standards developed under it should be drafted in such a way that they may be published in the Official Journal of the EU for potential harmonisation. Accordingly, this standard will be developed in such a way that it may be published in the Official Journal of the EU for potential harmonisation.

Please email further comments to: debbie.stead@bsigroup.com