Harmonised standards are the technical specifications that turn the Cyber Resilience Act's broad Annex I requirements into concrete, testable provisions. This page explains what they are and tracks every draft under the European Commission's standardisation request M/606: the product category, the body drafting it, its current status, and a link to each public draft.
Summary
- No CRA harmonised standard has been published in the Official Journal yet (as of 4 June 2026), so the Article 27 presumption of conformity is not available for any product category.
- ETSI's product drafts and the first CEN standards are furthest along. The EN 304 6xx drafts are public to read now, and several CEN standards (the horizontal EN 40000 vocabulary, principles and vulnerability-handling parts, plus the secure-element standards EN 50764/50765/50766 and prEN 18330) have closed their public enquiry and are under approval.
- The rest is earlier: the EN 50770 OT profiles, the EN 40000 generic-security-requirements part, EN 50767, and the unnumbered CEN/TC 224 identity and critical-hardware work are still pre-enquiry.
- You do not need to wait. Read the matching draft to anticipate the requirements and build the Annex I evidence the CRA requires regardless of which standard applies.
What a harmonised standard is
The Cyber Resilience Act sets out its essential cybersecurity requirements in broad legal terms. A harmonised standard is a technical specification, drafted by a European standardisation organisation at the European Commission's request, that turns those requirements into concrete, testable provisions. Some standards are specific to a product type (for example routers, or antivirus software); others are horizontal and apply across categories.
A harmonised standard takes legal effect only once the Commission publishes its reference in the Official Journal of the European Union (OJEU). From that point, a product that conforms to the standard is presumed to meet the requirements that standard covers. In practice that does two things:
- it gives manufacturers a recognised, auditable way to demonstrate compliance; and
- for important products in Class I, applying a published harmonised standard lets the manufacturer self-assess by internal control instead of engaging a notified body. It does not remove the third-party assessment that Class II and critical products need, and ordinary products outside those tiers can already self-assess on their own.
Status, as of 4 June 2026: no CRA harmonised standard has been approved or had its reference published in the Official Journal yet. Every standard in the tables below is still a draft, so the presumption of conformity is not available for any product category. Approval (ratification as an EN) and the separate Official Journal citation are two later milestones, and nothing has reached either; the first standards are expected to be delivered in the second half of 2026, with citation to follow. Use the drafts to anticipate the requirements, not as a finished basis for conformity.
How the standards are being developed
The Commission asked the two European standardisation organisations to draft these standards through standardisation request M/606:
- ETSI (Technical Committee CYBER, CYBER-EUSR) is drafting the standards for most important software and connected-product categories. These carry EN 304 6xx references and are the furthest along; their drafts are public in the ETSI CYBER-EUSR open consultation folder, with project history in the ETSI Labs STAN4CRA repositories, and are linked individually below.
- CEN and CENELEC are drafting the horizontal standards (the EN 40000 series), the operational-technology profiles (EN 50770 series), the semiconductor standards (EN 5076x), and the identity and secure-element work in CEN/TC 224. These have no single public folder; status is tracked through the DIN/DKE CRA standardisation projects matrix, the CEN/CENELEC standards search, and STAN4CRA technical work.
A draft moves through working-group versions and a public CEN Enquiry (for ETSI, an open consultation and approval vote), then ratification as an EN. CEN-CENELEC may skip a separate formal vote and publish directly after a positive Enquiry. Ratification is still not the finish line: the Commission must then cite the reference in the Official Journal, and only that citation triggers the presumption of conformity. As of June 2026 several CEN drafts have closed their public enquiry (the EN 40000 vocabulary, principles and vulnerability-handling parts, and the secure-element standards) and ETSI's EN 304 627 is at final draft; none is ratified or cited. The first standards are expected to be delivered in the second half of 2026, with Official Journal citation to follow on a timetable the Commission has not yet confirmed.
How to read the status
| Status | Meaning |
|---|---|
| In development | Work item active; no public draft confirmed in our sources. |
| Mature draft | A public mature draft is available (linked in the table). |
| Final draft | A final draft is available, close to the formal vote. |
| Enquiry closed | The draft has been through its public CEN enquiry (a comment-and-vote round) and is being finalised for approval. The text is not free: a draft copy can usually be bought from a national standards body such as DIN, but there is no free public PDF, which is why these rows show "n/a" for the draft. |
| Approved (EN ratified) | Adopted as an EN by CEN-CENELEC or ETSI, but not yet cited in the Official Journal, so no presumption of conformity yet. |
| Published in OJEU | Reference in the Official Journal; presumption of conformity applies. |
The tables below are grouped by CRA conformity tier. Horizontal standards apply to every product; the product-specific standards are split into Important Class I, Important Class II, and Critical, because the tier decides the conformity route. The standard reference shows who drafts it: EN 304 6xx = ETSI; EN 40000 = CEN-CLC/JTC 13; EN 50770 = CLC/TC 65X operational-technology profiles that run alongside the ETSI standards for the same functions; EN 5076x = CLC/TC 47X; EN 18330 = CEN/TC 224.
No standard has reached "Approved (EN ratified)" or "Published in OJEU". Status reflects the most recent public evidence on the date shown at the top of this page.
Horizontal standards
The EN 40000 series, drafted by CEN-CLC/JTC 13, applies to every product with digital elements, on top of any product-specific standard in the sections below.
| M/606 | Standard | Topic | Status |
|---|---|---|---|
| n/a | EN 40000-1-1 | Vocabulary and terminology | Enquiry closed |
| 1 | EN 40000-1-2 | Principles for cyber resilience | Enquiry closed |
| 2-14 | EN 40000-1-4 | Generic security requirements | In development |
| 15 | EN 40000-1-3 | Vulnerability handling | Enquiry closed |
Important products: Class I
These cover the Annex III Class I categories. Applying a published harmonised standard lets a Class I manufacturer self-assess by internal control; without one, conformity has to be shown another way.
| M/606 | Standard | Product category | Status | Latest public draft |
|---|---|---|---|---|
| 16 | Reference not yet assigned | Identity management, privileged access management, authentication readers | In development | n/a |
| 17a/b | EN 304 617 | Embedded and standalone browsers | Mature draft | V0.1.1 · Apr 2026 |
| 18 | EN 304 618 | Password managers | In development | Not yet public |
| 19 | EN 304 619 | Antivirus / antimalware | Mature draft | V0.0.26 · Apr 2026 |
| 20a | EN 304 620 | Virtual private networks (VPN) | Mature draft | V0.1.9 · Apr 2026 |
| 20b | prEN 50770-4 | OT VPN | In development | n/a |
| 21a | EN 304 621 | Network management systems | Mature draft | V0.1.3 · Apr 2026 |
| 21b | prEN 50770-2 | OT network management systems | In development | n/a |
| 22a | EN 304 622 | SIEM | In development | Not yet public |
| 22b | prEN 50770-6 | OT SIEM | In development | n/a |
| 23 | EN 304 623 | Boot managers | Mature draft | V0.1.1 · May 2026 |
| 24 | EN 304 624 | PKI / certificate issuance software | In development | Not yet public |
| 25a | EN 304 625 | Physical and virtual network interfaces | Mature draft | V0.0.14 · Apr 2026 |
| 25b | prEN 50770-3 | OT physical and virtual network interfaces | In development | n/a |
| 26 | EN 304 626 | Operating systems | Mature draft | V0.2.0 · Apr 2026 |
| 27a | EN 304 627 | Routers, modems, switches | Final draft | V1.0.0 · Jun 2026 |
| 27b | prEN 50770-5 | OT routers, modems, switches | In development | n/a |
| 28-29 | EN 50765 | Microprocessors and microcontrollers with security functions | Enquiry closed | n/a |
| 30 | EN 50767 | ASICs and FPGAs with security functions | In development | n/a |
| 31 | EN 304 631 | Smart home virtual assistants | Mature draft | V0.2.1.4 · Apr 2026 |
| 32 | EN 304 632 | Smart home products with security functionalities (e.g. security cameras) | Mature draft | V0.2.1.4 · Apr 2026 |
| 33 | EN 304 633 | Internet-connected toys | Mature draft | V0.2.3.3 · Apr 2026 |
| 34 | EN 304 634 | Personal wearables | Mature draft | V0.2.6 · Apr 2026 |
Important products: Class II
Class II products always need third-party (notified-body) assessment; a harmonised standard does not unlock self-assessment for them.
| M/606 | Standard | Product category | Status | Latest public draft |
|---|---|---|---|---|
| 35 | EN 304 635 | Hypervisors and container runtime systems | Mature draft | V0.0.15 · Apr 2026 |
| 36a | EN 304 636 | Firewalls / IDS / IPS | Mature draft | V0.1.0 · Apr 2026 |
| 36b | prEN 50770-1 | OT firewalls / IDS / IPS | In development | n/a |
| 37-38 | EN 50766 | Tamper-resistant microprocessors and microcontrollers | Enquiry closed | n/a |
Critical products
Critical products (Annex IV) must use a European cybersecurity certification scheme where one is mandated, or otherwise the same third-party routes as Class II. A harmonised standard does not remove that requirement.
| M/606 | Standard | Product category | Status |
|---|---|---|---|
| 39 | Reference not yet assigned | Hardware devices with security boxes | In development |
| 40 | Reference not yet assigned | Smart meter gateways (CEN-CLC/JTC 13 WG 6) | In development |
| 41a | EN 50764 | Platforms of smartcards and secure elements | Enquiry closed |
| 41b | EN 18330 / prEN 18330 | Smartcards and secure elements, application layer | Enquiry closed |
Frequently asked questions
Are any CRA harmonised standards in force yet?
No. As of 4 June 2026 no CRA harmonised standard has been approved (ratified as an EN) or had its reference published in the Official Journal, so the Article 27 presumption of conformity is not available for any product category. Every standard listed here is still a draft. The horizontal EN 40000 drafts (public enquiry closed) and ETSI's EN 304 6xx drafts are the furthest along, but approval and the separate Official Journal citation are later steps. The first standards are expected to be delivered in the second half of 2026, with citation to follow on a date the Commission has not yet confirmed.
Do I have to wait for a harmonised standard to comply with the CRA?
No. A harmonised standard is one route to demonstrate conformity, not the only one. CRA obligations apply on the regulation's own timeline whether or not a standard exists. You can meet the Annex I essential requirements directly and record how in your technical documentation. A published standard simply gives a recognised, auditable way to show conformity with the requirements it covers, and for important Class I products it opens the internal-control self-assessment route.
What does "presumption of conformity" actually give me?
Under Article 27, a product that conforms to a harmonised standard whose reference is published in the Official Journal is presumed to meet the Annex I requirements that standard covers. In practice it gives you a defensible, recognised basis for your conformity claim, and for important Class I products it lets you self-assess by internal control instead of engaging a notified body. It does not change the third-party assessment that Class II and critical products require under Article 32.
Where can I read the draft standards?
It depends on who is drafting them. The ETSI EN 304 6xx drafts are published for free in the ETSI CYBER-EUSR open consultation folder, linked per standard in the tables above. The CEN/CENELEC drafts (EN 40000, EN 50770, EN 5076x, and the CEN/TC 224 work) are different: there is no free public folder. You can see that a draft exists and buy a copy from a national standards body (DIN, NEN, AFNOR, BSI, and so on), but the text is not published for free, and once a draft's public enquiry closes even the free comment access ends. That is why those rows show "n/a" for the latest public draft.
Can I rely on a mature or final draft before it is published?
Use it to anticipate the requirements, not as a finished legal basis. A mature or final draft is usually close to the final wording, but it can still change at the formal vote or in the Commission's assessment, and the presumption of conformity does not apply until the reference appears in the Official Journal. Reading it now is still the fastest way to prepare.
What is the difference between the EN 304 6xx and EN 40000 standards?
The EN 304 6xx standards, drafted by ETSI, are product-specific: each targets one category such as browsers, operating systems, or routers. The EN 40000 series, drafted by CEN-CLC/JTC 13, is horizontal: it sets principles, generic security requirements, and vulnerability-handling rules that apply across categories. For a single product, you may need to read both a horizontal standard and the one for its category.
Do any of these standards cover critical products, not just important ones?
Yes. Most of the tracked standards cover important products, but a few cover critical ones: the secure-element platform standard (EN 50764), plus the work on hardware devices with security boxes, smart meter gateways, and smartcards. Critical products must use a European cybersecurity certification scheme where one is mandated, or otherwise the same third-party assessment routes as Class II products. The Critical products section above lists them separately. A harmonised standard does not let a critical product skip that assessment the way it can for an important Class I product.
When will the standards be published in the Official Journal?
There is no confirmed publication date for any CRA harmonised standard. The ETSI EN 304 6xx drafts are closest, several at mature or final-draft stage, but each still has to clear its formal vote and the Commission's assessment before a reference can be cited. Treat the status column here as the current state and check the standards bodies' trackers linked above for movement.