List of Harmonised Standards & Common Specifications Applied to Software

A key part of demonstrating compliance with the Cyber Resilience Act (CRA) is explaining the technical basis for your security measures. Your Technical Documentation must include a section detailing any official standards or specifications you've used.

What to List in Your Documentation

Annex VII, point 5, requires you to include a list of the following if you've used them to meet the CRA's essential cybersecurity requirements:

  • Harmonised Standards: These are standards developed by European standardisation organisations following a request from the Commission. When their references are published in the Official Journal of the European Union, applying them provides a "presumption of conformity" with the requirements they cover (Article 27, Paragraph 1).
  • Common Specifications: These are technical specifications established by the Commission as a fallback if harmonised standards are not available or suitable. Applying these also provides a presumption of conformity (Article 27, Paragraphs 2 and 5).
  • European Cybersecurity Certification Schemes: If you've used a relevant scheme adopted under the Cybersecurity Act to demonstrate conformity, you must reference it.

How to Document It

For your app, game, or software, this section should be a clear list.

  • Be Specific: Reference the exact standard number, its version, and the date (e.g., "EN XXXX:2026").
  • Partial Application: If you have only applied certain parts or clauses of a standard, your technical documentation must specify which parts have been applied.

Using these official standards is the most straightforward way to demonstrate compliance, and clearly documenting their use is essential.

Key Takeaway

Your Technical Documentation must contain a specific list of any harmonised standards, common specifications, or EU cybersecurity certification schemes you have applied to meet the CRA's requirements. Be precise about which standards and which parts you used.