I thought the CRA would be focussed on broad horizontal standards? What are these vertical standards and why are they so strict?

[jmaris]

Proposal for a question for the Q&A: I thought the CRA would be focussed on broad horizontal standards? What are these vertical standards and why are they so strict?

Proposed Answer:

The CRA classified types of digital products based on the risk they pose. For higher risk Class I and II products, to achieve a presumption of conformity through compliance with standards, manufacturers must also comply with the relevant vertical standards, as per Articles 7 and 32 of the Cyber Resilience Act.

A list of Class I and II products can be found in Annex III of the CRA. You can find a list of requested vertical standards the European Commission have requested in Annex I of the CRA Standardisation Request.

[GoetzGoerisch]

IMHO those horizontal standards will give a guidance but will not satisfy the presumption of conformity for all non classified products. e.g. machines.

These will need vertical standards going forward for the presumption of conformity.

[tobie]

That’s my understanding too, @GoetzGoerisch.

[jmaris]

IMHO those horizontal standards will give a guidance but will not satisfy the presumption of conformity for all non classified products. e.g. machines.

These will need vertical standards going forward for the presumption of conformity.

As I recall, CENCENELEC are aiming for presumption of conformity, at least with the vulnerability management standard.

[oej]

Hmmm. I don't think the CRA actually REQUIRES compliance with any horisontal or vertical standard. It's one way to prove that your product is compliant. There may develop other ways to do that apart from just following the CRA law itself, like partnerships with foreign frameworks for IoT cybersecurity.

We have to be careful here. I have a feeling that many standard bodies would love that everyone says that following the standards is the only way.

[jmaris]

@tobie @GoetzGoerisch @oej I have updated and rephrased the answer, removing parts that are not relevant to the question to reduce the risk of error or misunderstanding, and have clarified that this covers cases where manufacturers want to benefit from a presumption of conformity through compliance with standards.

[tobie]

Am I right in my understanding that:

• Harmonised standards only allow manufacturers to self-assess Class I Important Products but not Class II
• Manufacturers of open source software can self-assess both class I and Class II Important Products granted their doc is publicly available?

If so, the answer should say that.

[jmaris]

Am I right in my understanding that:

* Harmonised standards only allow manufacturers to self-assess _Class I Important Products_ but not _Class II_

* Manufacturers of open source software can self-assess both class I and Class II Important Products granted their doc is publicly available?

If so, the answer should say that.

That is my understanding but I'm not 100% sure. I'll double check.

[oej]

We may also want to mention how this list can be changed and how to monitor for the latest version. By dec 2027 there may already be additions and removals.