The European Telecommunications Standards Institute (ETSI) is one of the three European Standards Organizations (ESOs) and alongside CEN and CENELEC responsible for developing and defining voluntary standards at the European level – CEN with focus on general standards, CENELEC on electrotechnical standards, and ETSI on telecommunications. The role of ESOs is to support EU regulation and policies through the production of harmonised European Standards (ENs) and other deliverables. The standards developed by ESOs are the only ones that can be recognized as ENs.

CRA Standards Diagram

Below is a mapping of the European standards for the CRA to the ESO technical committees responsible for the standards. For more about the ESO’s, committees and types of standards see also the ESOs Overview.

CRA Work Items

CRA M/606 ID Venue Work Item Standard reference Standard title
    CEN-CLC/JTC 13 WG 9 JT013095 ΕΝ 40000-1-1 Cybersecurity requirements for products with digital elements - Vocabulary
1.1 2 to 14 CEN-CLC/JTC 13 WG 9 PT1 JT013089 ΕΝ 40000-1-2:2025 Cybersecurity requirements for products with digital elements - Principles for cyber resilience
1.11 2 to 14 CEN-CLC/JTC 13 WG 9 PT3 JT013090 ΕΝ 40000-1-3 Cybersecurity requirements for products with digital elements - Vulnerability Handling
  2 to 14 CEN-CLC/JTC 13 WG 9 PT2 JT013091 ΕΝ 40000-1-4 Cybersecurity requirements for products with digital elements - Generic Security Requirements
  2 to 14 CEN-CLC/JTC 13 WG 9 JT013097 TR 40000-1-5 Cybersecurity requirements for products with digital elements - Threats and Security Objectives
  2 to 14 CEN-CLC/JTC 13 WG 6 JT0130XX TS TTTTTTT Guidance for the application of EN 18037 in support of the CRA
  2 to 14 CEN-CLC/JTC 13 WG 6 JT0130XX TR TTTTTT Documentation of the EN 18037 assessment results for the Consumer IoT market sector
III.1.1 16 CEN/TC 224 WG 17   EN TTTTTTT Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers: criteria to fulfill with the essential requirements from regulation 2024/2487 (CRA)
III.1.2 17 ETSI CYBER-EUSR DEN/CYBER-EUS-006 EN 304 617 Essential cybersecurity requirements for browsers
III.1.3 18 ETSI CYBER-EUSR DEN/CYBER-EUS-007 EN 304 618 Essential cybersecurity requirements for password managers
III.1.4 19 ETSI CYBER-EUSR DEN/CYBER-EUS-0018 EN 304 619 Essential cybersecurity requirements for software that searches for, removes, or quarantines malicious software
111.1.5 20a ETSI CYBER-EUSR DEN/CYBER-EUS-005 EN 304 620 Essential cybersecurity requirements for virtual private networks (VPNs)
111.1.5 20b CLC/TC 65X WG 3 81652 ΕΝ 62443-5-XX Security Profile for products with digital elements with the function of virtual private network (VPN)
III.1.5+6+7 20b+21b+22b CLC/TC 65X WG 3 79830 EN IEC 62443-3-3:2019 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels
III.1.5+6+7 20b+21b+22b CLC/TC 65X WG 3 81487 EN IEC 62443-4-1:2018 Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements
III.1.5+6+7 20b+21b+22b CLC/TC 65X WG 3 79973 EN IEC 62443-4-2:2019 Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components
III.1.6 21a ETSI CYBER-EUSR DEN/CYBER-EUS-009 EN 304 621 Essential cybersecurity requirements for network management systems
III.1.6 21b CLC/TC 65X WG 3 81650 ΕΝ 62443-5-XX Security Profile for network management systems (based on IEC 62443)
1.1.7 22a ETSI CYBER-EUSR DEN/CYBER-EUS-0010 EN 304 622 Essential cybersecurity requirements for Security information and event management (SIEM) systems
III.1.7 22b CLC/TC 65X WG 3 81654 ΕΝ 62443-5-XX Security Profile for security information and event management (SIEM) systems (based on IEC 62443)
III.1.8 23 ETSI CYBER-EUSR DEN/CYBER-EUS-008 EN 304 623 Essential cybersecurity requirements for boot managers
III.1.9 24 ETSI CYBER-EUSR DEN/CYBER-EUS-0015 EN 304 624 Essential cybersecurity requirements for public key infrastructure and digital certificate issuance software
ΙΙΙ.Ι.10 25a ETSI CYBER-EUSR DEN/CYBER-EUS-0017 EN 304 625 Essential cybersecurity requirements for physical and virtual network interfaces
ΙΙΙ.Ι.10 25b CLC/TC 65X WG 3 81651 ΕΝ 62443-5 Security Profile for physical and virtual network interfaces (based on IEC 62443)
III.1.11 26 ETSI CYBER-EUSR DEN/CYBER-EUS-0012 ΕΝ 304 626 Essential cybersecurity requirements for operating systems
III.1.12 27a ETSI CYBER-EUSR DEN/CYBER-EUS-0013 EN 304 627 Essential cybersecurity requirements for routers, modems intended for the connection to the internet, and switches
III.1.12 27b CLC/TC 65X WG 3 81653 ΕΝ 62443-5 Security Profile for routers, modems intended for the connection to the internet, and switches (based on IEC 62443)
III.1.13+14 28, 29 CLC/TC 47X WG 1 80923 ΕΝ 50765 Essential cybersecurity requirements for microprocessors and microcontrollers with security-related functionalities
III.1.15 30 CLC/TC 47X/WG CRA   EN 50767 Essential cybersecurity requirements for application specific integrated circuits (ASIC) and field- programmable gate arrays (FPGA) with security-related functionalities
III.1.16 31 ETSI CYBER-EUSR DEN/CYBER-EUS-0011 EN 304 631 Essential cybersecurity requirements for smart home general purpose virtual assistants
III.1.17 32 ETSI CYBER-EUSR DEN/CYBER-EUS-0014 EN 304 632 Essential cybersecurity requirements for smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
III.1.18 33 ETSI CYBER-EUSR DEN/CYBER-EUS-004 ΕΝ 304 633 Essential cybersecurity requirements for Internet connected toys covered by Directive 2009/48/EC that have social interactive features (e.g. speaking or filming) or that have location tracking features
III.1.19 34 ETSI CYBER-EUSR DEN/CYBER-EUS-003 EN 304 634 Essential cybersecurity requirements for personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply or personal wearable products that are intended for the use by and for children
1.1.1 35 ETSI CYBER-EUSR DEN/CYBER-EUS-0016 EN 304 635 Essential cybersecurity requirements for hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments
III.11.2 36a ETSI CYBER-EUSR DEN/CYBER-EUS-0020 EN 304 636 Essential cybersecurity requirements for firewalls, intrusion detection and/or prevention systems
III.11.2 36b CLC/TC 65X WG 3 81649 ΕΝ 62443-5 Security Profile for firewalls and intrusion detection and prevention systems (based on IEC 62443)
III.II.3+4 37, 38 CLC/TC 47X WG 2 80924 EN 50766 Cybersecurity requirements for tamper-resistant microprocessors and microcontrollers
IV.1 39 CEN/TC 224 WG 17 002242XX EN TTTTT Cybersecurity requirements for Hardware Devices with Security Boxes
IV.2 40 CEN-CLC/JTC 13 WG 6 JT013102 prEN 40000-x-x Cybersecurity requirements for products with digital elements - Smart Meter Gateway
IV.3 41a CLC/TC 47X WG 3 80922 EN 50764 Cyber Resilience of EUCC certified platforms of Smart Cards and Similar Devices Including Secure Elements
IV.3 41b CEN/TC 224 WG 17   prEN 18330 Cybersecurity requirements for smartcards or similar devices, including secure elements - Application layer
    ETSI CYBER-EUSR DEN/CYBER-EUS-0019 EN 304 642 Cybersecurity Requirements for Network Functions of Telecommunications Systems

We welcome suggestions and updates! Please open an issue or post a pull request.