Cyber Resilience Act implementation via EUCC and its applicable technical elements

This report develops a proposal for a way forward, including, where needed, technical elements, that would allow certification under the EUCC to cover the essential cybersecurity requirements and conformity assessment obligations of the CRA.

Details

Publication date
26 February 2025
Author
European Union Agency for Cybersecurity
Type of Documents
  • Analysis Report
Certification Schemes

Description

Based on a comparative analysis between the CRA and the EUCC, this report develops a proposal for a way forward, including, where needed, technical elements, that would allow certification under the EUCC to cover the essential cybersecurity requirements and conformity assessment obligations of the CRA, and therefore to use EUCC certification to demonstrate conformity with the CRA in a seamless way.

The European Union has reinforced its approach to cybersecurity regulation with the Cyber Resilience Act (CRA), a comprehensive legislative framework that introduces horizontal cybersecurity requirements for all products with digital elements placed on the EU market. The CRA entered into force on 10 December 2024. It aims to address growing cybersecurity risks across sectors by laying out a set of essential requirements to ensure products are designed, developed, and maintained with security as a priority, thus enhancing the resilience of the EU’s digital landscape. The CRA applies to all products with digital elements and categorizes them by risk level, including "important" and "critical" products that are subject to stricter cybersecurity obligations. 

To provide manufacturers with flexible means of compliance, the CRA offers multiple pathways to demonstrate adherence to its essential requirements. These include European cybersecurity certification schemes, such as the EU Common Criteria (EUCC), as well as harmonized standards and recognized conformity assessment procedures. The CRA establishes a “presumption of conformity” for products that have been certified under a recognized European cybersecurity certification scheme, such as the EUCC, provided the certification meets at least a “substantial” assurance level, as specified in Article 27 of the CRA. However, obtaining an EUCC certification is not mandatory in order to obtain CRA compliance, even for products classified as important or critical. It is simply one pathway available to manufacturers who wish to leverage the EUCC’s structured conformity processes as a means of meeting the CRA requirements. 

This study examines the technical aspects of implementing the CRA through the EUCC as a European cybersecurity certification scheme, focusing on its technical elements, and provides potential conclusions that could be considered by the European Commission when establishing presumption of conformity. However, this study should not be read as providing guidelines for establishing presumption of conformity with the CRA, as the establishment of such presumption would require a formal legal act under the CRA in line with Article 27(9).

It is important to note that this analysis is only exploratory at this stage and shall not pre-empt any forthcoming decisions of the European Commission acting within its legal mandate under the CRA. This report represents a best-effort analysis by its authors and reflects only their views. The report and its conclusions aim to serve as a basis for further discussion and to support the update of the relevant Protection Profiles (PPs) aiming to achieve CRA compliance.

ENISA strongly encourages industry stakeholders, including manufacturers, conformity assessment bodies, cybersecurity experts, and sectoral organisations, to actively engage with this report by conducting pilot implementations and evaluating its applicability in real-world scenarios. The insights gained from these practical applications will be invaluable in refining the alignment between EUCC certification and CRA compliance. To this end, ENISA welcomes industry feedback on the feasibility, challenges, and benefits of using the EUCC as a pathway to meet CRA requirements. Stakeholders are invited to share their findings, propose refinements, and collaborate in shaping the future of cybersecurity certification in Europe. ENISA remains committed to an open and constructive dialogue and is eager to work alongside industry to ensure that the CRA framework is both practical and effective in enhancing cybersecurity across the EU market.

Files

  • 26 FEBRUARY 2025
CRA Implementation via EUCC
  • 26 FEBRUARY 2025
Annex CRA Implementation via EUCC

Contact

Certification Unit

To provide feedback on the report, please contact the ENISA Certification Unit.

Name
Certification Unit
Email
certification@enisa.europa.eu