Time to speak: Contributing to the CRA Standards feedback process
By Simon Phipps
As the Cyber Resilience Act (CRA) moves closer to implementation, much of the attention has focused on the regulation itself. But what’s equally important, and often overlooked, is the process that will define how these rules are applied in practice: the development of harmonised standards.
These standards are not just technical details; they will shape what “compliance” looks like for years to come. They will decide what counts as secure development or vulnerability handling, and how different products can demonstrate compliance. And for the open source community, they represent a unique opportunity to ensure that the rules reflect how open collaboration actually works.
Why engagement matters
If the people who build, maintain, and steward open source software don’t participate in the standardisation process, decisions risk being made without understanding the realities of open development. This could lead to frameworks that are hard to apply, create unnecessary barriers, or discourage participation in open projects, impacting not only open source developers but all downstream manufacturers who use open source components and code.
By contributing feedback, open source communities and developers can help shape standards that are practical, inclusive, and effective.
A shared responsibility
The CRA’s success depends on collaboration between policymakers, industry, and the open source ecosystem. Contributing to the standards process is a concrete way to make that collaboration real. It’s not about bureaucracy; it’s about ensuring that Europe’s approach to digital trust and resilience is built on open, transparent, and sustainable foundations.
How to get involved
Horizontal standards
Manufacturers seeking presumed conformity with the Cyber Resilience Act will likely rely on standards currently under development. These horizontal standards, addressing aspects common to all manufacturers, are being formalised by CEN/CENELEC JTC 13 WG 9 across four project teams (PT1-PT4).
Each team’s deliverable is released for public review upon completion. The following parts of pEN 40000, “Cybersecurity requirements for products with digital elements,” have been released to date:
- PT1 - pEN 40000-1-2 Principles for cyber resilience
- PT2 - Not yet public
- PT3 - Not yet public
- PT4 - pEN 40000-1-1 Vocabulary
Where To Review
You can comment on this via your national standards organisation, in most cases after creating an account and logging in:
| Country | PT1 | PT2 | PT3 | PT4 |
|---|---|---|---|---|
| Belgium - NBN | PT1 | | | PT4 |
| UK - BSI | PT1 | | | PT4 |
| Germany - DIN | PT1 | | | PT4 |
| Estonia - EVS (no login needed) | PT1 | | | PT4 |
| Spain - UNE | PT1 | | | PT4 |
Vertical Standards
At this stage, the process for contributing to vertical standards is different. It was covered by Jordan Maris in our last CRA Monday session, “From closed rooms to open dialogue: how to participate in CRA vertical standards”: through ETSI labs it is possible to contribute and give direct feedback to the teams working on those vertical standards.
The standards shaping CRA compliance are being written now, and open source voices need to be part of that conversation. Whether through national standards bodies or open consultation channels, every contribution matters. Getting involved today helps establish a regulatory framework that will foster open collaboration.
