Skip to main content
🎀 Speaking at KubeCon EU 2026 Lessons Learned Orchestrating Multi-Tenant GPUs on OpenShift AI View Session
🎀 Speaking at Red Hat Summit 2026 GPUs take flight: Safety-first multi-tenant Platform Engineering with NVIDIA and OpenShift AI Learn More
ETSI EN 304 Standards: The Technical Backbone of CRA Compliance
DevOps

ETSI EN 304: CRA Compliance Standards

ETSI TC Cyber is developing 18 vertical product standards (EN 304 617-642) for CRA compliance. Overview of each standard and which products they cover.

LB
Luca Berton
Β· 2 min read

ETSI EN 304: The Standards Behind the CRA

ETSI TC Cyber Working Group EUSR is developing 18 product-specific (β€œvertical”) standards that define the technical requirements for CRA compliance. Understanding these standards is critical for manufacturers.

The 18 Standards

Important Products β€” Class I (Self-Assessment Possible)

StandardProduct Category
EN 304 617Browsers
EN 304 618Password Managers
EN 304 620Virtual Private Networks (VPNs)
EN 304 621Network Management Systems (NMS)
EN 304 623Boot Managers
EN 304 625Physical and Virtual Network Interfaces
EN 304 626Operating Systems (OS)
EN 304 627Routers, modems, and switches
EN 304 631Smart home general purpose virtual assistants
EN 304 632Smart home products with security functionalities
EN 304 633Internet connected toys
EN 304 634Personal wearable products

Important Products β€” Class II (Third-Party Assessment May Be Required)

StandardProduct Category
EN 304 619Antivirus software
EN 304 622Security Information and Management Systems (SIEM)
EN 304 624PKI and digital certificate issuance software
EN 304 635Hypervisors and container runtime systems
EN 304 636Firewalls, IDS/IPS

Critical Products

StandardProduct Category
EN 304 642Network functions of telecommunications systems

Standard Development Process

ETSI TC Cyber WG EUSR
  ↓ drafts standards
Public Consultation
  ↓ industry feedback
Final Draft
  ↓ ETSI approval
Published Standard
  ↓ referenced in EU Official Journal
Harmonized Standard (presumption of conformity)

Working Groups Involved

  • ETSI TC Cyber WG EUSR β€” leads 18 product standards
  • CEN/TC 13 β€” additional horizontal standards
  • CLC/TC 65X WG 14 β€” industrial automation aspects
  • CLC/TC 45X WG 3 β€” additional electrical safety

How Standards Map to CRA Requirements

Each EN 304 standard addresses:

  1. Security properties β€” specific to the product category
  2. Vulnerability handling β€” aligned with CRA Article 11
  3. Technical documentation β€” what must be documented
  4. Testing methods β€” how to verify compliance
  5. SBOM requirements β€” component documentation specifics

Timeline

  • 2024-2025: Initial drafts published for public comment
  • 2025-2026: Standards finalized and published
  • 2026: Standards referenced as harmonized standards
  • 2027: Full CRA enforcement (standards provide presumption of conformity)

What If No Harmonized Standard Exists?

If ETSI standards aren’t ready by enforcement date, manufacturers can:

  1. Apply common specifications adopted by the European Commission
  2. Conduct their own risk assessment against CRA essential requirements
  3. Use third-party assessment to demonstrate conformity

Staying Current

Need guidance navigating ETSI standards for CRA compliance? I help organizations map their products to the right standards. Get in touch.

Related Articles

Git Worktrees: Work on Multiple Branches at Once
DevOps

Git Worktrees: Work on Multiple Branches at Once

Git worktrees let you check out multiple branches simultaneously in separate directories. Stop stashing and switching -- work on your feature, hotfix, and review in parallel.

Podman vs Docker in 2026: Which One Should You Use
DevOps

Podman vs Docker in 2026: Which One Should You Use

A practical comparison of Podman and Docker in 2026 covering rootless containers, Kubernetes integration, CI/CD workflows, and when each tool is the right choice.

Quay robot accounts for container registries
DevOps

Quay Robot Accounts for CI/CD Container Pulls

How to create and use Quay.io robot accounts for secure, automated container image pulls in CI/CD pipelines without exposing personal credentials.

Fix: OpenClaw in Docker β€” Connection Refused, Port Mapping, and Network Issues
DevOps

OpenClaw Docker: Connection Refused Fix

Running OpenClaw in Docker and getting connection refused? Common issues with port mapping, bind addresses, DNS resolution, and WebSocket upgrades.

All Articles
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens TechMeOut