The implementation landscape around the Cyber Resilience Act (CRA) is evolving rapidly. While the regulation itself entered into force in 2024, the ecosystem surrounding it – including guidance documents, harmonised standards, certification schemes, and conformity assessment procedures – is now taking shape at a remarkable pace.
For companies working with products containing digital elements, 2026 has become a crucial year for understanding how CRA requirements will be interpreted and applied in practice. From draft guidance published by the European Commission to major developments in standardisation and certification, several important milestones have already been reached.
This overview is prepared based on insights and analysis provided by Michael Beine (Bureau Veritas), contributor to the CRACoWi project activities related to certification, standardisation, and CRA implementation developments.
1. Draft CRA Guidance Published by the European Commission
In March 2026, the European Commission published the draft guidance on the Cyber Resilience Act, with the commenting period ending in April 2026. The final version is expected towards the end of 2026 or beginning of 2027:
- It provides interpretations of CRA legal text from official source of truth.
- A must-read for everybody seeking clarity and interpretation of CRA.
- In some cases, the additional level of detail creates follow-up questions, which will hopefully be addressed in the final revision
This draft guidance is particularly important because it provides interpretations of the CRA legal text directly from the official source. For many stakeholders, it is currently one of the most valuable documents available for understanding how certain provisions of the regulation may be interpreted in practice.
The document also demonstrates the complexity of implementing the CRA. While the guidance clarifies several topics, the additional level of detail has, in some areas, also created follow-up questions from industry and standardisation groups. Many stakeholders are now expecting that some of these open points will be addressed in the final revision.
The draft guidance can be accessed through the European Commission’s official channels under the Draft Commission guidance on the Cyber Resilience Act
2. RED-DA Cybersecurity Requirements will be Repealed – It is Official
Another major development became official in 2026. To avoid overlapping regulatory requirements, the cybersecurity-related provisions under Article 3.3 d/e/f of the Radio Equipment Directive (RED-DA) will be deactivated on the date the CRA becomes fully applicable: 11 December 2027.
This confirms an important signal from the legislator: there is currently no indication that the CRA timeline will be delayed. The transition towards CRA remains firmly on track.
The repeal was adopted through Delegated Regulation (EU) 2026/339 published on EUR-Lex: Delegated regulation – EU – 2026/339 – EN – EUR-Lex
3. Standardisation is Moving Forward Rapidly – prEN 40000-1-2 Drafting is Completed
Standardisation activities around the CRA are accelerating significantly.
The drafting of the first horizontal CRA standard, prEN 40000-1-2 “Cybersecurity requirements for products with digital elements – Part 1-2: Principles for cyber resilience”, has been completed and entered final review. If the formal vote is positive, publication could follow by the end of October 2026.
This is an important milestone because horizontal standards are expected to play a key role in supporting harmonised approaches to CRA compliance across industries.
At the same time, discussions around sector-specific standards continue intensely.
More info: Post | LinkedIn
4. Debate Around “Broad Verticals” and IEC 62443 – “Broad verticals will not be cited in the OJEU“
One statement made by the European Commission during the ENISA Conference in March 2026 created significant discussion within standardisation working groups and the OT industry.
According to comments shared publicly after the event, the Commission stated that “broad verticals will not be cited in the Official Journal of the European Union (OJEU).”
This has raised concerns among stakeholders working on adapting IEC 62443 standards for CRA presumption of conformity, particularly in industrial and operational technology environments.
The standards EN IEC 62443-4-1 and EN IEC 62443-4-2 remained in public consultation (Enquiry phase) until the end of April 2026. However, discussions around how these standards may ultimately be referenced under the CRA framework are still ongoing.
At this stage, it is clear that the final approach to sector-specific harmonisation is still evolving.
The last word is probably not yet said about this.
More info: Post | LinkedIn
5. CSA2 draft regulation proposes new Certification Schemes for CRA
The proposed update of the Cybersecurity Act (commonly referred to as CSA2) also represents an important step in aligning the EU cybersecurity certification framework with the CRA.
The proposal aims to facilitate the creation and adaptation of certification schemes supporting CRA requirements. This is particularly relevant for products that may require third-party conformity assessment procedures.
The proposal for the revised EU Cybersecurity Act has been published under the European Commission’s “Shaping Europe’s Digital Future” initiative.
CSA2 aims to boost the creation and adaptation of Certification Schemes for the CRA.
More info: Proposal for a Regulation for the EU Cybersecurity Act | Shaping Europe’s digital future
6. EUCC Implementing Act Expected by End of 2026
The European Commission has also indicated plans for an implementing act approving the EU Common Criteria (EUCC) scheme for CRA purposes. This would support conformity assessment procedures for critical products with digital elements, including categories such as payment terminals, smart cards, and smart meter gateways.
While no publicly available implementing act reference has yet been identified, this would represent another major step towards operationalising CRA conformity assessment mechanisms.
7. „fast track“ procedure for NoBo under RED-DA
Another important discussion currently taking place involves a potential “fast-track” procedure for the nomination of Notified Bodies (NoBos) under the CRA.
According to publicly shared information from discussions between the European Commission and ADCO CRA, the proposal would simplify nomination procedures for organisations already designated under RED-DA.
The objective appears straightforward: ensuring that a sufficient number of Notified Bodies are available before the CRA becomes fully applicable at the end of 2027.
More info: Post | LinkedIn
Help Is on the Way for SMEs
As the Cyber Resilience Act (CRA) moves closer to full implementation, many SMEs are still trying to understand what the regulation means in practice and how to prepare for compliance. The good news is that support is already taking shape across Europe.
Several EU-funded initiatives, including CRACoWi and other projects within the CRA Cluster, are actively developing practical tools, guidance materials, and training resources designed to help organisations navigate the new cybersecurity requirements.
Within CRACoWi, the first support resources are already becoming available. This includes tools such as the CRA Scope Assesment, helping organisations better understand whether and how the CRA applies to their products, as well as the CRAcademy initiative, offering webinars, workshops, and educational materials focused on CRA implementation and cybersecurity compliance.
And this is only the beginning. Additional tools, guidance documents, training materials, and practical support mechanisms are currently under development and will continue to evolve over the coming months.
If you want to stay informed about the latest developments, upcoming training sessions, and new CRA support resources, make sure to follow the CRACoWi project and subscribe to the newsletter.
You can also explore the broader ecosystem of initiatives by visiting the CRA Cluster projects working towards practical CRA implementation across Europe: CRA Cluster
A Regulatory Ecosystem Taking Shape
What becomes increasingly clear is that the CRA is no longer only a legal text. The broader implementation ecosystem (guidance documents, harmonised standards, certification schemes, conformity assessment procedures, and institutional coordination) is now actively developing.
For companies across Europe, especially SMEs, staying informed about these developments will be essential over the coming months. The pace of change is high, and many practical aspects of compliance are still being refined in parallel with the regulation’s rollout.
Projects such as CRACoWi are therefore becoming increasingly relevant, not only because they raise awareness about the CRA, but because they help organisations translate evolving regulatory requirements into practical implementation steps.
About the Author
Michael Beine is a cybersecurity and regulatory compliance expert at Bureau Veritas Consumer Product Services Germany, with more than 20 years of experience in the testing, inspection, and certification industry. His work focuses on cybersecurity requirements for connected products, IoT security, industrial automation, and European regulatory frameworks, including the Cyber Resilience Act (CRA) and RED Delegated Act. Within the CRACoWi project, he contributes to activities related to certification schemes, standardisation, and practical implementation of cybersecurity compliance requirements.
