CRA harmonized standards sandwich and EN IEC 62443/A11

This article explores the CRA standards sandwich and specifically where EN IEC 62443/A11 fits.

The citation of EN IEC 62443/A11 in the OJEU is currently anticipated for late 2026 or early 2027.

The CRA standards sandwich

The CRA uses the principle called Lex Specialis, which means that more specific rules prevail over more general ones. Let’s illustrate this with Image #1:

Image #1: The standards sandwich for the technical product requirements.

Layer one of the sandwich, EN 40000-1-2 (and the vocabulary in EN 40000-1-1), provides the product-agnostic (horizontal) principles for cyber resilience that all PwDE (products with digital elements) must meet.

Layer two provides the product-agnostic (horizontal) catalog of technical security controls that all PwDE must meet.

With layer three, we’ve moved from being product-agnostic to, in this example, the broad group of OT industrial products, as defined by EN IEC 62443/A11. This is also often described as a “broad vertical” or “sector vertical”.

Finally, layer four contains harmonized, product-specific vertical standards. EN IEC 62443/A11 is being developed specifically for “Important class I/II” OT/ICS products under the CRA.

Presumption of conformity

Given this sandwich construction, how is the presumption of conformity achieved in various scenarios with an OT industry product?

The path to Presumption of Conformity follows the Lex Specialis principle. In our multi-layered sandwich, the law expects you to use the standard that is most tailored to your product to ensure the highest level of relevant security.

Illustrated here for the product requirements, not the process requirements:

"Default"

You can technically claim presumption of conformity using only EN 40000-1-x. However, for OT IACS, you should include EN IEC 62443/A11 for two reasons:

    • Annex ZZ in the A11 amendment: It includes a detailed mapping table that establishes a “presumption of conformity”.
    • Liability & Best Practice: If an incident occurs, “state‑of‑the‑art” (62443) is the yardstick by which your risk assessment will be judged. Using the horizontal standard alone for a complex OT device is often viewed as “doing the bare minimum”, which is a weak defense in IACS cybersecurity.

"Important C-I" but no product-vertical

The same as for “Default” because no relevant harmonized product-specific vertical is available.

"Important C-I" and a product vertical

The CRA follows the logic of the New Legislative Framework: If a vertical (product‑specific) harmonized standard exists and is cited in OJEU, it becomes the primary presumption path for that product category.

Note that the A11‑amended EN IEC 62443 standards are also being used as the foundational technical basis for multiple CRA vertical standards.

Wrap-up

EN IEC 62443/A11 covers a broad range of industrial products and is more specific than EN 40000-1-x but less specific than harmonized product verticals. It is thus not a pure “horizontal” standard, nor a pure “vertical” standard. It is often described as a “broad vertical” for OT IACS.

See also the next article EN IEC 62443-4-2/A11: A closer look.

Graphics created with AI-support