The EU’s Cyber Resilience Act (CRA) sets clear cybersecurity requirements for products with digital components. In practice, however, it is not always obvious what constitutes a “product”.
In many technical environments, such as mobile networks, functions are spread across multiple systems, modules and suppliers. Security depends on how these interact, not solely on an individual component.
This means that provisions designed for separate products need to be translated before they can be applied in operational systems. Otherwise, different stakeholders risk interpreting and implementing the requirements in different ways – leading to higher costs and reduced interoperability between systems.
We spoke to Bengt Sahlin, Research Leader in Networking Security at Ericsson Research, who has worked on security standardisation in mobile networks for more than two decades, including within 3GPP and ETSI.
– The requirements themselves are clear. The challenge is translating them into systems where functions are distributed and dependencies are complex, Bengt says.
From legal requirements to technical implementation
Security has been standardised in telecoms for many years. Since the early 2010s, the focus within 3GPP has increasingly shifted towards security in the network functions themselves, rather than only in the communication between them. This has led to an established assurance framework, GSMA NESAS (Network Equipment Security Assurance Scheme), for assessing the security of network equipment. Much is already in place.
The CRA adds a clear requirement to demonstrate that products comply with the law, consistently and in a way that can be verified.
– We already have good methods and processes. What we need now is to align them with a regulatory framework built around products and compliance, says Bengt.
A key difference from previous security initiatives in the sector lies in what drives them. Industry security standards have traditionally emerged in response to practical business needs – standardising what is useful in order to build functioning networks. The CRA, by contrast, is rooted in legislation. That changes what is required to demonstrate compliance.
Ericsson takes the initiative for a new standard
To address this, Ericsson took the initiative for a new vertical standard within ETSI: EN 304 642. Bengt Sahlin leads the work.
The standard is a proposal under the Cyber Resilience Act and focuses on security requirements for network functions in telecommunication systems. The proposal quickly gained strong backing. Today, Nokia, Samsung, ZTE, Huawei, Maketh Secure and Palo Alto Networks are involved in the work, contributing technical expertise.
– We may have been slightly ahead of the curve in starting work on this standard, but it is not just Ericsson driving it. Many other manufacturers see the same need, says Bengt.
Rather than developing entirely new requirements from scratch, the standard builds on established security frameworks and structures them in a way that makes them applicable under the CRA.
– When the industry agrees on how security requirements should be applied, the differences in how systems are built are reduced. That leads to more stable systems, faster responses to vulnerabilities and greater confidence in the services we rely on, says Bengt.
Industry and the Commission seek a common path
At present, there is no standardisation request from the European Commission that specifically covers this standard. However, the Commission has responded positively to the work, and Bengt believes it is likely that a formal request will follow once the mandatory standards for the CRA’s critical and important product categories are in place.
– The Commission issues requests for new standards, and we welcome that dialogue at every stage. The earlier industry can be involved, the better the chances of developing standards that work in practice, says Bengt.
The EN 304 642 initiative is an example of how an industry can take responsibility for, and accelerate, the process of turning legal requirements into applicable technical solutions. Bengt also believes the model could spread. Similar vertical standards have been developed under the General Product Safety Regulation, and he expects a similar development under the CRA.
– It will not end with this standard. More will be needed, and industry is best placed to identify where they are required.
Facts: What is a vertical standard?
A vertical standard describes how legal requirements should be applied within a specific technical domain.
The CRA sets overarching requirements that apply to all products with digital components. How these are put into practice depends on how systems are designed.
A vertical standard clarifies what the provisions mean in a particular sector, describes how they should be implemented, and sets out how compliance can be verified. It provides a common framework for organisations developing and delivering technology within the same field.
How to initiate a standard within ETSI
To launch a standardisation project, support is required from at least four member organisations within ETSI, along with a defined need, a clear scope and a responsible technical group.
The initiative is often driven by industry participants, but it requires formal backing from ETSI members. The process depends on participants contributing and reaching consensus. It often begins with identifying a shared problem, developing a proposal and bringing together the relevant parties.
For companies, this is an opportunity to influence how regulation is turned into practical reality.
CRA in practice – next steps
From September 2026, the CRA obligations begin to be phased in, starting with the vulnerability and incident reporting obligations; the remaining obligations apply from December 2027. For many companies, this means that working methods, systems and products need to be reviewed well in advance. The challenge is particularly significant for smaller organisations that may lack the resources to assess for themselves what the legislation actually requires.
– A sector-specific standard makes it easier to know what needs to be done. That is one of the main reasons we are working on this, says Bengt.
To make the regulatory framework more tangible, CRA Day will be held on 4 May in Kista. During the event, participants will receive an overview of the legislation and what it means in practice, insights into harmonised and sector-specific standards, guidance on how compliance can be ensured, and the opportunity to put questions directly to experts from Sweden and across the EU.
For organisations affected by the CRA, it is an opportunity to move from broad requirements to practical action.
See agenda, speakers and registration (due by April 23, 2026).