Think about the last time you connected a new device to your home Wi-Fi, a smart TV, a baby monitor, a thermostat, or perhaps a doorbell camera.
You probably didn’t stop to wonder whether its software could be compromised by a stranger sitting in a car outside your home.
But someone, somewhere, is paid to think about exactly that.
And from late 2027 onwards, EU law will require that the maker of that device think about it too, long before it ever reaches a shop shelf.
The Cyber Resilience Act, Regulation (EU) 2024/2847, is the EU’s landmark legislation on the cybersecurity of products with digital elements.
It covers an enormous range of goods: from laptops and routers to industrial sensors and smart home gadgets. Its core message is straightforward. If you want to sell a connected product in Europe, it must be secure by design, not patched up as an afterthought.
But here is where many businesses, especially small and medium-sized ones, feel a sense of unease. The regulation sets out essential requirements in broad, outcome-based language. It tells you what must be achieved, not how to achieve it.
That is where European harmonised standards come in, and they matter enormously.
A harmonised standard, developed by bodies such as CEN, CENELEC, or ETSI under a mandate from the European Commission, gives a manufacturer something invaluable: legal certainty.
Comply with the standard, and the law presumes you have met the corresponding essential requirements of the regulation. You do not need to invent your own proof.
The standard is your map.
“A harmonised standard gives a manufacturer something invaluable: legal certainty. Comply with the standard, and the law presumes you have met the corresponding essential requirements”
Let us make this concrete with a few everyday examples:
Consider a Maltese company that makes smart meters for residential use.
Under the CRA, these devices must have unique default passwords, support security updates throughout their lifecycle, and protect the data they transmit.
EN 303 645, the European standard for cybersecurity in consumer IoT, provides exactly the technical detail needed to meet those requirements.
Follow EN 303 645, and the presumption of conformity kicks in. The regulator does not need to be convinced; the standard has already done the convincing.
Or take a software firm developing a mobile app that interfaces with medical wearables.
The CRA requires that such software be delivered free of known exploitable vulnerabilities, and that a ‘software bill of materials’, essentially a list of all the components inside the product, is maintained. Standards under the EN ISO/IEC 27000 series on information security management, along with ETSI EN 303 645, provide tested frameworks for both.
Rather than starting from a blank page, developers can align their practices with these standards and demonstrate compliance far more efficiently.
A third example: a local importer bringing industrial routers into Malta from a non-EU manufacturer.
The importer has obligations under the CRA too, including verifying that the product bears the correct CE marking and that the necessary technical documentation exists.
Familiarity with the relevant harmonised standards means the importer knows precisely what to look for in that documentation, and can have an intelligent conversation with their supplier rather than simply hoping for the best.
Standards, in other words, are not dry technical documents reserved for engineers. They are practical tools that translate legal obligation into actionable steps.
They represent the consolidated wisdom of thousands of industry and academic experts, reviewed and updated as technology evolves.
They save businesses time, reduce legal risk, and when it comes to cybersecurity, help protect consumers from genuine harm.
Malta, like every EU member state, has an obligation to transpose all European standards into national standards and to withdraw any conflicting ones.
This work is carried out by the MCCAA’s Standards and Metrology Institute. But the institute’s role goes beyond transposition. It actively participates in European standardisation committees, feeding Malta’s perspective on the standards that will shape our digital economy for years to come.
The CRA’s compliance deadlines are approaching faster than many businesses realise. Getting familiar with the relevant standards now, rather than scrambling in the final months, is not just prudent.
It is the difference between a smooth market entry and a costly last-minute redesign.
If your business is working towards CRA compliance, or if you simply want to understand which standards apply to your product, the Standards and Metrology Institute is ready to help.
You can buy the relevant European standards, receive guidance on which ones apply to your sector, and connect with Malta’s network of standardisation experts.
Contact the MCCAA Standards and Metrology Institute at [email protected] or visit the website below. Our team is here to make sure that, when it comes to cybersecurity standards, Maltese businesses are never left navigating alone.
George Cutajar is director general, Standards and Metrology Institute, MCCAA.