EU ETSI Draft Cybersecurity Standards: What the New Proposals Mean for Manufacturers — and How to Prepare Now

In early 2026, the European Telecommunications StandardsInstitute (ETSI) released a suite of draft cybersecurity standards intended to operationalize the EU’s forthcoming Cyber Resilience Act (CRA).These drafts, now open for consultation, are a critical bridge betweenhigh-level legal requirements and the concrete technical controls manufacturerswill be expected to implement. For organizations placing products with digitalelements on the European Union market, the direction of travel isunmistakable: cybersecurity compliance is becoming more prescriptive, moretechnical, and more auditable.

What the draft standards cover

ETSI’s draft portfolio spans a wide range of product andsoftware categories, including routers, modems and switches, operating systems,browsers, VPNs, anti-malware tools, network management systems, SIEM platforms, boot managers, network interfaces, and public key infrastructure components. Rather than redefining policy objectives, these drafts translate CRAprinciples—such as secure by design, secure by default, and lifecycle vulnerability management—into detailed technical requirements.

Importantly, ETSI is publishing these materials transparently through its open document portal, where manufacturers can review evolving drafts, track updates, and understand how specific security controlsare being framed. This open workspace signals that the standards are still taking shape, but it also provides early visibility into what future“harmonised standards” are likely to look like once formally adopted.

Why this matters for manufacturers

Under the Cyber Resilience Act, most products with digital elements—whether consumer devices, industrial equipment, or standalone software—will need to demonstrate conformity before being placed on the EU market. Once ETSI’s standards are harmonised and cited in the EU’s Official Journal, compliance with them will offer a presumption of conformity with relevant CRA requirements. In practical terms, that can significantly reduce regulatory uncertainty and simplify CE-marking strategies.

However, the flip side is increased expectation. Manufacturers will need to show evidence that cybersecurity is embedded throughout the product lifecycle. That includes design-phase threat modelling, secure development practices, robust access control, update and patch mechanisms, vulnerability disclosure processes, and post-market monitoring. For companies accustomed to treating cybersecurity as an optional feature or post-launch add-on, the new framework represents a structural shift.

Practical implications on the ground

The draft standards suggest several immediate impacts for affected manufacturers:

• Design and architecture choices will increasingly be scrutinized for security robustness, particularly for connected and remotely manageable products.
• Technical documentation will need to demonstrate how specific ETSI-defined controls are implemented, tested, and maintained.
• Lifecycle obligations—including vulnerability handling and security updates—will become enforceable expectations, not best practices.
• Supply chain alignment will matter, as software components and third-party modules must not undermine overall product compliance.

How manufacturers can start preparing now

Although the CRA’s core obligations are expected to apply from 2027, preparation should begin well before then. Manufacturers should consider:

• Monitoring ETSI drafts closely, using the open ETSI cyber standards workspace to follow changes and anticipate final requirements.
• Running gap assessments comparing current products and development processes against draft security controls or prepare using other well established cyber standards.
• Strengthening secure-by-design processes, including threat modelling, and security testing as standard engineering steps.
• Building compliance evidence early, so technical files and conformity documentation evolve alongside the product—not after it.
• Engaging with notified bodies and conformity assessment experts to validate interpretations and avoid late-stage redesigns.

Conclusion

ETSI’s draft cybersecurity standards mark a turning point in how digital product compliance will be assessed in Europe. For manufacturers, they offer both a roadmap and a warning: those who engage early and adapt development practices now will be far better positioned to achieve smooth market access once the Cyber Resilience Act takes full effect.