In response to the rise of hybrid threats, Europe is accelerating the alignment of cybersecurity requirements for Products with Digital Elements (PWDEs). Published in October 2024, the European Regulation known as the Cyber Resilience Act (CRA) establishes a set of technical and organizational cybersecurity requirements for any product placed on the EU market that integrates digital elements and is connected or connectable. Its objective is to harmonize and strengthen the cybersecurity of these products (both hardware and software), from design through their entire lifecycle.
The CRA places particular emphasis on products used in sensitive environments, with two categories: “Critical” and “Important”, which notably include identification and authentication products used for identity management and access control.
This European regulation will come into force in the first half of 2027. To support its implementation, the European Commission published an implementing decision last February requesting the three European Standardization Organizations (CEN, CENELEC and ETSI) to develop 41 harmonized standards, including Standard No. 16, dedicated to electronic physical security PWDEs and access control.
In this context, SPAC Alliance created the HESTIA working group to contribute actively to the development of the future Harmonized Standard No. 16.
The impact of the CRA on the market
Compliance with the CRA’s cybersecurity requirements will be necessary to obtain CE marking starting in 2027. The impact of this regulation is therefore strategic for all security stakeholders in Europe.
- Manufacturers and software publishers: risk analysis, documentation, security by design, security updates, cybersecurity assessments, vulnerability management, and mandatory compliance or even certification depending on the product class.
- Integrators and importers: use of compliant components, supply chain security, and clear allocation of responsibilities related to updates and maintaining deployed products in a secure condition.
- End users: strengthened cybersecurity levels for electronic physical security and access control systems, wider deployment of sovereign open technologies and standards, improved interoperability, and greater transparency on security levels and vulnerability handling.
The CRA therefore provides the tools needed to raise and harmonize security levels across Europe. PWDE compliance will be essential for critical, essential and important entities aiming to meet the requirements of the NIS2 and CER directives.
Harmonized Standard No. 16
Of the 41 standards expected, the first 15 apply to all products (horizontal standards). The others address specific use cases (vertical standards), such as Standard No. 16, which targets identity management systems, including authentication and access control readers, including biometric systems.
The goal of the European Standardization Organizations is to translate the CRA’s essential requirements into technical, applicable and verifiable specifications for each product and use case. The expected outcome is a clear reference framework for manufacturers and software publishers, as well as for integrators, importers and end users.
SPAC Alliance and its members have long supported national and European institutions to help align regulatory expectations with operational realities. SPAC Alliance therefore positioned itself early in 2025 to support the development of Standard No. 16 by creating a dedicated working group: the HESTIA project.
“Without a clear standard, each stakeholder may interpret requirements differently. Without a harmonized reference, coherent and consistent conformity assessment is impossible. Standard No. 16 must become a shared language, understood both by industry and by conformity assessment bodies.”
Mickaël Wajnglas, Secretary General, SPAC Alliance
HESTIA: a structured pre-standardization initiative
HESTIA is a pre-standardization project that came to life thanks to the collective support of SPAC Alliance members, enabling the Alliance to win the NCC-FR (ANSSI) and Bpifrance call for projects, with sponsorship from our founding member STid. Funded under the France 2030 program and managed within our professional trade association, this project had two clear objectives:
- The drafting of a pre-standardization technical specification defining the structure, scope and requirements of the future European harmonized standard for cybersecurity in access control, identity management and, more broadly, electronic physical security products. The aim was to start integrating market requirements aligned with the CRA and ANSSI recommendations.
- The submission of the New Work Item (NWI), the formal request to create the standard within the European standardization bodies, including the technical specification, in order to initiate the development of the future European standard and secure an active role in its elaboration.
In parallel, under the HESTIA project, our founding member CLR Labs (also the leader of the HESTIA working group) positioned itself as both rapporteur and editor of Standard No. 16 following a CEN-CENELEC call for tenders.
SPAC Alliance also played an active role in public consultations and expert group discussions led by the European Commission, contributing to clarifying the material and software scope of the harmonized standards.
HESTIA: a collective success
The HESTIA pre-standardization project officially concluded on 1 October 2025.
After eight months of work, SPAC Alliance and its members succeeded in:
- Drafting a complete pre-standardization specification.
- Participating in the European Commission consultations.
- Submitting the NWI to AFNOR.
- Positioning CLR Labs as rapporteur and editor of the future European standard within the Working Group (WG) 17 of Technical Committee (TC) 224 of the European Committee for Standardization (CEN).
- Joining the CEN expert group involved in drafting the future standard.
Today, Standard No. 16 is under development within WG 17 CEN/TC 224.
The HESTIA project enabled the market to unite around a strategic and structuring initiative and positioned SPAC Alliance as a leading contributor to the future European cybersecurity standard for electronic physical security products.
What comes next
By bringing together experts, industry and institutions, the HESTIA working group has laid the foundations for a rigorous, comprehensive standard that ensures the highest levels of security. This is a major milestone for the physical and cyber security ecosystem, and a source of pride for SPAC Alliance and its members.
This collective achievement supports and strengthens the Alliance’s long-term standardization strategy. It also paves the way for the final stage of our strategic roadmap: the EN standardization of the SSCP protocol (Smart & Secure Communication Protocol), an additional step toward building Europe’s security sovereignty.
If you wish to learn more about the CRA, product categories, essential requirements or conformity assessment methods, a comprehensive training document is available in our library for members of the SPAC Alliance Club. It’s the perfect time to join us!
