April 28, 2026 • 2 min read
FAQ: What does the CRA require that no standard covers?

Short answer
Five things. Whichever standard you follow - EN 303 645, IEC 62443 or ISO 27001 - the CRA adds obligations that appear in none of them. The good news: they are all process and documentation obligations, not changes to how the product is built.
Long answer
The five CRA-only requirements
- 24h/72h/14-day vulnerability reporting - notify within 24 hours of becoming aware of an actively exploited vulnerability (early warning), send a vulnerability notification within 72 hours, and a final report within 14 days of a corrective measure being available. Reports go through the single reporting platform operated by ENISA and reach the designated national CSIRT and ENISA. Severe incidents affecting the product's security follow the same 24h/72h pattern. ISO 27001 has incident management, but it is internal; this is reporting to a named EU authority on a hard deadline. Applies from 11 September 2026.
- Software Bill of Materials (SBOM) - a machine-readable list of your product's components in a commonly used format (in practice CycloneDX or SPDX), covering at minimum the top-level dependencies. None of the three standards above requires one.
- Declared support period - publicly commit to a period during which you will provide security updates. It must reflect how long the product is expected to be in use and be at least 5 years, unless the product is expected to be in use for less than that. Each security update must then remain available for at least 10 years after it is issued, or for the rest of the support period, whichever is longer.
- EU Declaration of Conformity + CE marking - a formal declaration and the CE mark on the product (for software: on the declaration, the packaging or the website). Paperwork rather than engineering, but it has to be backed by the conformity assessment the product class requires.
- Post-market surveillance - ongoing cooperation with market surveillance authorities, including corrective action, withdrawal or recall if a vulnerability or other non-conformity means the product no longer meets the requirements.
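To make the SBOM item concrete, here is an added example (not code from the original page or from any vendor tool) that builds the minimum CycloneDX 1.5 JSON document the bullet describes and then checks it for the things a reviewer would look for: the product itself is identified, every component has a name and a version, and the product's top-level dependencies are declared and resolve to listed components. The product "acme-gateway-fw", its component names, versions and the timestamp are all constructed for the example; the check function is our own and is not a substitute for validating against the official CycloneDX schema.

```python
"""Build a minimal CycloneDX-style SBOM and check it for the CRA minimum (added example)."""
import copy
import json


def bom_ref(name: str, version: str) -> str:
    # package-url style identifier; "generic" because the ecosystem is unknown here
    return f"pkg:generic/{name}@{version}"


def build_sbom(product: tuple, deps: list, timestamp: str) -> dict:
    """Return a CycloneDX 1.5 JSON document listing the product and its top-level dependencies.

    product: (name, version, cyclonedx_type); deps: list of (name, version, cyclonedx_type).
    """
    pname, pversion, ptype = product
    product_ref = bom_ref(pname, pversion)
    components = [
        {"type": dtype, "bom-ref": bom_ref(n, v), "name": n, "version": v}
        for n, v, dtype in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            "component": {"type": ptype, "bom-ref": product_ref, "name": pname, "version": pversion},
        },
        "components": components,
        # The dependency graph is what makes "top-level" explicit rather than implied.
        "dependencies": [{"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }


def check_sbom(sbom: dict) -> list:
    """Return a list of findings; an empty list means the document passes the minimum checks."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("specVersion"):
        findings.append("not a CycloneDX document (bomFormat/specVersion missing)")
    product = sbom.get("metadata", {}).get("component", {})
    if not product.get("name") or not product.get("version"):
        findings.append("metadata.component must identify the product by name and version")
    refs = {}
    for c in sbom.get("components", []):
        for field in ("name", "version", "bom-ref"):
            if not c.get(field):
                findings.append("component %r missing %s" % (c.get("name", "?"), field))
        ref = c.get("bom-ref")
        if ref:
            if ref in refs:
                findings.append("duplicate bom-ref %s" % ref)
            refs[ref] = c
    product_ref = product.get("bom-ref")
    top = next((d for d in sbom.get("dependencies", []) if d.get("ref") == product_ref), None)
    if top is None or not top.get("dependsOn"):
        findings.append("no dependency entry for the product: top-level dependencies are not declared")
    else:
        for dep in top["dependsOn"]:
            if dep not in refs:
                findings.append("dependency %s is not declared in components" % dep)
    return findings


def to_json(sbom: dict) -> str:
    return json.dumps(sbom, indent=2)


# Constructed sample: a hypothetical firmware image and three top-level dependencies.
GOOD_SBOM = build_sbom(
    ("acme-gateway-fw", "2.3.1", "firmware"),
    [("mbedtls", "3.6.2", "library"), ("lwip", "2.2.0", "library"), ("zephyr", "3.7.0", "operating-system")],
    "2026-04-28T00:00:00Z",
)

# Same document with two typical defects: a component without a version, and a
# dependency reference that points at nothing in the component list.
BROKEN_SBOM = copy.deepcopy(GOOD_SBOM)
BROKEN_SBOM["components"][0]["version"] = ""
BROKEN_SBOM["dependencies"][0]["dependsOn"].append("pkg:generic/openssl@3.0.0")

if __name__ == "__main__":
    print(to_json(GOOD_SBOM))
    print("good:", check_sbom(GOOD_SBOM))
    print("broken:", check_sbom(BROKEN_SBOM))
```

Run the file to see the generated document and the two findings on the broken copy. Real tooling (cyclonedx-cli, syft, trivy) will produce the document from a build; the value of a small check like this is gating the release pipeline on the document actually naming the product and its top-level dependencies, which is the part the CRA asks for.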
Why this matters
If you're already certified against ISO 27001 plus a product standard (EN 303 645 or IEC 62443), you've done roughly 90% of the work. These five gaps are what's left, and none of them requires re-architecting your product.
Related
- What does it take to be CRA compliant?
- Do I need CRA compliance?
- Can I self-assess my connected product security?
- EN 303 645 practical guide

