EN 40000 series standards for the Cyber Resilience Act

Harmonized standards for the Cyber Resilience Act explained: EN 40000-1-1 (terminology), EN 40000-1-2 (principles for cyber resilience) and EN 40000-1-3 (vulnerability handling).

Positioning of EN 40000 in the context of EU cybersecurity regulation

The Cyber Resilience Act (CRA) defines essential requirements for the cybersecurity of products with digital elements in Annex I. These requirements are deliberately formulated at an abstract level and address both technical product characteristics and organizational obligations across the entire product lifecycle.

The standards in the EN 40000 series are designed as horizontal standards to support the Cyber Resilience Act. They structure and specify the requirements formulated in the CRA without being legally binding themselves. The aim of the series is to create a uniform reference framework for interpreting the CRA requirements, especially with regard to risk assessment, security principles and vulnerability handling.

Current standardization status and distinction between EN and prEN

The standards of the EN 40000 series are currently (as of the end of 2025) mostly at draft or discussion stages within the European standardization bodies. The standardization process typically begins with a prEN (preliminary European standard or draft standard), which serves public discussion, commenting and consensus-building. A prEN is formally not yet a binding standard but an intermediate status that can be converted into an EN (European Standard) after internal revision and approval by the national standards organizations.

An EN, by contrast, is an adopted European standard that has been officially taken over by the member standards organizations (e.g., DIN in Germany) - including unchanged adoption into national standards collections. EN standards therefore stand on a legally and practically higher level than prENs: they are stable references for regulation, contract drafting or harmonization. prEN texts can still change substantially in content, are not binding as drafts and are subject to revision. Manufacturers should therefore always keep the draft status and possible deviations from the final EN in mind when using prEN content.

In the case of the EN 40000 series, several parts are currently available as prENs. These drafts can be viewed via the DIN standards portal, which allows early technical orientation but does not replace the later formal consolidation into an EN.

In practice, working with prEN drafts raises questions: What can already be used, what is still provisional and where are the risks? If you want to clarify this distinction for your CRA preparation, a short alignment discussion can help.

Structure of the EN 40000 series

The series is modular and covers different layers of cybersecurity:

prEN 40000-1-1 - vocabulary

This standard defines central terms in the context of the cybersecurity of products with digital elements. It provides a common vocabulary required for the consistent application of the other standards. Substantively, it contains only term definitions and no normative requirements for products or processes.

prEN 40000-1-2 - principles for cyber resilience

This part describes fundamental principles of cyber resilience, including risk-based approaches, security by design, secure by default and transparency. The standard formulates general guiding principles and places them along the product lifecycle. Substantively, it corresponds in large parts to the abstract requirements from Annex I Part I No. 1 of the Cyber Resilience Act.

prEN 40000-1-3 - vulnerability handling

EN 40000-1-3 specifies the requirements for handling vulnerabilities across the entire product lifecycle. The focus is on organizational and procedural aspects of vulnerability handling, including receipt, assessment, remediation, communication and tracking of vulnerabilities. The standard incorporates established concepts such as coordinated vulnerability disclosure, SBOMs, regular testing as well as update and information processes and frames them in a CRA-compliant manner. Substantively, it particularly addresses the obligations from Annex I Part II of the Cyber Resilience Act.

prEN 40000-1-4 - generic security requirements

EN 40000-1-4 will be the central technical standard of the horizontal EN 40000 series. While the preceding parts define terms, principles and processes, this part will specify the generic security requirements for products with digital elements in the sense of the CRA.

The standard builds systematically on the EN 18031 standards series, which was originally developed for the Radio Equipment Directive (RED). Substantively, EN 40000-1-4 is structured along the 13 essential requirements from Annex I Part I No. 2 of the Cyber Resilience Act.

Contribution to presumption of conformity

It is important to clearly differentiate between normative alignment and legal effect:

Neither EN 40000-1-1 nor EN 40000-1-2 is suitable to establish a presumption of conformity under the Cyber Resilience Act. EN 40000-1-1 is a pure vocabulary standard without requirements. EN 40000-1-2 describes general principles that correspond in content to the statutory minimum requirements but do not translate them into verifiable, product-specific requirements.

EN 40000-1-3 does address concrete obligations for vulnerability handling but is also designed as a horizontal process standard. It should not be assumed that it alone establishes a presumption of conformity for specific products. Rather, it is expected to be used as a reference for the "state of the art" and as guidance for appropriate organizational measures.

The EN 40000 standards provide orientation but do not replace product-specific evidence. We are happy to discuss, without obligation, what role the EN 40000 series can realistically play in your conformity strategy - and where complementary standards or measures are required.

Relationship to other standards and norms

The EN 40000 series does not stand alone but complements the existing standards landscape. Content overlaps exist, among others, with IEC 62443-4-1 (secure development lifecycle), ISO/IEC 27001-related processes, ETSI standards in the radio domain as well as ISO/IEC standards for vulnerability disclosure and handling. Unlike many of these standards, EN 40000 is explicitly tailored to European product regulation and the CRA.

Practical note on availability

The EN 40000 standards are currently at the draft stage. The relevant draft standards can partly be viewed free of charge via the DIN standards portal. This gives manufacturers and other interested parties the opportunity to review and contextualize content early without yet having to invest in paid standard documents.

The draft standards are available from DIN Media. The standards can also be obtained via other national standards bodies (AFNOR, BSI, UNI etc.).

Current standardization status (December 2025)

The Deutsche Kommission Elektrotechnik Elektronik Informationstechnik (DKE) provides a regularly updated overview of CRA standardization projects. This documents the status of horizontal and vertical standardization projects for the Cyber Resilience Act as of December 2025.

The horizontal harmonized European standards of the EN 40000-1 series are at different stages of development:

Norm          Title                            Status (Dec. 2025)
EN 40000-1-1  Vocabulary                       Draft (prEN) available
EN 40000-1-2  Principles for cyber resilience  Draft (prEN) available
EN 40000-1-3  Vulnerability handling           Draft (prEN) in preparation
EN 40000-1-4  Generic security requirements    Draft (prEN) in preparation

In addition, supporting documents are being developed:

  • TR 40000-1-5: Technical report on threats and security objectives
  • Further technical specifications and reports on the application of EN 18037 in the CRA context

At the same time, extensive work is underway on vertical harmonized standards for specific product categories. The DKE overview lists more than 30 vertical standardization projects coordinated by ETSI, DIN and DKE. These cover product areas such as:

  • Network components (routers, switches, firewalls, VPN systems)
  • Software products (browsers, password managers, operating systems, hypervisors)
  • Smart-home and consumer products (smart locks, cameras, wearables, toys)
  • Industrial components (microcontrollers, ASICs, FPGAs, smart meter gateways)
  • Security components (hardware security modules, smartcards, secure elements)

For the OT area (operational technology), CRA-specific security profiles are also being developed based on the IEC 62443 standards series (EN 50XXX series), which connect established industrial cybersecurity requirements with the CRA essential requirements.

Guidance for manufacturers

For manufacturers of machinery, equipment and devices, the EN 40000 series should primarily be understood as a framework for orientation. It provides structured terminology and a consistent set of principles for classifying the cybersecurity requirements of the Cyber Resilience Act. Actual implementation and evidence of conformity, however, continue to be carried out through product-specific technical measures, established development processes and - where required - further, more specific standards.

Outlook

With the entry into force of the Cyber Resilience Act, the EN 40000 series will gain importance mainly as a reference framework for interpreting legal requirements. Even though the standards - particularly in their current prEN form - do not directly establish a presumption of conformity, they help to clarify what is understood as appropriate organizational and technical practice in the CRA context.

It is expected that the horizontal standards of the EN 40000 series will be supplemented by product-specific vertical standards in the future. Only at that level is it realistic to expect standards that may exert stronger legal effect for specific product categories.

For manufacturers, this means that EN 40000 should be seen less as an implementation standard and more as an orientation and classification instrument that helps to systematically structure CRA requirements and to anticipate regulatory developments early.

The EN 40000 standards are an important reference for interpreting the Cyber Resilience Act, but they are not a shortcut to compliance. If you would like to understand how to use EN 40000 sensibly to structure your CRA implementation, this can be clarified together in a non-binding discussion.