EN 40000 standard series for the Cyber Resilience Act

Harmonized standards for the Cyber Resilience Act: an overview of EN 40000-1-1 (terminology) and EN 40000-1-2 (Principles for Cyber Resilience).

Background and regulatory context

The Cyber Resilience Act entered into force on 10 December 2024 and provides a transition period of 36 months until the regulation becomes fully applicable. During this time, the European standardization organizations CEN and CENELEC are developing harmonized standards that enable manufacturers to benefit from a presumption of conformity with the essential cybersecurity requirements.

The EN 40000 series follows a two-part approach:

Horizontal standards: Apply across all products with digital elements. They define general principles, terminology and process requirements.

Vertical standards: Product-category-specific standards that concretize the horizontal requirements and define additional requirements relevant to the particular product category.

The standards in detail

prEN 40000-1-1 Vocabulary

This vocabulary standard establishes a unified terminology for the entire EN 40000 family. This is essential to avoid misunderstandings between different stakeholders and to ensure a consistent interpretation of the requirements.

Core terms include:

  • Acceptable risk
  • Activity and Asset
  • Authenticity, Availability, Confidentiality, Integrity
  • Product control
  • Residual cybersecurity risk
  • Security objective
  • Software package
  • Remediation and advisory

The standard additionally references terms from the Cyber Resilience Act itself and establishes cross-references to established standards such as ISO/IEC 27000, ISO/IEC 29147 and ISO/IEC 27035.

prEN 40000-1-2 Principles for Cyber Resilience

This is the most extensive and technically detailed standard so far. It comprises 64 pages and defines both foundational principles and concrete requirements for the entire product lifecycle.

Structure of the standard

The standard is divided into seven main sections:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Introduction
  5. Cybersecurity principles
  6. Risk management elements
  7. Cybersecurity activities

This is supplemented by four informative annexes:

  • Annex A: Coherence with vertical standards
  • Annex B: Cybersecurity supplier agreement example
  • Annex C: Relationship to CRA essential requirements
  • Annex D: Accessible and inclusive cybersecurity

Status and availability

The documents are currently in the CEN enquiry procedure. Stakeholders can submit comments until the conclusion of this procedure. After finalization they will be referenced as harmonized standards in the EU Official Journal and will then confer a presumption of conformity with the CRA.

Available at DIN Media:

The standards can also be obtained via other national standardization bodies (AFNOR, BSI, UNI etc.).

Outlook

The EN 40000 series will be complemented by further standards:

Planned horizontal standards:

  • Generic security requirements (catalogue of controls for Part I(2) of the CRA)
  • Vulnerability handling requirements
  • Further process- and activity-related standards

Vertical standards: Product-category-specific standards for IoT devices, industrial control systems, medical devices, automotive, etc.

Manufacturers should actively follow the development of these standards and participate in the standardization process. The commenting phase offers the opportunity to contribute practical experience and requirements.

Practical significance

The EN 40000 series provides manufacturers for the first time with concrete, operationalizable requirements for CRA compliance. The process-agnostic approach enables integration into existing development processes, whether waterfall, Agile or DevOps are used.

Particularly valuable are:

  • The clear structuring into input, requirement, output and assessment for each activity
  • Consideration of RDPS (Remote Data Processing Solutions) across all activities
  • The explicit treatment of third-party components and supply chain security
  • The integration of accessibility requirements
  • The CSSA template for structured supplier relationships

Manufacturers who already work according to ISO/IEC 62443, IEC 62443, ISO/IEC 27001 or similar standards will recognize many familiar concepts. EN 40000 harmonizes these approaches specifically for the CRA context and supplements them with product-specific aspects.

Support for implementing the EN 40000 series

The EN 40000 series forms the technical backbone for implementing the Cyber Resilience Act. For manufacturers of products with digital elements, this means not only integrating new requirements into existing development processes but also producing structured evidence across the entire product lifecycle - from the initial risk analysis through implementation to monitoring and vulnerability handling.

Secuvi supports companies in systematically implementing the requirements of the EN 40000 series. Whether establishing a risk-based cybersecurity approach, building product monitoring, drafting cybersecurity supplier agreements or preparing technical documentation for conformity assessment - we help develop pragmatic solutions that meet regulatory requirements and integrate into existing development methods.

We provide particularly strong support in aligning risk management under Clause 6 with the concrete cybersecurity activities under Clause 7, in building third-party component management, and in creating SBOMs and assessment documentation with technical and regulatory expertise.

If you are wondering how to efficiently integrate the EN 40000 requirements into your product development, we are happy to assist you.

More at: www.secuvi.com