Horizontal CRA standards EN 40000-1-1 & EN 40000-1-2

The first horizontal CRA standards are available. prEN 40000-1-1 and prEN 40000-1-2 define the cross-product framework for risk management and cybersecurity activities on which all product-specific standards are meant to build.

Horizontal before vertical — the foundation for all product categories

While ETSI has already published draft standards for specific product categories such as password managers, routers or operating systems, a cross-product baseline was missing until now. That gap is now closed by the newly available horizontal draft standards from CEN/CENELEC.

The difference

  • Horizontal standards (EN 40000) apply to all products with digital elements, regardless of category
  • Vertical standards (ETSI EN 304 6xx) refine the horizontal requirements for specific product categories

Only the combination of both types of standards yields a presumption of conformity under the CRA, and only once the finalized standards have been cited in the Official Journal of the EU.

prEN 40000-1-1 vocabulary

Establishes the common terminology for the entire standards family. It defines key terms such as Acceptable Risk, Residual Risk, Product Control and Security Objective, which is essential for consistent conformity assessment across all product categories: a manufacturer, an assessor and a vertical standard must all mean the same thing by "residual risk".

prEN 40000-1-2 principles for cyber resilience

The technical core. The standard defines four fundamental principles:

  • Risk-based approach
  • Security by design
  • Secure by default
  • Transparency

These are concretized in:

  • 6 risk management elements (product context, risk acceptance criteria, risk assessment, risk treatment, risk communication, risk monitoring)
  • 11 cybersecurity activities across the entire product lifecycle, including planning, requirements, architecture, implementation, verification and validation (V&V), production, issue management, monitoring, decommissioning and third-party management

Each activity is structured into Input, Requirement, Output and Assessment Criteria. The structure is process-agnostic, so it can be mapped onto different development methods without prescribing a particular one.

Interaction with vertical standards

The ETSI standards for specific product categories build on this framework:

  • Use cases concretize the product-context definition
  • Threat models follow the risk assessment framework
  • Product-specific mitigations implement the required controls
  • Assessment criteria complement the horizontal provisions

Annex A gives the authors of vertical standards explicit guidance on keeping them coherent with the horizontal framework.

Status and next steps

The documents are currently in the CEN/CENELEC enquiry procedure, during which stakeholders can submit comments via their national standards bodies. After finalization, references to the standards will be published in the Official Journal of the EU; only from that point do they confer a presumption of conformity.

Also in development in parallel:

  • Generic security requirements (horizontal control catalogue)
  • Vulnerability handling requirements (horizontal)
  • Further vertical standards by ETSI and other standards organizations

Recommendations

For manufacturers this is the right time:

  1. Study the horizontal standards and submit comments
  2. Implement a risk management framework according to EN 40000-1-2
  3. Prepare for the final vertical standards for your product category

Those who implement the horizontal requirements now will be well positioned once the final product-specific standards are published, since the vertical standards are designed to build on exactly that framework.

Availability

The drafts can be obtained via DIN Media and other national standards bodies.

Further information on the vertical ETSI standards can be found in our article on the ETSI draft standards.

Support for implementation

The EN 40000 family forms the technical backbone for implementing the Cyber Resilience Act. Secuvi supports companies in systematically implementing the horizontal requirements — from establishing the risk management framework to product monitoring and the design of cybersecurity supplier agreements.

More at: www.secuvi.com