Harmonized standards for the Cyber Resilience Act explaining EN 40000-1-1 (terminology) and EN 40000-1-2 (Principles for Cyber Resilience).
Background and regulatory context
The Cyber Resilience Act entered into force on 10 December 2024 and provides a transition period of 36 months until the regulation becomes fully applicable. During this time, the European standardization organizations CEN and CENELEC are developing harmonized standards that enable manufacturers to benefit from a presumption of conformity with the Essential Cybersecurity Requirements.
The EN 40000 series follows a two-part approach:
Horizontal standards: Apply across products with digital elements. They define general principles, terminology and process requirements.
Vertical standards: Product-category-specific standards that concretize the horizontal requirements and define additional requirements relevant to the particular product category.
The standards in detail
prEN 40000-1-1 Vocabulary
The standard with term definitions establishes a unified terminology for the entire EN 40000 family. This is essential to avoid misunderstandings between different stakeholders and to ensure a consistent interpretation of the requirements.
Core terms include:
- Acceptable risk
- Activity and Asset
- Authenticity, Availability, Confidentiality, Integrity
- Product control
- Residual cybersecurity risk
- Security objective
- Software package
- Remediation and advisory
The standard additionally references terms from the Cyber Resilience Act itself and establishes cross-references to established standards such as ISO/IEC 27000, ISO/IEC 29147 and ISO/IEC 27035.
prEN 40000-1-2 Principles for Cyber Resilience
This is the most extensive and technically detailed standard so far. It comprises 64 pages and defines both foundational principles and concrete requirements for the entire product lifecycle.
Structure of the standard
The standard is divided into seven main sections:
- Scope
- Normative references
- Terms and definitions
- Introduction
- Cybersecurity principles
- Risk management elements
- Cybersecurity activities
This is supplemented by four informative annexes:
- Annex A: Coherence with vertical standards
- Annex B: Cybersecurity supplier agreements example
- Annex C: Relationship to CRA Essential Requirements
- Annex D: Accessible and inclusive cybersecurity
Status and availability
The documents are currently in the CEN enquiry procedure. Stakeholders can submit comments until the conclusion of this procedure. After finalization they will be referenced as harmonized standards in the EU Official Journal and will then give a presumption of conformity with the CRA.
Available at DIN Media:
- DIN EN 40000-1-1:2025-11 (Draft) – Vocabulary
- DIN EN 40000-1-2:2025-11 (Draft) – Principles for Cyber Resilience
The standards can also be obtained via other national standardization bodies (AFNOR, BSI, UNI etc.).
Outlook
The EN 40000 series will be complemented by further standards:
Planned horizontal standards:
- Generic security requirements (catalogue of controls for Part I(2) of the CRA)
- Vulnerability handling requirements
- Further process- and activity-related standards
Vertical standards: Product-category-specific standards for IoT devices, industrial control systems, medical devices, automotive, etc.
Manufacturers should actively follow the development of these standards and participate in the standardization process. The commenting phase offers the opportunity to contribute practical experience and requirements.
Practical significance
The EN 40000 series provides manufacturers for the first time with concrete, operationalizable requirements for CRA compliance. The process-agnostic approach enables integration into existing development processes, whether a waterfall, Agile or DevOps model is used.
Particularly valuable are:
- The clear structuring into input-requirement-output-assessment for each activity
- Consideration of RDPS (Remote Data Processing Solutions) across all activities
- The explicit treatment of third-party components and supply chain security
- The integration of accessibility requirements
- The CSSA template for structured supplier relationships
Manufacturers who already work according to ISO/IEC 62443, IEC 62443, ISO/IEC 27001 or similar standards will recognize many familiar concepts. EN 40000 harmonizes these approaches specifically for the CRA context and supplements them with product-specific aspects.
Support for implementing the EN 40000 series
The EN 40000 series forms the technical backbone for implementing the Cyber Resilience Act. For manufacturers of products with digital elements, this means not only integrating new requirements into existing development processes but also structured evidence across the entire product lifecycle — from the initial risk analysis through implementation to monitoring and vulnerability handling.
Secuvi supports companies in systematically implementing the requirements of the EN 40000 series. Whether establishing a risk-based cybersecurity approach, building product monitoring, drafting cybersecurity supplier agreements or preparing technical documentation for conformity assessment — we help develop pragmatic solutions that meet regulatory requirements and integrate into existing development methods.
We provide particularly strong support in aligning risk management under Clause 6 with the concrete cybersecurity activities under Clause 7, in building third-party component management, and in creating SBOMs and assessment documentation with technical and regulatory expertise.
If you are wondering how to efficiently integrate the EN 40000 requirements into your product development, we are happy to assist you.
More at: www.secuvi.com