EU Cyber Resilience Act: Standardisation Activities Update
This blog was originally posted on 27th March, 2026. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.
AUTHORED BY GISELLE CHIA, REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS
Key Insight
This blog provides a comprehensive overview of the standardisation progress under the EU Cyber Resilience Act (CRA) to help manufacturers prepare for full compliance by December 2027. It outlines the specific horizontal and vertical standards being developed by CEN, CENELEC, and ETSI to ensure products with digital elements meet essential cybersecurity and vulnerability handling requirements.
Introduction
The EU CRA took effect on 10 December 2024 and will be fully applicable from 11 December 2027. Manufacturers of products with digital elements need to start preparing as early as possible to ensure their products meet all CRA requirements by the deadline, avoiding penalties, legal consequences and damage to their market reputation. Harmonised standards are vital for manufacturers to establish a presumption of conformity and demonstrate compliance with the CRA.
In April 2025, the three ESOs (CEN, CENELEC and ETSI) officially accepted Standardisation Request M/606 from the European Commission to develop a set of 41 EU-wide harmonised standards for CRA compliance by Q3 2026. The request covers both horizontal (product-agnostic) and vertical (product-specific) standards.
At CEN and CENELEC, four working groups have been established to lead the work:
- CEN-CLC/JTC 13 WG 9 and WG 6
- CEN/TC 224 WG 17
- CLC/TC 65X WG 3
- CLC/TC 47X
At ETSI, a new ETSI EUSR has been established within ETSI TC Cyber to deliver the necessary harmonised standards.
Want to find out more about evolving cybersecurity regulations? Check out our webinar-on-demand ‘New Rules, New Risks: Latest Cybersecurity & Data Protection Impacts on Product Compliance’.
Horizontal Standards
CEN and CENELEC are leading the development of horizontal standards. The EN 40000 series is the cornerstone of the CRA, primarily developed by CEN-CLC/JTC 13 WG 9 to provide a uniform horizontal framework that applies to all products with digital elements. The series, organised under the EN 40000-1-X sub-series, is structured into four core parts, each addressing a specific pillar of the CRA’s essential cybersecurity requirements. As of March 2026, three drafts have completed the public enquiry stage and are currently under approval: prEN 40000-1-1 (Vocabulary), prEN 40000-1-2 (Cyber Resilience Principles), and prEN 40000-1-3 (Vulnerability Handling). The final part of this series, prEN 40000-1-4 (Generic Security Requirements), is still under drafting.
prEN 40000-1-1 Cybersecurity Requirements for Products with Digital Elements – Vocabulary
This standard specifies the terms and definitions commonly used in the EN 40000 series. The draft is available at the German Institute for Standardization’s website, DIN Media: DIN EN 40000-1-1:2026-03 – Draft.
prEN 40000-1-2 Cybersecurity Requirements for Products with Digital Elements – Part 1-2: Principles for Cyber Resilience
This standard specifies general cybersecurity principles and risk management activities, covering every stage of the product lifecycle to ensure an appropriate level of cybersecurity based on the risks.
The key contents include:
- Generic cybersecurity principles applicable to all stages of the product lifecycle;
- Requirements for risk assessment and treatment of cybersecurity risks;
- Requirements on activities that can be applied to ensure an appropriate level of cybersecurity at every stage of the product lifecycle.
As the cornerstone of this series, it provides generic elements and considerations to support the development of vertical standards.
This is a process standard and implementation is demonstrated through documented process outputs. The draft is available at DIN Media: DIN EN 40000-1-2:2026-03 – Draft.
prEN 40000-1-3 Cybersecurity Requirements for Products with Digital Elements – Part 1-3: Vulnerability Handling
The standard supports Annex I, Part II of the CRA and provides specifications applicable to the vulnerability handling processes to be put in place by manufacturers. At a minimum, these processes must make it possible to:
- Identify and document vulnerabilities, including by drawing up a software bill of materials (SBOM);
- Address and remediate vulnerabilities without delay, including by providing security updates;
- Apply effective and regular tests and reviews of the security of the product;
- Share and publicly disclose information about fixed vulnerabilities;
- Put in place and enforce a policy on coordinated vulnerability disclosure;
- Facilitate the sharing of information about potential vulnerabilities, including by providing a contact address for the reporting of vulnerabilities;
- Provide for mechanisms to securely distribute updates in a timely and automatic manner;
- Ensure that security updates are disseminated without delay and free of charge, and accompanied by advisory messages, including on potential action to be taken.
This is a process standard and implementation is demonstrated through documented process outputs as well as actions in the market (updates, notifications, recalls, etc.).
The draft is available at DIN Media: DIN EN 40000-1-3:2026-02 – Draft.
prEN 40000-1-4 Cybersecurity Requirements for Products with Digital Elements – Part 1-4: Generic Security Requirements
This standard specifies the generic technical cybersecurity requirements as well as assessment criteria to fulfil the essential requirements of Annex I, Part I, (2)(a) through (2)(m) of the CRA. Where appropriate, multiple alternative requirements are provided. Guidance will also be provided to support users of the standard in selecting the appropriate requirements to address the identified risks, demonstrating the relation between cybersecurity threats and requirements. Importantly, it is built upon the EN 18031 series, augmented with additional security controls to cover the scope of the CRA. Public enquiry of the draft is expected to take place from mid-July to mid-November 2026.
This is a product standard and implementation is demonstrated through the product itself and/or supported by technical documentation. In March 2026, CEN and CENELEC co-hosted an online workshop providing a practical exploration of how the standard establishes a coherent library of security controls, their objectives, and corresponding assessment criteria. Event details, presentation and recording can be accessed here: CRA Standards Unlocked: Deep Dive Session Security Controls – Generic security requirements.
Other Sector-Specific Standards
CEN-CLC/JTC 13 WG 6
CEN-CLC/JTC 13 WG 6 is in charge of developing prEN XXX Cybersecurity requirements for products with digital elements – Smart Meter Gateway. This standard provides requirements applicable to smart meter gateways within smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944, and to other devices for advanced security purposes, including secure cryptoprocessing. WG 6 is assessing which products can be covered by this standard.
CEN/TC 224 WG 17
CEN/TC 224 WG 17 is working on standards for strengthening the interoperability and security of personal identification and its related personal devices with secure elements, systems, operations and privacy in a multi-sectorial environment.
prEN 18330 Cybersecurity requirements for smartcards or similar devices, including secure elements – Application layer is undergoing public enquiry until April 2026. The draft is available at DIN Media: DIN EN 18330:2026-03 – Draft.
prEN XXX Cybersecurity requirements for identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers and prEN XXX Cybersecurity requirements for Hardware Devices with Security Boxes are currently under drafting.
CLC/TC 65X WG 3
CLC/TC 65X WG 3 is carrying out standardisation work for systems and elements used for industrial process measurement, control and automation at CENELEC level. Drafts are being prepared based on the existing IEC 62443 standard, including:
- prEN 50770-1 Security for Operational Technologies – Part 1: Security Profile for firewalls and intrusion detection and prevention systems
- prEN 50770-2 Security for Operational Technologies – Part 2: Security Profile for network management systems
- prEN 50770-3 Security for Operational Technologies – Part 3: Security Profile for physical and virtual network interfaces
- prEN 50770-4 Security for Operational Technologies – Part 4: Security Profile for products with digital elements with the function of virtual private network (VPN)
- prEN 50770-5 Security for Operational Technologies – Part 5: Security Profile for routers, modems intended for the connection to the internet, and switches
- prEN 50770-6 Security for Operational Technologies – Part 6: Security Profile for security information and event management (SIEM) systems
CLC/TC 47X
CLC/TC 47X focuses on semiconductors and trusted chips implementation. It is establishing a common framework for the design, manufacture, and use of semiconductor devices and trusted chips, with a focus on improving security, privacy, and resilience against cyber-attacks. The drafts are currently in the public enquiry phase:
- prEN 50764:2026 Cybersecurity requirements for platforms of smartcards and similar devices including secure elements
- prEN 50765:2026 Cybersecurity requirements for microprocessors and microcontrollers with security-related functionalities
- prEN 50766:2026 Cybersecurity requirements for tamper-resistant microprocessors and microcontrollers
Vertical Standards
The ETSI EUSR is leading the development of vertical standards applicable to specific product categories. As of March 2026, the drafts have been released for public consultation and are freely accessible on the ETSI Open Area. The standards cover 18 product categories:
- EN 304 617 Browsers
- EN 304 618 Password managers
- EN 304 619 Software that searches for, removes, or quarantines malicious software (Antivirus)
- EN 304 620 Virtual Private Networks (VPNs)
- EN 304 621 Network Management Systems (NMS)
- EN 304 622 Security Information and Event Management (SIEM) systems
- EN 304 623 Boot managers
- EN 304 624 Public Key Infrastructure (PKI) and digital certificate issuance software
- EN 304 625 Physical and virtual network interfaces
- EN 304 626 Operating Systems (OS)
- EN 304 627 Routers, modems intended for the connection to the internet, and switches
- EN 304 631 Smart home general purpose virtual assistants
- EN 304 632 Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
- EN 304 633 Internet connected toys
- EN 304 634 Personal wearable products
- EN 304 635 Hypervisors and container runtime systems
- EN 304 636 Firewalls, intrusion detection and/or prevention systems
- EN 304 642 Network functions of telecommunications systems
Immediate Actions for Manufacturers
Despite the 2027 deadline, manufacturers cannot afford to wait until the harmonised standards are formally published. Given the complexity of product design, compliance processes, and supply chain adjustments required, taking early steps is crucial.
All information on the CRA standards development activities is publicly available on the STAN4CR website. Additionally, CYBERSTAND.eu aims to assist EU stakeholders in engaging with the CRA standardisation process. Manufacturers and affected stakeholders are advised to use these resources regularly to track updates, monitor deadlines, review new drafts, and actively participate in public consultations, both to stay informed and to contribute their input to the standardisation process.
For further information on cybersecurity legislation, check out our guide ‘Product Safety in the Digital Age: Understanding New Cybersecurity Rules’.