
Cyber Resilience Act (CRA): Understanding the EN 40000-1-x Series for Cybersecurity Compliance

Note: the EN 40000-1-x series has not yet been published in the OJEU. Most parts of EN 40000-1-x are still in draft.

An evolving context

The Cyber Resilience Act (CRA) is on its way! To help manufacturers, the European Union (EU) is creating a uniform cybersecurity framework with the objective of raising the overall level of cybersecurity.

The European Commission has a set of 41 standards in support of the CRA! These include both horizontal and vertical standards, intended to help manufacturers implement the essential cybersecurity requirements.

Vertical vs Horizontal: what is the difference?

Vertical standards are often described as “product-specific”: they provide a set of requirements for “Important” and “Critical” products as defined in the CRA (Annex III and IV). In addition, vertical standards can provide a presumption of conformity for product types, taking into account the risks involved in their intended purpose or reasonably foreseeable use.

Figure 1: Example of upcoming vertical standards for the CRA (source: vulnir.com/)

Horizontal standards, on the other hand, provide a common framework that promotes coherence and offers horizontal processes for compliance with the CRA. Horizontal standards are therefore considered more “generic”, meaning they can apply to the vast majority of products, and in particular to products classified as “default” under the CRA.

This approach is useful because of its “flexibility”: it addresses different technologies and industries in a “sector-neutral” manner. However, it can leave room for interpretation, which can make the requirements difficult to implement in practice.

This is where the EN 40000-1-x series is useful to manufacturers!

EN 40000-1-x horizontal series: the right toolbox for your default product

The EN 40000-1-x series was developed specifically to close implementation gaps and to provide guidance for a consistent interpretation of the regulatory requirements, especially when your product falls into the default category.

Four parts are particularly handy for manufacturers:

  • EN 40000-1-1: Vocabulary and definitions
  • (draft) EN 40000-1-2: Principles for cybersecurity resilience, guidance for risk assessment and generic activities for product development and maintenance
  • (draft) EN 40000-1-3: Vulnerability handling process within the product life cycle
  • (no draft yet) EN 40000-1-4: Generic security requirements, concrete controls and assessment criteria

A set of tools helping manufacturers cover their CRA obligations:

Figure 2: EN 40000-1-x vs CRA

A framework that does not start from scratch

The EN 40000-1-x series takes its inspiration from multiple well-established frameworks.

EN 40000-1-2, for instance, applies the same life-cycle logic as the one described in EN IEC 62443-4-1 (secure development life cycle, SDLC) for industrial automation components, also covering threat analysis, secure design, implementation, verification and maintenance.

EN 40000-1-3 takes good practices from ISO/IEC 31000, used for vulnerability handling, and from ISO/IEC 29147, used for vulnerability disclosure.

EN 40000-1-4 inherits from both the EN 18031-x series (developed specifically under the RED-DA regulation) and EN IEC 62443-4-2. EN 40000-1-4 takes the same structure and transposes it to the CRA framework, creating a useful horizontal catalogue of cybersecurity mechanisms applicable to a large variety of products.

None of these frameworks is a stranger to SERMA, which makes us the right partner to talk to!

What can SERMA Safety & Security provide?

Based on its strong experience helping customers with the RED-DA regulation and with complex frameworks such as EN IEC 62443 or ISO 21434, SERMA Safety & Security is well placed to guide you.

Here is an example of the support we can provide in the case of a default product:

Figure 3: SERMA Safety & Security services

Timeline for the EN 40000-1-x series

The development of the EN 40000-1-x series is an ongoing process:

  • August 2026: expected delivery of EN 40000-1-2 and EN 40000-1-3.
  • 30 October 2027: targeted publication date for EN 40000-1-4.
