Understand how the horizontal standards (EN 40000‑1‑x family) relate to the presumption of conformity under the CRA Regulation (EU) 2024/2847, what the pathway looks like, and what to do while harmonized standards are still being finalized.
Note: The relevance for (also) meeting harmonized product verticals for the presumption of conformity will be addressed in a later article. For now, the focus is only on the harmonized horizontal family EN 40000-1-x.
DISCLAIMER: At the time of writing, no harmonized standards for the CRA are cited in the Official Journal. This article is based on draft insights that I’ve collected from various sources. This is not in any way to be seen as legal advice.
CRA and harmonized standards
The CRA is the legal baseline. Harmonized standards — once cited in the Official Journal of the EU (OJEU) — are the practical mechanism that gives manufacturers a presumption of conformity with the CRA’s essential cybersecurity requirements.
Legal mechanics: how harmonized standards create presumption of conformity
Under the New Legislative Framework model embedded in the CRA, the Regulation sets essential requirements. Harmonized standards provide technical specifications that, if applied, allow a manufacturer to claim a presumption that those essential requirements are met. The chain is simple in principle:
Cyber Resilience Act (CRA): The Path to Presumption of Conformity
1. Legislative Foundation: CRA sets essential requirements defined in Annex I and related Articles.
2. Technical Standards: Standards bodies (CEN/CENELEC/ETSI) develop standards that map to those requirements (the EN 40000‑1‑x family is the horizontal set intended to cover generic cybersecurity requirements for products with digital elements).
3. Harmonization: The Commission cites specific standards in the Official Journal (OJEU) to trigger legal harmonization.
4. Presumption of Conformity: Once cited in the OJEU, a manufacturer that applies the cited standard(s) in full can rely on a presumption of conformity for the aspects covered by those standards, simplifying conformity assessment and market surveillance interactions.
NOTE: That presumption is limited to the scope and clauses of the cited standard(s). If a product’s risk profile or intended use falls outside the standard’s scope, or the manufacturer deviates from the standard, the presumption does not apply.
What the EN 40000-1-x family is intended to do
The EN 40000‑1‑x series is being developed as a horizontal (product‑agnostic) set of standards to translate CRA Annex I requirements into implementable technical measures, testable criteria, and documentation practices.
EN 40000 Series: Horizontal Harmonized Standards for CRA (CEN / CENELEC JTC 13, Mandate M/606)
- EN 40000-1-1 Vocabulary: Shared terminology for all CRA standards
- EN 40000-1-2 Cyber Resilience Principles (PT1): Risk-based lifecycle processes (CRA Annex I Part I(1))
- EN 40000-1-3 Vulnerability Handling (PT3): CRA Annex I Part II (CVD, SBOM, updates, disclosure)
- EN 40000-1-4 Security Requirements (PT2): Maps CRA Annex I Part I (2)(a-m) to security objectives
- TR 40000 1-5 Threats & Objectives: Common threat catalogue & objective framework
While standards are not yet cited: do not wait to act
Assuming that you’re able to access the draft EN 40000-1-x, treat these and related technical documents as best‑practice blueprints. Implement their measures where feasible to reduce risk and be ready to claim the presumption once a citation occurs.
Maintain robust technical documentation (Article 31) and a living cybersecurity risk assessment. These are mandatory irrespective of harmonized standards.
Also, prepare SBOM processes, vulnerability‑handling workflows, and update/versioning policies now — these are core CRA obligations and will be central to any harmonized standard clauses.
Act — do not wait!
1. Portfolio Mapping: Map product portfolios to the CRA definitions and identify which EN 40000‑1‑x parts will be most relevant.
2. Adopt Clauses: Adopt draft standard clauses into development and QA pipelines now, and treat them as state‑of‑the‑art guidance.
3. Document: Strengthen documentation: ensure technical files, SBOMs, and vulnerability logs are structured correctly.
4. Conformity Routes: Plan conformity routes: decide which module you will use once harmonized standards are cited, and prepare evidence.
5. Monitor OJEU: Monitor the OJEU (for the implementing decision) and Commission communications; update declarations immediately after citation.
When standards are cited
If you have already implemented the standard clauses, you will be able to rely on the presumption of conformity for the covered aspects — this simplifies market surveillance interactions and reduces the evidentiary burden. If you deviate from the standard, document the deviation and the compensating measures; the presumption will not apply to deviated clauses.
From the point of view of notified bodies and market surveillance authorities, the harmonized standards will provide a common technical yardstick, reducing interpretation variance and enabling more consistent assessments across Member States in the EU.
Wrap-up
Harmonized standards are the bridge between legal requirements and technical practice. The EN 40000‑1‑x family is designed to be that bridge for the CRA, but the legal effect — the presumption of conformity — only arrives with OJEU citation. For now, treat the standards as the authoritative technical roadmap: implement, document, and be ready to convert that technical work into a legal presumption as soon as the Commission cites the standards.
Finally, as mentioned at the start, for products classified as “Important” or “Critical”, meeting the harmonized horizontal standards is not enough to gain the presumption of conformity. I’ll return to harmonized product verticals in a later article.
See the next article EN 40000-1-x: A sneak-peek under the hood.

