Harmonized standards for the CRA: EN 40000, ETSI and EN 50770

Overview of the EN 40000 series, ETSI EN 304 6xx and EN 50770: structure, status and what they mean for manufacturers under the Cyber Resilience Act.

For manufacturers, the CRA does not create a single “CRA standard”, but rather a landscape of standards made up of several series: the horizontal EN‑40000 series for all products with digital elements, product‑specific ETSI standards for IT and consumer products, and the EN‑50770 series for OT products based on IEC 62443. This article explains which standards series are currently being developed, how they interact and what manufacturers should prepare before the listing in the Official Journal.

The presumption of conformity is the real lever behind harmonized standards. If a product with digital elements and the procedures defined by the manufacturer conform to a harmonized standard whose reference is published in the Official Journal, conformity with the essential requirements in Annex I is presumed to the extent that the standard covers those requirements.

If such a standard is missing, the Commission can adopt common specifications by implementing act. Compliance with those specifications can also satisfy the essential requirements. For manufacturers this means: the route via standards is the preferred, but not the only, path to the presumption of conformity.

Important: the CRA applies regardless of whether standards are harmonized in time. If no listed standard exists, the only thing that is unavailable is the convenient route of proof via the presumption of conformity. The requirements themselves remain binding and must be demonstrated by the manufacturer through their own technical and organizational evidence.

What is standardization work for the CRA focused on?

Standardization work is underway in three areas, driven by the European standardization organizations CEN, CENELEC and ETSI. One horizontal area applies to all products with digital elements; two vertical areas address specific product groups: one for IT and consumer products and one for operational technology (OT).

Stream              | Standards series   | Addressed products                  | Basis
Horizontal          | EN 40000 series    | All products with digital elements  | Core requirements
Vertical IT/consumer| ETSI EN 304 6xx    | IT and consumer products            | Product specific
Vertical OT         | EN 50770 series    | OT products                         | Based on IEC 62443

All three series are available as drafts as of April 2026 and are under development. Concrete harmonization or listing dates have not yet been set.

Horizontal standards: the EN‑40000 series

The EN‑40000 series is the horizontal base. It is intended to apply to all products with digital elements, regardless of product category. Four parts form the normative core, supplemented by an informative technical report. For a detailed classification see EN‑40000 series.

Part              | Function
EN 40000‑1‑1      | Terms and definitions for the entire series
EN 40000‑1‑2      | Principles for cyber resilience
EN 40000‑1‑3      | Vulnerability handling
EN 40000‑1‑4      | Generic security requirements
EN TR 40000‑1‑5   | Threats and security objectives (informative)

For manufacturers EN 40000‑1‑2, EN 40000‑1‑3 and EN 40000‑1‑4 are particularly relevant: principles and processes, vulnerability handling and generic security requirements will likely form the central areas of evidence.

Vertical standards for IT and consumer products: the ETSI EN 304 6xx series

A vertical series under the name ETSI EN 304 6xx is being developed for IT and consumer products. It targets individual product types with their own product‑specific requirements. Product types listed in the status overview include browsers, password managers, VPN solutions, SIEM systems, operating systems, as well as routers and switches.

The drafts in this series are still at an early stage. They already show the planned structure and initial product‑specific directions, but should not yet be treated as a stable basis for requirements. See the first ETSI draft standards for the CRA for an overview.

Vertical standards for OT: the EN‑50770 series

The EN‑50770 series is being developed for operational technology. It is particularly relevant for machine builders, automation vendors and suppliers of industrial components. The series defines security profiles for OT products, explicitly based on IEC 62443. Individual parts cover product groups such as VPN solutions, network management systems, SIEM systems, physical and virtual network interfaces, routers and switches, as well as firewalls, intrusion detection and intrusion prevention systems.

This OT strand is supported by annex adaptations (prAA) of selected IEC 62443 parts: IEC 62443‑3‑3 (system requirements), IEC 62443‑4‑1 (secure product development process) and IEC 62443‑4‑2 (technical component requirements). These serve as supporting standards for the vertical OT standards. The EN‑50770 series is also available as a draft as of April 2026.

How do IEC 62443 and EN 18031 fit in?

IEC 62443 is the established family of standards for the security of industrial automation and control systems and forms the basis of the OT strand. It is still formally open what role IEC 62443 will play within the CRA harmonization framework. In practice it remains a central reference point for OT manufacturers because the EN‑50770 series explicitly builds on IEC 62443. For the broader context see IEC 62443 for the CRA.

Another reference point is EN 18031. It is already used as a source of terminology in the current CRA draft standards. For manufacturers whose products communicate via radio, this provides a possible reference for the later transition from the Radio Equipment Directive to the CRA. What role EN 18031 plays in that transition depends on the CRA standards still to be issued. See EN 18031 and the Radio Equipment Directive for details. For connected consumer products there is also the ETSI EN 303 645 cybersecurity standard.

What does the status mean for manufacturers?

As long as no CRA standard is listed in the Official Journal of the European Union, the presumption of conformity via harmonized standards does not apply. But that does not mean manufacturers should wait. The essential requirements from Annex I of the Cyber Resilience Act remain applicable and must be demonstrated as part of the conformity assessment.

The current draft standards already indicate the direction in which later evidence will develop. Manufacturers can therefore already check which standards strand is relevant for their products and which existing evidence can be reused for that purpose. What matters is not only which standard will be harmonized later, but how evidence can be credibly provided until then.

A pragmatic approach for manufacturers is therefore:

  • Classify the product as a product with digital elements under the CRA
  • Check the product class: standard product, important product or critical product
  • Determine the appropriate standards series: horizontal, IT/consumer specific or OT specific
  • Assess existing evidence from IEC 62443, EN 18031, ETSI EN 303 645 or internal development processes
  • Derive gaps with respect to Annex I, vulnerability handling and technical documentation
  • Define an evidence strategy until the harmonized standards are listed

The most common pitfall is waiting for finished standards. The CRA’s start date does not depend on whether harmonized standards are already listed. Manufacturers who only start building up vulnerability handling, secure development processes, technical documentation and product evidence later will lose the time needed to establish exactly these structures.

Conclusion and outlook

The CRA standards landscape is organized along three strands: horizontal via the EN‑40000 series, vertical via the ETSI EN 304 6xx series for IT and consumer products, and via the EN‑50770 series for OT. As of April 2026 all three are available as drafts; listing in the Official Journal is still pending. The message for manufacturers is clear: the direction is set, evidence until listing relies on Annex I, and it is worthwhile to build the underlying processes now. For the overall framework of the Cyber Resilience Act see the overview page on the CRA.

CRA standards and evidence strategy classification

Which standards series will become relevant for your products, which existing evidence can be reused and how you can provide evidence until harmonized standards are listed cannot be answered in general terms. We classify your product portfolio along EN 40000, ETSI EN 304 6xx and EN 50770 and derive sensible next steps.
