Here you can find the 2026 updated mapping of standards, draft specifications, and workstreams relevant to CRA‑aligned products. The information is organised into four groups — Horizontal, Important Class I, Important Class II, and Critical— each highlighting a different level of scope and security relevance.
| Topic ID | Topic | Key standard(s) | Working group(s) | Relevant links and webinars |
|---|---|---|---|---|
| 1 | Principles for CyberResilience (Horizontal) | prEN 40000-1-2; prEN 40000-1-1 | CEN-CLC/JTC13 WG 9, PT1 | Webinar 'Standards supporting the Cyber Resilience Act' |
|
Horizontal baseline: cybersecurity principles + lifecycle risk-management activities for CRA-aligned products; uses shared vocabulary from prEN 40000-1-1. Status: Draft open to comments. Draft open to comments. Public enquiry (PE) from Oct 2025 to Jan 2026 (UNE). |
||||
| 2–14 | Generic Security Requirements (Horizontal) | prEN 40000-1-4 (Generic Security Requirements) | CEN-CLC/JTC13 WG 9, PT2 | Webinar 'Standards supporting the Cyber Resilience Act' Webinar 'Unlocking CRA Security Controls' |
|
Catalog of security requirements/controls manufacturers select & justify based on risk-management principles; intended as a common horizontal baseline and normative reference for vertical standards. Status: In development. |
||||
| 15 | Vulnerability handling (Horizontal) – PT3 | prEN 40000-1-3 (Vulnerability Handling) | CEN-CLC/JTC13 WG 9, PT3 | Webinar 'Standards supporting the Cyber Resilience Act' |
|
Defines vulnerability-handling and disclosure requirements across the product lifecycle (e.g., intake/triage, coordinated disclosure, fixes/updates and communications). Status: Draft open to comments. Public enquiry until 5th March 2026. |
||||
| Topic ID | Topic | Key standard(s) | Working group(s) | Relevant links and webinars |
|---|---|---|---|---|
| 16 | Identity management systems and privileged access management (PAM) software/hardware, incl. authentication & access control readers (incl. biometric readers) | No info. | CEN/TC 224 WG17 | |
| — | ||||
| 17a / 17b | Standalone (17b) and embedded browsers (17a) | EN 304 617 | ETSI CYBER EUSR | Draft ETSI EN 304 617 |
|
ETSI EUSR mature draft for browsers (standalone & embedded). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 18 | Password managers | EN 304 618 | ETSI CYBER EUSR | Draft ETSI EN 304 618 |
|
ETSI EUSR mature draft for password managers. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 19 | Software that searches for, removes, or quarantines malicious software | EN 304 619 | ETSI CYBER EUSR | Draft ETSI EN 304 619 |
|
ETSI EUSR mature draft for antivirus/antimalware products. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 20a / 20b | Products with digital elements with the function of virtual private network (VPN) | EN 304 620 | ETSI CYBER EUSR (20a); CLC/TC 65X WG3 (20b) | Draft ETSI EN 304 620 Webinar 'CRA Standards Unlocked: from EN IEC 62443 to CRA' |
|
ETSI EUSR mature draft for VPN products. CENELEC T65X: OT mapping based on 62443 series (WI 81652- Vertical: prEN 50XXX-4). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 21a / 21b | Network management systems | EN 304 621 | ETSI CYBER EUSR (21a); CLC/TC 65X WG3 (21b) | Draft ETSI EN 304 621 |
|
ETSI EUSR mature draft for network management systems. CENELEC T65X: OT mapping based on 62443 series (WI 81654- Vertical: prEN 50XXX-6). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 22a / 22b | Security information and event management (SIEM) systems | EN 304 622 | ETSI CYBER EUSR (22a); CLC/TC 65X WG3 (22b) | Draft ETSI EN 304 622 Webinar 'CRA Standards Unlocked: from EN IEC 62443 to CRA' |
|
ETSI EUSR mature draft for SIEM systems. CENELEC T65X: OT mapping based on 62443 series (WI 81651- Vertical: prEN 50XXX-3). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 23 | Boot managers | EN 304 623 | ETSI CYBER EUSR | Draft ETSI EN 304 623 |
|
ETSI EUSR mature draft for boot managers. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 24 | Public key infrastructure (PKI) and digital certificate issuance software | EN 304 624 | ETSI CYBER EUSR | Draft ETSI EN 304 624 |
|
ETSI EUSR mature draft for PKI & certificate issuance software. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 25 | Physical and virtual network interfaces | EN 304 625 | ETSI CYBER EUSR | Draft ETSI EN 304 625 |
|
ETSI EUSR mature draft for network interfaces. CENELEC T65X: OT mapping based on 62443 series (WI 81653- Vertical: prEN 50XXX-5). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 26 | Operating systems | EN 304 626 | ETSI CYBER EUSR | Draft ETSI EN 304 626 |
|
ETSI EUSR mature draft for operating systems. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 27 | Routers, modems intended for internet connection, and switches | EN 304 627 | ETSI CYBER EUSR | Draft ETSI EN 304 627 |
|
ETSI EUSR mature draft for routers/modems/switches. CENELEC T65X: OT mapping based on 62443 series (WI 81650- Vertical: prEN 50XXX-2). Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 28 | Microprocessors with security-related functionalities | EN50765 | CLC/TC 47X WG 1 | SEMI Presentation |
|
Referenced in SEMI presentation (Sept 17, 2025). Status: Public Enquiry (PE) / Enquiry ballot, a consultation and voting phase where comments are submitted through the national standards bodies. Expected due date PE: 2 May 2026. |
||||
| 29 | Microcontrollers with security-related functionalities | EN50765 | CLC/TC 47X WG 1 | SEMI Presentation |
|
Referenced in SEMI presentation (Sept 17, 2025). Status: Public Enquiry (PE) / Enquiry ballot, a consultation and voting phase where comments are submitted through the national standards bodies. Expected due date PE: 2 May 2026. |
||||
| 30 | ASIC and FPGA with security-related functionalities | EN50767 | CLC/TC 47X WG 4 | SEMI Presentation |
|
Referenced in SEMI presentation (Sept 17, 2025). Status: Public Enquiry (PE) / Enquiry ballot, a consultation and voting phase where comments are submitted through the national standards bodies. Expected due date PE: 2 May 2026. |
||||
| 31 | Smart home general purpose virtual assistants | EN 304 631 | ETSI CYBER-EUSR | Draft ETSI EN 304 631 |
|
ETSI EUSR mature draft for Smart home general purpose virtual assistants Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 32 | Smart home products with security functionalities (e.g., smart door locks, security cameras, baby monitors, alarm systems) | EN 304 632 | ETSI CYBER-EUSR | Draft ETSI EN 304 632 |
|
ETSI EUSR mature draft for Smart home products with security functionalities Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 33 | Internet connected toys (Directive 2009/48/EC) with social interaction or location tracking | EN 304 633 | ETSI CYBER-EUSR | Draft ETSI EN 304 633 |
| ETSI EUSR mature draft for Internet Connected toys. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| 34 | Personal wearable products (non-MDR/IVDR) incl. children’s wearables with health monitoring purpose | EN 304 634 | ETSI CYBER-EUSR | Draft ETSI EN 304 634 |
|
ETSI EUSR interim draft for Personal wearable products. Status: ETSI is running Open Consultations for these CRA “vertical” drafts. One can: 1- Download the draft from the ETSI docbox “Open” folder. 2- Use ETSI’s provided commenting format and follow the commenting guidelines (both are also in the same folder). 3- Track/raise issues in the ETSI STAN4CRA GitLab project for the selected standard. |
||||
| Topic ID | Topic | Key standard(s) | Working group(s) | Relevant links and webinars |
|---|---|---|---|---|
| 35 | Hypervisors and container runtime systems that support virtualised execution of OS and similar environments | EN-304-635 | ETSI CYBER-EUSR | Draft ETSI EN 304 635 |
| ETSI docbox mature draft for virtualisation/container runtime. | ||||
| 36a / 36b | Firewalls, intrusion detection and prevention systems | EN-304-636; EN 62443-5-XX (reference listed) | ETSI CYBER EUSR (36a); CLC/TC 65X WG 3 (36b) | Draft ETSI EN 304 636 Webinar 'CRA Standards Unlocked: from EN IEC 62443 to CRA' |
| ETSI docbox mature draft for firewalls; additional reference to IEC/EN 62443-5-XX listed. CENELEC T65X: OT mapping based on 62443 series (WI 81649- Vertical: prEN 50XXX-1). | ||||
| 37 | Tamper-resistant microprocessors | EN50766; SESIP (EN 17927:2023); Under consideration: Common Criteria (EN 18045-3:2022); FiT CEM | CLC/TC 47X WG 2 | SEMI Presentation |
| References SESIP and potential Common Criteria/FiT CEM; SEMI presentation link provided. | ||||
| 38 | Tamper-resistant microcontrollers | EN50766; SESIP (EN 17927:2023); Under consideration: Common Criteria (EN 18045-3:2022); FiT CEM | CLC/TC 47X WG 2 | SEMI Presentation |
| References SESIP and potential Common Criteria/FiT CEM; SEMI presentation link provided. | ||||
| Topic ID | Topic | Key standard(s) | Working group(s) | Relevant links and webinars |
|---|---|---|---|---|
| 39 | Hardware devices with security boxes | CEN/TC 224 WG17 | Webinar 'CRA Standards Unlocked: HWSB ' | |
| Draft standard under comments from the commision (until w7 of 2026). Public enquiry (PE) expected to start last week of March and expecting approval end 2026. Common Criteria EUCC using PPs listed in SOGIS Website. | ||||
| 40 | Smart meter gateways within smart metering systems | CLC/TC JTC13 WG6 | ||
| Common Criteria EUCC using Protection Profile for Smart Meter Gateways (BSI-CC-PP-0073) | ||||
| 41a / 41b | Smartcards or similar devices, including secure elements | EN50764 (Common Criteria) | CLC/TC 47X WG 3 CEN/TC 224 WG17 | Webinar 'CRA Standards Unlocked' Presentation 'CRA Standards Unlocked' |
| References Common Criteria EUCC, and SOGIS PPs. Based on Common Criteria (EN 18045-3:2022)+ use case dependent Protection Profile: • PP0084 • PP0117 • PP099 • PP0104 • PP TPM | ||||
Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.
They allow the operation of the website, loading media content and its security. See the cookies we store in our Cookies Policy.
They allow us to know how you interact with the website, the number of visits in the different sections and to create statistics to improve our business practices. See the cookies we store in our Cookies Policy.
Based on your behavior on the website (where you click, how long you browse, etc.) we establish parameters and a profile for you to display ads that correspond to your interests. See the cookies we store in our Cookies Policy.