Public enquiry concerning the new draft standard prEN 40000-1-3 ‘Vulnerability Handling’, in support of the Cyber Resilience Act
As mentioned in a previous article, the drafting of harmonised horizontal standards (not specific to a product type) for the Cyber Resilience Act (CRA) is underway within Working Group 9 of Technical Committee CEN/CLC/JTC 13. The prEN 40000-1-1 (Vocabulary) and prEN 40000-1-2 (Principles of cyber resilience) standards have already been submitted for public enquiry. Since 11 December 2025, standard prEN 40000-1-3 has in turn reached the public enquiry stage. This means that the various European national mirror committees of CEN/CLC/JTC 13 will have to give their opinion on this draft standard, including the Belgian mirror committee AGORIA-ICT/CCLC013, for which Agoria is the sector operator.
The prEN 40000-1-3 standard specifies the requirements and activities related to the vulnerability management process applicable to manufacturers of products with digital elements. The development of this standard is part of the European Commission's request for standardisation for the CRA and may therefore be eligible for harmonised standard status, thus offering a presumption of compliance with the CRA to manufacturers who apply it.
More specifically, this standard aims to address Part II of Annex I of the CRA, which contains 8 requirements relating to vulnerability handling. Given that product-specific (or “vertical”) standards will only cover aspects related to Part I of Annex I of the CRA, this horizontal standard is very important as it is the only CRA standard that will cover the vulnerability handling aspects.
To consult these standards, visit the NBN portal dedicated to public standards and enquiries. Click on ‘European Draft Standards’ and enter the number ‘40000’ to access the horizontal standards of the Cyber Resilience Act. It is also possible to comment on them. If the NBN receives comments from Belgian organisations during the public enquiry, these will be forwarded to the relevant Belgian mirror committee AGORIA-ICT/CCLC013 at the end of the public enquiry.
Did you know that anyone can participate in this mirror committee?
If you would like to participate in the Belgian mirror committee for cybersecurity standardisation, to closely follow the development of the horizontal standards of the Cyber Resilience Act, and possibly contribute to their development, please contact Arnaud Martin. Participation in Belgian mirror committees is open to all interested parties who wish to actively defend their interests or keep abreast of the latest developments, and is included in the membership fee for Agoria member companies.