prEN 40000-10

SLOVENSKI STANDARD
01-julij-2026
Bistvene zahteve kibernetske varnosti za izdelke - 10. del: Izdelki z digitalnimi
elementi, ki se uporabljajo v sistemih upravljanja identitete in programski ter
strojni opremi za vodenje privilegiranega dostopa, vključno z bralniki za
preverjanje pristnosti in nadzor dostopa, vključno z biometričnimi bralniki
Essential cybersecurity requirements for products - Part 10: Products with digital
elements used in identity management systems and privileged access management
software and hardware, including authentication and access control readers, including
biometric readers
Grundlegende Anforderungen an die Cybersicherheit für Produkte mit digitalen
Elementen, die in Identitätsmanagementsystemen und Software und Hardware für die
Verwaltung des privilegierten Zugangs verwendet werden, einschließlich
Authentifizierungs- und Zugangskontrollleser, einschließlich biometrischer Leser
Ta slovenski standard je istoveten z: prEN 40000-10
ICS:
35.030 Informacijska varnost IT Security
35.240.15 Identifikacijske kartice. Čipne Identification cards. Chip
kartice. Biometrija cards. Biometrics
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

DRAFT
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
May 2026
ICS 35.030; 35.240.15
English Version
Essential cybersecurity requirements for products - Part
10: Products with digital elements used in identity
management systems and privileged access management
software and hardware, including authentication and
access control readers, including biometric readers
Grundlegende Anforderungen an die Cybersicherheit
für Produkte mit digitalen Elementen, die in
Identitätsmanagementsystemen und Software und
Hardware für die Verwaltung des privilegierten
Zugangs verwendet werden, einschließlich
Authentifizierungs- und Zugangskontrollleser,
einschließlich biometrischer Leser
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/TC 224.
If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2026 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN 40000-10:2026 E
worldwide for CEN national Members.

Contents
European foreword . 6
Introduction . 7
1 Scope . 8
2 Normative references . 11
3 Terms, definitions, symbols and abbreviated terms . 12
3.1 Terms and definitions . 12
3.2 Symbols and abbreviated terms . 17
4 Product context . 18
4.1 Product functions. 18
4.2 Product architecture . 18
4.3 Operational environment . 19
4.3.1 Introduction . 19
4.3.2 General Description . 19
4.3.3 Connectivity Aspects . 19
4.4 Distribution of Security Functions . 20
4.5 Users . 20
4.6 Use Cases and security profiles . 20
5 Requirements on Products . 24
5.1 Introduction – Technical Guidance and Security Analysis . 24
5.1.1 General. 24
5.1.2 Requirement [REQ-TGSA-001] . 24
5.1.3 Requirement [REQ-TGSA-002] . 24
5.1.4 Requirement [REQ-TGSA-003] . 24
5.1.5 Requirement [REQ-TGSA-004] . 25
5.1.6 Requirement [REQ-TGSA-005] . 25
5.1.7 Requirement [REQ-TGSA-006] . 27
5.2 No known exploitable vulnerabilities . 27
5.2.1 Requirement [REQ-KEV-001] . 27
5.2.2 Requirement [REQ-KEV-002] . 28
5.2.3 Requirement [REQ-KEV-003] . 28
5.2.4 Requirement [REQ-KEV-004] . 28
5.2.5 Requirement [REQ-KEV-005] . 28
5.2.6 Requirement [REQ-KEV-006] . 29
5.2.7 Requirement [REQ-KEV-007] . 29
5.2.8 Requirement for the basic security profiles [REQ-KEV-008] . 29
5.2.9 Additional requirement for the substantial security profiles [REQ-KEV-009] . 29
5.2.10 Additional requirement for the high security profiles [REQ-KEV-010] . 29
5.2.11 Additional requirement for the high security profiles [REQ-KEV-011] . 30
5.3 Secure by design . 30
5.3.1 Requirement [REQ-SBD-001] . 30
5.3.2 Requirement [REQ-SBD-002] . 30
5.3.3 Requirement [REQ-SBD-003] . 30
5.3.4 Requirement [REQ-SBD-004] . 31
5.3.5 Requirement [REQ-SBD-005] . 31
5.4 Secure updates - Requirement [REQ-SU-001] . 31
5.5 Authentication and access control . 31
5.5.1 Requirement [REQ-AC-001] . 31
5.5.2 Requirement [REQ-AC-002] . 31
5.6 Integrity and Confidentiality . 32
5.6.1 Requirement [REQ-CON-001] . 32
5.6.2 Requirement [REQ-CON-002] . 32
5.6.3 Requirement [REQ-CON-003] . 32
5.7 Data minimisation . 32
5.7.1 Requirement [REQ-DM-001] . 32
5.7.2 Requirement [REQ-DM-002] . 33
5.7.3 Requirement [REQ-DM-003] . 33
5.8 Availability protection . 33
5.8.1 Requirement [REQ-AP-001] . 33
5.8.2 Requirement [REQ-AP-002] . 33
5.8.3 Requirement [REQ-AP-003] . 33
5.9 Impact minimisation . 34
5.9.1 Requirement [REQ-IM-001] . 34
5.9.2 Requirement [REQ-IM-002] . 34
5.10 Minimisation of attack surfaces . 34
5.10.1 Requirement [REQ-MAS-001] . 34
5.10.2 Requirement [REQ-MAS-002] . 34
5.10.3 Requirement [REQ-MAS-003] . 35
5.10.4 Requirement [REQ-MAS-004] . 35
5.10.5 Requirement [REQ-MAS-005] . 35
5.11 Exploitation mitigation mechanisms. 35
5.11.1 Requirement [REQ-EMM-001] . 35
5.11.2 Requirement [REQ-EMM-002] . 35
5.12 Logging and monitoring . 36
5.12.1 Requirement [REQ-LOG-001] . 36
5.12.2 Requirement [REQ-LOG-002] . 36
5.13 Data removal and transparency . 36
5.13.1 Requirement [REQ-DRT-001]. 36
5.13.2 Requirement [REQ-DRT-002]. 36
5.13.3 Requirement [REQ-DRT-003]. 37
5.13.4 Requirement [REQ-DRT-004]. 37
5.14 Vulnerability handling . 37
5.14.1 Requirement [REQ-VH-001] . 37
5.14.2 Requirement [REQ-VH-002] . 37
5.14.3 Requirement [REQ-VH-003] . 38
5.14.4 Requirement [REQ-VH-004] . 38
5.14.5 Requirement [REQ-VH-005] . 38
5.14.6 Requirement [REQ-VH-006] . 38
5.14.7 Requirement [REQ-VH-007] . 38
6 Conformity assessment against the normative requirements . 40
6.1 Introduction . 40
6.2 Conformity assessment against the normative requirements . 43
6.2.1 Technical Guidance Requirements (5.1) . 43
6.2.2 Security Analysis and Security Profile Level Requirements (5.2) . 52
6.2.3 Secure-by-Design Requirements (5.3) . 56
6.2.4 Cybersecurity Analysis Requirements (5.4) . 71
6.2.5 Vulnerability Management Requirements (5.5) . 75
6.2.6 Security Profile Requirements (5.6) . 81
Annex A (informative) Hardware products . 84
Annex B (informative) Software products . 87
Annex C (informative) Physical access control system . 90
C.1 General architecture of a PACS . 90
C.2 Detailed description of subsystems containing products . 90
C.2.1 Opening and locking devices including on/off-line connected locks . 90
C.2.2 Reading modules . 90
C.2.3 Local processing unit . 91
C.2.4 Door and I/O modules . 91
C.2.5 Centralized access management . 91
C.2.6 User interfaces . 92
Annex D (informative) Identity management system . 93
D.1 General architecture of an IDMS . 93
D.2 Detailed description of subsystems containing Products . 93
D.2.1 Identity repositories and directory services . 93
D.2.2 Identity enrolment and provisioning components . 93
D.2.3 Authentication services . 94
D.2.4 Authorization and policy management services . 94
D.2.5 Governance, audit, and compliance components . 94
D.2.6 User interfaces and self-service tools . 94
Annex E (normative) Threat levels and severity levels of the security analysis. 95
Annex F (informative) Security problem definition . 97
F.1 Synthesis . 97
F.2 Rationale . 97
F.3 Description of the technical operating environment . 97
F.4 Assets to be protected . 97
F.5 Threats . 97
F.6 Security functions . 97

F.7 Threats coverage . 97
Annex G (normative) Product interfaces . 98
Annex H (informative) Product communication protocols . 101
Annex I (normative) Attacks rating methodology . 102
Annex J (informative) Cryptographic specifications proposed document structure . 105
J.1 General description of the product . 105
J.2 Keys architecture . 105
J.3 List of the cryptographic dependencies . 105
J.4 Mapping between the security functions and the cryptographic mechanisms . 105
J.5 Detail of the cryptographic mechanisms . 105
Annex K (normative) Cryptography . 106
K.1 State of the Art Cryptography (CRY-SOTA) . 106
K.1.1 Requirement . 106
K.1.2 Assessment criteria . 106
K.2 Crypto agility . 108
K.2.1 Requirement . 108
K.2.2 Assessment criteria . 109
Annex L (normative) Risk registry . 111
Annex R (normative) Additional provisions for products relying on remote data processing
solutions (RDPS) . 124
R.1 Scope & Applicability . 124
R.2 RDPS as a product-boundary extension . 124
R.X Standard-specific identification of RDPS-dependent functions, RDPS interface(s), and
RDPS . 125
R.X.1 RDPS-dependent product functions . 125
R.X.2 RDPS interface(s) . 125
R.X.3 RDPS(s) . 125
R.3 Threat Model . 126
R.3.1 General . 126
R.3.2 Assets . 126
R.3.3 Threat catalogue . 126
R.3.4 Assets ↔ Threats mapping . 128
R.4 Security Requirements . 128
R.4.1 General . 128
R.4.2 Local product side requirements . 129
R.4.3 RDPS side requirements . 133
R.4.4 Threats ↔ Requirements mapping. 137
R.4.5 Mapping of CRA Annex I to Annex R requirements . 138
R.5 Security controls and mitigation guidance for RDPS requirements (informative) . 141
R.5.1 General . 141
R.5.2 Controls catalogue for REQ-RDPS-L-001 . 141
R.5.3 Controls catalogue for REQ-RDPS-L-002 . 141
R.6 Conformity assessment . 141
R.6.1 General . 142
R.6.2 Conformity assessment for REQ-RDPS-L-001 . 142
R.6.3 Conformity assessment for REQ-RDPS-R-001 . 143
R.6.4 Conformity assessment for REQ-RDPS-R-004 . 144
Annex ZA (informative) Relationship between this European Standard and the essential
requirements of Regulation (EU) 2024/2847 (CRA) aimed to be covered . 147
Bibliography . 149

European foreword
This document (prEN 40000-10:2026) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardisation request addressed to CEN by the European
Commission. The Standing Committee of the EFTA States subsequently approves these requests for its
Member States.
For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this
document.
Introduction
This document has been prepared in response to a standardisation request issued by the European
Commission in support of the implementation of Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA).
The Cyber Resilience Act establishes horizontal cybersecurity requirements for products, including
requirements for the design, development and production of such products, as well as obligations for
economic operators throughout the lifecycle of those products. In particular, it lays down essential
cybersecurity requirements and conformity assessment procedures to ensure a high level of
cybersecurity within the Union.
This document specifies cybersecurity requirements and associated assessment provisions for identity
management systems that qualify as products and are classified as important products (Class 1) in
accordance with Commission Implementing Regulation (EU) 2025/2392.
The purpose of this document is to support manufacturers, conformity assessment bodies and other
relevant stakeholders in demonstrating conformity with the essential cybersecurity requirements set out
in Annex I of the Cyber Resilience Act for the category of products covered by its scope.
This document follows a risk-based approach, taking into account the specific characteristics, intended
use, and threat landscape applicable to identity management systems, including authentication,
authorisation, identity lifecycle management and access control functionalities. It defines relevant risk
profiles and maps them to corresponding cybersecurity requirements and assessment methods.

1 Scope
This document specifies cybersecurity requirements and associated assessment requirements for
identity management systems that qualify as products within the meaning of Regulation (EU) 2024/2847.
Such products are classified as important products (class 1) according to the implementing regulation
Commission Implementing Regulation (EU) 2025/2392.
Identity management systems are products that provide mechanisms for authentication or authorisation
and that may also provide mechanisms for the lifecycle management of identity credentials of natural
persons, legal persons, devices or systems, such as identity registration, provisioning, maintenance,
deregistration.
These systems include access management systems that control access of natural persons, legal persons,
devices or systems to digital resources or physical locations.
Privileged access management software is an access management system that controls and monitors
access rights to IT or OT systems and sensitive information within an organisation, including systems
enforcing differentiated access control policies for privileged users.
This category includes but is not limited to authentication and access control readers, biometric readers,
single sign-on software, federated identity management software, one-time password software,
hardware authentication devices such as transaction authentication number (TAN) generators,
authentication software and multi-factor authentication software.
This document covers:
• general description of the product belonging to that category and the product and/or components
such product with digital elements;
• description of their use case;
• security analysis;
• definition of applicable risk profiles to be considered for these product with digital elements;
• applicable cybersecurity requirements for each risk profile;
• applicable cybersecurity assessment and test requirements for each risk profile.
Products within the scope of this document:
The following non-exhaustive categories of products are within the scope of this document where their
primary or supporting function relates to identity management, authentication, authorisation, or logical
and physical access control to natural persons, legal persons, devices or systems.
Logical and Physical Identity lifecycle management
Products for:
• identity registration and enrolment;
• credential issuance, provisioning and activation;
• credential maintenance, suspension, revocation and deletion;
• identity wallets and digital credential containers;
• EUDI Wallet, EU Business Wallet;
• crypto asset Wallet;
• digital travel credential;
• middleware enabling the use, validation or verification of identity credentials;
• national or sectorial identity registries implemented as products;
• biometric databases;
• enrolment stations;
• digital transaction control components;
• mobile driving license;
• electronic identification products, including systems supporting digital product passport.
Logical and Physical Authentication
Products for:
• authentication software;
• multi-factor authentication (MFA) systems;
• two-factor authentication (2FA) systems;
• one-time password (OTP) software and hardware tokens;
• online authentication tokens;
• hardware authentication devices;
• single sign-on (SSO) systems;
• federated identity management systems;
• authentication and access control readers;
• biometric readers;
• presentation attack detection (PAD) software;
• identity attack detection (IAD) software;
• biometric matching software;
• automatic border control product;
• entry/exist product;
• ESTIA application.
Logical and Physical Biometric identity management
Products for:
• capture biometric data for enrolment purposes;
• perform biometric verification or identification;
• biometric matching;
• remote data processing system of biometric reference data;
• incorporate artificial intelligence components for biometric recognition, verification,
identification or fraud detection.
Logical and Physical Access management
Products for:
• logical access control systems;
• physical access control systems;
• access control readers and local control units;
• access control supervision and monitoring software;
• access management supervision systems;
• anti-intrusion systems;
• CCTV;
• smart lock.
Logical and Physical Privileged access management
• control and monitor access rights of privileged users;
• enforce differentiated access control policies;
• manage privileged credentials;
• monitor, record and audit privileged sessions;
• protect access to critical IT or OT systems and sensitive information.
Product not in the scope of this document:
All other important and critical products that are covered by harmonised standards as per the
standardisation request Mandate M/606 2025-02-03 such as:
• chip, Embedded OS, Applets;
• PKI products;
• cyber security products needed for securing IT infrastructures (VPN, SIEM….);
• all products that are classified as default such as the anti-fire detectors products.

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
prEN 40000-1-3:2025, Cybersecurity requirements for products with digital elements - Part 1-3:
Vulnerability Handling
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardisation at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
asset
anything that has value to an individual, an organization or a government
[SOURCE: ISO/IEC 27035-3:2020, 3.1]
3.1.2
authenticity
property that an entity is what it claims to be
[SOURCE: EN ISO/IEC 27000:2020, 3.6]
3.1.3
availability
property of being accessible and usable on demand by an authorized entity
[SOURCE: EN ISO/IEC 27000:2020, 3.7]
3.1.4
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: EN ISO/IEC 27000:2020, 3.10]
3.1.5
integrity
property of accuracy and completeness
[SOURCE: EN ISO/IEC 27000:2020, 3.36]
3.1.6
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a probability or a frequency over a given time
period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31000:2018, 3.7]
3.1.7
remediation
change made to a product or service to remove or mitigate a vulnerability
Note 1 to entry: A remediation typically takes the form of a binary file replacement, configuration change, or
source code patch and recompile. Different terms used for “remediation” include patch, fix, update, hotfix, and
upgrade. Mitigations are also called workarounds or countermeasures.
[SOURCE: EN ISO/IEC 29147:2020, 3.7]
3.1.8
residual risk
cybersecurity risk remaining after risk treatment
[SOURCE: EN ISO/IEC 27000:2020, 3.57]
3.1.9
product with digital elements
(hereinafter called “product”)
software or hardware product and its remote data processing solutions, including software or
hardware components being placed on the market separately
[SOURCE: CRA, Article 3(1)]
3.1.10
hardware
physical electronic information system, or parts thereof capable of processing, storing or transmitting
digital data
[SOURCE: CRA, Article 3(5)]
3.1.11
software
part of an electronic information system which consists of computer code
[SOURCE: CRA, Article 3(4)]
3.1.12
intended purpose
use for which a product with digital elements is intended by the manufacturer, including the specific
context and conditions of use, as specified in the information supplied by the manufacturer in the
instructions for use, promotional or sales materials and statements, as well as in the technical
documentation
[SOURCE: CRA, Article 3(23)]
3.1.13
embedded software
software product with digital elements loaded in a hardware Product with digital element, and in which
it is executed
Note 1 to entry: an embedded software is a sub part of a hardware Product with digital elements
3.1.14
hardware product with digital elements
product with digital elements that have the shape of a hardware
Note 1 to entry: hardware Product with digital elements are tangible

Note 2 to entry: a hardware Product with digital element can be the environment on which a software Product
with digital element is executed and optionally loaded.
3.1.15
software product with digital elements
sequence or set of instructions in a programming language which can be executed on a hardware
and/or a software environment
Note 1 to entry: Software product with digital elements are intangible.

Note 2 to entry: A set of data is not a software product with digital elements.

Note 3 to entry: The hardware environment is a hardware product with digital elements, and the software
environment is a software product with digital elements.

Note 4 to entry: A software product with digital elements is not necessarily loaded in the hardware or software
environment on which it is executed.

Note 5 to entry: A software product with digital elements loaded in a hardware product with digital elements and
in which it is executed is an embedded software. The combination of both is another hardware product with
digital elements and is thus tangible
3.1.16
electronic information system
system including electrical or electronic equipment, capable of processing, storing or transmitting
digital data
[SOURCE: CRA, Article 3(7)]
3.1.17
risk assessment
overall process of risk identification, risk analysis and risk evaluation

[SOURCE: ISO 31073:2022, 3.3.8]
3.1.18
security analysis
process used to understand the nature of a risk and to determine the level of risk

[SOURCE: EN ISO/IEC 27005:2024, 3.2.5]
3.1.19
security profile
set of security requirements defined to address a specific level of risk associated with a product with
digital elements
3.1.20
use case
combination of an environment, a user category and a product feature, used to describe a typical usage
scenario.
3.1.21
categorisation
process of assigning a product with digital elements to a defined category, hardware or software based
on its primary characteristics and intended function
3.1.22
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.

[SOURCE: ISO 24518:2015, 3.1.3]
3.1.23
cybersecurity risk
potential for loss or disruption caused by an incident and is to be expressed as a combination of the
magnitude of such loss or disruption and the likelihood of occurrence of the incident
[SOURCE: CRA, Article 3(37)]
3.1.24
significant cybersecurity risk
cybersecurity risk which, based on its technical characteristics, can be assumed to have a high
likelihood of an incident that could lead to a severe negative impact, including by causing considerable
material or non-material loss or disruption
[SOURCE: CRA, Article 3(38)]
3.1.25
attack potential
measure of the effort needed to exploit a vulnerability in a Product with digital elements

Note 1 to entry: The attack potential usually decreases over time, as expertise, knowledge and capabilities of
attacker willing to exploit that vulnerability increases.

[SOURCE: EN ISO/IEC
...