iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

prEN 40000-1-2

(Main)

Cybersecurity requirements for products with digital elements - Part 1-2: Principles for cyber resilience

Cybersecurity requirements for products with digital elements - Part 1-2: Principles for cyber resilience

This document specifies general cybersecurity principles and general risk management activities for all products with digital elements, hereafter also referred to as 'products'. This document covers every stage of the product lifecycle to ensure and maintain an appropriate level of cybersecurity based on the risks.
This document also provides generic elements to support the development of coherent product-category-specific standards (vertical standards).
This document:
—   establishes generic cybersecurity principles applicable to all stages of the product lifecycle;
—   specifies requirements for risk assessment and treatment of cybersecurity risks;
—   specifies requirements on activities that can be applied to ensure an appropriate level of cybersecurity at every phase of the product lifecycle;
—   provides elements and considerations for product category specific standards in order to facilitate a harmonized approach.
This document does not provide vertical product category specific activities and elements.

Cybersicherheitsanforderungen für Produkte mit digitalen Elementen - Grundsätze für die Cyberresilienz

Exigences de cybersécurité pour les produits comportant des éléments numériques - Partie 1-2 : Principes de cyberrésilience

Zahteve za kibernetsko varnost za izdelke z digitalnimi elementi - 1-2 del: Načela kibernetske odpornosti

General Information

Status
Not Published
Publication Date
28-Feb-2027
ICS
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/JTC 13/WG 9 - Special Working Group on Cyber Resilience Act
Current Stage
4020 - Submission to enquiry - Enquiry
Start Date
09-Oct-2025
Due Date
31-Jan-2026
Completion Date
09-Oct-2025
Mandate
M/606 - on a standardisation request to European Standards Organisations in support of Union policy on cybersecurity requirements for products with digital elements
Ref Project
oSIST prEN 40000-1-2:2025 - Cybersecurity requirements for products with digital elements - Part 1-2: Principles for cyber resilience
prEN 40000-1-2:2025prEN 40000-1-2:2025
PreviousNext
Draft
prEN 40000-1-2:2025
English language
57 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-december-2025
Zahteve za kibernetsko varnost za izdelke z digitalnimi elementi - 1-2 del: Načela
kibernetske odpornosti
Cybersecurity requirements for products with digital elements - Part 1-2: Principles for
cyber resilience
Cybersicherheitsanforderungen für Produkte mit digitalen Elementen - Grundsätze für
die Cyberresilienz
Ta slovenski standard je istoveten z: prEN 40000-1-2
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2025
ICS 35.030
English version
Cybersecurity requirements for products with digital
elements - Part 1-2: Principles for cyber resilience
Anforderungen an die Cybersicherheit von Produkten
mit digitalen Bestandteilen - Grundsätze für die
Cyberesilienz
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

Contents Page
European foreword . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Introduction . 6
5 Cybersecurity principles . 7
5.1 General . 7
5.2 Risk-based approach to cybersecurity . 7
5.2.1 Principle . 7
5.2.2 Guidance . 7
5.3 Security by design . 8
5.3.1 Principle . 8
5.3.2 Guidance . 8
5.4 Secure by default . 9
5.4.1 Principle . 9
5.4.2 Guidance . 9
5.5 Transparency . 9
5.5.1 Principle . 9
5.5.2 Guidance . 9
6 Risk management elements . 10
6.1 General . 10
6.2 Product context . 12
6.2.1 General . 12
6.2.2 Input . 13
6.2.3 Requirement . 14
6.2.4 Output . 14
6.2.5 Assessment criteria . 14
6.3 Risk acceptance criteria and risk management methodology . 14
6.3.1 General . 14
6.3.2 Input . 16
6.3.3 Requirement . 16
6.3.4 Output . 16
6.3.5 Assessment criteria . 16
6.4 Risk assessment . 17
6.4.1 General . 17
6.4.2 Asset and cybersecurity objective identification . 17
6.4.3 Threat identification . 18
6.4.4 Risk estimation . 19
6.4.5 Risk evaluation . 20
6.5 Risk treatment . 21
6.5.1 General . 21
6.5.2 Input . 22
6.5.3 Requirement . 22
6.5.4 Output . 22
6.5.5 Assessment criteria . 22
6.6 Risk communication . 23
6.6.1 General . 23
6.6.2 Input . 23
6.6.3 Requirement . 23
6.6.4 Output . 24
6.6.5 Assessment criteria . 24
6.7 Risk monitoring and review . 24
6.7.1 General . 24
6.7.2 Input . 24
6.7.3 Requirement . 24
6.7.4 Output . 25
6.7.5 Assessment criteria . 25
7 Cybersecurity activities . 25
7.1 General . 25
7.2 Product cybersecurity planning . 26
7.2.1 General . 26
7.2.2 Input . 26
7.2.3 Requirement . 26
7.2.4 Output . 26
7.2.5 Assessment criteria . 26
7.3 Product cybersecurity requirements . 26
7.3.1 General . 26
7.3.2 Input . 27
7.3.3 Requirement . 27
7.3.4 Output . 28
7.3.5 Assessment criteria . 28
7.4 Cybersecurity architecture and design . 28
7.4.1 General . 28
7.4.2 Input .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN ISO/IEC 27701:2025(Main)
Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance (ISO/IEC 27701:2025)
SIST EN ISO/IEC 27701:2025

This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
Guidance is also provided to assist in the implementation of the requirements in this document.
This document is intended for personally identifiable information (PII) controllers and PII processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

  • Standard
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27706:2025(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
SIST EN ISO/IEC 27706:2025

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification.
NOTE       This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/CLC/TS 18072:2025(Main)
Requirements for Conformity Assessment Bodies certifying Cloud Services
SIST-TS CEN/CLC/TS 18072:2025

This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.

  • Technical specification
    45 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18037:2025(Main)
Guidelines on a sectoral cybersecurity assessment
SIST EN 18037:2025

This document contains guidelines to be used in the process of drafting requirements of cybersecurity certification schemes for sectoral ICT services and systems. It includes all steps necessary to define, implement and maintain such requirements.

  • Standard
    65 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27555:2025(Main)
Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC 27555:2021)
SIST EN ISO/IEC 27555:2025

This document contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organizations by specifying:
—    a harmonized terminology for PII deletion;
—    an approach for defining deletion rules in an efficient way;
—    a description of required documentation;
—    a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII is stored or processed.
This document does not address:
—    specific legal provision, as given by national law or specified in contracts;
—    specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII;
—    deletion mechanisms;
—    reliability, security and suitability of deletion mechanisms;
—    specific techniques for de-identification of data.

  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/CLC ISO/IEC/TS 23532-1:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 1: Evaluation for ISO/IEC 15408 (ISO/IEC/TS 23532-1:2021)
SIST-TS CEN/CLC ISO/IEC/TS 23532-1:2025

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.

  • Technical specification
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/CLC ISO/IEC/TS 23532-2:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 2: Testing for ISO/IEC 19790 (ISO/IEC/TS 23532-2:2021)
SIST-TS CEN/CLC ISO/IEC/TS 23532-2:2025

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.

  • Technical specification
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27001:2023/A1:2024(Amendment)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements - Amendment 1: Climate action changes (ISO/IEC 27001:2022/Amd 1:2024)
SIST EN ISO/IEC 27001:2023/A1:2025
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18031-1:2024(Main)
Common security requirements for radio equipment - Part 1: Internet connected radio equipment
SIST EN 18031-1:2024

This document specifies common security requirements for internet-connected radio equipment. This document provides technical specifications for radio equipment, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

  • Standard
    180 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18031-2:2024(Main)
Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
SIST EN 18031-2:2024

Common security requirements for radio equipment processing personal data or traffic data or location data being either internet connected radio equipment, radio equipment designed or intended exclusively for childcare; toys and wearable radio equipment. The standard provides technical specifications for radio equipment processing personal data, traffic data or location data, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment, childcare, toys or wearable radio equipment.
The scope does not apply to 5G network equipment used by providers of public electronic communications networks and publicly available electronic communications services within the meaning of in Directive (EU) 2018/1972 of the European Parliament and of the Council as defined in that Regulation.

  • Standard
    220 pages
    English language
    sale 10% off
    e-Library read for
    1 day