{
  "catalog": {
    "uuid": "f5b2424f-d5a8-59be-80aa-52a282d49a68",
    "metadata": {
      "title": "prEN 40000-1-3: Cyber Resilience Act, Vulnerability Handling Requirements (CEN Enquiry draft)",
      "last-modified": "2026-07-07T00:00:00Z",
      "version": "2026-07-07",
      "oscal-version": "1.1.2",
      "props": [
        {
          "name": "marking",
          "value": "TLP:CLEAR"
        }
      ],
      "remarks": "Specifies requirements for vulnerability handling processes for products with digital elements, covering receipt, triage, remediation, and disclosure of vulnerabilities throughout a product's lifecycle. Status: Draft standard (prEN 40000-1-3:2025 (CEN Enquiry, October 2025)). Not yet cited in the Official Journal, so applying it does not yet confer presumption of conformity. Used as the working blueprint for a defensible, traceable vulnerability-handling process.. This standard is not yet cited in the Official Journal of the EU; presumption of conformity does not yet apply."
    },
    "groups": [
      {
        "id": "en-40000-1-3",
        "class": "harmonised-standard",
        "title": "EN 40000-1-3 clauses",
        "controls": [
          {
            "id": "clause-4-1",
            "title": "Vulnerability handling policy",
            "props": [
              {
                "name": "label",
                "value": "§4.1"
              },
              {
                "name": "cvd-article",
                "value": "PRE-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-4-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall establish, maintain, and publish a policy describing its vulnerability handling process."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-1",
                "rel": "related",
                "text": "PRE-1"
              }
            ]
          },
          {
            "id": "clause-4-2",
            "title": "Coordinated disclosure policy",
            "props": [
              {
                "name": "label",
                "value": "§4.2"
              },
              {
                "name": "cvd-article",
                "value": "PRE-2",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-4-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall define and publish a coordinated vulnerability disclosure policy specifying how reporters are engaged."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-2",
                "rel": "related",
                "text": "PRE-2"
              }
            ]
          },
          {
            "id": "clause-4-3",
            "title": "Operational security",
            "props": [
              {
                "name": "label",
                "value": "§4.3"
              },
              {
                "name": "cvd-article",
                "value": "PRE-3",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-4-3_smt",
                "name": "statement",
                "prose": "The manufacturer shall implement operational security controls protecting the vulnerability handling process from interference."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-3",
                "rel": "related",
                "text": "PRE-3"
              }
            ]
          },
          {
            "id": "clause-4-4",
            "title": "Stakeholder communication",
            "props": [
              {
                "name": "label",
                "value": "§4.4"
              },
              {
                "name": "cvd-article",
                "value": "PRE-4",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-4-4_smt",
                "name": "statement",
                "prose": "The manufacturer shall define channels and procedures for ongoing communication with affected stakeholders."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-4",
                "rel": "related",
                "text": "PRE-4"
              }
            ]
          },
          {
            "id": "clause-4-5",
            "title": "Secure communication channel",
            "props": [
              {
                "name": "label",
                "value": "§4.5"
              },
              {
                "name": "cvd-article",
                "value": "PRE-5",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-4-5_smt",
                "name": "statement",
                "prose": "The manufacturer shall provide a secure, authenticated channel for confidential vulnerability reports."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-5",
                "rel": "related",
                "text": "PRE-5"
              }
            ]
          },
          {
            "id": "clause-5-1",
            "title": "Product identification",
            "props": [
              {
                "name": "label",
                "value": "§5.1"
              },
              {
                "name": "cvd-article",
                "value": "PRE-6",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-5-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall maintain a register of products with digital elements and their version histories."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-6",
                "rel": "related",
                "text": "PRE-6"
              }
            ]
          },
          {
            "id": "clause-5-2",
            "title": "Software component inventory",
            "props": [
              {
                "name": "label",
                "value": "§5.2"
              },
              {
                "name": "cvd-article",
                "value": "PRE-7",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-5-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall produce and maintain a software bill of materials (SBOM) for each product."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-7",
                "rel": "related",
                "text": "PRE-7"
              }
            ]
          },
          {
            "id": "clause-5-3",
            "title": "Hardware component inventory",
            "props": [
              {
                "name": "label",
                "value": "§5.3"
              },
              {
                "name": "cvd-article",
                "value": "PRE-8",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-5-3_smt",
                "name": "statement",
                "prose": "The manufacturer shall maintain an inventory of hardware components with security-relevant firmware versions."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-8",
                "rel": "related",
                "text": "PRE-8"
              }
            ]
          },
          {
            "id": "clause-6-1",
            "title": "Security testing and review",
            "props": [
              {
                "name": "label",
                "value": "§6.1"
              },
              {
                "name": "cvd-article",
                "value": "PRE-9",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-6-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall plan and execute periodic security tests and reviews of products."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-9",
                "rel": "related",
                "text": "PRE-9"
              }
            ]
          },
          {
            "id": "clause-6-2",
            "title": "Update distribution",
            "props": [
              {
                "name": "label",
                "value": "§6.2"
              },
              {
                "name": "cvd-article",
                "value": "PRE-10",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-6-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall operate mechanisms to distribute security updates to users reliably and securely."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pre-10",
                "rel": "related",
                "text": "PRE-10"
              }
            ]
          },
          {
            "id": "clause-7-1",
            "title": "Vulnerability intake capability",
            "props": [
              {
                "name": "label",
                "value": "§7.1"
              },
              {
                "name": "cvd-article",
                "value": "RCP-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall provide a publicly accessible, secure channel for receiving vulnerability reports."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-1",
                "rel": "related",
                "text": "RCP-1"
              }
            ]
          },
          {
            "id": "clause-7-2",
            "title": "Vulnerability monitoring",
            "props": [
              {
                "name": "label",
                "value": "§7.2"
              },
              {
                "name": "cvd-article",
                "value": "RCP-2",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall monitor internal and external sources for vulnerability intelligence affecting its products."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-2",
                "rel": "related",
                "text": "RCP-2"
              }
            ]
          },
          {
            "id": "clause-7-3",
            "title": "Software impact assessment",
            "props": [
              {
                "name": "label",
                "value": "§7.3"
              },
              {
                "name": "cvd-article",
                "value": "RCP-3",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-3_smt",
                "name": "statement",
                "prose": "On receiving a report, the manufacturer shall identify all affected software components and versions."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-3",
                "rel": "related",
                "text": "RCP-3"
              }
            ]
          },
          {
            "id": "clause-7-4",
            "title": "Hardware impact assessment",
            "props": [
              {
                "name": "label",
                "value": "§7.4"
              },
              {
                "name": "cvd-article",
                "value": "RCP-4",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-4_smt",
                "name": "statement",
                "prose": "On receiving a report, the manufacturer shall identify all affected hardware components and firmware versions."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-4",
                "rel": "related",
                "text": "RCP-4"
              }
            ]
          },
          {
            "id": "clause-7-5",
            "title": "Coordinator involvement",
            "props": [
              {
                "name": "label",
                "value": "§7.5"
              },
              {
                "name": "cvd-article",
                "value": "RCP-5",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-5_smt",
                "name": "statement",
                "prose": "The manufacturer shall define when and how to engage a coordinator in multi-party vulnerability cases."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-5",
                "rel": "related",
                "text": "RCP-5"
              }
            ]
          },
          {
            "id": "clause-7-6",
            "title": "Regular security testing cycles",
            "props": [
              {
                "name": "label",
                "value": "§7.6"
              },
              {
                "name": "cvd-article",
                "value": "RCP-6",
                "ns": "https://cvdportal.com/ns/oscal"
              },
              {
                "name": "cvd-article",
                "value": "RCP-7",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-7-6_smt",
                "name": "statement",
                "prose": "The manufacturer shall conduct regular security testing and reviews of its products during the active support period."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-6",
                "rel": "related",
                "text": "RCP-6"
              },
              {
                "href": "./catalog-cvd-vuln-handling.json#rcp-7",
                "rel": "related",
                "text": "RCP-7"
              }
            ]
          },
          {
            "id": "clause-8-1",
            "title": "Initial assessment and triage",
            "props": [
              {
                "name": "label",
                "value": "§8.1"
              },
              {
                "name": "cvd-article",
                "value": "VRF-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-8-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall perform initial assessment and triage of each received vulnerability report."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#vrf-1",
                "rel": "related",
                "text": "VRF-1"
              }
            ]
          },
          {
            "id": "clause-8-2",
            "title": "Vulnerability risk assessment",
            "props": [
              {
                "name": "label",
                "value": "§8.2"
              },
              {
                "name": "cvd-article",
                "value": "VRF-2",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-8-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall assess the risk of each confirmed vulnerability using a documented scoring methodology."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#vrf-2",
                "rel": "related",
                "text": "VRF-2"
              }
            ]
          },
          {
            "id": "clause-9-1",
            "title": "Remediation decision",
            "props": [
              {
                "name": "label",
                "value": "§9.1"
              },
              {
                "name": "cvd-article",
                "value": "RMD-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-9-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall document and justify a remediation decision for each confirmed vulnerability."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rmd-1",
                "rel": "related",
                "text": "RMD-1"
              }
            ]
          },
          {
            "id": "clause-9-2",
            "title": "Remediation development",
            "props": [
              {
                "name": "label",
                "value": "§9.2"
              },
              {
                "name": "cvd-article",
                "value": "RMD-2",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-9-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall develop effective remediation for confirmed vulnerabilities within defined timelines."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rmd-2",
                "rel": "related",
                "text": "RMD-2"
              }
            ]
          },
          {
            "id": "clause-9-3",
            "title": "Remediation testing",
            "props": [
              {
                "name": "label",
                "value": "§9.3"
              },
              {
                "name": "cvd-article",
                "value": "RMD-3",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-9-3_smt",
                "name": "statement",
                "prose": "The manufacturer shall test remediation before release to verify effectiveness and absence of regression."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rmd-3",
                "rel": "related",
                "text": "RMD-3"
              }
            ]
          },
          {
            "id": "clause-10-1",
            "title": "Security update release",
            "props": [
              {
                "name": "label",
                "value": "§10.1"
              },
              {
                "name": "cvd-article",
                "value": "RLS-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-10-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall release security updates promptly and communicate availability to users."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rls-1",
                "rel": "related",
                "text": "RLS-1"
              }
            ]
          },
          {
            "id": "clause-10-2",
            "title": "Security advisory publication",
            "props": [
              {
                "name": "label",
                "value": "§10.2"
              },
              {
                "name": "cvd-article",
                "value": "RLS-2",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-10-2_smt",
                "name": "statement",
                "prose": "The manufacturer shall publish machine-readable security advisories for disclosed vulnerabilities."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#rls-2",
                "rel": "related",
                "text": "RLS-2"
              }
            ]
          },
          {
            "id": "clause-11-1",
            "title": "Post-release monitoring",
            "props": [
              {
                "name": "label",
                "value": "§11.1"
              },
              {
                "name": "cvd-article",
                "value": "PRA-1",
                "ns": "https://cvdportal.com/ns/oscal"
              }
            ],
            "parts": [
              {
                "id": "clause-11-1_smt",
                "name": "statement",
                "prose": "The manufacturer shall continue monitoring for vulnerabilities in released products throughout their support lifetime."
              }
            ],
            "links": [
              {
                "href": "./catalog-cvd-vuln-handling.json#pra-1",
                "rel": "related",
                "text": "PRA-1"
              }
            ]
          }
        ]
      }
    ]
  }
}
