EN 40000-1-3: Cyber Resilience Act - Vulnerability Handling Requirements
Harmonized standard under the CRA. Once cited in the Official Journal, full application of this standard confers presumption of conformity with the Annex I, Part II vulnerability-handling requirements (Article 27(1)).
What presumption of conformity means for manufacturers
When the European Commission cites EN 40000-1-3 in the Official Journal of the European Union, a manufacturer who fully applies the standard is presumed to meet the CRA's essential vulnerability handling requirements in Annex I, Part II, to the extent the standard covers them. This is a formal legal bridge: instead of independently demonstrating that its process meets each underlying regulatory requirement, the manufacturer demonstrates conformity with the standard. Two caveats matter in practice: the presumption is rebuttable, and it does not extend to requirements the standard does not address.
EN 40000-1-3 covers the complete vulnerability handling lifecycle, from policy establishment through coordinated disclosure. CVD Portal implements infrastructure for every clause in the standard, allowing manufacturers to satisfy all 24 requirements through a single platform.
“By fully applying EN 40000-1-3, a manufacturer may invoke presumption of conformity with CRA Annex I vulnerability handling requirements per Article 27(1) of the Cyber Resilience Act.”
Full clause coverage: 24 clauses, 24 satisfied
Every EN 40000-1-3 clause maps directly to CVD Portal features. Portal-managed artifacts are automatically verified. Tenant-managed artifacts are guided, drafted, and tracked through the obligations framework.
| Clause | Title: Description | Requirement ID | Portal Feature |
|---|---|---|---|
| §4.1 | Vulnerability handling policy: The manufacturer shall establish, maintain, and publish a policy describing its vulnerability handling process. | PRE-1 Policy on Vulnerability Handling | Obligations tracker |
| §4.2 | Coordinated disclosure policy: The manufacturer shall define and publish a coordinated vulnerability disclosure policy specifying how reporters are engaged. | PRE-2 Policy on Coordinated Vulnerability Disclosure | CVD policy page |
| §4.3 | Operational security: The manufacturer shall implement operational security controls protecting the vulnerability handling process from interference. | PRE-3 Operational Security | Submission inbox |
| §4.4 | Stakeholder communication: The manufacturer shall define channels and procedures for ongoing communication with affected stakeholders. | PRE-4 On-going Communication | Communication log |
| §4.5 | Secure communication channel: The manufacturer shall provide a secure, authenticated channel for confidential vulnerability reports. | PRE-5 Secure Communication | PGP encryption |
| §5.1 | Product identification: The manufacturer shall maintain a register of products with digital elements and their version histories. | PRE-6 Product Identification | Product registry |
| §5.2 | Software component inventory: The manufacturer shall produce and maintain a software bill of materials (SBOM) for each product. | PRE-7 Identification of Software Components | SBOM manager |
| §5.3 | Hardware component inventory: The manufacturer shall maintain an inventory of hardware components with security-relevant firmware versions. | PRE-8 Identification of Hardware Components | Hardware registry |
| §6.1 | Security testing and review: The manufacturer shall plan and execute periodic security tests and reviews of products. | PRE-9 Planning Regular Tests and Reviews | Security reviews |
| §6.2 | Update distribution: The manufacturer shall operate mechanisms to distribute security updates to users reliably and securely. | PRE-10 Mechanisms for Distribution | CSAF advisories |
| §7.1 | Vulnerability intake capability: The manufacturer shall provide a publicly accessible, secure channel for receiving vulnerability reports. | RCP-1 Capability to Receive Reports | Public portal |
| §7.2 | Vulnerability monitoring: The manufacturer shall monitor internal and external sources for vulnerability intelligence affecting its products. | RCP-2 Monitoring | Monitoring sources |
| §7.3 | Software impact assessment: On receiving a report, the manufacturer shall identify all affected software components and versions. | RCP-3 Potentially Impacted Software Components | Threat intel |
| §7.4 | Hardware impact assessment: On receiving a report, the manufacturer shall identify all affected hardware components and firmware versions. | RCP-4 Potentially Impacted Hardware Components | Hardware registry |
| §7.5 | Coordinator involvement: The manufacturer shall define when and how to engage a coordinator in multi-party vulnerability cases. | RCP-5 Coordinator Involvement | Coordinator assign |
| §7.6 | Regular security testing cycles: The manufacturer shall conduct regular security testing and reviews of its products during the active support period. | RCP-6 / RCP-7 Performing Regular Tests | Security reviews |
| §8.1 | Initial assessment and triage: The manufacturer shall perform initial assessment and triage of each received vulnerability report. | VRF-1 Initial Assessment and Verification | Submission triage |
| §8.2 | Vulnerability risk assessment: The manufacturer shall assess the risk of each confirmed vulnerability using a documented scoring methodology. | VRF-2 Vulnerability Risk Assessment | CVSS calculator |
| §9.1 | Remediation decision: The manufacturer shall document and justify a remediation decision for each confirmed vulnerability. | RMD-1 Remediation Decision | Remediation panel |
| §9.2 | Remediation development: The manufacturer shall develop effective remediation for confirmed vulnerabilities within defined timelines. | RMD-2 Remediation Development | Obligations tracker |
| §9.3 | Remediation testing: The manufacturer shall test remediation before release to verify effectiveness and absence of regression. | RMD-3 Remediation Test | Obligations tracker |
| §10.1 | Security update release: The manufacturer shall release security updates promptly and communicate availability to users. | RLS-1 Security Update Release | Obligations tracker |
| §10.2 | Security advisory publication: The manufacturer shall publish machine-readable security advisories for disclosed vulnerabilities. | RLS-2 Release Information | CSAF advisories |
| §11.1 | Post-release monitoring: The manufacturer shall continue monitoring for vulnerabilities in released products throughout their support lifetime. | PRA-1 Post-Release Actions | Obligations tracker |
How CVD Portal satisfies each clause
Vulnerability intake and CVD policy
CVD Portal provides a branded public submission portal, CVD policy page, PGP-encrypted communication, and full submission tracking with acknowledgment timers.
Product and component identification
SBOM upload and management, hardware component registry, and product identification records are maintained directly in the portal.
Security testing and update distribution
Scheduled security review tracking with configurable frequencies, reminder automation, and CSAF 2.0 advisory publication that tells users which update fixes which affected versions.
Vulnerability monitoring and impact assessment
Monitoring source configuration, EU Vulnerability Database integration, threat intelligence, SBOM-based impact assessment, and coordinator assignment.
Triage and risk assessment
Built-in CVSS calculator, severity scoring, priority assignment, and reporter communication tracking per submission.
Remediation and disclosure
Structured remediation decisions, timelines, test tracking, CSAF advisory generation for machine-readable disclosure, and post-release monitoring records.
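What "machine-readable disclosure" under §10.2 / RLS-2 amounts to in practice is a CSAF 2.0 document whose required fields are present and whose product identifiers are internally consistent. The following is an added example, not CVD Portal's advisory generator, that assembles a minimal csaf_security_advisory and checks it: the required keys are those of the CSAF 2.0 base schema and the security-advisory profile (product_tree, vulnerabilities, and notes plus product_status on each vulnerability), but this is a field check, not full JSON-schema validation. The helper names, the product, the advisory identifier and the dates are constructed for the example.

```python
import json

# Keys the CSAF 2.0 base schema requires in every document, plus what the
# csaf_security_advisory profile adds. Helper names below are hypothetical.
_DOC_REQUIRED = {"category", "csaf_version", "publisher", "title", "tracking"}
_PUBLISHER_REQUIRED = {"category", "name", "namespace"}
_TRACKING_REQUIRED = {"current_release_date", "id", "initial_release_date",
                      "revision_history", "status", "version"}
_VULN_REQUIRED = {"notes", "product_status"}


def build_advisory(advisory_id, title, publisher, products, affected, fixed,
                   vuln_title, summary, vector, score, rating, fix_details,
                   released):
    """Assemble a minimal csaf_security_advisory document as a dict.
    products maps product_id -> display name; affected/fixed list product_ids."""
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": publisher,
            "title": title,
            "tracking": {
                "id": advisory_id,
                "status": "final",
                "version": "1",
                "initial_release_date": released,
                "current_release_date": released,
                "revision_history": [
                    {"date": released, "number": "1", "summary": "Initial release"}
                ],
            },
        },
        "product_tree": {
            "full_product_names": [
                {"name": name, "product_id": pid} for pid, name in products.items()
            ]
        },
        "vulnerabilities": [{
            "title": vuln_title,
            "notes": [{"category": "summary", "text": summary}],
            "product_status": {"known_affected": affected, "fixed": fixed},
            "remediations": [{"category": "vendor_fix", "details": fix_details,
                              "product_ids": affected}],
            "scores": [{"products": affected,
                        "cvss_v3": {"version": "3.1", "vectorString": vector,
                                    "baseScore": score, "baseSeverity": rating}}],
        }],
    }


def check_advisory(doc):
    """Return a list of problems; empty means the required fields are present
    and every product_id in product_status resolves to the product tree."""
    problems = []
    d = doc.get("document", {})
    problems += [f"document.{k} missing" for k in sorted(_DOC_REQUIRED - d.keys())]
    problems += [f"document.publisher.{k} missing"
                 for k in sorted(_PUBLISHER_REQUIRED - d.get("publisher", {}).keys())]
    problems += [f"document.tracking.{k} missing"
                 for k in sorted(_TRACKING_REQUIRED - d.get("tracking", {}).keys())]
    if d.get("csaf_version") != "2.0":
        problems.append("document.csaf_version must be '2.0'")
    if d.get("category") == "csaf_security_advisory":
        if "product_tree" not in doc:
            problems.append("product_tree missing (required by profile)")
        if not doc.get("vulnerabilities"):
            problems.append("vulnerabilities missing (required by profile)")
    known = {p["product_id"]
             for p in doc.get("product_tree", {}).get("full_product_names", [])}
    for i, v in enumerate(doc.get("vulnerabilities", [])):
        problems += [f"vulnerabilities[{i}].{k} missing"
                     for k in sorted(_VULN_REQUIRED - v.keys())]
        for status, ids in v.get("product_status", {}).items():
            problems += [f"vulnerabilities[{i}].product_status.{status}: "
                         f"unknown product_id {pid}" for pid in ids if pid not in known]
    return problems


# Constructed sample for a fictitious product; not a real advisory.
SAMPLE = build_advisory(
    advisory_id="EXAMPLE-SA-0001",
    title="Authentication bypass in Example Gateway before 2.4.1",
    publisher={"category": "vendor", "name": "Example Corp",
               "namespace": "https://example.com"},
    products={"CSAFPID-0001": "Example Gateway 2.4.0",
              "CSAFPID-0002": "Example Gateway 2.4.1"},
    affected=["CSAFPID-0001"], fixed=["CSAFPID-0002"],
    vuln_title="Authentication bypass in the management API",
    summary="Unauthenticated requests to the management API are accepted.",
    vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    score=9.8, rating="CRITICAL",
    fix_details="Upgrade to Example Gateway 2.4.1.",
    released="2024-01-15T00:00:00Z",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print("problems:", check_advisory(SAMPLE))
```

The product_id cross-check is the part worth keeping in any pipeline: a consumer's matching tools key entirely on those identifiers, so an advisory that passes the schema but references an identifier missing from product_tree silently tells downstream users nothing.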
Achieve presumption of conformity through EN 40000-1-3
Deploy a compliant vulnerability handling process in minutes. Every EN 40000-1-3 clause covered out of the box.
Get Started for Free