In 2018, the average time from a vulnerability being disclosed to being exploited was 2.3 years. By June 2026, it had fallen to 8 hours. Nearly seven out of ten exploited vulnerabilities are now zero-days – attacks that happen on the same day the vulnerability becomes known, or even before.
That’s the reality the EU’s Cyber Resilience Act (CRA) is meant to address. From December 2027, every product with digital elements placed on the EU market will need to be secure by design, handle vulnerabilities in a structured way and be capable of incident reporting. To make the law work in practice, standards are needed. But not all standards carry the same weight – legally or practically.
We met with Angelo D’Amato, founder of Vulnir and rapporteur within CEN/CENELEC for two of the EU’s new horizontal CRA standards – one on generic security requirements and one on vulnerability handling.
For Angelo, the threat landscape makes the CRA’s timing critical. With attackers operating at machine speed, a purely reactive security posture is no longer viable – companies need automated support and proactive defences to keep up.

Angelo D’Amato, founder of Vulnir and rapporteur for two of the EU’s horizontal CRA standards.
– The CRA is complex because there are conflicting interests at play. The Commission wants strong requirements. Manufacturers, who feed into the work through their national standardisation bodies, often want to soften them. Our job is to find the balance, so we end up with a standard that actually works for the market, Angelo says.
Horizontal and vertical – two different roles
The first thing to grasp is the difference between horizontal and vertical standards.
Horizontal standards set a common baseline. They describe the security requirements that apply across the board, and they serve two purposes.
- They support products that fall outside the more critical classes, which the CRA refers to as the default category.
- They also provide the foundation for the vertical standards.
Vertical standards are sector-specific and intended for presumption of conformity. They translate the general requirements into concrete requirements for a particular type of product – for example a router, an operating system, or a network function for telecoms.
The four horizontal standards
Within CEN/CENELEC JTC 13 WG 9, four horizontal standards are currently being developed. Together, they form the foundation for CRA compliance:
- prEN 40000-1-1 – Vocabulary, a shared terminology.
- prEN 40000-1-2 – Principles for Cybersecurity, high-level process requirements.
- prEN 40000-1-3 – Vulnerability Handling, requirements for handling vulnerabilities.
- prEN 40000-1-4 – Generic Security Requirements, which translates the essential legal requirements into a concrete catalogue of security controls.
Angelo leads the work on prEN 40000-1-2 and prEN 40000-1-3.
The first two standards are scheduled for publication in October 2026. The third, prEN 40000-1-3, is due by the end of December 2026, and prEN 40000-1-4 in October 2027 at the latest. The vertical standards are expected to be ready by March or April 2027.
Different legal weight
The second important difference to grasp is that the standards aren’t legally equivalent. The weight a standard carries depends on the EU’s New Legislative Framework (NLF), and on the category the product falls into.
The use of these standards remains voluntary. No product is required to follow a specific standard. Standards are a support tool to demonstrate that a product meets the law. What varies between the product categories is the legal effect a standard delivers, and what the alternatives are if the manufacturer chooses not to use one.
For products in the default category, conformity is assessed through self-declaration. The manufacturer is responsible for showing that the essential legal requirements are met with or without a harmonised standard. A harmonised standard can be used as support, but it carries no particular legal effect.
For important products in class I, presumption of conformity becomes especially valuable. If the Commission has cited a harmonised standard in the EU’s Official Journal, and the manufacturer follows it in full, the product is presumed to meet the legislation – and the manufacturer can issue a self-declaration. Anyone who chooses not to follow a harmonised standard must instead have a notified body assess whether the product meets the CRA’s requirements.
For important products in class II, third-party assessment by a notified body is always mandatory, whether or not the manufacturer follows a harmonised standard. Class II covers products where a security flaw could have wider systemic consequences.
This is where the horizontal standards can appear less important. But here Angelo makes a key point.
– prEN 40000-1-2 and prEN 40000-1-4 won’t carry presumption of conformity. But prEN 40000-1-3 is written to do exactly that. It is the only standard that will address the essential requirements related to vulnerability handling, and it will become the reference for every other standard under the CRA, both horizontal and vertical, Angelo says.
In other words: even companies whose main focus is a vertical standard need to keep an eye on how the vulnerability handling requirements are framed. They will apply broadly.
What’s what in the CRA’s product categories?
The CRA sorts products with digital elements into four categories:
| Category | Examples | Conformity assessment |
|---|---|---|
| Default category | Products not listed as important or critical (e.g. word processors, video games, smart home appliances) | Self-declaration |
| Important – class I | Web browsers, password managers, antivirus software, VPNs, routers, modems, smart home assistants, SIEM systems | Self-declaration if a harmonised standard is applied, otherwise notified body |
| Important – class II | Hypervisors, firewalls, telecoms network functions | Notified body required |
| Critical products | Hardware-based security boxes, smart meters, smart cards | Notified body required, possibly EU certification |
Source: ETSI’s vertical standardisation work (the EN 304 series), CRA Annex III and IV.
The standard as a common reference point
As noted, no standard delivers presumption of conformity for products in the default category. Unlike important and critical products, which are often covered by a sector-specific vertical standard, there’s no equivalent for the default category. That’s where the horizontal standards come in.
Because the CRA is written at a high level, manufacturers need something more concrete to work from. A horizontal standard fills that role by giving manufacturers and assessors a common reference point. That makes it easier to demonstrate that the requirements are met.
When manufacturers, notified bodies and market surveillance all work from the same standard, assessments become more predictable, and it becomes clear what is actually required.
– Just because a product falls into the default category doesn’t mean the risk is low. It could be installed in critical infrastructure, such as nuclear, energy or telecommunications systems. That’s exactly why it matters that all parties involved start from the same place and contextualise the risk assessment and the product-specific risk profile, Angelo says.
Work with many voices
The complexity of the work shows in the numbers. The draft of prEN 40000-1-3 has so far received 2,902 comments during its public enquiry – from national standardisation bodies, the Commission’s Harmonised Standards Consultants (HAS), and other stakeholders. As of June 2026, around 1,000 of those comments were still open.
– The views go in different directions. Some want to tighten the requirements; others want to soften them. Our job is to find wording that holds up legally, against the text of the law, Angelo says.
The fact that the process takes time is a consequence of how European standardisation is built. Standards aren’t decided by majority vote, but by consensus. That means objections can’t simply be voted down: they have to be addressed until the parties involved can accept the outcome, or until the right balance is found. Because it is not always possible to satisfy everyone, a ‘good enough’ principle has to be applied.
For companies that will apply the standard, the consensus is an important feature. A standard that’s been broadly endorsed by manufacturers, authorities and conformity assessment bodies becomes more predictable in practice. There’s less room for interpretation, and it’s easier for different parties to work from the same understanding.
– When a standard reaches that point – where everyone can stand behind the outcome – that’s when it has real value. The sharpest version doesn’t always win, but the most durable one does, Angelo says.
What should smaller companies prioritise?
For small and medium-sized companies, the CRA landscape can easily feel overwhelming. Angelo’s advice is to start in the right place.
– The CRA is built on proportionality. You don’t need to meet the most stringent requirements if the risk doesn’t justify it. But you do need to carry out a risk assessment to know where you actually stand, he says.
He sees a few recurring mistakes:
- Companies underestimate the scope. The CRA touches more parts of the business than many first realise.
- Some skip the risk assessment. That leads either to overengineering or to missing important measures.
- Some are hoping the application date will be pushed back, as happened with the cybersecurity requirements under the Radio Equipment Directive (RED), where the application date was moved from August 2024 to August 2025.
That last hope is particularly risky. At the 10th Cybersecurity Standardisation Conference in March 2026, the Commission was clear: no further postponement is planned.
– The CRA doesn’t require the product to be perfect. It requires you to reduce the number of vulnerabilities and handle them in a structured way. It’s about putting together a realistic roadmap and improving along the way, Angelo says.
A law that isn’t enforced is just a recommendation
To close, Angelo highlights something that often gets less attention in the compliance debate: market surveillance.
– We talk a lot about what manufacturers need to do. But if the EU institutions and the national authorities don’t have the resources for strong market surveillance, the rules effectively become suggestions. A law that isn’t enforced isn’t really a law, he says.
For Angelo, this is just as important a piece of the puzzle as the standardisation itself. Both are needed if the CRA is to have the effect the legislator intended.
The window is closing
December 2027 is getting closer. Vulnerabilities are being exploited faster than ever. And the standards that are meant to make the CRA workable are still under development.
– This is the moment when it’s being decided how this law will work in practice. Anyone who wants to shape it needs to be in the room now, Angelo says.
Engagement makes a difference
Standardisation work is open to more than just the big companies, Angelo points out. It’s often small and medium-sized players who have the specific knowledge that’s needed to make standards workable in practice.
– You don’t need to be an expert in everything. You just need to be willing to contribute what you actually know. That’s how we get standards that reflect reality, Angelo says.
Want to get involved in the future of cybersecurity standards?
Find out more about ITS’s working groups and how you can help shape the standardisation work on the CRA and other areas.