CRA Vulnerability Handling:
7 Documents Manufacturers Need
for EN 40000-1-3
The EU Cyber Resilience Act doesn't just require a secure product at launch — it requires active vulnerability management for your product's entire support period. Here's exactly what that means in practice.
What is prEN 40000-1-3 — and why does it matter?
The CRA tells manufacturers what they must achieve. EN 40000-1-3 tells them how to do it in a way that satisfies regulators and auditors. It is a process-based standard developed by CEN/CENELEC Working Group 9, specifically designed to help manufacturers demonstrate compliance with the essential requirements of CRA Annex I, Part II — the section covering vulnerability handling obligations.
The standard is currently in draft form (prEN 40000-1-3) and under review until March 2026 and is expected to be finalized end of Summer 2026. Once officially adopted, the standard will become EN 40000-1-3. Due to its complexity, the time to start preparing is now.
78
Total requirements
across all phases
59
Mandatory requirements
apply to all manufacturers
29
Req. in Preparation phase
requirements — the heaviest phase
4
Req. Enhancements
risk-based additional requirements
The 6 phases of vulnerability handling
The standard organises vulnerability handling into six sequential phases — the complete lifecycle of a vulnerability, from setting up your processes to learning from past incidents.
01Preparation
Setting up your policies, processes, and capabilities
02Receipt
Receiving and monitoring vulnerability reports
03Verification
Assessing validity, applicability, and severity of vulnerabilities
04Remediation
Planning, developing, and testing fixes
05Release
Distributing updates and publishing advisories
06Post-Release
Monitoring effectiveness and applying lessons learned
Most of the work happens during Preparation
Of the 59 mandatory requirements, 29 fall in the Preparation phase. This is where you create your policies, set up your monitoring processes, build your SBOM, and establish your testing programme.
Start preparing now.
The rest of this article walks you through exactly what to prepare — and where to find free templates to get you started without delay.
7 documents manufacturers need
EN 40000-1-3 is a process standard — it defines specific activities and outputs, including documents and evidence you must produce. Here is what manufacturers need to create, in order of priority.
Vulnerability Handling Policy
Most Critical Internal PolicyYour end-to-end internal process document for handling vulnerabilities — from receipt through to post-release. It must reflect the activities specified across 48 requirements of EN 40000-1-3 in the receipt, verification, remediation, release, and post-release phases, covering what you will do at each phase, who is responsible, and within what timeframes.
For example, it must spell out that an acknowledgement will be sent to vulnerability reporters within a defined timeframe, how severity is assessed, and how and when security updates are released.
Get compliant template in Z-CMSCoordinated Vulnerability Disclosure (CVD) Policy
Publication RequiredAlso known as "Vulnerability Disclosure Policy"
The external-facing counterpart to the Vulnerability Handling Policy. It communicates to the outside world — researchers, customers, partners — how your organisation handles reported vulnerabilities. It must be publicly available on your website.
A practical example: your CVD policy might state "We acknowledge vulnerability reports within 5 business days." Internally, your Vulnerability Handling Policy will then document the exact process to make that happen.
Download our free templateSoftware Bill of Materials (SBOM)
CycloneDX SPDXYou are required to maintain an SBOM in a commonly used, machine-readable format — either CycloneDX or SPDX. It must contain a list of upstream interdependencies, including open source, to facilitate timely resolution of issues when a vulnerability is identified.
Maintaining your SBOM and actively monitoring the components it lists enables you to discover vulnerabilities on an ongoing basis, directly supporting requirements in the Receipt phase ([RCP-2-RQ-01], [RCP-2-RQ-02], [RCP-3-RQ-01]).
List of Hardware Components
Alongside the SBOM, manufacturers must maintain a documented list of hardware components contained in their products. Similar to the SBOM, this enables you to monitor vulnerabilities during the Receipt phase ([RCP-4-RQ-01]) and address them in a timely manner.
Download our free templateSecurity Test and Review Plan
Internal PolicyA risk-based document that defines how, how often, and through which methods you test and review the security of your products. It must specify which types of tests you perform, which tools and methodologies applied, and at what frequency.
Critically, this is not a document you create once and forget. You must maintain evidence that you are actually executing the plan. Auditors will want to see proof of ongoing activity, not just the plan itself.
Vulnerability Assessment Report
Internal Compliance EvidenceWhen a vulnerability is reported, you must document the steps you took to verify it — what you assessed, what evidence you gathered, and what conclusion you reached.
This record is your proof that verification was performed rigorously and systematically, rather than informally.
Download our free templateSecurity Advisory
Publication RequiredIf a vulnerability is reported to you, verified as affecting your product, and subsequently fixed, you are required to publish a security advisory on your website. It must be published in a human-readable format. A machine-readable format (CSAF) is only required if your risk assessment determines it is necessary.
It must include a description of the vulnerability, the affected product version(s), the severity and impact, and clear guidance for users on how to remediate it.
See example: Siemens Healthineers security advisories (external site)How these documents relate to each other
These documents are not independent items — they form a family, with the Vulnerability Handling Policy at the centre.
Core Document
Vulnerability Handling Policy
Defines how all activities must be carried out
CVD Policy
External face of the VH Policy
SBOM
Feeds vulnerability monitoring
Hardware Component List
Feeds vulnerability monitoring
Security Test & Review Plan
Defines ongoing testing activities
Vulnerability Assessment Report
Evidence trail per vulnerability
Security Advisory
Output when a vuln is resolved
The Vulnerability Handling Policy is the core document — it defines how vulnerability handling activities must be carried out. The CVD Policy is its public-facing summary, explaining to vulnerability reporters what to expect when they contact you. The SBOM and hardware component list feed your monitoring activities. The security test and review plan governs proactive vulnerability discovery. And the security advisory is the required output when a vulnerability has been resolved.
Getting the Vulnerability Handling Policy right is therefore the single most impactful step you can take — everything else flows from it.
The challenge of the Vulnerability Handling Policy
The Vulnerability Handling Policy is a tricky document to create correctly, because its content must map directly to the activities specified across 48 requirements of EN 40000-1-3. You cannot write a generic internal process document and call it done — the standard prescribes what must be covered, in what detail.
Creating a fully compliant policy from scratch requires studying the standard thoroughly, understanding the dependencies between sections, and translating 48 requirements into coherent internal procedures. For most manufacturers, this represents a significant time investment.
Z-CMS: pre-loaded, EN 40000-1-3-compliant template
Zealience's Z-CMS comes with a standard-driven policy generator, including a Vulnerability Handling Policy template. The template was built by our expert Dr. Guillaume Dupont, drawing on 10+ years of IoT cybersecurity and compliance experience. As a vulnerability researcher, he has gone through the whole process from vulnerability identification, disclosure to remediation. Rather than studying the standard yourself, you get a word-processor-like environment with guided workflows and built-in compliance insights — so you can focus on filling in your processes, not deciphering requirements.
The template is compliant with prEN 40000-1-3 by default. Z-CMS also includes a guided workflow that covers all phases of vulnerability handling.
Explore Z-CMS policy templatesGetting started today
EN 40000-1-3 may feel complex at first, but it becomes manageable when you understand that its 78 clauses map to a clear set of documents and recurring activities. Manufacturers who build their vulnerability handling processes now will be far better positioned when CRA obligations come into application.
Free templates — Zealience GitHub
Zealience GitHub — Free CRA Templates
Ready-to-use templates you can adapt for your organisation, available free of charge:
Guided compliance software — Z-CMS
Z-CMS — Guided Compliance Workflows
EN 40000-1-3-compliant guided workflows and built-in compliance insights:
Want to kickstart your EN 40000-1-3 compliance?
We are happy to present you Z-CMS in a live demo.