Skip to main content

Standards and regulatory alignment

The Standards hub (https://cvdportal.com/standards) explains how CVD Portal maps to the European standards and bodies that sit underneath the EU Cyber Resilience Act (CRA). Each page states plainly which standards confer a presumption of conformity and which are supporting references, so you can see where your evidence carries legal weight and where it is good practice.

What is on the hub

The hub links a page for each standard or body:

  • CEN/CENELEC EN 40000-1-3 (https://cvdportal.com/standards/en-40000-1-3) — the draft harmonised standard for CRA vulnerability handling, with a full clause-to-feature mapping. It is a CEN Enquiry draft, so it does not yet confer presumption of conformity. Once it is cited in the Official Journal of the EU, fully applying it will support presumption of conformity for the Annex I vulnerability-handling requirements under Article 27.
  • ENISA, the EUVD and Article 14 (https://cvdportal.com/standards/enisa) — how the platform aligns with ENISA's role: the Article 14 Single Reporting Platform, the European Vulnerability Database (EUVD), and national CSIRTs. The page shows a live EUVD feed, the same feed the platform uses for vulnerability monitoring.
  • ETSI EN 303 645 (https://cvdportal.com/standards/etsi-en-303-645) — the consumer-IoT cybersecurity baseline that accredited labs test against, with all 13 provisions mapped to CRA Annex I evidence and platform features.
  • ISO/IEC 27001 and IEC 62443 (https://cvdportal.com/standards/iso-62443-27001) — the information-security management system standard and the industrial (OT) security series, mapped to CRA process and product requirements.
  • OSCAL catalog (https://cvdportal.com/standards/oscal) — the CRA vulnerability-handling requirements expressed as a machine-readable OSCAL catalog for automated compliance tooling.
  • Notified bodies and testing labs (https://cvdportal.com/standards/notified-bodies) — a directory of EU conformity-assessment bodies and cybersecurity testing laboratories.

Which standards give a presumption of conformity?

Only a standard cited in the Official Journal of the EU confers a presumption of conformity with the CRA, and no CRA harmonised standard has been cited yet. EN 40000-1-3 is the emerging harmonised standard and is tracked as a draft. ETSI EN 303 645, ISO/IEC 27001 and IEC 62443 are supporting standards: applying them produces reusable evidence for a CRA technical file and is what accredited labs test against, but it does not by itself grant presumption of conformity. Each page states this clearly.

Notified bodies directory

The notified bodies page (https://cvdportal.com/standards/notified-bodies) lists EU conformity-assessment bodies and cybersecurity testing laboratories, filterable by country, standard and status. It also explains when you actually need a notified body.

Most products with digital elements use internal control (Module A): the manufacturer self-assesses, affixes the CE marking, and needs no notified body. A third-party conformity assessment, and therefore a notified body, applies to important products in Class II, critical products under Annex IV, and Class I products where the manufacturer does not fully apply the relevant harmonised standards. If you are unsure which route applies, run the free product classifier (https://cvdportal.com/classify) or the CRA self-assessment (https://cvdportal.com/cra-self-assessment).

The directory carries an important caveat. At the time of writing, the European Commission had not yet published notified bodies designated specifically under the CRA in the official NANDO database. The organisations listed are established conformity-assessment bodies and accredited testing laboratories that a manufacturer on a third-party route is likely to engage. None is presented as holding a CRA designation, and no NANDO number is shown for a body until one is confirmed. Always verify current designation status directly in NANDO before relying on any body for a CRA conformity assessment.