EN-304-617_v0.0.5.md 1.17 MiB

**Fail Criteria**: No centralized management OR limited policy categories OR delayed enforcement OR no compliance reporting OR no inheritance/versioning OR no testing OR user tampering possible OR incomplete documentation

**Evidence**: Policy management interface documentation, authentication policy configuration testing, encryption policy testing, data residency policy testing, access control policy testing, monitoring policy testing, policy enforcement verification, compliance dashboard screenshots, policy inheritance testing, versioning and rollback testing, policy template documentation, integration guides

**References**:

- Chrome Enterprise Policies: https://chromeenterprise.google/policies/
- Microsoft Intune: https://docs.microsoft.com/en-us/mem/intune/
- NIST Enterprise Configuration Management: https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final

### Assessment: RDPS-REQ-52 (Fully offline browser operation without remote connectivity)

**Reference**: RDPS-REQ-52 - Browser shall operate fully offline without requiring remote connectivity (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for air-gapped or offline-only deployments

**Task**: This assessment verifies that browsers operate completely offline with all core functionality (rendering, apps, bookmarks, settings, developer tools, security features), no network connectivity requirements for installation/setup/activation/updates, no error messages or degraded warnings, complete offline installers, and indefinite offline operation capability.

**Verification**:

1. Verify browser installs completely offline using offline installer → Complete offline installation with offline installer
2. Test that initial setup completes without network connectivity → No online activation or registration required
3. Verify all core functionality works offline (rendering, JavaScript, apps, bookmarks, settings) → All core functionality operational offline
4. Test that security features function without network (sandbox, encryption, isolation) → Security features fully functional without network
5. Verify browser never attempts network connections when offline → No network connection attempts when offline
6. Test that no error messages or warnings about missing network → No error messages or degraded functionality warnings
7. Verify offline-capable web applications work correctly (PWAs, service workers) → Offline web application support (PWAs, service workers)
8. Test that browser settings and configuration fully accessible offline → All settings and configuration accessible offline
9. Verify developer tools fully functional offline → Developer tools fully functional offline
10. Test that browser operates indefinitely without updates or online validation → Indefinite offline operation without degradation

**Pass Criteria**: Complete offline installation AND no online activation AND all core functionality offline AND all security features offline AND no network attempts AND no error/warning messages AND offline web app support AND indefinite operation AND documentation complete

**Fail Criteria**: Requires online installation OR online activation required OR limited functionality offline OR security features require network OR network connection attempts OR error/warning messages OR no offline app support OR time-limited offline OR incomplete documentation

**Evidence**: Offline installer verification, offline installation testing, network monitoring showing zero connection attempts, functionality testing without network, security feature verification offline, error message audit, offline web app testing, long-term offline operation testing, documentation review

**References**:

- Offline Web Applications: https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Offline_Service_workers
- Air-Gapped System Security: https://csrc.nist.gov/glossary/term/air_gap
- Offline-First Design: https://offlinefirst.org/

### Assessment: RDPS-REQ-53 (All user data stored locally without remote synchronization)

**Reference**: RDPS-REQ-53 - All user data shall be stored locally without remote synchronization (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for local-only data storage

**Task**: This assessment verifies that browsers store all user data types (history, bookmarks, passwords, autofill, cookies, settings, extensions, cached content) exclusively in local file system locations with no remote endpoints, no synchronization protocols, no sync features, zero network transmission, and documentation clearly stating local-only storage with user backup responsibilities and data portability guidance.

**Verification**:

1. Verify all user data types stored in local file system locations → All user data types stored locally (history, bookmarks, passwords, etc.)
2. Test that browsing history, bookmarks, passwords stored locally only → Local file system storage locations only
3. Verify form autofill, cookies, downloads, search history stored locally → No remote endpoints configured
4. Test that browser settings, extensions, cached content stored locally → No synchronization protocols present
5. Verify offline web app data (service workers, IndexedDB, localStorage) stored locally → No sync account or cloud backup features
6. Test that no remote endpoints configured for any data storage → Zero network transmission of user data (verified via monitoring)
7. Verify no synchronization protocols implemented (no sync code) → Documentation states local-only storage
8. Test that browser provides no remote synchronization features (no sync accounts) → User backup responsibility explained
9. Verify network monitoring shows zero data transmission for user data → Data loss risk warnings provided
10. Test documentation clearly states local-only storage and backup responsibilities → Data portability guidance (manual export/import)

**Pass Criteria**: All user data types local AND local file system storage AND no remote endpoints AND no sync protocols AND no sync features AND zero network transmission AND clear documentation AND backup guidance AND data loss warnings AND portability guidance

**Fail Criteria**: Any remote storage OR remote endpoints configured OR sync protocols present OR sync features available OR network data transmission OR unclear documentation OR no backup guidance OR no warnings OR no portability guidance

**Evidence**: File system analysis showing local-only storage, network monitoring showing zero user data transmission, code review showing no synchronization capabilities, documentation stating local-only storage with backup responsibilities, data portability documentation

**References**:

- Local Storage Privacy: https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
- Air-Gapped Data Management: https://csrc.nist.gov/glossary/term/air_gap
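Verification step 6 above (no remote endpoints configured for any data storage) and the binary-analysis evidence called for in the next assessment both come down to looking for URL literals in what the browser ships and writes to disk. The following Python script is an added example, not part of the standard or of any browser project: it scans a byte blob (a binary, a profile file, a preferences store) for http(s) URLs, including UTF-16LE wide strings as found in Windows binaries, and reports the hosts that are not on an allowlist of expected ones (a documentation host, for instance). The blob and the allowed host are constructed for the example. A hit is a lead for the code review, not a verdict on its own: a URL in a help text is harmless, a URL handed to a request routine is not.

```python
"""Static scan of a binary or profile file for embedded remote endpoints.

Added example for the RDPS-REQ-53 'no remote endpoints configured' check and
the RDPS-REQ-54 binary-analysis evidence; not part of the standard.
"""
import re

# Constructed sample blob: a fake ELF header, a local file path (not a remote
# endpoint), a documentation URL, some code bytes, a sync endpoint, and a
# telemetry endpoint stored as a UTF-16LE wide string.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"file:///home/user/.browser/bookmarks.json\x00"
    + b"https://docs.example.org/manual/offline.html\x00"
    + b"\x90\x90\xcc\xcc"
    + b"https://sync.example.net/v1/push\x00"
    + "https://telemetry.example.com/collect".encode("utf-16-le") + b"\x00\x00"
)

# Scheme, host, optional port, optional path; NUL and whitespace end the path.
URL_RE = re.compile(r"https?://(?P<host>[A-Za-z0-9.-]+)(?::\d+)?(?:/[^\s\"'<>\x00]*)?")


def _text_views(data):
    """Yield the blob decoded three ways: latin-1 (byte-transparent, so every
    ASCII URL survives) and UTF-16LE at both byte alignments, which recovers
    wide-string literals without knowing where they start."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def extract_endpoints(data):
    """Map each host found in the blob to the sorted list of URLs naming it."""
    found = {}
    for view in _text_views(data):
        for m in URL_RE.finditer(view):
            host = m.group("host").lower().rstrip(".")
            found.setdefault(host, set()).add(m.group(0))
    return {host: sorted(urls) for host, urls in found.items()}


def unexpected_endpoints(data, allowed_hosts):
    """Hosts present in the blob that the vendor did not declare as expected."""
    allowed = {h.lower() for h in allowed_hosts}
    return sorted(h for h in extract_endpoints(data) if h not in allowed)


def scan_file(path, allowed_hosts):
    """Convenience wrapper for a real artifact on disk."""
    with open(path, "rb") as f:
        return unexpected_endpoints(f.read(), allowed_hosts)


if __name__ == "__main__":
    allowed = {"docs.example.org"}  # constructed: the vendor's documentation host
    for host, urls in sorted(extract_endpoints(SAMPLE_BLOB).items()):
        print(host, urls)
    print("unexpected:", unexpected_endpoints(SAMPLE_BLOB, allowed))
```

Run against a real profile directory, the same scan over each file is the file-system half of the evidence; run against the installed binaries it is the binary-analysis half. Either way the allowlist should be the vendor's documented list of hosts, so that the assessor is checking the vendor's claim rather than inventing one.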

### Assessment: RDPS-REQ-54 (No telemetry, diagnostics, or usage data transmission)

**Reference**: RDPS-REQ-54 - Browser shall not transmit telemetry, diagnostics, or usage data to remote servers (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for privacy-preserving operation

**Task**: This assessment verifies that browsers collect and transmit no telemetry, diagnostics, crash reports, usage analytics, or statistical data; that no analytics SDKs, libraries, or crash-reporting services are present; that the absence of network transmission is verifiable through network monitoring and code review; and that documentation clearly states that no telemetry is collected.

**Verification**:

1. Verify no usage analytics collected or transmitted (page views, feature usage, session duration) → No usage analytics collection or transmission
2. Test that no performance metrics transmitted (rendering times, memory, CPU) → No performance metrics transmission
3. Verify no crash reports transmitted (stack traces, memory dumps, error logs) → No crash report transmission
4. Test that no debugging information transmitted (console logs, JavaScript errors) → No debugging information transmission
5. Verify no feature adoption metrics transmitted (feature usage, configuration) → No feature or system information transmission
6. Test that no system information transmitted (OS version, hardware, installed software) → No analytics SDKs or libraries present
7. Verify no network information transmitted (IP addresses, DNS queries, timing) → No crash reporting service integration
8. Test that no analytics SDKs or libraries included in browser → Zero telemetry transmission (verified via network monitoring)
9. Verify no crash reporting services integrated → Documentation states no telemetry
10. Test network monitoring shows zero telemetry transmission → Code review confirms no telemetry infrastructure

**Pass Criteria**: Zero telemetry of all types (usage, performance, crashes, debugging, features, system) AND no analytics SDKs AND no crash reporting services AND zero network transmission AND clear documentation AND code review verification

**Fail Criteria**: Any telemetry transmission OR analytics SDKs present OR crash reporting integrated OR network telemetry observed OR unclear documentation OR unverified code

**Evidence**: Network monitoring showing zero telemetry transmission, code review showing no analytics or telemetry libraries, binary analysis showing no telemetry endpoints, documentation stating no telemetry, privacy policy confirmation

**References**:

- Telemetry Privacy Risks: https://www.eff.org/deeplinks/2019/10/privacy-badger-now-fights-more-tracking-embedded-tweets
- GDPR Telemetry: https://gdpr.eu/what-is-gdpr/
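The network-monitoring evidence required here (step 10) and in RDPS-REQ-52 (step 5) reduces to one question: does any socket opened by a browser process have a destination off the host? The following Python script is an added example, not part of the standard or of any browser's own tooling. It assumes a constructed per-process connection log with whitespace-separated fields (timestamp, process name, protocol, destination address, port), as a per-process socket monitor might emit; the process names and addresses are constructed. Loopback destinations are tolerated, because a browser may legitimately talk to itself (DevTools on 127.0.0.1 is the usual case), but every other destination, DNS lookups included, is an attempt that fails the assessment.

```python
"""Offline-operation check over a per-process connection log.

Added example for the RDPS-REQ-52 / RDPS-REQ-54 network-monitoring evidence;
not part of the standard. The log format is constructed for this example:
    <timestamp> <process> <tcp|udp> <destination address> <port>
Adapt parse_line() to the format your capture tool actually produces.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log. The browser opens DevTools on loopback (fine), then
# issues a DNS query and an HTTPS connection (both off-host); its updater
# component also reaches out; an unrelated editor process is noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z browser tcp 127.0.0.1 9222
2024-05-01T10:00:02Z browser udp ::1 5353
2024-05-01T10:00:05Z updater tcp 203.0.113.10 443
2024-05-01T10:00:07Z browser udp 192.0.2.53 53
2024-05-01T10:00:09Z browser tcp 198.51.100.7 443
2024-05-01T10:00:11Z editor tcp 203.0.113.99 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<proto>tcp|udp)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for one log record, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def stays_on_host(address):
    """True for loopback or unspecified addresses, which never leave the machine.
    Anything unparseable (e.g. a hostname) is treated as remote: a name means a
    lookup was needed, which is itself network activity."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_remote_attempts(log_text, browser_processes):
    """All records from the named processes whose destination is off-host."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] not in browser_processes:
            continue
        if stays_on_host(rec["dst"]):
            continue
        attempts.append(rec)
    return attempts


def summarize(attempts):
    """Count attempts per (process, destination, port, protocol) so the report
    shows which component reached where, not just a total."""
    return Counter((a["proc"], a["dst"], a["port"], a["proto"]) for a in attempts)


def dns_lookups(attempts):
    """Subset of attempts that are DNS queries: even a failed lookup reveals
    which names the browser wanted, so they are reported separately."""
    return [a for a in attempts if a["port"] == 53]


def passes_offline_check(log_text, browser_processes):
    """RDPS-0 verdict: the browser and its components made zero off-host attempts."""
    return not find_remote_attempts(log_text, browser_processes)


if __name__ == "__main__":
    procs = {"browser", "updater"}  # every process the browser package installs
    found = find_remote_attempts(SAMPLE_LOG, procs)
    print("verdict:", "PASS" if passes_offline_check(SAMPLE_LOG, procs) else "FAIL")
    for key, n in sorted(summarize(found).items()):
        print(f"  {key[0]} -> {key[1]}:{key[2]}/{key[3]} x{n}")
    print("DNS lookups:", len(dns_lookups(found)))
```

The process set must cover every executable the browser package installs (updater services, crash handlers, helper processes), otherwise an updater phoning home is filtered out as noise; for the long-term operation item in RDPS-REQ-52 the same check is simply run over a capture spanning the whole test period.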

### Assessment: RDPS-REQ-55 (No degradation when network connectivity unavailable)

**Reference**: RDPS-REQ-55 - Browser shall function without degradation when network connectivity unavailable (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for reliable offline operation

**Task**: This assessment verifies that browsers provide identical functionality and performance whether online or offline for all core features (rendering, applications, browsing, settings, developer tools, extensions, passwords, local storage) with no connectivity checks gating features, no error/warning messages, and equivalent performance metrics when tested with cached content.

**Verification**:

1. Verify all rendering capabilities work identically offline (HTML, CSS, JS, images, media, fonts) → All rendering capabilities identical offline
2. Test that web applications and scripts execute normally offline → Web applications execute normally offline
3. Verify browsing features fully functional offline (tabs, windows, navigation, bookmarks, history) → All browsing features functional offline
4. Test browser settings and configuration accessible offline without limitations → Settings and configuration fully accessible offline
5. Verify developer tools fully functional offline → Developer tools fully functional offline
6. Test extension management works offline (previously installed extensions) → Extension management operational offline
7. Verify password management and autofill work offline with local data → Password management and autofill work offline
8. Test local data storage operations work identically offline (cookies, localStorage, IndexedDB) → Local storage operations identical offline
9. Verify no connectivity checks before enabling features → No connectivity checks gating features
10. Test that no connectivity-dependent UI elements or degradation warnings shown → Performance metrics equivalent online/offline (verified with cached content)

**Pass Criteria**: All features identical offline AND no performance reduction AND no error/warning messages AND no feature limitations AND no connectivity checks AND equivalent performance metrics AND clear documentation

**Fail Criteria**: Reduced functionality offline OR degraded performance offline OR error/warning messages OR limited features OR connectivity checks gating features OR slower offline performance OR unclear documentation

**Evidence**: Offline functionality testing for all features, performance benchmarking (online vs offline with cached content), network monitoring during offline operation, error message audit, feature availability audit, UI element inspection, performance metrics comparison

**References**:

- Offline-First Web Applications: https://offlinefirst.org/
- Service Worker Offline Support: https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Offline_Service_workers
- Progressive Enhancement: https://www.w3.org/wiki/Graceful_degradation_versus_progressive_enhancement

### Assessment: RDPS-REQ-56 (No remote authentication or authorization services required)

**Reference**: RDPS-REQ-56 - No remote authentication or authorization services shall be required (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for local-only authentication

**Task**: This assessment verifies that browsers require no remote authentication or authorization for any functionality (installation, features, settings, data management, updates, security) with optional local authentication mechanisms only, local credential storage, identical online/offline behavior, and documentation confirming no remote authentication requirements.

**Verification**:

1. Verify no remote authentication required for installation and activation → No remote authentication for installation/activation
2. Test that all browser features accessible without online authentication → All features accessible without online authentication
3. Verify browser functionality works without remote authorization services → No remote authorization services required
4. Test local user data access requires no remote authentication → Local data access without remote authentication
5. Verify manual updates work without online validation → Manual updates without online validation
6. Test license validation, if any, does not require remote servers → No remote license validation required
7. Verify all security features operate without remote authentication → Security features independent of remote authentication
8. Test optional local authentication mechanisms work offline (master passwords, profiles, locks) → Optional local authentication works offline
9. Verify authentication data stored locally (encrypted database, OS credential manager) → Authentication data stored locally only
10. Test identical authentication behavior whether online or offline → Identical online/offline authentication behavior

**Pass Criteria**: Zero remote authentication requirements AND all features accessible without authentication AND local authentication only (if any) AND identical online/offline behavior AND local credential storage AND clear documentation

**Fail Criteria**: Any remote authentication required OR features gated by online authentication OR remote authorization services OR different online/offline behavior OR cloud-synced credentials OR unclear documentation

**Evidence**: Installation testing without network, feature access testing offline, authentication flow analysis showing local-only verification, network monitoring showing no authentication traffic, credential storage analysis showing local-only storage, online/offline behavior comparison, documentation review

**References**:

- Local Authentication: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
- Air-Gapped Authentication: https://csrc.nist.gov/glossary/term/authentication
- Privacy-Preserving Authentication: https://www.w3.org/TR/webauthn-3/

### Assessment: RDPS-REQ-57 (Local-only operation capabilities and limitations documentation)

**Reference**: RDPS-REQ-57 - Browser shall document all local-only operation capabilities and limitations (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for transparent operation

**Task**: This assessment verifies that browsers provide comprehensive documentation of local-only operation covering offline capabilities (rendering, apps, storage, extensions, security, dev tools), clearly stated limitations (features unavailable offline, no sync, manual updates), operational guidance (installation, backup, troubleshooting, migration), and offline-accessible formats (bundled, PDF, plain text).

**Verification**:

1. Verify documentation comprehensively describes offline capabilities (rendering, apps, storage, extensions, security, dev tools) → Comprehensive offline capabilities documented (all feature categories)
2. Test that limitations clearly stated (features unavailable offline, no sync, manual updates) → Limitations and unavailable features clearly stated
3. Verify operational guidance provided (installation, backup, troubleshooting, migration) → Operational guidance provided (installation, backup, troubleshooting, migration)
4. Test documentation accessible offline (included with installation, PDF, plain text) → Documentation accessible offline (bundled, PDF, plain text)
5. Verify supported web standards and features documented → Supported web standards and features listed
6. Test that service worker and offline storage capabilities explained → Offline storage APIs and limits documented
7. Verify data management procedures documented (limits, backup, export) → Extension offline compatibility explained
8. Test extension compatibility and limitations clearly explained → Security feature offline operation confirmed
9. Verify security feature offline operation documented → Data backup procedures detailed
10. Test that offline installation procedures clearly described → Troubleshooting and migration guidance provided

**Pass Criteria**: Comprehensive capability documentation AND clear limitation statements AND operational guidance AND offline-accessible documentation AND web standards coverage AND storage documentation AND extension compatibility AND security documentation AND backup procedures AND troubleshooting guidance

**Fail Criteria**: Incomplete capability documentation OR unclear limitations OR no operational guidance OR online-only documentation OR missing standards coverage OR no storage documentation OR unclear extension support OR no security documentation OR no backup procedures OR no troubleshooting guidance

**Evidence**: Documentation completeness review covering all required areas, offline documentation accessibility verification (bundled docs, PDF availability), capability accuracy testing (verify documented features work as described), limitation verification (confirm stated limitations accurate), operational guidance evaluation (installation, backup, troubleshooting procedures)

**References**:

- Technical Documentation Best Practices: https://www.writethedocs.org/guide/
- Offline Documentation Standards: https://www.w3.org/TR/offline-webapps/
- Air-Gapped System Documentation: https://www.cisecurity.org/controls

### Assessment: RDPS-REQ-58 (User notification that no data leaves local system)

**Reference**: RDPS-REQ-58 - Users shall be informed that no data leaves the local system (RDPS-0 requirement)

**Given**: A conformant browser claiming RDPS-0 capability (no remote data processing) for transparent privacy protection

**Task**: This assessment verifies that browsers clearly inform users that no data leaves the local system through multiple mechanisms (setup notification, settings statement, documentation, privacy policy), using clear non-technical language, prominent visibility, an explanation of the benefits, technical verification methods for advanced users, honest and accurate claims, and easy ongoing access to the privacy commitments.

**Verification**:

1. Verify clear notification during installation or first launch stating data remains local → Initial setup notification stating data remains local
2. Test prominent privacy statement in browser settings describing local-only operation → Prominent settings interface privacy statement
3. Verify about or help documentation explains no data transmission policy → About/help documentation explaining policy
4. Test privacy policy contains legally binding commitment to local-only operation → Privacy policy legal commitment to local-only operation
5. Verify optional visual indicators reinforcing local-only status → Clear, non-technical language used
6. Test language used is clear and non-technical (accessible to average users) → Prominent and visible notifications
7. Verify notifications prominent and visible (not buried in lengthy terms) → Benefits clearly explained
8. Test that benefits explained (privacy, offline operation, no dependency) → Contrast with cloud-dependent alternatives explained
9. Verify documentation includes network monitoring procedures for user verification → Technical verification methods documented
10. Test browser provides verification tools (network activity monitor, diagnostic mode) → Easy ongoing access to privacy commitments

**Pass Criteria**: Multiple notification mechanisms (setup, settings, docs, privacy policy) AND clear non-technical language AND prominent visibility AND benefits explained AND technical verification methods AND honest accurate claims AND easy ongoing access AND documentation complete

**Fail Criteria**: Single notification only OR technical jargon OR buried in terms OR benefits unexplained OR no verification methods OR inaccurate claims OR difficult to access OR incomplete documentation

**Evidence**: First-run notification screenshots, settings interface privacy statements, help documentation review, privacy policy legal commitment, language clarity assessment, notification prominence evaluation, verification method documentation, accuracy verification (network monitoring confirms zero transmission)

**References**:

- Privacy Notice Requirements: https://gdpr.eu/privacy-notice/
- Transparency and Consent: https://www.ftc.gov/business-guidance/privacy-security

### Assessment: RDPS-REQ-59 (All RDPS-1 requirements implemented for RDPS-2)

**Reference**: RDPS-REQ-59 - All RDPS-1 requirements shall be implemented for RDPS-2 capability (RDPS-2-REQ-1 requirement)

**Given**: A conformant browser claiming RDPS-2 capability (extended remote processing with sensitive data) that should also meet all RDPS-1 requirements

**Task**: This assessment verifies that browsers claiming RDPS-2 capability fully implement all 15 RDPS-1 requirements (RDPS-REQ-1 through RDPS-REQ-15) as the baseline, each meeting its specified criteria without degradation from RDPS-2 enhancements, with documentation confirming that RDPS-2 includes all RDPS-1 protections and that there are no gaps or exceptions.

**Verification**:

1. Verify RDPS-1-REQ-1 implemented (offline functionality documented) per RDPS-REQ-1 assessment → RDPS-1-REQ-11 implemented (failure logging) per RDPS-REQ-11
2. Test RDPS-1-REQ-2 implemented (data classification) per RDPS-REQ-2 assessment → RDPS-1-REQ-12 implemented (graceful degradation) per RDPS-REQ-12
3. Verify RDPS-1-REQ-3 implemented (data criticality) per RDPS-REQ-3 assessment → RDPS-1-REQ-13 implemented (credential protection) per RDPS-REQ-13
4. Test RDPS-1-REQ-4 implemented (TLS 1.3+ encryption) per RDPS-REQ-4 assessment → RDPS-1-REQ-14 implemented (rate limiting) per RDPS-REQ-14
5. Verify RDPS-1-REQ-5 implemented (certificate validation) per RDPS-REQ-5 assessment → RDPS-1-REQ-15 implemented (data validation) per RDPS-REQ-15
6. Test RDPS-1-REQ-6 implemented (retry with backoff) per RDPS-REQ-6 assessment → All 15 RDPS-1 requirements fully implemented
7. Verify RDPS-1-REQ-7 implemented (local caching) per RDPS-REQ-7 assessment → Each requirement meets specified criteria
8. Test RDPS-1-REQ-8 implemented (secure authentication) per RDPS-REQ-8 assessment → RDPS-2 enhancements do not compromise RDPS-1 baseline
9. Verify RDPS-1-REQ-9 implemented (certificate pinning) per RDPS-REQ-9 assessment → Documentation confirms RDPS-2 includes all RDPS-1 protections
10. Test RDPS-1-REQ-10 implemented (timeout controls) per RDPS-REQ-10 assessment → No gaps or exceptions in RDPS-1 requirement implementation

**Pass Criteria**: All 15 RDPS-1 requirements fully implemented AND each meets specified criteria AND no degradation from RDPS-2 enhancements AND documentation confirms inclusion AND no gaps or exceptions

**Fail Criteria**: Any RDPS-1 requirement not implemented OR any requirement fails criteria OR RDPS-2 compromises RDPS-1 baseline OR documentation does not confirm inclusion OR gaps or exceptions present

**Evidence**: RDPS-REQ-1 through RDPS-REQ-15 assessment results (all pass), comprehensive requirement coverage verification, baseline security preservation testing, documentation review confirming RDPS-2 includes all RDPS-1 protections, gap analysis showing complete RDPS-1 implementation

**References**:

- Defense in Depth: https://csrc.nist.gov/glossary/term/defense_in_depth
- Layered Security: https://www.nist.gov/cybersecurity
- Security Capability Levels: https://www.iso.org/standard/56328.html

### Assessment: RDPS-REQ-60 (All RDPS-2 requirements implemented for RDPS-3)

**Reference**: RDPS-REQ-60 - All RDPS-2 requirements shall be implemented for RDPS-3 capability (RDPS-3-REQ-1 requirement)

**Given**: A conformant browser claiming RDPS-3 capability (full remote processing with critical data requiring maximum security) that should also meet all RDPS-2 requirements

**Task**: This assessment verifies that browsers claiming RDPS-3 capability fully implement all 18 RDPS-2 requirements (including 15 RDPS-1 requirements via RDPS-2-REQ-1) as verified through RDPS-REQ-1 through RDPS-REQ-32 assessments, each meeting specified criteria without degradation from RDPS-3 enhancements, with documentation confirming RDPS-3 includes all RDPS-2 and RDPS-1 protections and no gaps or exceptions.

**Verification**:

1. Verify all RDPS-1 requirements implemented via RDPS-REQ-59 assessment (15 requirements) → RDPS-2-REQ-11 (replay defense) per RDPS-REQ-25
2. Test RDPS-2-REQ-2 implemented (encryption at rest) per RDPS-REQ-16 assessment → RDPS-2-REQ-12 (data minimization) per RDPS-REQ-26
3. Verify RDPS-2-REQ-3 implemented (mutual TLS) per RDPS-REQ-17 assessment → RDPS-2-REQ-13 (sync controls) per RDPS-REQ-27
4. Test RDPS-2-REQ-4 implemented (redundant copies) per RDPS-REQ-18 assessment → RDPS-2-REQ-14 (data export) per RDPS-REQ-28
5. Verify RDPS-2-REQ-5 implemented (backup recovery) per RDPS-REQ-19 assessment → RDPS-2-REQ-15 (endpoint config) per RDPS-REQ-29
6. Test RDPS-2-REQ-6 implemented (retention policies) per RDPS-REQ-20 assessment → RDPS-2-REQ-16 (availability) per RDPS-REQ-30
7. Verify RDPS-2-REQ-7 implemented (access controls) per RDPS-REQ-21 assessment → RDPS-2-REQ-17 (pooling) per RDPS-REQ-31
8. Test RDPS-2-REQ-8 implemented (audit logging) per RDPS-REQ-22 assessment → RDPS-2-REQ-18 (token protection) per RDPS-REQ-32
9. Verify RDPS-2-REQ-9 implemented (integrity verification) per RDPS-REQ-23 assessment → All 18 RDPS-2 requirements fully implemented (includes RDPS-1 via RDPS-2-REQ-1)
10. Test RDPS-2-REQ-10 implemented (endpoint protection) per RDPS-REQ-24 assessment → RDPS-3 enhancements do not compromise RDPS-1/RDPS-2 baseline

**Pass Criteria**: All 18 RDPS-2 requirements fully implemented (including 15 RDPS-1 via RDPS-2-REQ-1) AND each meets specified criteria AND no degradation from RDPS-3 enhancements AND documentation confirms inclusion AND no gaps or exceptions

**Fail Criteria**: Any RDPS-2 requirement not implemented OR any requirement fails criteria OR RDPS-3 compromises RDPS-2/RDPS-1 baseline OR documentation does not confirm inclusion OR gaps or exceptions present

**Evidence**: RDPS-REQ-1 through RDPS-REQ-32 assessment results (all pass), comprehensive requirement coverage verification across all three capability levels, baseline security preservation testing, documentation review confirming RDPS-3 includes all RDPS-2 and RDPS-1 protections, gap analysis showing complete RDPS-2 implementation

**References**:

- Defense in Depth: https://csrc.nist.gov/glossary/term/defense_in_depth
- Layered Security Architecture: https://www.nist.gov/cybersecurity
- Enterprise Security Capability Maturity: https://www.iso.org/standard/56328.html
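The two inheritance assessments above (RDPS-REQ-59 and RDPS-REQ-60) are the same computation at two depths: a level's claim is supported only if every assessment of the level it builds on passes, recursively. As an added example, not part of the standard, the Python script below encodes that chain from what this page states (RDPS-1 is assessed by RDPS-REQ-1 through RDPS-REQ-15; RDPS-2 adds RDPS-REQ-16 through RDPS-REQ-32 and inherits RDPS-1 through RDPS-2-REQ-1; RDPS-3 inherits RDPS-2 through RDPS-3-REQ-1) and separates failed assessments from ones that were never run, since the "no gaps or exceptions" criterion treats a missing result as a gap. The assessment numbers for RDPS-3's own requirements are not on this page, so that level is modelled as its inheritance only (an assumption marked in the code); the result dictionary is constructed.

```python
"""Gap analysis for the RDPS capability-level inheritance chain.

Added example for RDPS-REQ-59 / RDPS-REQ-60; not part of the standard.
Assessment ranges are taken from the text of those two assessments.
"""

# Assessments each level adds on top of the level it inherits from.
OWN_ASSESSMENTS = {
    "RDPS-1": range(1, 16),   # RDPS-REQ-1 .. RDPS-REQ-15 (the 15 RDPS-1 requirements)
    "RDPS-2": range(16, 33),  # RDPS-REQ-16 .. RDPS-REQ-32 (RDPS-2-REQ-2 .. RDPS-2-REQ-18)
    "RDPS-3": range(0),       # assumption: RDPS-3's own assessments are not listed on this page
}

# RDPS-2-REQ-1 (assessed by RDPS-REQ-59) and RDPS-3-REQ-1 (assessed by RDPS-REQ-60).
INHERITS = {"RDPS-2": "RDPS-1", "RDPS-3": "RDPS-2"}


def required_assessments(level):
    """Every RDPS-REQ number a claim at `level` must pass, inherited ones included."""
    required = set(OWN_ASSESSMENTS[level])
    parent = INHERITS.get(level)
    if parent is not None:
        required |= required_assessments(parent)
    return required


def gap_report(level, results):
    """Split the required set into failed (assessed, did not pass) and missing
    (never assessed). `results` maps RDPS-REQ number -> True/False."""
    required = required_assessments(level)
    failed = sorted(n for n in required if results.get(n) is False)
    missing = sorted(n for n in required if n not in results)
    return {"level": level, "required": len(required), "failed": failed, "missing": missing}


def claim_supported(level, results):
    """RDPS-REQ-59/60 verdict: no failed and no missing assessments anywhere in the chain."""
    rep = gap_report(level, results)
    return not rep["failed"] and not rep["missing"]


# Constructed results for a browser claiming RDPS-3: everything passes except
# certificate pinning (RDPS-REQ-9), and replay defense (RDPS-REQ-25) was never run.
SAMPLE_RESULTS = {n: True for n in range(1, 33)}
SAMPLE_RESULTS[9] = False
del SAMPLE_RESULTS[25]

if __name__ == "__main__":
    for lvl in ("RDPS-1", "RDPS-2", "RDPS-3"):
        rep = gap_report(lvl, SAMPLE_RESULTS)
        verdict = "supported" if claim_supported(lvl, SAMPLE_RESULTS) else "NOT supported"
        print(lvl, verdict, rep)
```

The report distinguishes a failed baseline control (here RDPS-REQ-9, which also sinks the RDPS-1 claim) from an unassessed one (RDPS-REQ-25, which only the RDPS-2 and RDPS-3 claims depend on); both block the higher-level claim, but they call for different remediation, a fix versus a test run.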

# Annex A (informative): Mapping between the present document and CRA requirements

_Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements._

| CRA requirement                                 | Technical security requirement(s)  |
|-------------------------------------------------|------------------------------------|
| No known exploitable vulnerabilities            | UPD-0-REQ-1 through UPD-0-REQ-24 (Forced automatic updates), UPD-1-REQ-1 through UPD-1-REQ-25 (Automatic updates with postponement), LOG-REQ-14 (Incident detection), LOG-REQ-15 (Audit trail completeness), EMB-REQ-9 (JavaScript bridge security review), EXT-REQ-4 (Manifest validation), EXT-REQ-17 (Extension signature validation) |
| Secure design, development, production          | EMB-REQ-9 (JavaScript bridge security review), EXT-REQ-4 (Manifest validation), EXT-REQ-17 (Extension signature validation), UPD-REQ-2 (Update signature verification), UPD-REQ-23 (Binary reproducibility), ENC-REQ-12 (Secure random number generation), SYS-REQ-26 (Sandbox escape prevention), SYS-REQ-27 (Spectre/Meltdown mitigations), SYS-REQ-28 (Side-channel mitigations) |
| Secure by default configuration                 | DOM-0-REQ-1 through DOM-0-REQ-6 (Full isolation by default), ENC-0-REQ-1 through ENC-0-REQ-23 (Full encryption by default), DOM-REQ-5 (SameSite=Lax default), DOM-REQ-12 (document.domain restricted by default), ENC-REQ-16 (HTTPS-first mode), UPD-0-REQ-1 (Automatic updates enabled by default), LOG-REQ-9 (User consent for telemetry), SYS-0-REQ-1 through SYS-0-REQ-13 (Sandboxed by default), EMB-0-REQ-1 through EMB-0-REQ-7 (Isolated by default) |
| Secure updates                                  | UPD-REQ-1 (Automatic update mechanism), UPD-REQ-2 (Update signature verification), UPD-REQ-3 (HTTPS-only delivery), UPD-REQ-4 (Manifest integrity), UPD-REQ-5 (Rollback protection), UPD-REQ-6 (Channel isolation), UPD-REQ-7 (Component updates), UPD-REQ-8 (Emergency updates), UPD-REQ-9 (Verification before installation), UPD-REQ-10 (Failure recovery), UPD-REQ-11 (Transparency logging), UPD-REQ-12 (Delta update security), UPD-REQ-13 (Server authentication), UPD-REQ-14 (Timing jitter), UPD-REQ-15 (Background enforcement), UPD-REQ-16 (Notification UI), UPD-REQ-17 (Forced critical updates), UPD-REQ-18 (Verification chain), UPD-REQ-19 (Source pinning), UPD-REQ-20 (Integrity verification), UPD-REQ-21 (Staged rollout), UPD-REQ-22 (Domain validation), UPD-REQ-23 (Binary reproducibility), EXT-REQ-10 (Extension update verification) |
| Authentication and access control mechanisms    | DOM-REQ-1 (Process-per-site isolation), DOM-REQ-3 (Cross-origin DOM access prevention), DOM-REQ-4 (CORS preflight), DOM-REQ-5 (SameSite cookies), DOM-REQ-6 (Storage isolation), EXT-REQ-1 (Extension permission model), EXT-REQ-3 (Extension API access control), EXT-REQ-7 (Host permissions validation), SYS-REQ-6 (Device API permissions), SYS-REQ-7 (PWA permission management), SYS-REQ-8 through SYS-REQ-19 (Device-specific permissions), EMB-REQ-1 (JavaScript bridge API allowlists), EMB-REQ-5 (User consent for sensitive operations), EMB-REQ-11 (Granular capability-based permissions), PRO-REQ-2 (User consent for custom protocols), PRO-REQ-3 (Protocol allowlist enforcement) |
| Confidentiality protection                      | ENC-REQ-1 (TLS 1.3+ support), ENC-REQ-2 (Certificate validation), ENC-REQ-3 (Certificate pinning), ENC-REQ-4 (HSTS enforcement), ENC-REQ-5 (Mixed content blocking), ENC-REQ-6 (Certificate Transparency), ENC-REQ-11 (Web Crypto API), ENC-REQ-13 (Subresource Integrity), ENC-REQ-14 (Encrypted SNI/ECH), ENC-REQ-16 (HTTPS-first mode), ENC-REQ-20 (Cryptographic key isolation), ENC-REQ-21 (Certificate store security), DOM-REQ-2 (CORB), DOM-REQ-6 (Storage isolation), EMB-REQ-4 (Context isolation), EMB-REQ-8 (Host credential protection), EMB-REQ-12 (Storage isolation from host), EMB-REQ-14 (Encrypted cross-process bridge), EMB-REQ-17 (Certificate validation for embedded content), EMB-REQ-21 (Mixed content prevention), EMB-REQ-27 (Network security configuration) |
| Integrity protection for data and configuration | ENC-REQ-2 (Certificate validation), ENC-REQ-13 (Subresource Integrity), UPD-REQ-2 (Update signature verification), UPD-REQ-4 (Update manifest integrity), UPD-REQ-5 (Rollback protection), UPD-REQ-20 (Update integrity verification), LOG-REQ-11 (Log integrity protection), EMB-REQ-2 (JavaScript bridge input validation), EMB-REQ-7 (Immutable bridge configuration), EMB-REQ-19 (SRI for embedded content), EMB-REQ-23 (Cryptographic signature verification for local content), EXT-REQ-4 (Manifest validation), EXT-REQ-17 (Extension signature validation), DOM-REQ-9 (CORP), DOM-REQ-11 (COEP) |
| Data minimization                               | LOG-REQ-7 (Log data minimization), LOG-REQ-8 (Log anonymization), LOG-REQ-12 (Log retention policies), LOG-REQ-18 (Privacy-preserving analytics), EXT-REQ-16 (Extension telemetry privacy), DOM-REQ-6 (Storage isolation limits data sharing), EMB-REQ-12 (Storage isolation from host), PRO-REQ-5 (Protocol parameter sanitization to prevent data leakage) |
| Availability protection                         | SYS-REQ-20 (Hardware resource limits), SYS-REQ-21 (Memory isolation), SYS-REQ-22 (CPU quotas), SYS-REQ-23 (Network bandwidth limits), SYS-REQ-24 (Storage quotas), SYS-REQ-25 (Process priority management), UPD-REQ-10 (Update failure recovery), UPD-REQ-21 (Staged rollout), EMB-REQ-10 (Bridge API rate limiting), EXT-REQ-5 (Extension sandboxing to prevent interference) |
| Minimize impact on other devices or services    | DOM-REQ-1 (Process-per-site isolation), SYS-REQ-1 (Process sandbox enforcement), SYS-REQ-2 (Renderer process isolation), SYS-REQ-3 (GPU process isolation), SYS-REQ-4 (Network service isolation), SYS-REQ-20 (Resource limits), SYS-REQ-26 (Sandbox escape prevention), EXT-REQ-5 (Extension sandboxing), EXT-REQ-6 (Cross-extension isolation), EMB-REQ-4 (Context isolation), PRO-REQ-13 (Handler capability restrictions) |
| Limit attack surface                            | EXT-0-REQ-1 through EXT-0-REQ-3 (No extension support), SYS-0-REQ-1 through SYS-0-REQ-13 (Fully sandboxed), EMB-0-REQ-1 through EMB-0-REQ-7 (No JavaScript bridge), PRO-0-REQ-1 through PRO-0-REQ-5 (HTTP/HTTPS only), DOM-REQ-7 (iframe sandboxing), DOM-REQ-8 (Opaque origin handling), EMB-REQ-6 (No system-level API exposure), EMB-REQ-16 (Allowlists over denylists), EXT-REQ-12 (Background script restrictions), ENC-REQ-19 (Legacy crypto deprecation) |
| Exploit mitigation by limiting incident impact  | DOM-REQ-1 (Process-per-site isolation limits cross-site impact), SYS-REQ-1 (Sandbox enforcement), SYS-REQ-2 (Process isolation), SYS-REQ-21 (Memory isolation), SYS-REQ-26 (Sandbox escape prevention), SYS-REQ-27 (Spectre/Meltdown mitigations), SYS-REQ-28 (Side-channel mitigations), DOM-REQ-2 (CORB), DOM-REQ-9 (CORP), DOM-REQ-10 (COOP), DOM-REQ-11 (COEP), EXT-REQ-2 (Content script isolation), EXT-REQ-5 (Extension sandboxing), EXT-REQ-6 (Cross-extension isolation), EMB-REQ-4 (Context isolation), UPD-REQ-5 (Rollback protection), UPD-REQ-21 (Staged rollout limits blast radius) |
| Logging and monitoring mechanisms               | LOG-REQ-1 (Security event logging), LOG-REQ-2 (Certificate error logging), LOG-REQ-3 (Extension security events), LOG-REQ-4 (CSP violation reporting), LOG-REQ-5 (Network Error Logging), LOG-REQ-6 (Crash reporting), LOG-REQ-10 (Secure log transmission), LOG-REQ-11 (Log integrity protection), LOG-REQ-13 (Security dashboard), LOG-REQ-14 (Incident detection), LOG-REQ-15 (Audit trail completeness), LOG-REQ-16 (Real-time security alerts), LOG-REQ-17 (Forensic log export), LOG-REQ-19 (Compliance logging), LOG-REQ-20 (Log access controls), EMB-REQ-3 (JavaScript bridge logging), EMB-REQ-22 (Trust decision logging), EMB-REQ-32 (Trust boundary violation events), UPD-REQ-11 (Update transparency logging), PRO-REQ-9 (Protocol handler logging) |
| Secure deletion and data transfer               | DOM-REQ-6 (Storage isolation enables secure per-origin deletion), ENC-REQ-1 (TLS 1.3+ for secure transfer), ENC-REQ-3 (Certificate pinning for critical transfers), ENC-REQ-5 (Mixed content blocking), EMB-REQ-17 (Certificate validation for embedded content transfers), EMB-REQ-21 (Mixed content prevention), EMB-REQ-27 (Network security configuration), SYS-REQ-24 (Storage quotas with cleanup mechanisms), EXT-REQ-11 (Extension storage isolation enables clean uninstall) |

# Annex B (informative): Mapping of Use Cases to Capabilities and Requirements

This annex provides a comprehensive mapping of each use case defined in Section 4.4 to the relevant browser capabilities and their associated requirement sets. This mapping helps manufacturers and assessors identify which requirements apply to specific deployment contexts.

## B.1 Use Case Mapping Methodology

For each use case, the mapping identifies:

1. **Primary Capabilities**: Core security capabilities that are essential for the use case
2. **Recommended Condition Levels**: Specific condition levels (e.g., DOM-1, EXT-2) appropriate for the use case's risk profile
3. **Critical Requirements**: Specific requirement sets that shall be satisfied for the use case
4. **Optional Enhancements**: Additional requirements that may be appropriate based on deployment specifics

## B.2 Use Case to Capability Mappings

### UC-B1: General Purpose Web Browsing (Risk Level: Standard)

**Primary Capabilities and Recommended Conditions**:

- **DOM (Domain/Origin Isolation)**: DOM-1 (Controlled isolation)
- **EXT (Extension System)**: EXT-1 or EXT-2
- **ENC (Encryption)**: ENC-1
- **LOG (Logging/Monitoring)**: LOG-1
- **UPD (Updates)**: UPD-1
- **PRO (Protocol Handlers)**: PRO-1
- **SYS (System Resources)**: SYS-1

**Critical Requirements**: DOM-1-REQ-1 through DOM-1-REQ-9, ENC-1-REQ-1 through ENC-1-REQ-19, UPD-1-REQ-1 through UPD-1-REQ-25, EXT-1-REQ-1 through EXT-1-REQ-14, LOG-1-REQ-1 through LOG-1-REQ-18, SYS-1-REQ-1 through SYS-1-REQ-22

**Assessment References**: All DOM, ENC, UPD, EXT, LOG, PRO, SYS assessments apply

---

### UC-B2: Development and Testing Environments (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-2
- **EXT**: EXT-2
- **ENC**: ENC-1
- **LOG**: LOG-2
- **UPD**: UPD-1 or UPD-2
- **PRO**: PRO-2
- **SYS**: SYS-2

**Critical Requirements**: DOM-2-REQ-1 through DOM-2-REQ-12, EXT-2-REQ-1 through EXT-2-REQ-10, LOG-2-REQ-1 through LOG-2-REQ-20, PRO-2-REQ-1 through PRO-2-REQ-12, SYS-2-REQ-1 through SYS-2-REQ-15

**Assessment References**: All capability assessments, with emphasis on EXT-REQ-9, DOM-REQ-9 through DOM-REQ-11, SYS-REQ-14 through SYS-REQ-17

---

### UC-B3: Kiosks and Shared Terminals (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-0 or DOM-1
- **EXT**: EXT-0
- **ENC**: ENC-0 or ENC-1
- **LOG**: LOG-3
- **UPD**: UPD-0
- **PRO**: PRO-0
- **SYS**: SYS-0
- **EMB** (if embedded): EMB-1 or EMB-2

**Critical Requirements**: DOM-0-REQ-1 through DOM-0-REQ-6, EXT-0-REQ-1 through EXT-0-REQ-3, ENC-0-REQ-1 through ENC-0-REQ-23, LOG-3-REQ-1 through LOG-3-REQ-20, UPD-0-REQ-1 through UPD-0-REQ-24, PRO-0-REQ-1 through PRO-0-REQ-5, SYS-0-REQ-1 through SYS-0-REQ-13

**If Embedded**: EMB-1-REQ-1 through EMB-1-REQ-17, EMB-REQ-8, EMB-REQ-3, EMB-REQ-22

**Additional**: Domain allowlisting, session auto-termination, no credential storage, remote monitoring

**Assessment References**: Strictest criteria; DOM-REQ-1 through DOM-REQ-8, ENC-REQ-1 through ENC-REQ-6, UPD-REQ-1 through UPD-REQ-11, SYS-REQ-1 through SYS-REQ-4, LOG-REQ-10 and LOG-REQ-11

---

### UC-B4: Financial Services Access (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-1
- **EXT**: EXT-1
- **ENC**: ENC-0 or ENC-1
- **LOG**: LOG-1
- **UPD**: UPD-0 or UPD-1
- **PRO**: PRO-1
- **SYS**: SYS-1
- **EMB** (if embedded): EMB-1 or EMB-2

**Critical Requirements**: ENC-0-REQ-1 through ENC-0-REQ-23 OR ENC-1-REQ-1 through ENC-1-REQ-19, DOM-1-REQ-1 through DOM-1-REQ-9, EXT-1-REQ-1 through EXT-1-REQ-14, LOG-REQ-2, LOG-REQ-14

**If Embedded**: EMB-1-REQ-1 through EMB-1-REQ-17, EMB-REQ-17, EMB-REQ-20, EMB-REQ-2, EMB-REQ-8

**Assessment References**: ENC-REQ-1 through ENC-REQ-7, ENC-REQ-17, DOM-REQ-5, LOG-REQ-2, EMB-REQ-1 through EMB-REQ-10 (if embedded)

---

### UC-B5: Healthcare and Medical Systems (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-1 or DOM-2
- **EXT**: EXT-1
- **ENC**: ENC-0
- **LOG**: LOG-3
- **UPD**: UPD-0 or UPD-1
- **PRO**: PRO-1
- **SYS**: SYS-1
- **EMB** (if embedded): EMB-1 or EMB-2

**Critical Requirements**: ENC-0-REQ-1 through ENC-0-REQ-23, LOG-3-REQ-1 through LOG-3-REQ-20, LOG-REQ-7, LOG-REQ-8, LOG-REQ-19, DOM-1-REQ-1 through DOM-1-REQ-9, UPD-0-REQ-17, EXT-1-REQ-1 through EXT-1-REQ-14

**If Embedded**: EMB-1-REQ-1 through EMB-1-REQ-17, EMB-REQ-8, EMB-REQ-3, EMB-REQ-22

**Compliance**: GDPR data protection, session re-auth, auto-timeout, audit trails

**Assessment References**: ENC-REQ-1 through ENC-REQ-7, LOG-REQ-7 through LOG-REQ-9, LOG-REQ-11, LOG-REQ-19, EMB-REQ-3 and EMB-REQ-22 (if embedded)

---

### UC-B6: E-Government Services Access (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-1
- **EXT**: EXT-1
- **ENC**: ENC-0
- **LOG**: LOG-2 or LOG-3
- **UPD**: UPD-0 or UPD-1
- **PRO**: PRO-1
- **SYS**: SYS-1 or SYS-2

**Critical Requirements**: ENC-0-REQ-1 through ENC-0-REQ-23, ENC-REQ-2, ENC-REQ-3, SYS-REQ-29, DOM-1-REQ-1 through DOM-1-REQ-9, LOG-REQ-15, UPD-0-REQ-1 through UPD-0-REQ-24

**Special**: Digital signatures, smart card integration, eIDAS compliance, legal non-repudiation

**Assessment References**: ENC-REQ-2 and ENC-REQ-3, ENC-REQ-6, SYS-REQ-29, LOG-REQ-15

---

### UC-B7: Enterprise Applications (Risk Level: High)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-2
- **EXT**: EXT-1 or EXT-2
- **ENC**: ENC-1
- **LOG**: LOG-3
- **UPD**: UPD-0 or UPD-1
- **PRO**: PRO-2
- **SYS**: SYS-2
- **EMB** (if Electron/CEF/Tauri): EMB-2 or EMB-3

**Critical Requirements**: DOM-2-REQ-1 through DOM-2-REQ-12, LOG-3-REQ-1 through LOG-3-REQ-20, LOG-REQ-13, LOG-REQ-14, LOG-REQ-16, EXT-2-REQ-10, UPD-0-REQ-1 through UPD-0-REQ-24, PRO-2-REQ-11, SYS-2-REQ-11 through SYS-2-REQ-15

**Enterprise Features**: SSO, DLP, extension allowlisting, profile separation, BYOD containerization

**Assessment References**: DOM-REQ-9 through DOM-REQ-11, LOG-REQ-13 through LOG-REQ-16, LOG-REQ-19, EXT-REQ-3, PRO-REQ-3, SYS-REQ-7

---

### UC-B8: Critical Infrastructure (Risk Level: CRITICAL)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-0 or DOM-1
- **EXT**: EXT-0
- **ENC**: ENC-0
- **LOG**: LOG-3
- **UPD**: UPD-0
- **PRO**: PRO-0 or PRO-1
- **SYS**: SYS-0 or SYS-1
- **EMB** (if SCADA/ICS): EMB-0 or EMB-1

**Critical Requirements**: DOM-0-REQ-1 through DOM-0-REQ-6, EXT-0-REQ-1 through EXT-0-REQ-3, ENC-0-REQ-1 through ENC-0-REQ-23, LOG-3-REQ-1 through LOG-3-REQ-20, LOG-REQ-11, UPD-0-REQ-1 through UPD-0-REQ-24, UPD-REQ-5, UPD-REQ-11, PRO-0-REQ-1 through PRO-0-REQ-5, SYS-0-REQ-1 through SYS-0-REQ-13

**If Embedded**: EMB-0-REQ-1 through EMB-0-REQ-7, EMB-REQ-17, EMB-REQ-20, EMB-REQ-27, EMB-REQ-31

**Additional**: Zero trust, mTLS, RBAC, air-gapped deployment, supply chain controls, physical security

**Assessment References**: ALL assessments at strictest criteria; ENC-REQ-1 through ENC-REQ-11, UPD-REQ-1 through UPD-REQ-11, LOG-REQ-10 and LOG-REQ-11, SYS-REQ-26 through SYS-REQ-28, EMB-REQ-17 through EMB-REQ-31 (if embedded)

---

### UC-B9: Security Research (Risk Level: CRITICAL)

**Primary Capabilities and Recommended Conditions**:

- **DOM**: DOM-2 or DOM-3
- **EXT**: EXT-3
- **ENC**: ENC-1
- **LOG**: LOG-3
- **UPD**: UPD-2 or UPD-3
- **PRO**: PRO-3
- **SYS**: SYS-3

**Critical Requirements**: LOG-3-REQ-1 through LOG-3-REQ-20, LOG-REQ-6, LOG-REQ-17, DOM-3-REQ-9, EXT-3-REQ-9 through EXT-3-REQ-12, SYS-3-REQ-15

**Environment Isolation**: Disposable VMs, network capture, air-gapped zones, snapshot/rollback, behavioral logging

**Important**: Deploy ONLY in isolated research environments; NOT for production

**Assessment References**: LOG-REQ-1 through LOG-REQ-20 (with emphasis on LOG-REQ-17), EXT-REQ-4, all assessments in adversarial conditions

---

### UC-B10: Adapted Browser with Modified Features (Risk Level: Standard to High)

**Primary Capabilities and Recommended Conditions**:

- **All capabilities**: Inherit from upstream browser
- **LOG**: May vary (LOG-1, LOG-2, or LOG-3)
- **UPD**: UPD-0 or UPD-1 (manufacturer-controlled)
- **EMB** (if native integration added): EMB-2 or EMB-3

**Critical Requirements**: All upstream requirements PLUS UPD-REQ-2, UPD-REQ-11, EMB-REQ-9, LOG-REQ-9, LOG-REQ-7, LOG-REQ-8

**If Native Integration Added**: EMB-2-REQ-1 through EMB-2-REQ-10 OR EMB-3-REQ-1 through EMB-3-REQ-12, EMB-REQ-1, EMB-REQ-2, EMB-REQ-3, EMB-REQ-9

**For Bundled Extensions**: EXT-REQ-4, EXT-REQ-17, supply chain security

**Manufacturer Obligations**: Timely upstream patches, security review, transparency, maintaining security controls, supply chain security

**Risk Level**: Standard (minimal modifications) to High (extensive modifications, sensitive data, high-risk deployment)

**Assessment References**: All upstream assessments PLUS EMB-REQ-9, UPD-REQ-2, LOG-REQ-9, EMB assessments if native integration

---

## B.3 Capability Condition Level Selection Guide

| Use Case Risk | DOM | EXT | ENC | LOG | UPD | PRO | SYS | EMB | RDPS |
|---------------|-----|-----|-----|-----|-----|-----|-----|-----|------|
| Standard | DOM-1 | EXT-1/2 | ENC-1 | LOG-1 | UPD-1 | PRO-1 | SYS-1 | EMB-1 | RDPS-0/1 |
| High | DOM-1/2 | EXT-0/1 | ENC-0/1 | LOG-2/3 | UPD-0/1 | PRO-0/1 | SYS-0/1/2 | EMB-0/1/2 | RDPS-0/2 |
| Critical | DOM-0/1 | EXT-0 | ENC-0 | LOG-3 | UPD-0 | PRO-0 | SYS-0/1 | EMB-0/1 | RDPS-0/3 |

**Note**: The table is a summary; where a use case in B.2 recommends a different level (for example EXT-2 and PRO-2 for UC-B2 and UC-B7, or the EXT-3, PRO-3 and SYS-3 levels of UC-B9 in isolated research environments), the use-case-specific mapping in B.2 applies. Specific deployments shall conduct detailed risk assessments per Annex D to determine appropriate condition levels.

**RDPS Note**: RDPS capability level selection depends on whether remote data processing is used and the sensitivity of data processed. RDPS-0 (no remote processing) is always acceptable and mandatory for air-gapped deployments. When remote processing is used, select RDPS level based on data sensitivity: RDPS-1 for non-sensitive data, RDPS-2 for sensitive data, RDPS-3 for critical data with regulatory requirements.

## B.4 Cross-Reference to Assessments

All assessments in Chapter 6 map to requirements referenced in this annex:

- **Section 6.1**: DOM-REQ-1 through DOM-REQ-12
- **Section 6.2**: EXT-REQ-1 through EXT-REQ-18
- **Section 6.3**: ENC-REQ-1 through ENC-REQ-21
- **Section 6.4**: LOG-REQ-1 through LOG-REQ-20
- **Section 6.5**: UPD-REQ-1 through UPD-REQ-23
- **Section 6.6**: PRO-REQ-1 through PRO-REQ-23
- **Section 6.7**: SYS-REQ-1 through SYS-REQ-32
- **Section 6.8**: EMB-REQ-1 through EMB-REQ-32
- **Section 6.6.5**: RDPS-REQ-1 through RDPS-REQ-60

## B.5 Remote Data Processing Systems (RDPS) Mapping

**RDPS Capabilities** are independent of deployment use cases but apply when browsers employ remote data processing for any functionality. The appropriate RDPS capability level should be selected based on data sensitivity and criticality:

### RDPS-0: No Remote Data Processing (Fully Local Operation)

**Applicable to**:
- **UC-B3**: Kiosks and Shared Terminals (air-gapped deployments)
- **UC-B8**: Critical Infrastructure (air-gapped SCADA/ICS systems)
- Any deployment requiring complete network isolation

**Requirements**: RDPS-0-REQ-1 through RDPS-0-REQ-7

**Assessment References**: RDPS-REQ-52 through RDPS-REQ-58

**Key Characteristics**: No network connectivity required for any browser function, all data local-only, no telemetry, no remote authentication, complete offline operation (including installation and setup)

---

### RDPS-1: Limited Remote Processing (Non-Sensitive Data)

**Applicable to**:
- **UC-B1**: General Purpose Web Browsing (preferences sync, bookmark sync)
- **UC-B2**: Development and Testing Environments (extension sync, settings sync)
- **UC-B10**: Adapted Browsers (non-sensitive preference synchronization)

**Requirements**: RDPS-1-REQ-1 through RDPS-1-REQ-15

**Assessment References**: RDPS-REQ-1 through RDPS-REQ-15

**Key Characteristics**: TLS 1.3+ encryption, certificate validation, graceful offline degradation, rate limiting, non-sensitive data only (configuration, preferences, non-critical bookmarks)

**Data Examples**: UI preferences, theme settings, non-sensitive bookmarks, display configuration, language preferences

---

### RDPS-2: Extended Remote Processing (Sensitive Data)

**Applicable to**:
- **UC-B4**: Financial Services (session state, transaction logs)
- **UC-B5**: Healthcare and Medical Systems (audit logs, anonymized analytics)
- **UC-B6**: E-Government Services (authentication state, encrypted form data)
- **UC-B7**: Enterprise Applications (SSO tokens, policy sync, encrypted data sync)

**Requirements**: All RDPS-1 requirements PLUS RDPS-2-REQ-1 through RDPS-2-REQ-18

**Assessment References**: RDPS-REQ-1 through RDPS-REQ-32, RDPS-REQ-59

**Key Characteristics**: Data encryption at rest, mutual TLS, redundant backups, per-user per-origin access controls, audit logging, integrity verification, replay attack defense, data minimization

**Data Examples**: Authentication tokens, encrypted passwords, financial transaction logs, healthcare audit trails, enterprise policy data, encrypted user documents

**Special Considerations**:
- GDPR compliance required for EU deployments
- Sector-specific regulations for healthcare (UC-B5)
- Financial services regulatory requirements (UC-B4)
- Enterprise data residency requirements (UC-B7)

---

### RDPS-3: Full Remote Processing (Critical Data - Maximum Security)

**Applicable to**:
- **UC-B5**: Healthcare and Medical Systems (patient data, medical records - where remote processing is legally permitted)
- **UC-B6**: E-Government Services (citizen PII, legal documents, classified data)
- **UC-B7**: Enterprise Applications (trade secrets, financial records, strategic data)
- **UC-B8**: Critical Infrastructure (control data, operational parameters - where remote processing is absolutely necessary and properly secured)

**Requirements**: All RDPS-1 and RDPS-2 requirements PLUS RDPS-3-REQ-1 through RDPS-3-REQ-20

**Assessment References**: RDPS-REQ-1 through RDPS-REQ-51, RDPS-REQ-59, RDPS-REQ-60

**Key Characteristics**: End-to-end encryption, hardware-backed keys, high availability with failover, disaster recovery, real-time integrity monitoring, SIEM integration, zero-trust architecture, compliance logging, automated security scanning, incident response procedures, access revocation, transparency reporting, forward secrecy, user notifications, enterprise policy enforcement

**Data Examples**: Medical records, patient health information, classified government data, trade secrets, financial statements, critical infrastructure operational data, personally identifiable information (PII)

**Regulatory Compliance**:
- GDPR Article 32 (Security of Processing) - full compliance required
- eIDAS Regulation (for e-government - UC-B6)
- NIS2 Directive (for critical infrastructure - UC-B8)
- Sector-specific EU regulations (healthcare, financial services)
- ISO 27001/27017/27018 certifications recommended

**Special Considerations**:
- Geographic data residency enforcement required
- Multi-tenant isolation mandatory
- Cryptographic proof of integrity
- 24/7 incident response capability
- Regular penetration testing and security audits
- Documented disaster recovery with tested procedures
- Enterprise administrator security policy controls

---

### RDPS Capability Selection Matrix by Use Case

| Use Case | Recommended RDPS Level | Data Types | Key Controls |
|----------|------------------------|------------|--------------|
| UC-B1 (General Browsing) | RDPS-0 or RDPS-1 | Preferences, bookmarks | Graceful offline, TLS 1.3+ |
| UC-B2 (Development/Testing) | RDPS-1 | Settings, extensions | Sync controls, rate limiting |
| UC-B3 (Kiosks) | RDPS-0 (mandatory) | None (local only) | No remote processing |
| UC-B4 (Financial) | RDPS-2 or RDPS-3 | Tokens, transactions | Encryption at rest, mTLS, audit logs |
| UC-B5 (Healthcare) | RDPS-2 or RDPS-3 | Audit logs, patient data | Sector regulations, E2EE, DR |
| UC-B6 (E-Government) | RDPS-2 or RDPS-3 | Citizen PII, documents | Data residency, zero-trust, compliance logging |
| UC-B7 (Enterprise) | RDPS-2 or RDPS-3 | Enterprise data, policies | Enterprise controls, SIEM, HA |
| UC-B8 (Critical Infrastructure) | RDPS-0 (preferred) or RDPS-3 | Control data | Air-gap preferred; if remote: max security |
| UC-B9 (Security Research) | RDPS-0 or RDPS-1 | Research data | Isolated environments, no sensitive data |
| UC-B10 (Adapted Browser) | Inherit from use case | Depends on deployment | Match upstream + manufacturer obligations |

**Important Notes**:

1. **RDPS-0 is mandatory** for air-gapped deployments (UC-B3 kiosks, UC-B8 critical infrastructure in isolated networks)

2. **RDPS capability levels are additive**: RDPS-2 includes all RDPS-1 requirements; RDPS-3 includes all RDPS-1 and RDPS-2 requirements

3. **Data classification drives RDPS level**: Manufacturers shall classify all remotely processed data and select appropriate RDPS level based on highest sensitivity

4. **Regulatory compliance**: RDPS-3 is recommended for all use cases with regulatory requirements (GDPR, NIS2, eIDAS, sector-specific regulations, etc.)

5. **User control**: For RDPS-1 and above, users should have transparency and control over what data is processed remotely

6. **Enterprise deployments**: UC-B7 should typically use RDPS-2 or RDPS-3 with enterprise policy controls (RDPS-3-REQ-20)

# Annex C (informative): Relationship between the present document and any related ETSI standards (if any)

_List any related ETSI standards and how they interact with the present document._

# Annex D (informative): Risk identification and assessment methodology

## D.1 Assets

### D.1.1 Data

_What data is stored on the product?_

### D.1.2 Product functions

_See the functions in Section 4.4._

## D.2 Threats

_Based on the assets, what are the threats during:_

- _Use for intended purpose or reasonably foreseeable use_
- _When integrated into another product_

_Example threats can be found in the same documents suggested in the section on security requirements._

## D.3 Assumptions

_List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases. Some examples might include:_

- _Not being attacked by a state actor_
- _Not using sophisticated or expensive hardware snooping techniques_
- _No secret hardware backdoors in other components_

## D.4 Risk assessments of threats

_For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security levels._

_Guidance from latest PT1 draft:_

> _An analysis in terms of likelihood and magnitude of a product’s threats is required to be able to determine the product’s risks._
> _NOTE 1 This document does not require a specific methodology for a cybersecurity risk analysis as long as the cybersecurity risk estimation is based on the likelihood of occurrence and magnitude of loss or disruption of cybersecurity risks. Thus, different approaches and models such as the fishbone model, event tree analysis or fault tree models can be used within the analysis of cybersecurity risks._
> _NOTE 2 A qualitative estimation of the cybersecurity risks can be performed using risk matrices that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to cybersecurity risk categories._
> _NOTE 3 A quantitative estimation of the cybersecurity risks can be performed using scoring systems that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to certain values._
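
As an added worked example (not part of the present document or the PT1 draft), the following Python implements the qualitative risk-matrix estimation described in NOTE 2 together with the consistency check that D.4 asks for: the highest risk category assessed for a use case is compared against the risk level that Annex B assigns to it. The likelihood and magnitude categories, the matrix cells, the threat lists and their ratings are all assumptions chosen for illustration; the risk categories reuse the three use-case risk levels of B.3.

```python
"""Qualitative risk matrix for Annex D.4 (NOTE 2) plus a consistency check
against the use-case risk levels of Annex B.  Added illustration, not part of
the standard: category names, matrix cells, threats and ratings are assumed."""
from dataclasses import dataclass

LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "almost certain")
MAGNITUDE = ("negligible", "minor", "moderate", "major", "severe")
# Risk categories reuse the three use-case risk levels of B.3, ascending order.
RISK_LEVELS = ("Standard", "High", "Critical")

# Assumed matrix: rows = likelihood, columns = magnitude (D.4, NOTE 2).
MATRIX = (
    ("Standard", "Standard", "Standard", "Standard", "High"),
    ("Standard", "Standard", "Standard", "High",     "High"),
    ("Standard", "Standard", "Standard", "High",     "High"),
    ("Standard", "Standard", "High",     "High",     "Critical"),
    ("Standard", "High",     "High",     "Critical", "Critical"),
)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str
    magnitude: str


def risk_category(likelihood: str, magnitude: str) -> str:
    """Look up the qualitative risk category for a single threat."""
    return MATRIX[LIKELIHOOD.index(likelihood)][MAGNITUDE.index(magnitude)]


def overall_risk(threats) -> str:
    """A use case's risk is driven by its highest-rated threat."""
    return max((risk_category(t.likelihood, t.magnitude) for t in threats),
               key=RISK_LEVELS.index)


def check_consistency(declared_level: str, threats):
    """Return (overall category, names of threats rated above the declared level).

    An empty list means the analysis is consistent with the Annex B mapping;
    a non-empty list means the mapping or the ratings need revisiting."""
    limit = RISK_LEVELS.index(declared_level)
    above = [t.name for t in threats
             if RISK_LEVELS.index(risk_category(t.likelihood, t.magnitude)) > limit]
    return overall_risk(threats), above


# Constructed threat lists for three Annex B.2 use cases (illustrative only).
UC_B1_THREATS = (  # General purpose browsing, declared Standard
    Threat("Cross-site tracking via third-party cookies", "likely", "negligible"),
    Threat("Drive-by exploit of a renderer bug", "unlikely", "moderate"),
    Threat("Phishing page impersonating a bank", "possible", "moderate"),
)
UC_B3_THREATS = (  # Kiosks and shared terminals, declared High
    Threat("Session data left for the next kiosk user", "likely", "major"),
    Threat("Untrusted extension installed on the shared terminal", "possible", "major"),
    Threat("Tampering with the offline installer image", "unlikely", "severe"),
)
UC_B8_THREATS = (  # Critical infrastructure, declared Critical
    Threat("Unauthorised command issued to a SCADA HMI", "likely", "severe"),
    Threat("Telemetry leaking operational parameters", "possible", "major"),
)

if __name__ == "__main__":
    for uc, declared, threats in (("UC-B1", "Standard", UC_B1_THREATS),
                                  ("UC-B3", "High", UC_B3_THREATS),
                                  ("UC-B8", "Critical", UC_B8_THREATS)):
        overall, above = check_consistency(declared, threats)
        status = "consistent" if not above else f"exceeded by {above}"
        print(f"{uc}: declared {declared}, assessed {overall}: {status}")
```

Running the module prints one line per use case; rerunning `check_consistency("Standard", UC_B3_THREATS)` shows the intended failure mode, where every kiosk threat is rated above a too-low declared level. A quantitative scoring per NOTE 3 can replace `risk_category` without touching the aggregation or the consistency check.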

# Annex E (informative): Risk evaluation guidance

## E.1 Mapping of risks to requirements

_Table mapping the identified risks to requirements_

## E.2 Risks not treated by the requirements

_If any risks are not treated by the normative requirements, describe non-normative suggestions to mitigate them._

## E.3 Risk acceptance criteria

_Describe how to decide if residual risks are tolerable._

## E.4 Residual risks

_Describe how to treat any residual risks, for example by documenting them or informing the user._

# Annex K
Crypto todo

https://certification.enisa.europa.eu/publications/eucc-guidelines-cryptography_en 

# Annex L (informative): Relationship between the present document and the requirements of EU Regulation 2024/2847

DRAFT ANNEX L - DO NOT CONSIDER THE CONTENT

The present document has been prepared under the Commission's standardisation request C(2025) 618 final to provide one voluntary means of conforming to the requirements of Regulation (EU) No 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.
> NOTE: The above paragraphs have to be repeated in the Foreword.

The annex shall have a table for a clear indication of correspondence between normative clauses of the standard and the legal requirements aimed to be covered.

**It should be evaluated - on the basis of the legal requirements supported and other information given in a harmonised standard - how detailed correspondence can be indicated between the normative elements of the harmonised standard and the legal requirements aimed to be covered. However, where this correspondence is expressed in too general terms, it could lead to a situation where the Commission cannot assess whether the Harmonised Standard satisfies the requirements, which it aims to cover, and subsequently publication of its references in the OJEU according to Article 10(6) of the Regulation is significantly delayed or is not possible at all.**

# Annex : Change history

| Date       | Version | Information about changes |
|------------|---------|---------------------------|
| <Month year> | <#> | <Changes made are listed in this cell> |
|            |         |                           |
|            |         |                           |
|            |         |                           |


# History

| Version      | Date         | Milestone      |
|--------------|--------------|---------------|
| <#>          | <Month year> | <Milestone>   |
|              |              |               |
|              |              |               |