@@ -124,7 +124,15 @@ The following referenced documents are not necessary for the application of the
<spanid="_ref_i.4"></span><aname="_ref_i.4">[i.4]</a> prEN 40000-1-1: "Cybersecurity requirements for products with digital elements - Vocabulary" [Version and date to be added upon its publication by CEN CENELEC]
<spanid="_ref_i.5"></span><aname="#_ref_i.5">[i.5]</a> Web Platform Design Principles, World Wide Web Consortium Group Note, 27 January 2026 https://www.w3.org/TR/design-principles/#safe-to-browse
<spanid="_ref_i.5"></span><aname="#_ref_i.5">[i.5]</a> [Web Platform Design Principles](https://www.w3.org/TR/design-principles/#safe-to-browse), World Wide Web Consortium Group Note, 27 January 2026
<spanid="_ref_i.6"></span><aname="#_ref_i.6">[i.6]</a>[RFC 5246: TLS 1.2](https://datatracker.ietf.org/doc/html/rfc5246), IETF, August 2008
<spanid="_ref_i.7"></span><aname="#_ref_i.7">[i.7]</a>[RFC 8446: TLS 1.3](https://datatracker.ietf.org/doc/html/rfc8446), IETF, August 2018
<spanid="_ref_i.8"></span><aname="#_ref_i.8">[i.8]</a>[RFC 6979: HSTS](https://datatracker.ietf.org/doc/html/rfc6797), IETF, November 2012
<spanid="_ref_i.9"></span><aname="#_ref_i.9">[i.9]</a>[Mixed Content (W3C Candidate Recommendation Draft)](https://www.w3.org/TR/mixed-content/), W3C, 23 February 2023
@@ -155,6 +163,7 @@ For the purposes of the present document, the [following] abbreviations [given i
<mark>Editor's Note: Please only keep the abbreviations that are used in the present document and avoid using the same abbreviation with different meaning in the CRA vertical standards.</mark>
`ACM ENISA Agreed Cryptographic Methods`
`APT Advanced persistent threats`
`C2 Command and Control`
`CC Common Criteria`
@@ -167,6 +176,9 @@ For the purposes of the present document, the [following] abbreviations [given i
`GDPR General Data Protection Regulation`
`GUI Graphical User Interface`
`HSM Hardware Security Module`
`HSTS HTTP Strict Transport Security`
`HTTP Hypertext Transport Protocol`
`HTTPS Hypertext Transport Protocol Secure`
`IAM Identity and Access Management`
`ICMP Internet Control Message Protocol`
`ICT Information and Communication Technology`
@@ -344,6 +356,8 @@ _ESR :Proposed abbreviations referring to the different essential requirements o
_NNNNN - Incremental and unique sequence of numbers and letters_
<mark>Scheme used here: Use functional areas of the browser in place of PP, if there is any relevant functional area for the requirement.</mark>
<mark>Editor's Note: It is strongly recommended to follow the sequence of the CRA Annex I requirements when defining the subclauses in Clause 5. However, where this structure would result in unnecessary duplication/overlap, subclauses and requirements may be organized in a more suitable way, provided that clear traceability to the relevant CRA Annex I requirements is maintained.</mark>
@@ -371,6 +385,16 @@ Proposed ESR code SBD
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (b).
**[REQ-TLS-SBD-1]**: The web browser shall be configured by default to reject TLS protocol versions, cipers and configurations which present high risk to exploitation.
Editor's note: Consider whether "high risk to exploitation" is an appropriate phrase, and whether this requirement should say "reject or warn" instead of "reject". See also REQ-TLS-CON-3.
<mark>Editor's note: This requirement might be implied by Annex K. TODO: Research this interpretation and delete if redundant.</mark>
**[REQ-TLS-SBD-2]**: The web browser shall be configured by default with an appropriate trusted root store based on the manufacturer's risk assessment and documented policy.
Applicability: Web browsers which maintain their own root store, rather than using the OS's root store.
## 5.4 Secure Updates
@@ -379,6 +403,11 @@ Proposed ESR code: SU
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (c).
**[REQ-TLS-UPD-1]**: The web browser's root store shall be kept up to date appropriately, based on the manufacturer's risk assessment and documented policy.
Applicability: Web browsers which maintain their own root store, rather than using the OS's root store.
## 5.5 Authentication and access control
Proposed ESR code: AAC
@@ -394,6 +423,21 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P
In this clause, reference can be made to the Annex K (normative), specifying State Of The Art Cryptography
**[REQ-TLS-CON-1]**: The web browser shall support TLS versions and configurations indicated as "recommended" (R) of the ENISA Agreed Cryptographic Methods [1], and it may support TLS versions and configurations indicated as "legacy" (L).
Note: These algorithms are listed on page 37-38 of [1](https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en?filename=ECCG%20Agreed%20Cryptographic%20Mechanisms%20version%202.pdf). TLS 1.3 [i.7] is R, and TLS 1.2 [i.6] is L. The L[2025] algorithms (with CBC) are not considered state of the art, and should be ignored.
<mark>Editor's note: This requirement might be implied by Annex K. TODO: Research this interpretation and delete if redundant.</mark>
**[REQ-TLS-CON-2]**: The web browser shall check the full validity of certificate chain through to the root, including for expiration and revocation.
**[REQ-TLS-CON-3]**: The web browser shall warn or obstruct the user from interacting with with content served over insecure connections, including expired certificates and insecure TLS configurations.
Example: When presenting content served with cryptographic methods with a certain risk of exploitation, a web browser presents a user with a user interface element representing a broken lock, or an interstitial requiring user interaction to proceed.
**[REQ-TLS-CON-4]**: The web browser shall implement appropriate technologies to promote or require the use of HTTPS rather than HTTP.
Example: Implementation of HSTS [i.8], active mixed content blocking [i.9], and HTTPS-First loading strategies.
## 5.7 Integrity
@@ -401,6 +445,7 @@ Proposed ESR code: INT
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (f).
Note: TLS-related clauses contribute to integrity.
## 5.8 Data Minimisation
@@ -408,6 +453,8 @@ Proposed ESR code: DM
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (g).
Note: TLS-related clauses contribute to data minimization.
## 5.9 Availability Protection
@@ -441,12 +488,17 @@ Proposed ESR code: LOG
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (l).
**[REQ-TLS-LOG-1]**: The web browser shall present a user interface giving visibility into the security properties of the connection, including the origin.
## 5.14 Data Removal and Transparency
Proposed ESR code: DRT
This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (m).
**[REQ-TLS-DRT-1]**: The web browser shall make available functionality to reset TLS-related functionality to the initial safe settings, including selection of algorithms and protocol versions, root certificates, and any other relevant properties.
Applicability: Web browsers which allow changing TLS-related settings.
