Update file EN-304-618.md (5504aa31) · Commits · STAN4CRA / EN 304 618 Password Manager

EN-304-618.md

+19 −1

Original line number	Diff line number	Diff line
		@@ -2717,7 +2717,6 @@ controls 4. Advanced controls 5. Defense in depth
		- CRITICAL: Score >25 or safety impact

		# Annex ZA (informative): Mapping between the present document and CRA requirements

		*Table mapping technical security requirements from Section 5 of the present
		document to essential cybersecurity requirements in Annex I of the CRA. The
		purpose of this is to help identify missing technical security requirements.*
		@@ -2749,6 +2748,25 @@ purpose of this is to help identify missing technical security requirements.*
		\| Audit Logging \| Part I, 2(a) - Security event logging \| HIGH \|
		\| Update Mechanism \| Part I, 2(b) - Security updates \| HIGH \|
		\| Vulnerability Management \| Part II, 1 - Vulnerability handling \| MEDIUM : :
		# Annex ZB (informative:Mapping between the present document and the Standardisation Request C(2025)618 under the Cyber Resilience Act)

		Table mapping technical security requirements from Section 5 of the present document to the essential cybersecurity requirements listed in the Standardisation Request C(2025)618, Annex II. This mapping supports the demonstration of alignment with the requirements set out in Annex I of the Cyber Resilience Act.

		\| Standardisation Request C(2025)618 Requirements \| Technical security requirements(s) \|
		\| --------------------------------------- \| ---------------------------------- \|
		\| Security by design and based on risk analysis (SReq Annex II §1, §2.3; CRA Annex I §1) \| R1.1; R2.2; R8.1a; R8.3a; R9.1a; R9.1b; R10.1 \|
		\| Default secure configuration (SReq Annex II §1; CRA Annex I §2(b)) \| R18.1a; R18.2; R18.3 \|
		\| Update mechanisms (authenticity, rollback, security-only updates) (SReq Annex II §2.3; CRA Annex I §2(c); Part II(2)(7)(8)) \| R16.1a; R16.1b; R16.2; R16.3; R16.4 \|
		\| Authentication and access control (CRA Annex I §2(d)) \| R1.1; R1.5a; R11.1; R11.2; R11.3; R11.4a; R12.1; R12.2a; R12.2b \|
		\| Data confidentiality (CRA Annex I §2(e)) \| R2.1a; R2.5; R13.1; R13.2; R13.3 \|
		\| Data and configuration integrity (CRA Annex I §2(f)) \| R2.2b; R9.1b; R9.4; R17.3; R17.4 \|
		\| Data minimisation (CRA Annex I §2(g)) \| R13.4c \|
		\| Availability and DoS protection (CRA Annex I §2(h)) \| R14.1; R14.2a; R14.3; R14.4 \|
		\| System isolation and minimising impact on other systems (CRA Annex I §2(i)) \| R8.1b; R8.3b \|
		\| Limiting attack surface (CRA Annex I §2(j)) \| R3.4; R5.1; R18.2 \|
		\| Exploit mitigation, impact limitation (CRA Annex I §2(k)) \| R4.2a; R4.2b; R5.2b; R6.5; R9.2; R9.3 \|
		\| Logging and monitoring (CRA Annex I §2(l)) \| R4.5; R5.3; R15.1; R15.2; R15.3a; R15.3b; R15.4a \|
		\| Secure deletion and data transfer (CRA Annex I §2(m)) \| R4.3; R13.4a; R13.4b; R13.4c \|

		# Annex C (informative): Relationship between the present document and any related ETSI standards (if any)

Original line number	Diff line number	Diff line
		@@ -2717,7 +2717,6 @@ controls 4. Advanced controls 5. Defense in depth
		- CRITICAL: Score >25 or safety impact

		# Annex ZA (informative): Mapping between the present document and CRA requirements

		*Table mapping technical security requirements from Section 5 of the present
		document to essential cybersecurity requirements in Annex I of the CRA. The
		purpose of this is to help identify missing technical security requirements.*
		@@ -2749,6 +2748,25 @@ purpose of this is to help identify missing technical security requirements.*
		\| Audit Logging \| Part I, 2(a) - Security event logging \| HIGH \|
		\| Update Mechanism \| Part I, 2(b) - Security updates \| HIGH \|
		\| Vulnerability Management \| Part II, 1 - Vulnerability handling \| MEDIUM : :
		# Annex ZB (informative:Mapping between the present document and the Standardisation Request C(2025)618 under the Cyber Resilience Act)

		Table mapping technical security requirements from Section 5 of the present document to the essential cybersecurity requirements listed in the Standardisation Request C(2025)618, Annex II. This mapping supports the demonstration of alignment with the requirements set out in Annex I of the Cyber Resilience Act.

		\| Standardisation Request C(2025)618 Requirements \| Technical security requirements(s) \|
		\| --------------------------------------- \| ---------------------------------- \|
		\| Security by design and based on risk analysis (SReq Annex II §1, §2.3; CRA Annex I §1) \| R1.1; R2.2; R8.1a; R8.3a; R9.1a; R9.1b; R10.1 \|
		\| Default secure configuration (SReq Annex II §1; CRA Annex I §2(b)) \| R18.1a; R18.2; R18.3 \|
		\| Update mechanisms (authenticity, rollback, security-only updates) (SReq Annex II §2.3; CRA Annex I §2(c); Part II(2)(7)(8)) \| R16.1a; R16.1b; R16.2; R16.3; R16.4 \|
		\| Authentication and access control (CRA Annex I §2(d)) \| R1.1; R1.5a; R11.1; R11.2; R11.3; R11.4a; R12.1; R12.2a; R12.2b \|
		\| Data confidentiality (CRA Annex I §2(e)) \| R2.1a; R2.5; R13.1; R13.2; R13.3 \|
		\| Data and configuration integrity (CRA Annex I §2(f)) \| R2.2b; R9.1b; R9.4; R17.3; R17.4 \|
		\| Data minimisation (CRA Annex I §2(g)) \| R13.4c \|
		\| Availability and DoS protection (CRA Annex I §2(h)) \| R14.1; R14.2a; R14.3; R14.4 \|
		\| System isolation and minimising impact on other systems (CRA Annex I §2(i)) \| R8.1b; R8.3b \|
		\| Limiting attack surface (CRA Annex I §2(j)) \| R3.4; R5.1; R18.2 \|
		\| Exploit mitigation, impact limitation (CRA Annex I §2(k)) \| R4.2a; R4.2b; R5.2b; R6.5; R9.2; R9.3 \|
		\| Logging and monitoring (CRA Annex I §2(l)) \| R4.5; R5.3; R15.1; R15.2; R15.3a; R15.3b; R15.4a \|
		\| Secure deletion and data transfer (CRA Annex I §2(m)) \| R4.3; R13.4a; R13.4b; R13.4c \|

		# Annex C (informative): Relationship between the present document and any related ETSI standards (if any)