@@ -1016,7 +1016,7 @@ This requirement applies to all products which do not provide IPv6 support.
#### 5.7.13.1 Requirement
If the VPN claims to support IPv6, it shall provide full, native IPv6 connectivity, and all cybersecurity requirements in this standard shall apply to IPv6 traffic.
If the VPN claims to support IPv6, it shall provide full support and all cybersecurity requirements in this standard shall apply to IPv6 traffic.
#### 5.7.13.2 Applicability
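Review bot: In 5.7.13.1, "full support" is harder to assess than the "full, native IPv6 connectivity" it replaces, because the clause no longer says what has to be supported. Either keep "native IPv6 connectivity" or state what "full support" covers, so that the second half of the sentence ("all cybersecurity requirements in this standard shall apply to IPv6 traffic") has a defined scope to apply to.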
@@ -1193,15 +1193,15 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P
The product shall not collect data unnecessary for the operation of the product.
### 5.9.2 REQ-DM-02 (MI-NPER-1) No Personal Data collected without authorization
### 5.9.2 REQ-DM-02 (MI-NPER-1) Data minimisation across the product
#### 5.9.2.1 Requirement
The product shall not collect Personal Data without explicit authorization.
The product shall not collect Personal Data unless the collection is necessary for an intended purpose of the product, or the user has explicitly authorized it.
#### 5.9.2.2 Applicability
* UC-1: not required
* UC-1: required
* UC-2: required
* UC-3: required
* UC-4: required
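Review bot: The new 5.9.2.1 wording "necessary for an intended purpose of the product" leaves the purpose undefined at this point, so the manufacturer can widen it at will. Suggest requiring that the intended purpose be documented, so the exception can be checked against something fixed. The new heading "Data minimisation across the product" also overlaps with the preceding requirement ("shall not collect data unnecessary for the operation of the product"), while the requirement text is still about authorization of Personal Data collection; consider a heading that reflects that.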
@@ -1213,46 +1213,45 @@ The product shall not collect Personal Data without explicit authorization.
#### 5.9.3.1 Requirement
The VPN shall not send Personal Data outside of the endpoint, except for the minimum data strictly necessary for user authentication, access control (e.g., IDP/OIDC integration), and subscription management. No Personal Data shall be collected or transmitted as part of the core VPN tunnelling and routing functionality.
The VPN shall not send or store Personal Data outside of the endpoint related to its use, except for the minimum data strictly necessary in relation to the intended purpose of the product, such as for the confidentiality and availability of the service provision (e.g.,unique identifiers, IP addresses meant to ensure the security of the service) user authentication, access control (e.g., endpoint identification, IDP/OIDC integration) and subscription management. No Personal Data shall be collected as part of the core VPN tunnelling and routing functionality.
#### 5.9.3.2 Applicability
* UC-1: not required
* UC-2: not required
* UC-2: required
* UC-3: required
* UC-4: not required
* UC-5: not required
* UC-6: not required
* UC-7: not required
### 5.9.4 REQ-DM-04 (MI-NPER-3) Minimize Personal Data required for use, service provisioning and payment
### 5.9.4 REQ-DM-04 (MI-NPER-3) Minimize Personal Data required for service provisioning and payment
#### 5.9.4.1 Requirement
The VPN shall minimize the required Personal Data for use of the product, collecting only the Personal Data strictly necessary for the service provider to process the payment, manage the subscription and fulfill contractual obligations.
1.**REQ-DM-04-1** The VPN shall minimize the required Personal Data, and
2.**REQ-DM-04-2** the VPN shall collect only the Personal Data strictly necessary to process the payment, manage the subscription, fulfil contractual obligations or other legitimate purposes.
#### 5.9.4.2 Applicability
* UC-1: not required
* UC-2: not required
* UC-2: required
* UC-3: required
* UC-4: not required
* UC-5: not required
* UC-6: not required
* UC-7: not required
### 5.9.5 REQ-DM-05 (MI-NPER-4) No Personal Data stored on remote data processing systems
### 5.9.5 REQ-DM-05 (MI-NPER-4) Minimize Personal Data stored
#### 5.9.5.1 Requirement
The VPN shall not store any Personal Data of the user on remote data processing systems.
> NOTE: VPN manufacturers may use remote systems to handle support tickets, e-mail and a knowledge base. The VPN manufacturer shall not store any Personal Data in remote data processing systems without abundantly clear and explicit permission from the user.
The VPN shall not store any Personal Data of the user on the VPN server, gateway or exit node.
#### 5.9.5.2 Applicability
* UC-1: not required
* UC-2: not required
* UC-2: required
* UC-3: required
* UC-4: not required
* UC-5: not required
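Review bot: In 5.9.5.1 the scope shrinks from "remote data processing systems" to "the VPN server, gateway or exit node", and the NOTE on support tickets, e-mail and knowledge base is dropped, so storage on other manufacturer back ends is no longer addressed by this requirement. If that is intended, say so; also the new heading says "Minimize Personal Data stored" while the text still says "shall not store any". In 5.9.3.1 the last sentence loses "or transmitted" without explanation, and the exception list needs a space after "e.g.," and a comma before "user authentication". In 5.9.4.1, "or other legitimate purposes" is open-ended compared with the enumerated list it replaces, and the items need a space after "1." and "2.".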
@@ -1263,10 +1262,10 @@ The VPN shall not store any Personal Data of the user on remote data processing
| **REQ-DM-02 (MI-NPER-1)** | | x | x | x | x | | x |
| **REQ-DM-03 (MI-NPER-2)** | | | x | | | | |
| **REQ-DM-04 (MI-NPER-3)** | | | x | | | | |
| **REQ-DM-05 (MI-NPER-4)** | | | x | | | | |
| **REQ-DM-02 (MI-NPER-1)** | x | x | x | x | x | | x |
| **REQ-DM-03 (MI-NPER-2)** | | x | x | | | | |
| **REQ-DM-04 (MI-NPER-3)** | | x | x | | | | |
| **REQ-DM-05 (MI-NPER-4)** | | x | x | | | | |
## 5.10 Availability protection
@@ -1527,8 +1526,8 @@ The VPN client shall not require routing of traffic from sources/destinations ot
#### 5.13.6.1 Requirement
1.**REQ-EMM-06 (MI-LOGG-X)-1** The remote data processing solutions (e.g., exit nodes) of the VPN manufacturer shall utilize an ephemeral infrastructure architecture to technically prevent the persistent storage of user data, traffic metadata, or system logs at the hardware and operating system level, and
2.**REQ-EMM-06 (MI-LOGG-X)-2** servers shall operate exclusively using volatile memory (e.g., RAM disks or NVRAM) for temporary processing and system logs, without writing to non-volatile disk-based storage. To satisfy cybersecurity monitoring requirements, any non-Personal Data cybersecurity-relevant events shall be logged in volatile memory or securely transmitted to a remote logging system in accordance with REQ-LOG-03 (MI-LOGG-2).
1.**REQ-EMM-06 (MI-LOGG-X)-1** The VPN server, gateway or exit nodes shall utilize an ephemeral infrastructure architecture to technically prevent the persistent storage of user data, traffic metadata, or system logs at the hardware and operating system level, and
2.**REQ-EMM-06 (MI-LOGG-X)-2**VPN server, gateway or exit nodes shall operate exclusively using volatile memory (e.g., RAM disks or NVRAM) for temporary processing and system logs, without writing to non-volatile disk-based storage. To satisfy cybersecurity monitoring requirements, any non-Personal Data cybersecurity-relevant events shall be logged in volatile memory or securely transmitted to a remote logging system in accordance with REQ-LOG-03 (MI-LOGG-2).
This clause provides assessment for the requirements in 5.14 relating to CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (g).
### 6.9.2 REQ-DM-02 (MI-NPER-1) No Personal Data collected without authorization
### 6.9.2 REQ-DM-02 (MI-NPER-1) Data minimisation across the product
#### 6.9.2.1 Objective
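Review bot: REQ-EMM-06 (MI-LOGG-X)-2 lists NVRAM as an example of volatile memory, but NVRAM is non-volatile by definition, which contradicts "without writing to non-volatile disk-based storage" in spirit; since the sentence is being rewritten anyway, drop NVRAM from the example or replace it. The same item is missing a space and an article after the bold identifier ("**VPN server" should read "** The VPN server"). Replacing "remote data processing solutions (e.g., exit nodes) of the VPN manufacturer" with "VPN server, gateway or exit nodes" also narrows the requirement to those three node types; confirm that other manufacturer-operated systems are meant to fall outside it.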
@@ -1608,14 +1608,14 @@ None.
* for how long,
* with whom it is shared,
* how it is stored,
* whether the user consented to it, and
* whether the user consented to it or the data collection is required for the product's intended purpose, and
* record of user consent.
#### 6.9.2.4 Verdict
PASS if **all** of the following are fulfilled:
* All Personal Data collected has a record of authorization by the user.
* All Personal Data collected has a record of authorization by the user or is required for the product's intended purpose.
Otherwise FAIL
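Review bot: The verdict in 6.9.2.4 now accepts Personal Data that "is required for the product's intended purpose", but the list of items to document still ends with "record of user consent" and has no item for recording why a data element is required. Suggest adding an item such as the documented purpose that makes the collection necessary, so the assessor has evidence for the new alternative.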
@@ -1634,30 +1634,31 @@ Data minimization.
#### 6.9.3.2 Preparation
None.
Retrieve internal policy from VPN manufacturer.
#### 6.9.3.3 Activities
1. Capture all packets during a typical hour of use.
2. Document all data sent to the VPN manufacturer.
3. Label any Personal Data included in packet capture.
4. Identify if any labelled Personal Data originates from the tunnelling functionality or is otherwise outside the documented scope of necessary authentication/access control.
#### 6.9.3.4 Verdict
PASS if **all** of the following are fulfilled:
* All labelled Personal Data collected is strictly necessary, and
* all Personal Data collected is explicitly justified for authentication, access control, or subscription management.
* All labelled Personal Data collected is either:
* strictly necessary for the confidentiality or availability of the product as outlined in the internal policy and intended use of the VPN manufacturer or
* Personal Data collected is explicitly justified for authentication, access control, or subscription management.
* No personal data is collected from the user’s VPN tunnelling and routing functionality which is not indented for the VPN manufacturer
Otherwise FAIL
#### 6.9.3.5 Evidence
* Packet capture
* Manufacturer's documentation justifying the necessity of any transmitted authentication data
* Manufacturer's documentation justifying the necessity of any transmitted data
### 6.9.4 REQ-DM-04 (MI-NPER-3) Minimize Personal Data required for use, service provisioning and payment
### 6.9.4 REQ-DM-04 (MI-NPER-3) Minimize Personal Data required service provisioning and payment
#### 6.9.4.1 Objective
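Review bot: The last verdict bullet in 6.9.3.4 reads "not indented for the VPN manufacturer"; this should be "intended", and the bullet lacks closing punctuation. The two alternatives under "is either:" need to be indented as sub-bullets, and the second one does not parse after "is either:" ("Personal Data collected is explicitly justified ..."); rephrase it as "explicitly justified for authentication, access control, or subscription management". The Preparation step should say which internal policy is to be retrieved, since the verdict relies on it. The new 6.9.4 heading drops "for" ("required service provisioning") and no longer matches the 5.9.4 heading.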
@@ -1680,7 +1681,7 @@ Obtain a fresh installation of the VPN product.
PASS if **any** of the following are fulfilled:
* There is no Personal Data recorded, or
* Personal Data recorded has a justified, documented operational reason essential for the delivery of the service or payment processing.
* Personal Data recorded has a justified, legal, or documented operational reason essential for the delivery of the service or payment processing.
Otherwise FAIL
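Review bot: In the second PASS bullet, "a justified, legal, or documented operational reason" now reads as three alternatives, so a reason that is merely "justified" passes without being documented. If the intent is to add legal obligations as a ground, write it as "a justified and documented legal or operational reason essential for the delivery of the service or payment processing".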
@@ -1688,7 +1689,7 @@ Otherwise FAIL
* The record of data entered with a short description indicating whether the particular data element alone or in combination with other data elements allows for singling out the individual in accordance with the definition of personal data under the applicable law. Where this is the case, the reason why the data element is required should also be documented.
### 6.9.5 REQ-DM-05 (MI-NPER-4) No Personal Data stored on remote data processing systems
### 6.9.5 REQ-DM-05 (MI-NPER-4) Minimize Personal Data stored
#### 6.9.5.1 Objective
@@ -1696,18 +1697,18 @@ Confidentiality.
#### 6.9.5.2 Preparation
Gather internal written policy on what data may be stored, samples of all types of information stored by the manufacturer that may contain Personal Data, covering at least one instance of all types of activities conducted by the user.
None.
#### 6.9.5.3 Activities
Examine the written policy and samples of stored data and look for Personal Data.
Gather any data stored on the VPN server, gateway or exit node during a typical hour of use or smilate usage. Label data as personal data if any.
#### 6.9.5.4 Verdict
PASS if **all** of the following are fulfilled:
PASS if **any** of the following are fulfilled:
*Policy is consistent with not storing Personal Data, and
*samples of stored data contain no Personal Data.
*There is no Personal Data recorded, or
*Personal Data recorded has a justified, documented operational reason aligned with the intended purpose of the product.
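Review bot: The new 6.9.5.4 verdict passes when stored Personal Data "has a justified, documented operational reason", but 5.9.5.1 as amended still says the VPN "shall not store any Personal Data of the user on the VPN server, gateway or exit node", so the assessment is weaker than the requirement; align one with the other. Preparation is now "None." although the verdict needs the manufacturer's documented reason, so that documentation should be gathered there. In 6.9.5.3, "smilate" should be "simulate", and the verdict bullets need a space after the asterisk.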