@@ -171,7 +171,10 @@ The following referenced documents may be useful in implementing an ETSI deliver
<spanid="_ref_i.9">[i.9]</span> IEEE-ITSO 6100 (1.0.0): "Uptane Standard for Design and Implementation". <https://uptane.org/papers/ieee-isto-6100.1.0.0.uptane-standard.html>
<spanid="_ref_i.10">[10]</span> ITU-T x.509: "Public-key and attribute certificate frameworks". <https://www.itu.int/rec/T-REC-X.509/en>
<spanid="_ref_i.10">[i.10]</span> ITU-T x.509: "Public-key and attribute certificate frameworks". <https://www.itu.int/rec/T-REC-X.509/en>
<spanid="_ref_i.11">[i.11]</span> Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) <https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng#art_4>
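Review bot: the new [i.11] entry has no terminating period after "(General Data Protection Regulation)", unlike the neighbouring entries; suggest "... (General Data Protection Regulation). <https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng#art_4>". While this block is being touched, the [i.9] label reads "IEEE-ITSO 6100" although its URL path says "ieee-isto-6100" (the organisation is IEEE-ISTO), and both [i.10] lines write "ITU-T x.509" with a lowercase x where the Recommendation is designated X.509.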
@@ -181,7 +184,7 @@ The following referenced documents may be useful in implementing an ETSI deliver
This clause provides terms and definitions based on CEN-CENELEC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645 [\[i.6\]](#_ref_i.6)/TS 103 701 [\[i.7\]](#_ref_i.7) and terms and definitions provided by CEN-CENELEC EN 18031 [\[i.8\]](#_ref_i.8) series.
For the purposes of the present document, the terms given in [i.1], [i.4], and the following apply:
For the purposes of the present document, the terms given in [\[i.1\]](#_ref_i.1), [\[i.4\]](#_ref_i.4), and the following apply:
cloud
: data centre or collection of data centres operated entirely by a third party which rents out space and time on their equipment, as well as providing services for managing infrastructure from outside networks
@@ -190,7 +193,7 @@ consumer
: natural person who acts for purposes which are outside that person's trade, business, craft or profession
cybersecurity
: cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 [i5]
: cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 [\[i.5\]](#_ref_i.5)
end-point
: device that is connected to a network and serves as an entry point to that network
@@ -215,6 +218,9 @@ logical connection
physical connection
: connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves
Personal Data
: personal data as defined by (EU) 2016/679 General Data Protection Regulation [\[i.11\]](#_ref_i.11)
product with digital elements
: software or hardware product and its remote data processing solutions (including software or hardware components being placed on the market separately)
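Review bot: the added "Personal Data" entry breaks two conventions of this clause. Every other term is lowercase ("cloud", "consumer", "cybersecurity", "physical connection"), and the entries are in alphabetical order, where "personal data" sorts before "physical connection", so the new term should move up one entry and read "personal data". Its definition should also follow the form used for "cybersecurity" above ("as defined in Article 2, point (1), of Regulation (EU) 2019/881"), i.e. cite the article and point of Regulation (EU) 2016/679 rather than "(EU) 2016/679 General Data Protection Regulation"; the [i.11] URL already anchors at Article 4.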
@@ -242,15 +248,12 @@ For the purposes of the present document, the following abbreviations apply:
| IPRFU | Intended purpose and reasonably foreseeable use |
| PII | Personally Identifiable Information |
| PwDE | Product with Digital Element |
| SBOM | Software Bill of Materials |
| VPN | Virtual Private Network |
# 4 Product context
## 4.1 Intended Purpose and Reasonably Foreseeable Use (IPRFU)
## 4.1 Intended Purpose and Reasonably Foreseeable Use
### 4.1.1 Intended Purpose
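Review bot: the abbreviations table expands PwDE as "Product with Digital Element" (singular) while the defined term in clause 3 is "product with digital elements"; align the expansion with the term. The hunk header (-15 +12) indicates three lines are dropped, but no removals are visible in this rendering, so please confirm in the actual diff whether the PII row is among them; if it is, the remaining "personally identifiable information" wording elsewhere in the document (the C.2.10 heading and the C.4.15 body sentence) needs the same replacement.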
@@ -406,7 +409,7 @@ The following risks are delegated by the VPN product to other components within
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of cybersecurity requirements. It is not an exhaustive list, and deployments may cross over more than one use.
See [i.3] for formal definitions of micro, small, and medium-sized enterprises.
See [\[i.3\]](#_ref_i.3) for formal definitions of micro, small, and medium-sized enterprises.
***UC-1** Individual consumer
* Client installed on personal devices like mobile phone, portable or desktop computer
@@ -446,7 +449,7 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises.
# Annex A (informative): Relationship between the present document and the requirements of EU Regulation (EU) 2024/2847
The present document has been prepared under the Commission's standardisation request C(2025)618 M/606 to provide one voluntary means of conforming to the requirements of EU Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). [i.1]
The present document has been prepared under the Commission's standardisation request C(2025)618 M/606 to provide one voluntary means of conforming to the requirements of EU Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). [\[i.1\]](#_ref_i.1)
Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.
@@ -499,7 +502,7 @@ Other Union legislation may be applicable to the product(s) falling within the s
- Configuration data
- Management application certificates
- CA information, certificates & keys (public, private, PSK)
- End-point details including authentication, location, and potential PII
- End-point details including authentication, location, and potential Personal Data
- Statistics and telemetry data
- Network configuration audit logs
- Network flow logs and other statistics about data transferred over the network
@@ -555,7 +558,7 @@ Description: Affects impact of threats involving loss of data confidentiality, a
Rationale: More sensitive data leads to a higher impact with a successful breach.
***[DAT-0]** User data is generally trivial and unimportant (ie. TV or streaming content, etc)
***[DAT-1]** User data is moderately important (i.e. may include some PII)
***[DAT-1]** User data is moderately important (i.e. may include some Personal Data)
***[DAT-2]** User data is important for preservation of human rights of user
### C.2.5 RF-FUN: Sensitivity of functions
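Review bot: the DAT-0 context line still reads "(ie. TV or streaming content, etc)" while DAT-1 uses "i.e."; since this hunk already edits DAT-1, fix "ie." to "i.e." and add the period after "etc" for consistency.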
@@ -618,15 +621,15 @@ Rationale: Different connectivity requirements create different risks and mitiga
***[CON-1]** Foreseeable use is one or more endpoints connecting to other endpoints or hosts via a private network
***[CON-2]** Foreseeable use is multiple endpoints connecting to each other via a private network, in addition to connecting to a public network
### C.2.10 RF-PII: Consequences of personally identifiable information compromise
### C.2.10 RF-PER: Consequences of personally identifiable information compromise
Description: What the consequences of an attacker acquiring PII via the product are.
Description: What the consequences of an attacker acquiring Personal Data via the product are.
Rationale: Different consequences change the impact of compromise of PII stored or transmitted by the product.
Rationale: Different consequences change the impact of compromise of Personal Data stored or transmitted by the product.
***[PII-0]** Foreseeable use is no or low consequences for compromise of PII stored or transmitted by the product
***[PII-1]** Foreseeable use is moderate consequences for compromise of PII stored or transmitted by the product, e.g. financial or reputational loss
***[PII-0]** Foreseeable use is high consequences for compromise of PII stored or transmitted by the product, e.g. loss of life or human rights
***[PER-0]** Foreseeable use is no or low consequences for compromise of Personal Data stored or transmitted by the product
***[PER-1]** Foreseeable use is moderate consequences for compromise of Personal Data stored or transmitted by the product, e.g. financial or reputational loss
***[PER-0]** Foreseeable use is high consequences for compromise of Personal Data stored or transmitted by the product, e.g. loss of life or human rights
## C.3 Assumptions
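Review bot: the renamed list has two entries labelled [PER-0] (the "no or low" level and the "high consequences" level); the last one should be [PER-2]. The duplicate was already present as [PII-0]/[PII-0] before the rename and is carried over verbatim, so it is worth fixing in the same change. The heading "C.2.10 RF-PER: Consequences of personally identifiable information compromise" also keeps the old wording while the Description and Rationale lines below it switch to "Personal Data"; suggest "Consequences of Personal Data compromise".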
@@ -1049,22 +1052,22 @@ Mitigations for Impact:
* Medium to Low: AUTH-3, LOGG-1, CDST
* High to Low: AUTH-3, AUTH-4, AUTH-5, LOGG-1, LOGG-2, CDST
### C.4.15 TH-META: Compromise of PII due to metadata and traffic analysis
### C.4.15 TH-META: Compromise of Personal Data due to metadata and traffic analysis
Attacker may use user metadata such as IP addresses and traffic analysis to compromise personally identifiable information.
**Table C.4.15-1: Compromise of PII due to metadata and traffic analysis**
**Table C.4.15-1: Compromise of Personal Data due to metadata and traffic analysis**
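Review bot: the heading and the table caption are renamed to "Personal Data", but the body sentence between them still says "to compromise personally identifiable information"; change it to "to compromise Personal Data" so the threat description matches its title.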
@@ -769,53 +769,53 @@ The VPN client shall not require routing of traffic from sources/destinations ot
The product shall not collect data unnecessary for the operation of the product.
#### 5.2.12.2 MI-NPII-1: No PII collected without authorization
#### 5.2.12.2 MI-NPER-1: No Personal Data collected without authorization
The product shall not collect PII without explicit authorization.
The product shall not collect Personal Data without explicit authorization.
* Reference: TR-DMIN
* Objective: Data minimization
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer, label it all as to PII or not, and justify all PII sent, and document if it is kept or not, for how long, who it is shared with, how it is stored, how the user consents to it, record of user consent
* Activities: Review the documentation of the packet capture for PII and see if any of it was collected without authorization
* Verdict: All PII collected has a record of authorization by the user => PASS, otherwise FAIL
* Evidence: Packet capture, documentation of PII, authorization, justification
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer, label it all as to Personal Data or not, and justify all Personal Data sent, and document if it is kept or not, for how long, who it is shared with, how it is stored, how the user consents to it, record of user consent
* Activities: Review the documentation of the packet capture for Personal Data and see if any of it was collected without authorization
* Verdict: All Personal Data collected has a record of authorization by the user => PASS, otherwise FAIL
* Evidence: Packet capture, documentation of Personal Data, authorization, justification
#### 5.2.12.3 MI-NPII-2: No PII sent outside endpoint
#### 5.2.12.3 MI-NPER-2: No Personal Data sent outside endpoint
VPN shall not send PII outside of the endpoint at all.
VPN shall not send Personal Data outside of the endpoint at all.
* Reference: TR-DMIN
* Objective: Data minimization
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer
* Activities: Review the documentation of the packet capture for any form of PII
* Verdict: There is no PII collected => PASS, otherwise FAIL
* Activities: Review the documentation of the packet capture for any form of Personal Data
* Verdict: There is no Personal Data collected => PASS, otherwise FAIL
* Evidence: Packet capture
#### 5.2.12.4 MI-NPII-3: No PII required for use or payment
#### 5.2.12.4 MI-NPER-3: No Personal Data required for use or payment
The VPN shall not require PII for use of the product, including for payment.
The VPN shall not require Personal Data for use of the product, including for payment.
* Reference: TR-DMIN
* Objective: Confidentiality
* Preparation: Follow the instructions to use the product and start a VPN connection, selecting the options that require the least PII, recording all data entered
* Activities: Examine the data entered looking for PII
* Verdict: If there is any PII in the data entered => FAIL, otherwise => PASS
* Evidence: The record of data entered with a short description of each part accounting for why it is not PII
* Preparation: Follow the instructions to use the product and start a VPN connection, selecting the options that require the least Personal Data, recording all data entered
* Activities: Examine the data entered looking for Personal Data
* Verdict: If there is any Personal Data in the data entered => FAIL, otherwise => PASS
* Evidence: The record of data entered with a short description of each part accounting for why it is not Personal Data
#### 5.2.12.5 MI-NPII-4: No PII stored on remote data processing systems
#### 5.2.12.5 MI-NPER-4: No Personal Data stored on remote data processing systems
The VPN shall not store any PII of the user on remote data processing systems.
The VPN shall not store any Personal Data of the user on remote data processing systems.
> [!note]
> VPN manufacturers may use remote systems to handle support tickets, e-mail and a knowledge base. The VPN manufacturer shall not store any PII in remote data processing systems without abundantly clear and explicit permission from the user.
> VPN manufacturers may use remote systems to handle support tickets, e-mail and a knowledge base. The VPN manufacturer shall not store any Personal Data in remote data processing systems without abundantly clear and explicit permission from the user.
* Applicability: (optional, for requirements that depend on a feature)
* Reference: TR-DMIN
* Objective: Confidentiality
* Preparation: Gather internal written policy on what data may be stored, samples of all types of information stored by the manufacturer that may contain PII, covering at least one instance of all types of activities conducted by the user
* Activities: Examine the written policy and samples of stored data and look for PII
* Verdict: Policy is consistent with not storing PII and samples of stored data contain no PII
* Evidence: Policy, samples of stored data, documentation of why the samples don't contain PII
* Preparation: Gather internal written policy on what data may be stored, samples of all types of information stored by the manufacturer that may contain Personal Data, covering at least one instance of all types of activities conducted by the user
* Activities: Examine the written policy and samples of stored data and look for Personal Data
* Verdict: Policy is consistent with not storing Personal Data and samples of stored data contain no Personal Data
* Evidence: Policy, samples of stored data, documentation of why the samples don't contain Personal Data
### 5.2.13 TR-IPV6 Secure IPv6 Handling
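Review bot: in the MI-NPER-4 block the bullet "Applicability: (optional, for requirements that depend on a feature)" reads as unfilled template text; either state the feature this requirement depends on or drop the bullet, since MI-NPER-1 to MI-NPER-3 carry none. Its Verdict line also lacks the "=> PASS, otherwise FAIL" outcome that every other verdict in this hunk states. Minor: MI-NPER-3 and MI-NPER-4 give the Objective as "Confidentiality" while MI-NPER-1 and MI-NPER-2 give "Data minimization" for the same TR-DMIN reference, and the note under MI-NPER-4 uses normative "shall" inside an informative note.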
@@ -883,7 +883,7 @@ The product shall record cybersecurity-relevant internal events, including but n
#### 5.2.15.2 MI-LOGG-1: Logging
The product shall record log messages indicating cybersecurity-relevant internal events in an internal log or transmit them to the host system logging system. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.
The product shall record log messages indicating cybersecurity-relevant internal events in an internal log or transmit them to the host system logging system. The log messages shall not include any confidential information such as Personal Data, secrets, or credentials, or any information which might reasonably be expected to include such items.
* Reference: TR-LOGG
* Objective: Monitoring and recording cybersecurity-relevant events
@@ -897,7 +897,7 @@ The product shall record log messages indicating cybersecurity-relevant internal
#### 5.2.15.3 MI-LOGG-2: Remote Logging
The product shall transfer log messages indicating cybersecurity-relevant internal events to a remote logging server. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.
The product shall transfer log messages indicating cybersecurity-relevant internal events to a remote logging server. The log messages shall not include any confidential information such as Personal Data, secrets, or credentials, or any information which might reasonably be expected to include such items.
* Reference: TR-LOGG
* Objective: Transfer log messages regarding cybersecurity-relevant events to mitigate local tampering
@@ -1130,7 +1130,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
1. KEVD
1. LMEM
1. LOGG-1
1. NPII-1
1. NPER-1
1. ROUT-1
1. ROUT-2
1. SCFS
@@ -1184,10 +1184,10 @@ This clause lists all the mitigations necessary to meet requirements for each se
1. LMEM
1. LOGG-1
1. LOGG-2
1. NPII-1
1. NPII-2
1. NPII-3
1. NPII-4
1. NPER-1
1. NPER-2
1. NPER-3
1. NPER-4
1. NUTI-1
1. NUTI-2
1. ROUT-1
@@ -1247,7 +1247,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
1. LMEM
1. LOGG-1
1. LOGG-2
1. NPII-1
1. NPER-1
1. NUTI-1
1. NUTI-2
1. ROUT-1
@@ -1305,7 +1305,7 @@ This clause lists all the mitigations necessary to meet requirements for each se