Unverified Commit 5fa7670a authored by Aki Braun

Terminology consistency after BXL workshop 2

- Replace "security" with "cybersecurity" where appropriate
- Replace "core function(ality)" with either "essential function[s]" or "intended purpose" as appropriate
- Choose "cybersecurity requirements" over "technical requirements"
- Replace "product[s] with digital elements" with "product[s]" after the first occurrence—the first occurrence should read "product with digital elements (product)"
parent 98a6f3b6
+24 −28
@@ -63,19 +63,19 @@ In the present document "**shall**", "**shall not**", "**should**", "**should no

# Executive summary

The purpose of this document is to provide essential cybersecurity requirements for the design, development, and production of Virtual Private Networks intending to be placed on the European Union market.
The purpose of this document is to provide essential cybersecurity requirements of a Virtual Private Network product intending to be placed on the European Union market.

# Introduction

The present document defines cybersecurity requirements for products with digital elements which have the primary purpose is providing private connections to public networks such as the Internet or other private networks. Demonstrating compliance with the present document is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act [\[i.1\]](#_ref_i.1).

The present document does not provide presumption of conformity for products with digital elements which include a VPN feature as part of a larger networking or security product, though it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with VPNs.
The present document does not provide presumption of conformity for products with digital elements which include a VPN feature as part of a larger networking or cybersecurity product, though it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with VPNs.

# 1 Scope

## 1.1 General

The present document establishes security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended purpose and reasonably foreseeable use of Virtual Private Network. This includes providing commercial Virtual Private Network (VPN)s intended for a single user or home network to securely connect to a public or private networks with an emphasis on privacy, as well as for secure remote access of an organization's workforce, or interconnecting various infrastructures of those organizations through untrusted domains.
The present document establishes cybersecurity requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended purpose and reasonably foreseeable use of Virtual Private Network. This includes providing commercial Virtual Private Network (VPN)s intended for a single user or home network to securely connect to a public or private networks with an emphasis on privacy, as well as for secure remote access of an organization's workforce, or interconnecting various infrastructures of those organizations through untrusted domains.

The present document is applicable to:

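Review bot: the grammar slip in the Introduction's first sentence survives the rewrite: "products with digital elements which have the primary purpose is providing private connections" should read "whose primary purpose is providing private connections". Also, by the convention stated in the commit message, the first occurrence should introduce the short form as "product with digital elements (product)"; here both Introduction paragraphs keep the long form and clause 1.1 then introduces "(products)" again. In clause 1.1, "Virtual Private Network (VPN)s" and "to securely connect to a public or private networks" also read awkwardly; "Virtual Private Networks (VPNs)" and "to public or private networks" would fix both.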
@@ -102,14 +102,14 @@ The present document explicitly VPNs used in the industrial OT domain.

This list clarifies products whose functionality might be confused with the in-scope products of the present document, but which are excluded due to their primary purpose or operational environment.

* VPNs for industrial OT domains: Products with digital elements intended for use in the industrial OT (Operational Technology) domain are explicitly excluded from the present document, as their security requirements are covered under a different standard (EN 62443-5-XX).
* Products with a VPN as a component: Products whose core purpose is not a VPN, but which contain VPN functionality, cannot rely on the present document alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client and products such as firewalls and routers. While these devices may have integrated VPN capabilities, their primary function is network security or traffic control, which is addressed by other standards.
* VPNs for industrial OT domains: Products intended for use in the industrial OT (Operational Technology) domain are explicitly excluded from the present document, as their cybersecurity requirements are covered under a different standard (EN 62443-5-XX).
* Products with a VPN as a component: Products whose intended purpose is not a VPN, but which contain VPN functionality, cannot rely on the present document alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client and products such as firewalls and routers. While these devices may have integrated VPN capabilities, their intended purpose is network security or traffic control, which is addressed by other standards.
* VPN services without a component provided for the customer or end user. Commercial actors that provide a VPN service solely by providing users with configuration details (e.g., an OpenVPN config file) and do not provide an associated end-user client or managed hardware are not in scope.
* Unsecured network connections: the present document does not apply to software or hardware intended to link two or more networks without implementing a secure connection.

## 1.4 Product industries excluded from the Cyber Resilience Act

The types of product with digital elements listed below do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by the present document:
The types of product listed below do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by the present document:

1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, (2) [\[i.1\]](#_ref_i.1)
2. Products developed or modified for national security and defence purpose, or for processing classified material, as described in CRA recitals 14 and 26; article 2, 7-8 [\[i.1\]](#_ref_i.1);
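Review bot: the duplicated article in "the scope of the the Regulation (EU) 2024/2847" in clause 1.4 is carried over unchanged into the rewritten line; drop one "the". Two further points in this hunk: the context line "The present document explicitly VPNs used in the industrial OT domain." is missing its verb (presumably "excludes"), and the standard reference "EN 62443-5-XX" is still a placeholder that needs the actual part number before the reference list is finalised.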
@@ -262,7 +262,7 @@ In a business environment, VPNs may also be used to create a restricted-use netw

### 4.1.2 Reasonably foreseeable use

There are many reasons for VPNs' use, such as obfuscating information about the source of the VPN client, data transiting through an untrusted domain, etc. The use cases defined in clause 4.7 of the present document describe a range of reasonably foreseeable uses, which identify a range of security needs. This does not cover *all* reasonably foreseeable uses.
There are many reasons for VPNs' use, such as obfuscating information about the source of the VPN client, data transiting through an untrusted domain, etc. The use cases defined in clause 4.7 of the present document describe a range of reasonably foreseeable uses, which identify a range of cybersecurity needs. This does not cover *all* reasonably foreseeable uses.

## 4.2 Essential functions

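Review bot: minor wording in the rewritten sentence: "There are many reasons for VPNs' use" reads more naturally as "There are many reasons to use a VPN"; the terminology change itself is consistent with the rest of the commit.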
@@ -305,9 +305,9 @@ During reasonably foreseeable use, VPN nodes may:

As a complete product, a Virtual Private Network includes, at minimum, VPN software capable of establishing a secure encrypted tunnel between two or more devices.

The most common state of the art implementation is a product with digital elements that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.
The most common state of the art implementation is a product that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.

A VPN can also be a product with digital elements that provides access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network, including cases where that product provides access from a restricted-use logical computer network to a public network.
A VPN can also be a product that provides access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network, including cases where that product provides access from a restricted-use logical computer network to a public network.

Some VPN products also provide management capabilities to network administrators: user and group management, access control, logging and monitoring.

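Review bot: "state of the art implementation" is used attributively in the rewritten paragraph and should be hyphenated ("state-of-the-art implementation"). Otherwise dropping "with digital elements" here follows the commit's convention, since clause 1.1 already introduced the short form.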
@@ -329,7 +329,7 @@ A VPN server is responsible for maintaining tunnels between VPN clients and the

### 4.4.1 Physical environment

The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.
The cybersecurity requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the cybersecurity requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.

The physical hardware the VPN product is using may be:

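Review bot: terminology in clause 4.4.1 is still inconsistent after the rewrite: the paragraph refers to "the equipment" three times while the sentence immediately after it, and the rest of clause 4, refer to "the VPN product". Given the purpose of this commit, consider "the product" in all three places.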
@@ -368,22 +368,22 @@ VPN products often include or are use in concert with:
* Distributed log collection and monitoring
* Firewalls

## 4.5 Distribution of security functions
## 4.5 Distribution of cybersecurity functions

### 4.5.1 Security function distribution overview
### 4.5.1 Cybersecurity function distribution overview

This clause describes the two-way relationship where the VPN product both delegates risks and provides security functionalities to other components in its ecosystem.
This clause describes the two-way relationship where the VPN product both delegates risks and provides cybersecurity functionalities to other components in its ecosystem.

The security of a VPN product is dependent on a chain of trust that spans across multiple components in its operational environment. Consequently, the VPN product delegates certain risks to other components while offering security functionalities that mitigate different risks for those same components.
The cybersecurity of a VPN product is dependent on a chain of trust that spans across multiple components in its operational environment. Consequently, the VPN product delegates certain risks to other components while offering cybersecurity functionalities that mitigate different risks for those same components.

### 4.5.2 Security Functionalities Offered to Integrated Components
### 4.5.2 Cybersecurity Functionalities Offered to Integrated Components

The VPN product offers the following security functionalities to other components in its operational environment:
The VPN product offers the following cybersecurity functionalities to other components in its operational environment:

- **Secure Data Transport** - The primary function of a VPN is to create a secure, encrypted tunnel over an untrusted network. This functionality protects all network traffic originating from the client device or network from eavesdropping and other network-based attacks.
- **Controlled Network Access** - The VPN client acts as a security gatekeeper for the remote network. This functionality protects the remote network by only allowing authenticated and authorized traffic to pass through.
- **Controlled Network Access** - The VPN client acts as a cybersecurity gatekeeper for the remote network. This functionality protects the remote network by only allowing authenticated and authorized traffic to pass through.

### 4.5.3 Security functions required from the environment
### 4.5.3 Cybersecurity functions required from the environment

The following risks are delegated by the VPN product to other components within its operational environment:

@@ -404,7 +404,7 @@ The following risks are delegated by the VPN product to other components within

## 4.7 Use cases

This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. It is not an exhaustive list, and deployments may cross over more than one use.
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of cybersecurity requirements. It is not an exhaustive list, and deployments may cross over more than one use.

See [i.3] for formal definitions of micro, small, and medium-sized enterprises.

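Review bot: the reference "[i.3]" in the unchanged line after the rewrite is plain text, while every other reference on this page is rendered as a link of the form "[\[i.1\]](#_ref_i.1)"; use the same link form here so the anchor resolves.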
@@ -452,7 +452,7 @@ Once the present document is cited in the Official Journal of the European Union

**Table A-1: Relationship between CRA requirements and requirements of the EU Regulation (EU) 2024/2847**

| CRA requirement                                 | Technical security requirements(s)  |
| CRA requirement                                 | Cybersecurity requirements(s)       |
|-------------------------------------------------|-------------------------------------|
| No known exploitable vulnerabilities            | NKEV, SSSD, SCUD, NUTI, LOGG        |
| Secure design, development, production          | SSDD                                |
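Review bot: the new table header keeps the typo from the old one: "Cybersecurity requirements(s)" should be "Cybersecurity requirement(s)". The caption is also circular, since the CRA is Regulation (EU) 2024/2847: "Relationship between CRA requirements and requirements of the EU Regulation (EU) 2024/2847" presumably should say "...and cybersecurity requirements of the present document". Finally, the first row cites "SSSD" and the second "SSDD"; confirm these are two distinct requirement identifiers rather than a typo.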
@@ -470,18 +470,17 @@ Once the present document is cited in the Official Journal of the European Union
| Secure deletion and data transfer               | SCDL, SDTR                          |
| Vulnerability handling                          | VULH                                |


Presumption of conformity stays valid only as long as a reference to the present document is maintained in the list published in the Official Journal of the European Union. Users of the present document should consult frequently the latest list published in the Official Journal of the European Union.

Other Union legislation may be applicable to the product(s) falling within the scope of the present document.

# Annex B (informative): Mappings

## B.1 Mapping of technical security requirements and assessment requirements
## B.1 Mapping of cybersecurity requirements and assessment requirements

(See Annex D)

## B.2 Mapping of technical security requirements and risks factors
## B.2 Mapping of cybersecurity requirements and risks factors

(See Annex D)

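Review bot: "risks factors" in the rewritten B.2 heading should be "risk factors"; the old heading had the same slip, so this was a chance to fix it. In the unchanged paragraph above, "should consult frequently the latest list" reads more naturally as "should frequently consult the latest list".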
@@ -523,7 +522,7 @@ A basic overview of VPN functions follows. See clause 4.2 for a detailed overvi

### C.2.1 General

Risk factors determine which mitigation(s) satisfy each of the technical requirements in clause 5.2. The assessor of a product determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the VPN.
Risk factors determine which mitigation(s) satisfy each of the cybersecurity requirements in clause 5.2. The assessor of a product determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the VPN.

Risk factors may increase the likelihood of an incident, increase the impact of an incident, or both. As a result, different mitigation strategies may be more or less relevant to different risk factors.

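Review bot: "intended and foreseeable use and misuse" in the rewritten C.2.1 sentence differs from the wording clause 4.1.2 and clause 1.1 use for the same concept ("intended purpose and reasonably foreseeable use"); since this commit is about terminology consistency, align it to "intended purpose and reasonably foreseeable use and misuse".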
@@ -1187,12 +1186,11 @@ Mitigations for Impact:
| UC-4     | Small organisation          | 2   | 2   | 2   | 1   | 1   | 2   | 2   | 2   | 1   | 1   | SP-4 |
| UC-5     | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 2   | 2   | 2   | 2   | 1   | SP-4 |


## C.6 Security profiles

### C.6.1 General

Security profiles are an informative resource to the assessor. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each security requirements necessary to treat the risk.
Security profiles are an informative resource to the assessor. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each cybersecurity requirements necessary to treat the risk.

### C.6.2 Mapping of security profiles to risk factors

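Review bot: number agreement in the rewritten C.6.1 sentence: "for each cybersecurity requirements necessary" should be "for each cybersecurity requirement necessary". Also, the clause title "Security profiles" and the term "security profile" are left as-is while "security requirements" becomes "cybersecurity requirements"; if that is deliberate (a profile name rather than a domain term), fine, but it should be a conscious choice rather than an omission.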
@@ -1206,7 +1204,6 @@ Security profiles are an informative resource to the assessor. Each security pro
| SP-4             | Small organisation          | 2   | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | 1   |
| SP-5             | Large enterprise            | 2   | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   | 1   |


# Annex D (informative): Risk evaluation guidance

## D.1 Explanation of Risk Modelling Approach
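Review bot: the only change here is a removed blank line, but the two adjacent tables disagree and should be reconciled in the same pass. In the C.5 table above, UC-5 (Large enterprise) maps to SP-4 although the C.6.2 table defines SP-5 as the Large enterprise profile, and the sixth risk-factor column reads 2 for both UC-4 and UC-5 but 1 for SP-4 and SP-5; one of the two tables is likely stale.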
@@ -1252,7 +1249,6 @@ This clause describes the methodology followed in the current text.
| USED   | AUTH, CDST, SCDL, SDRF                                      |
| CPII   | AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG |


## D.3 Risk acceptance criteria

If the Likelihood and Impact of a risk are already Low or have been reduced to Low by application of mitigations, then the risk is acceptable. Alternatively, the risk may be transferred to the user or the operational environment, given proper justification.
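Review bot: in the CPII row of the D.2 table, AUTH is listed twice ("AUTH, DMIN, CRYPT, AUTH, ROUT, ..."); drop the duplicate. Also, D.3 uses the capitalised level "Low" for likelihood and impact while the Annex C tables express risk-factor levels numerically (0 to 2); state the mapping between the two scales, or use one consistently.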
+32 −32