Unverified Commit 6183c0c7 authored by Aki Braun

Informative: re-add a bit of information regarding VPNs that provide access to private networks

parent 338f88e0
+24 −20
ETSI **Draft EN 304 620 v0.0.15 Part 1 (2025-12)**
ETSI **Draft EN 304 620 v0.0.16 (2025-12)**

![](../media/etsi-coverpage-logo.png)

@@ -6,8 +6,6 @@ CYBER; CRA; Harmonized Standards for essential cybersecurity requirements for Pr

CRA VPNs Topic # 20;<br />

Part 1 of 2<br />

Release #<br />

<br />
@@ -100,11 +98,7 @@ The present document has been prepared under the Commission's standardisation re

Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.

The present document is part 1 of a multi-part deliverable covering Cyber Security (CYBER); Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)

Part 1: VPNs for private connection to public networks

Part 2: VPNs for secure remote access to private networks
The present document is a deliverable covering Cyber Security (CYBER); Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)

## Transposition table

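Review bot: the replacement sentence "The present document is a deliverable covering Cyber Security (CYBER); Essential cybersecurity requirements ... (VPN)" has no terminating period (carried over from the old wording, but this line is being rewritten anyway), and "is a deliverable covering" only made sense while the text went on to say "part 1 of a multi-part deliverable". Now that the Part 1 / Part 2 split is gone, "The present document covers Cyber Security (CYBER); Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)." reads cleaner.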
@@ -135,7 +129,7 @@ The purpose of this document is to provide essential cybersecurity requirements

# Introduction

The present document defines cybersecurity requirements for products with digital elements whose primary purpose is providing private connections to public networks such as the Internet or other private networks. Demonstrating compliance with the present document is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>.
The present document defines cybersecurity requirements for products with digital elements which have the primary purpose is providing private connections to public networks such as the Internet or other private networks. Demonstrating compliance with the present document is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>.

The present document does not provide presumption of conformity for products with digital elements which include a VPN feature as part of a larger networking or security product, though it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with VPNs.

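Review bot: the rewritten introduction sentence is ungrammatical: "products with digital elements which have the primary purpose is providing private connections" mixes two constructions; either keep the old "whose primary purpose is providing" or write "which have the primary purpose of providing". Since clause 1.1 in this same commit now adds "secure remote access of an organization's workforce" and interconnection of infrastructures, the phrase "private connections to public networks such as the Internet or other private networks" also buries the private-network case in an "or other"; say both purposes explicitly (private connections to public networks, and secure access to private networks).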
@@ -143,32 +137,33 @@ The present document does not provide presumption of conformity for products wit

## 1.1 General

The present document establishes security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended purpose and reasonably foreseeable use of providing commercial Virtual Private Network (VPN)s for individual consumers. This includes products intended for a single user or home network to securely connect to a public or private networks with an emphasis on privacy.
The present document establishes security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended purpose and reasonably foreseeable use of Virtual Private Network. This includes providing commercial Virtual Private Network (VPN)s intended for a single user or home network to securely connect to a public or private networks with an emphasis on privacy, as well as for secure remote access of an organization's workforce, or interconnecting various infrastructures of those organizations through untrusted domains.

The present document is applicable to:

1. Software that operates as a VPN end-point on a consumer device
2. Remote data processing and associated software used for a consumer VPN product
1. Software that operates as a VPN end-point
2. Software that operates as a node within a mesh VPN network
4. Remote data processing and associated software used for such VPN products

## 1.2 Products in scope

The scope of the present document covers products intended for use by a consumer (a natural person) for non-commercial purposes, with a focus on enhancing personal privacy and increasing security on insecure networks.
The scope of the present document covers VPN products for use by consumers or organisations.

This includes:

* Software:
    * VPN client software intended for installation on end-user devices such as mobile phones, tablets, or personal computers. This software is typically—but not exclusively—bespoke for a given VPN manufacturer with limited configuration possible by an end user.
    * VPN client software, including "plugins" or other ecosystem-specific releases, intended for installation on home routers.
    * VPN software, including "plugins" or other ecosystem-specific releases, intended for installation on home routers.
    * Software intended for the management of VPNs in a business setting.
* Remote Data Processing:
    * Cloud-based services or remote data processing solutions that are essential for the operation of a consumer VPN product, such as routing to exit nodes or managing user authentication.
    * Cloud-based services or remote data processing solutions that are essential for the operation of a VPN product, such as routing to exit nodes or managing user authentication.

## 1.3 Products not in scope

The present document explicitly excludes enterprise VPN products & services and VPNs used in the industrial OT domain.
The present document explicitly VPNs used in the industrial OT domain.

This list clarifies products whose functionality might be confused with the in-scope products of the present document, but which are excluded due to their primary purpose or operational environment.

* Enterprise VPNs: Products with an intended purpose of providing a VPN for an organisation's workforce or for connecting data centres are not in the scope of the present document, as they are covered in a separate document.
* VPNs for industrial OT domains: Products with digital elements intended for use in the industrial OT (Operational Technology) domain are explicitly excluded from the present document, as their security requirements are covered under a different standard (EN 62443-5-XX).
* Products with a VPN as a component: Products whose core purpose is not a VPN, but which contain VPN functionality, cannot rely on the present document alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client and products such as firewalls and routers. While these devices may have integrated VPN capabilities, their primary function is network security or traffic control, which is addressed by other standards.
* VPN services without a component provided for the customer or end user. Commercial actors that provide a VPN service solely by providing users with configuration details (e.g., an OpenVPN config file) and do not provide an associated end-user client or managed hardware are not in scope.
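Review bot: the rewritten first sentence of 1.3 lost its verb: "The present document explicitly VPNs used in the industrial OT domain." should read "explicitly excludes VPNs used in the industrial OT domain." Two consistency problems follow from the scope widening. First, the applicability list in 1.1 is numbered 1, 2, 4 (item 3 is missing). Second, the unchanged bullet "Enterprise VPNs: Products with an intended purpose of providing a VPN for an organisation's workforce or for connecting data centres are not in the scope of the present document, as they are covered in a separate document" now contradicts the new 1.1 text ("secure remote access of an organization's workforce, or interconnecting various infrastructures") and the new in-scope bullet "Software intended for the management of VPNs in a business setting"; that exclusion bullet should be removed in this commit, not left for a later pass. While touching this list, note that "a home router with an integrated VPN client" in the "Products with a VPN as a component" bullet sits awkwardly beside the in-scope "VPN software ... intended for installation on home routers"; a sentence distinguishing a standalone VPN package for a router from a router that ships with VPN built in would resolve it.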
@@ -312,9 +307,11 @@ For the purposes of the present document, the following abbreviations apply:

### 4.1.1 Intended Purpose

The purpose of consumer VPN is to provide encrypted end-to-end communication between two end-points.
The purpose of a VPN is to create encrypted end-to-end communication between two end-points.

State of the art VPNs are generally defined by their functionality to provide access an "exit node" through which a user can elect to direct their internet traffic. Exit nodes can be controlled by users or, more commonly, the manufacturer. They may exist on user-owned and/or -operated hardware, manufacturer-owned and/or -operated hardware, or third party "cloud" infrastructure.

Consumer VPNs are defined, in part, by their functionality to provide access an "exit node" through which a user can elect to direct their internet traffic. Exit nodes can be controlled by users or, more commonly, the manufacturer. They may exist on user-owned and/or -operated hardware, manufacturer-owned and/or -operated hardware, or third party "cloud" infrastructure.
In a business environment, VPNs may also be used to create a restricted-use network without requiring separate physically restricted infrastructure. The VPN software controls which nodes can participate in the restricted-use network and which functions or data the node is able to use or access.

### 4.1.2 Reasonably foreseeable use

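Review bot: "provide access an "exit node"" is missing "to" (pre-existing, but the sentence was rewritten here, so fix it). More substantively, "State of the art VPNs are generally defined by their functionality to provide access [to] an exit node" no longer holds once remote-access and mesh VPNs are in scope: the paragraph added directly below says those products are defined by who may participate in a restricted-use network and what they may reach, not by an exit node. Keep the old "Consumer VPNs are defined, in part, by ..." wording for the exit-node paragraph, or qualify it ("Many VPN products are defined in part by ..."). In the new business paragraph, "The VPN software controls which nodes can participate" should make clear this is an authentication and authorization decision made by the server/controller side of the product (the client on an untrusted node cannot be the enforcement point), so it lines up with the security functionalities listed in 4.5.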
@@ -359,7 +356,13 @@ During reasonably foreseeable use, VPN nodes may:

### 4.3.1 Product overview

For the purpose of the current document, a VPN is a product with digital elements that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.
As a complete product, a Virtual Private Network includes, at minimum, VPN software capable of establishing a secure encrypted tunnel between two or more devices.

The most common state of the art implementation is a product with digital elements that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.

A VPN can also be a product with digital elements that provides access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network, including cases where that product provides access from a restricted-use logical computer network to a public network.

Some VPN products also provide management capabilities to network administrators: user and group management, access control, logging and monitoring.

![A diagram illustrating an offsite device using a VPN client to encrypt traffic and send it through a public network, to a VPN server which decrypts the traffic.](../en-304-620-1/media/basic-consumer-vpn.png)

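Review bot: the diagram path "../en-304-620-1/media/basic-consumer-vpn.png" still points at the part-1 directory while the cover logo on this page uses "../media/"; check that the asset path resolves after the part split was dropped. The figure and its alt text describe only the consumer/exit-node case, so now that 4.3.1 also describes restricted-use networks, the caption should say it shows the consumer case (or a second figure should cover remote access). The new sentence "a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network" reads like a definition borrowed from elsewhere; if it is, cite the source in clause 3 so the two uses of "restricted-use network" in 4.1.1 and 4.3.1 share one definition.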
@@ -431,6 +434,7 @@ The security of a VPN product is dependent on a chain of trust that spans across
The VPN product offers the following security functionalities to other components in its operational environment:

- **Secure Data Transport** - The primary function of a VPN is to create a secure, encrypted tunnel over an untrusted network. This functionality protects all network traffic originating from the client device or network from eavesdropping and other network-based attacks.
- **Controlled Network Access** - The VPN client acts as a security gatekeeper for the remote network. This functionality protects the remote network by only allowing authenticated and authorized traffic to pass through.

### 4.5.3 Security functions required from the environment
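Review bot: the new "Controlled Network Access" bullet assigns gatekeeping to the wrong component: "The VPN client acts as a security gatekeeper for the remote network" puts the enforcement point on the end-user device, which the remote network must treat as untrusted; the component that protects the remote network is the VPN server/gateway (or mesh controller) that authenticates and authorizes the peer before admitting its traffic. Reword to "The VPN product, on the server/gateway side, acts as ...". The adjacent "Secure Data Transport" bullet's "protects all network traffic originating from the client device or network" also overstates things if the product allows any traffic to bypass the tunnel; "protects the traffic routed through the tunnel" is the claim the product can actually uphold.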