References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
@@ -153,9 +150,9 @@ References are either specific (identified by date of publication and/or edition
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
<spanid="_ref_i.1">[i.1]</span> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) [https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng>]
<spanid="_ref_i.1">[i.1]</span> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) <https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng>
<spanid="_ref_i.2">[i.2]</span> Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council. [https://eur-lex.europa.eu/eli/reg_impl/2025/2392/oj]
<spanid="_ref_i.2">[i.2]</span> Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council. <https://eur-lex.europa.eu/eli/reg_impl/2025/2392/oj>
<spanid="_ref_i.3">[i.3]</span> C(2025)618 – Standardisation request M/606: Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (CENELEC) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). <https://ec.europa.eu/transparency/documents-register/detail?ref=C(2025)618&lang=en>
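Review bot: both the old and new versions of the [i.1] and [i.2] entries carry `<spanid="_ref_i.1">` and `<spanid="_ref_i.2">` with no space between the element name and the attribute, so no `span` element with those ids is produced and the `(#_ref_i.1)` anchors used in the terms clause will not resolve; since these lines are being rewritten anyway, change them to `<span id="_ref_i.1">` and `<span id="_ref_i.2">`. The URL delimiter fix itself is correct: `[https://…/oj/eng>]` mixed a square bracket with an angle bracket, and the new `<https://…>` form matches the unchanged [i.3] entry. One further consistency point: [i.2] ends with a full stop before its URL while [i.1] does not, and [i.3] has "Commission Implementing decision" in lower case where [i.2] has "Commission Implementing Regulation"; pick one convention for the whole list.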
@@ -186,56 +183,56 @@ This clause provides terms and definitions based on CEN-CENELEC JTC13 WG09's wor
For the purposes of the present document, the terms given in [\[i.1\]](#_ref_i.1), [\[i.4\]](#_ref_i.4), and the following apply:
cloud
**cloud**
: data centre or collection of data centres operated entirely by a third party which rents out space and time on their equipment, as well as providing services for managing infrastructure from outside networks
consumer
**consumer**
: natural person who acts for purposes which are outside that person's trade, business, craft or profession
cybersecurity
**cybersecurity**
: cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 [\[i.5\]](#_ref_i.5)
end-point
**end-point**
: device that is connected to a network and serves as an entry point to that network
exit node
**exit node**
: VPN server software and associated hardware which routes user requests to and from their intended destination
hardware
**hardware**
: physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data
indirect connection
**indirect connection**
: connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network
intended purpose
**intended purpose**
: use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use
> NOTE: An intended purposes is what is specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation.
logical connection
**logical connection**
: virtual representation of a data connection implemented through a software interface
physical connection
**physical connection**
: connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves
Personal Data
**Personal Data**
: personal data as defined by (EU) 2016/679 General Data Protection Regulation [\[i.11\]](#_ref_i.11)
product with digital elements
**product with digital elements**
: software or hardware product and its remote data processing solutions (including software or hardware components being placed on the market separately)
remote data processing
**remote data processing**
: data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer
> NOTE: This specifically refers to processing the absence of which would prevent the product with digital elements from performing one of its functions.
software
**software**
: part of an electronic information system which consists of computer code
software bill of materials
**software bill of materials**
: formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements
virtual private network
**virtual private network**
: product with digital elements that provides access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network
> NOTE: This includes cases where that product provides access from a restricted-use logical computer network to the public internet.
Roles of nodes in VPNs (a node can have some or all):
* Authorisation - grant nodes access to the restricted use network
* Edge - uses a public network to communicate with the restricted use network
* Gateway - provides link between public network and restricted use network
* Router - forward traffic between nodes in the restricted use network
* Filter - select which traffic may transit this node in the restricted use network
* Relays - assist nodes in connecting to the restricted use network
* Authorisation: grant nodes access to the restricted use network
* Edge: uses a public network to communicate with the restricted use network
* Gateway: provides link between public network and restricted use network
* Router: forward traffic between nodes in the restricted use network
* Filter: select which traffic may transit this node in the restricted use network
* Relays: assist nodes in connecting to the restricted use network
During reasonably foreseeable use, VPN nodes may:
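Review bot: the NOTE under **intended purpose** still reads "An intended purposes is what is specified", which should be "An intended purpose is what is specified"; this hunk touches every term heading in the clause, so it is the natural place to catch it. Three smaller consistency points in the same hunk: **Personal Data** is the only term heading in upper case, every other heading ("cloud", "consumer", "software", …) is lower case; in the roles list "Relays" is plural while the other roles are singular, and the verbs alternate between third person ("uses", "provides") and bare infinitive ("grant", "forward", "select", "assist"), so a single form such as "Authorisation: grants nodes access …", "Router: forwards traffic …", "Relay: assists nodes …" would read better; and the list says "restricted use network" where the **virtual private network** definition just above says "restricted-use logical computer network", so hyphenate consistently.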
@@ -322,7 +319,7 @@ Some VPN products also provide management capabilities to network administrators
For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer and input by the consumer to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network - this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and is based on a combination of local user preferences and policies configured by the VPN manufacturer.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and is based on a combination of local user preferences and policies configured by the VPN manufacturer.
### 4.3.3 VPN server, VPN gateway
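Review bot: the unchanged first sentence of this hunk opens "For the purpose of the current document", while the referencing clause and the terms clause both use "the present document" ("not required for conformance to the present document", "For the purposes of the present document"); align it to "For the purposes of the present document" in the same commit. In the rewritten sentence, "changes configuration of the host device operating system" wants an article ("changes the configuration of …"), and "DNS configuration, firewall rules, routing table, etc." would read better as "the DNS configuration, firewall rules and routing table". Note that this list of host changes is exactly what the later fail-closed requirement (the client shall not reduce system security after the end of the VPN connection) has to cover, so it is worth keeping the wording of the two places in step.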
@@ -383,16 +380,16 @@ The cybersecurity of a VPN product is dependent on a chain of trust that spans a
The VPN product offers the following cybersecurity functionalities to other components in its operational environment:
-**Secure Data Transport** - The primary function of a VPN is to create a secure, encrypted tunnel over an untrusted network. This functionality protects all network traffic originating from the client device or network from eavesdropping and other network-based attacks.
-**Controlled Network Access** - The VPN client acts as a cybersecurity gatekeeper for the remote network. This functionality protects the remote network by only allowing authenticated and authorized traffic to pass through.
-**Secure Data Transport**: The primary function of a VPN is to create a secure, encrypted tunnel over an untrusted network. This functionality protects all network traffic originating from the client device or network from eavesdropping and other network-based attacks.
-**Controlled Network Access**: The VPN client acts as a cybersecurity gatekeeper for the remote network. This functionality protects the remote network by only allowing authenticated and authorized traffic to pass through.
### 4.5.3 Cybersecurity functions required from the environment
The following risks are delegated by the VPN product to other components within its operational environment:
-**Operating System and Runtime Environment** - A VPN product relies on a secure and stable underlying operating system (OS) to function. The risks associated with OS vulnerabilities or a compromised runtime environment are delegated to the OS.
-**Hardware Integrity** - The VPN product depends on the integrity of the physical hardware for the confidentiality of cryptographic keys and data processing. Risks of physical tampering or hardware-based attacks are delegated to the hardware manufacturer.
-**Identity and Authentication** - The VPN product delegates the risks associated with user credential management to a trusted Identity and Access Management (IAM) system. It relies on this external component for secure authentication and authorisation of users.
-**Operating System and Runtime Environment**: A VPN product relies on a secure and stable underlying operating system (OS) to function. The risks associated with OS vulnerabilities or a compromised runtime environment are delegated to the OS.
-**Hardware Integrity**: The VPN product depends on the integrity of the physical hardware for the confidentiality of cryptographic keys and data processing. Risks of physical tampering or hardware-based attacks are delegated to the hardware manufacturer.
-**Identity and Authentication**: The VPN product delegates the risks associated with user credential management to a trusted Identity and Access Management (IAM) system. It relies on this external component for secure authentication and authorisation of users.
## 4.6 Users
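Review bot: as shown, the bullets in both lists begin `-**Secure Data Transport**` and `-**Operating System and Runtime Environment**` with no space after the list marker, which CommonMark will not render as a list item; check that the source lines start `- **…**` before merging. On the substance of the first list, **Controlled Network Access** says "The VPN client acts as a cybersecurity gatekeeper for the remote network … by only allowing authenticated and authorized traffic to pass through", but it is the VPN server or gateway (clause 4.3.3) that can enforce what enters the remote network, not the client on the end-point; suggest "The VPN server or gateway acts as …". Likewise **Secure Data Transport** claims the tunnel "protects all network traffic originating from the client device or network", which overstates it, since traffic sent before the tunnel is up or outside it is not protected; "protects the network traffic routed through the tunnel" is more accurate. Minor: "authorized" here versus "authorisation" in the **Identity and Authentication** bullet, so settle on one spelling.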
@@ -514,12 +511,12 @@ Other Union legislation may be applicable to the product(s) falling within the s
A basic overview of VPN functions follows. See clause 4.2 for a detailed overview of the essential functions of a VPN product.
* Edge - uses a public network to communicate with the restricted use network
* Gateway - provides link between public network and restricted
* Router - forward traffic between nodes in the restricted use network
* Filter - select which traffic may transit this node
* Relays - assist nodes in connecting to the restricted use network
* Auth - grant nodes access to the restricted network
* Edge: uses a public network to communicate with the restricted use network
* Gateway: provides link between public network and restricted
* Router: forward traffic between nodes in the restricted use network
* Filter: select which traffic may transit this node
* Relays: assist nodes in connecting to the restricted use network
* Auth: grant nodes access to the restricted network
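Review bot: "Gateway: provides link between public network and restricted" is truncated in both the old and new lines; the same item in the terms clause reads "provides link between public network and restricted use network", so the missing words should be restored here. This list also drifts from the clause 3 roles list in other ways: "Auth" versus "Authorisation", "restricted network" versus "restricted use network", "Filter: select which traffic may transit this node" without the trailing "in the restricted use network", and a different ordering. Since the intro sentence already points the reader to a detailed overview elsewhere, either reference the clause 3 list instead of repeating it, or copy its wording verbatim so the two cannot diverge again.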
@@ -439,7 +439,7 @@ The VPN client shall provide a simple user-accessible documented method to resto
The VPN client shall not reduce system security after the end of the VPN connection, even if normal connection shutdown tasks have not completed.
> [!note]
> This is a "fail-closed" requirement - if something goes with the VPN connection, it is better to end with a more restricted/secure network configuration than the configuration before the VPN connection started, than a less restricted network configuration.
> This is a "fail-closed" requirement—if something goes with the VPN connection, it is better to end with a more restricted/secure network configuration than the configuration before the VPN connection started, than a less restricted network configuration.
* Reference: TR-CONF
* Objective: Preserve cybersecurity of system
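Review bot: the rewritten note still reads "if something goes with the VPN connection", which is missing a word and should be "if something goes wrong with the VPN connection"; the rest of that sentence ("it is better to end with a more restricted/secure network configuration than the configuration before the VPN connection started, than a less restricted network configuration") is also hard to parse and could be "if something goes wrong with the VPN connection, it is better to end with a network configuration that is more restricted than the one in place before the VPN connection started than with one that is less restricted." The requirement itself would be more testable if it named what must not be left in a weaker state, i.e. the DNS configuration, firewall rules and routing table that clause 4.3.2 says the client modifies. Style: this hunk uses the `> [!note]` alert syntax while the terms clause uses `> NOTE:`; choose one form for the document.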
@@ -458,7 +458,7 @@ The VPN client shall not reduce system security after the end of the VPN connect
Custom VPN clients shall not require permissions that that do not need.
> [!note]
> The VPN product should be able to operate without a wide set of permissions - eg, a VPN does not require access to files/folders (like ~/Downloads) nor would it need access to the local network.
> The VPN product should be able to operate without a wide set of permissions—eg, a VPN does not require access to files/folders (like ~/Downloads) nor would it need access to the local network.
* Reference: TR-CONF
* Objective: Operate on a least privilege principle
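Review bot: the unchanged requirement line "Custom VPN clients shall not require permissions that that do not need" has a doubled "that" and should read "permissions that they do not need"; please fix it in this commit since the note beneath it is being edited. In the rewritten note, "eg," should be "e.g.," and "access to the local network" is ambiguous given that clause 4.3.2 has the client connecting to an exit node over the network; if the intention is the operating-system permission for discovering devices on the LAN (as opposed to ordinary network access), say so explicitly. The example of files/folders would also be clearer if it stated the principle, e.g. "a VPN client does not need access to user files such as ~/Downloads".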