Unverified commit c8b9a8fd, authored by Aki Braun

Update version, v0.1.2

parent ae771677
+26 −31
---
Title: CRA;<br>Essential cybersecurity requirements for Products with digital elements with the function of virtual private network (VPN);<br>CRA VPNs Topic 20
Title: Cybersecurity (CYBER); CRA; Cybersecurity requirements for Virtual Private Networks
Spec Number: 304 620
Version: V0.1.1
Date: 2026-03
Work Item: TC/WI-Number
keywords: CRA
Version: v0.1.2
Date: 2026-03-13
Release: 5
Work Item: DEN/CYBER-EUS-005
keywords: CRA #KEYWORDS#
Copyright Year: 2026
---
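
Review bot: the `keywords: CRA #KEYWORDS#` line in the front matter still carries the template placeholder `#KEYWORDS#`; replace it with the actual keywords or drop it so it does not reach the published header. The version string also switches case between `V0.1.1` and `v0.1.2`, so confirm which form the build tooling expects.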

# Intellectual Property Rights

## Essential patents
Essential patents

IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for **ETSI members and non-members**, and can be found in ETSI SR 000 314: _"Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards"_ , which is available from the ETSI Secretariat. Latest updates are available on the [ETSI IPR online database].
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for **ETSI members and non-members** , and can be found in ETSI SR 000 314: _"Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards"_ , which is available from the ETSI Secretariat. Latest updates are available on the [ETSI IPR online database](ETSI IPR online database).

Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

[ETSI IPR online database]: https://ipr.etsi.org/
Trademarks

## Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

**DECT&trade;**, **PLUGTESTS&trade;**, **UMTS&trade;** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP&trade;**, **LTE&trade;** and **5G&trade;** logo are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M&trade;** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM&reg**; and the GSM logo are trademarks registered and owned by the GSM Association.
**DECT&trade;** , **PLUGTESTS&trade;** , **UMTS&trade;** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP&trade;** and **LTE&trade;** are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M&trade;** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM**&reg; and the GSM logo are trademarks registered and owned by the GSM Association.
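
Review bot: in the Essential patents paragraph, `[ETSI IPR online database](ETSI IPR online database)` uses the link text as its target, so it will not resolve to a URL. Either keep the reference-style link together with the `[ETSI IPR online database]: https://ipr.etsi.org/` definition, or write the inline link with that URL as the target.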

# Foreword

This draft Harmonised European Standard (EN) has been produced by ETSI Technical Committee Cyber Working Group for EUSR (CYBER-EUSR), and is now submitted for the combined Public Enquiry and Vote phase of the ETSI Standardisation Request deliverable Approval Procedure (SRdAP).
This draft Harmonised European Standard (EN) has been produced by ETSI Technical Committee Cyber Security (CYBER), and is now submitted for the combined Public Enquiry and Vote phase of the ETSI Standardisation Request deliverable Approval Procedure (SRdAP).

The present document has been prepared under the Commission's standardisation request C(2025) 618 final to provide one voluntary means of conforming to the requirements of Regulation (EU) No 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
The present document has been prepared under the Commission's standardisation request C(2025)618 [\[i.3\]](#_ref_i.3) to provide one voluntary means of conforming to the requirements of Regulation (EU) 2024/2847 [\[i.1\]](#_ref_i.1) of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828, known as the Cyber Resilience Act (CRA).

Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.

The present document is a deliverable covering Cyber Security (CYBER); Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)
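
Review bot: the last Foreword sentence still names the deliverable "Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)", while the front matter in this same change carries the title `Cybersecurity requirements for Virtual Private Networks`. Align the two, and add the missing full stop at the end of that sentence.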

## Transposition table
_Transposition table_

The Harmonised Standard shall have appropriate transposition periods specified. A Harmonised Standard confers presumption of conformity when it has been published in the Official Journal of the European Union (OJEU) and transposed by a member state.
_The Harmonised Standard shall have appropriate transposition periods specified. A Harmonised Standard confers presumption of conformity when it has been published in the Official Journal of the European Union (OJEU) and transposed by a member state._

The Technical Body may propose different dates to the default ones (3, 6, 18). Technical Bodies who wish to propose different dates are advised to indicate this clearly in the approved committee draft.

+----------------------------------------------------------------+---------------------------------+
| Proposed national transposition dates                          |                                 |
+================================================================+=================================+
+--------------------------------------------------------------+-------------------------------+
|Proposed national transposition dates                                                         |
+:=============================================================+:==============================+
|Date of latest announcement of this EN (doa):                 |3 months after ETSI publication|
+----------------------------------------------------------------+---------------------------------+
| Date of latest publication of new National Standard            |                                 |
+--------------------------------------------------------------+-------------------------------+
|Date of latest publication of new National Standard\          |\                              |
|or endorsement of this EN (dop/e):                            |6 months after doa             |
+----------------------------------------------------------------+---------------------------------+
+--------------------------------------------------------------+-------------------------------+
|Date of withdrawal of any conflicting National Standard (dow):|18 months after doa            |
+----------------------------------------------------------------+---------------------------------+
+--------------------------------------------------------------+-------------------------------+

The Technical Body should advise the ETSI Secretariat if the above default national transposition dates are inappropriate for the particular standard.

# Modal verbs terminology

In the present document "**shall**", "**shall not**", "**should**", "**should not**", "**may**", "**need not**", "**will**", "**will not**", "**can**" and "**cannot**" are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules] (Verbal forms for the expression of provisions).
In the present document "**shall**", "**shall not**", "**should**", "**should not**", "**may**", "**need not**", "**will**", "**will not**", "**can**" and "**cannot** are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules](ETSI Drafting Rules) (Verbal forms for the expression of provisions).

"**must**" and "**must not**" are **NOT** allowed in ETSI deliverables except when used in direct citation.

[ETSI Drafting Rules]: https://portal.etsi.org/Services/editHelp/How-to-start/ETSI-Drafting-Rules
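
Review bot: the modal verbs sentence that uses the inline link reads `"**can**" and "**cannot** are to be interpreted`, which is missing the closing quotation mark after `**cannot**`. On the same line, `[ETSI Drafting Rules](ETSI Drafting Rules)` has the link text as its target; point it at the URL from the `[ETSI Drafting Rules]:` definition or keep the reference-style form.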

# Executive summary

The purpose of this document is to provide essential cybersecurity requirements of a Virtual Private Network product intending to be placed on the European Union market.