@@ -162,35 +162,29 @@ This standard does not apply to products that contain [vertical] or are part of
## 1.1 General
The present document provides security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended main purpose of providing commercial Virtual Private Network (VPN) services for individual consumers. This includes products intended for a single user or home network to securely connect to a public network. The scope applies to:
The present document provides security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended main purpose of providing commercial Virtual Private Network (VPN) services for individual consumers. This includes products intended for a single user or home network to securely connect to a public network.
- Software that operates as a VPN client on a consumer device
- Software that operates as a VPN server, gateway, or concentrator for termination of consumer VPN services.
- Hardware that is commercially available with the main functionality of providing a VPN client, server, or gateway for consumers' VPN services
-<mark>Remote data processing for consumer VPN services</mark>
The scope applies to:
This standard explicitly excludes VPNs used in the industrial OT domain, as mentioned in CRA Annex III Class I important products, which are covered in EN 62443-5-XX.
- Software that operates as a VPN client on a consumer device
- Software that operates as a VPN server or gateway for termination of consumer VPN services
- Remote data processing for consumer VPN services
## 1.2 Products in scope
> Detailed list of things that are in scope, to help manufacturers identify in-scope products. Make the scope as narrow as possible while still covering all products in the vertical. Use the latest draft of the technical descriptions to help. Technical experts are considered to be the authority for interpreting the meaning and definition of technical terms, so use your best technical judgement.
The scope of this part of the standard covers products intended for use by a consumer (a natural person) for non-commercial purposes, with a focus on enhancing personal privacy, bypassing censorship, or accessing geographically-restricted content.
This includes:
- Software:
- VPN client software intended for installation on end-user devices such as mobile phones, tablets, or personal computers. This software typically provides a preconfigured client for a consumer to install.
- Hardware:
- Commercially available hardware with the intended purpose of performing the duties of a VPN client for a home network.
- VPN client software intended for installation on end-user devices such as mobile phones, tablets, or personal computers. This software is typically—but not exclusively—bespoke for a given VPN service with minimal configuration possible by an end user.
- VPN client software intended for installation on home routers. This software is typically bespoke with minimal configuration possible by an end user.
- Remote Data Processing:
- Cloud-based services or remote data processing solutions that are essential for the operation of a consumer VPN service, such as routing to exit nodes or managing user authentication.
This standard explicitly excludes enterprise VPN services and VPNs used in the industrial OT domain.
## 1.3 Products not in scope
> Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope.
This standard explicitly excludes enterprise VPN services and VPNs used in the industrial OT domain.
This list clarifies products and services whose functionality might be confused with the in-scope products of this standard, but which are explicitly excluded due to their primary purpose or operational environment. Referencing the Product Context section, this standard focuses on products and services for individual consumers, not for business or institutional use.
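Review bot: The hardware scope is inconsistent between 1.1 and 1.2 in this hunk: the 1.1 bullet "Hardware that is commercially available with the main functionality of providing a VPN client, server, or gateway for consumers' VPN services" brings server and gateway appliances into scope, but the 1.2 Hardware bullet only lists "hardware with the intended purpose of performing the duties of a VPN client for a home network", so a consumer VPN gateway appliance is in scope by 1.1 yet absent from the enumeration in 1.2; either narrow the 1.1 item to client hardware or add the server/gateway hardware to 1.2. Two further consistency points in the same region: the server-side software item reads "VPN server, gateway, or concentrator" in one list and "VPN server or gateway" in the other, so one term set should be used throughout, and the exclusion sentence in 1.1 names only the industrial OT domain while 1.3 also excludes enterprise VPN services, so 1.1 should state both exclusions or defer to 1.3. Finally, "EN 62443-5-XX" is a placeholder part number and should be resolved or explicitly marked as to-be-determined before this is merged.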