Unverified Commit ba8e69a6 authored by Aki 🌹, committed by Aki Braun

Updating Scope 1.1-1.3 (from rotoloj)

See MR !3
https://forge.etsi.org/rep/cyber/stan4cr2/en-304-620-1/-/merge_requests/3

Updating Section 1.1 Scope
Updating Section 1.2 - Products in Scope
Updating Section 1.3 - Products Not in Scope
parent ed29658c
+26 −7
@@ -162,24 +162,43 @@ This standard does not apply to products that contain [vertical] or are part of

## 1.1 General

The present document describes how to demonstrate compliance with requirements in the EU Regulation 2024/2847 under the conditions identified in Annex <L> of the following types of VPN:
The present document provides security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended main purpose of providing commercial Virtual Private Network (VPN) services for individual consumers. This includes products intended for a single user or home network to securely connect to a public network. The scope applies to:

1)  Software that offers as a VPN client for a commercial VPN service
2) All remote data processing without which the product could not perform ons of its core functions 
- Software that operates as a VPN client on a consumer device
- Software that operates as a VPN server, gateway, or concentrator for termination of consumer VPN services.
- Hardware that is commercially available with the main functionality of providing a VPN client, server, or gateway for consumers' VPN services
- <mark>Remote data processing for consumer VPN services</mark>

This standard explicitly excludes VPNs used in the industrial OT domain, as mentioned in CRA Annex III Class I important products, which are covered in EN 62443-5-XX.

## 1.2 Products in scope

> Detailed list of things that are in scope, to help manufacturers identify in-scope products. Make the scope as narrow as possible while still covering all products in the vertical. Use the latest draft of the technical descriptions to help. Technical experts are considered to be the authority for interpreting the meaning and definition of technical terms, so use your best technical judgement.

- Products which supply a VPN client to an end user and provide servers through which to route user outbound network traffic to a public network
- VPN products intended to increase privacy around network traffic
The scope of this part of the standard covers products intended for use by a consumer (a natural person) for non-commercial purposes, with a focus on enhancing personal privacy, bypassing censorship, or accessing geographically-restricted content.

This includes:

- Software:
  - VPN client software intended for installation on end-user devices such as mobile phones, tablets, or personal computers. This software typically provides a preconfigured client for a consumer to install.
- Hardware:
  - Commercially available hardware with the intended purpose of performing the duties of a VPN client for a home network.
- Remote Data Processing:
  - Cloud-based services or remote data processing solutions that are essential for the operation of a consumer VPN service, such as routing to exit nodes or managing user authentication.

This standard explicitly excludes enterprise VPN services and VPNs used in the industrial OT domain.

## 1.3 Products not in scope

> Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope.

- Products which provide VPN servers with no associated VPN client TODO is this accurate?
- VPN products targeted at companies and IT department with the intention of increasing security without inherent expectation of increased privacy
This list clarifies products and services whose functionality might be confused with the in-scope products of this standard, but which are explicitly excluded due to their primary purpose or operational environment. Referencing the Product Context section, this standard focuses on products and services for individual consumers, not for business or institutional use.

- Enterprise VPNs: Products with an intended purpose of providing a VPN for an organization's workforce or for connecting data centers are not in the scope of this standard, as they are covered in a separate document.
- VPNs for industrial OT domains: Products with digital elements intended for use in the industrial OT (Operational Technology) domain are explicitly excluded from this standard, as their security requirements are covered under a different standard (EN 62443-5-XX).
- Products with a VPN as a component: Products whose core purpose is not a VPN, but which contain VPN functionality, cannot rely on this standard alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client.
- VPN services without a provided client: Commercial actors that provide a VPN service solely by giving users configuration details (e.g., an OpenVPN config file) and do not provide an associated end-user client or managed hardware are not in scope.
- Unsecured network connections: This standard does not apply to software or hardware intended to link two or more networks without implementing a secure connection.

# 2 References
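Review bot: Sections 1.1, 1.2 and 1.3 of this hunk disagree on whether server-side components are in scope: the 1.1 list includes "Software that operates as a VPN server, gateway, or concentrator for termination of consumer VPN services" and hardware providing a "VPN client, server, or gateway", the 1.2 hardware bullet covers only "the duties of a VPN client for a home network", and 1.3 still carries the older item "Products which provide VPN servers with no associated VPN client TODO is this accurate?". Decide one way, align all three lists, and resolve the TODO before merging. Several drafting leftovers also survive the update and should be dropped or resolved: the two ">" blockquotes opening 1.2 and 1.3 are template authoring instructions rather than normative text; the earlier opening sentence with the "Annex <L>" placeholder sits directly above the new 1.1 paragraph; the numbered items "1)" and "2)" ("offers as a VPN client", "ons of its core functions", trailing whitespace) duplicate the bullet list that follows them, including the "<mark>" remote-data-processing bullet; and the old bullets in 1.2 and 1.3 run straight into the new paragraphs without a blank line, so Markdown will render those paragraphs as lazy continuations of the last list item. Finally, the industrial OT exclusion is stated three times (1.1, end of 1.2, 1.3) and the cross-reference "EN 62443-5-XX" is still a placeholder; state it once in 1.3 with the resolved document number.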