Commit 321a50aa authored by Santeri Toikka

Transferring changes to the correct file

parent 3e6484be
+0 −129
@@ -55,151 +55,22 @@ The Technical Body should advise the ETSI Secretariat if the above default natio

# Modal verbs terminology

In the present document "**shall**", "**shall not**", "**should**", "**should not**", "**may**", "**need not**", "**will**", "**will not**", "**can**" and "**cannot**" are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules] (Verbal forms for the expression of provisions).

"**must**" and "**must not**" are **NOT** allowed in ETSI deliverables except when used in direct citation.

[ETSI Drafting Rules]: https://portal.etsi.org/Services/editHelp/How-to-start/ETSI-Drafting-Rules

# Introduction

This document is a European harmonised standard that defines cybersecurity requirements for network management systems.<NOTE: Replace with description of "how to use standard" - if short enough may allow removal of Annex?>

# 1 Scope

The present document specifies technical requirements and corresponding assessment criteria for network management systems related to cybersecurity. The products with digital elements in scope, thereafter "NMS":

* are specified within the "technical description" category of the "product category" number "6" in Annex I of the Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council. [i.2] as: Network Mangement Systems.

* are only covered within the product context described in clause 4 of this document.

In particular the present document specific technical requirements and methods of assessment for: 

> "Products with digital elements that collect information about and allow the configuration of network elements, such as servers, routers, switches, workstations, printers or mobile devices.
>
> This category includes but is not limited to network management systems that can be deployed on premise or on cloud." [i.2]

NMS as defined above is not restricted only to systems that are "internet protocol" (IP) connected. The scope covers all connected elements in the network that are managed. This includes, but is not limited to, Mobile Device Management (MDM) systems and Software Defined Networking.

Personal Area Network (PAN) consumer devices are usually not managed by an NMS, however, if they are capable, a NMS management could control them too, as PAN devices are communication media and can be used for management traffic. In such situations the NMS used often has functions beyond network configuration such as in most Mobile Decive Management systems.

NMS intended for use in the industrial OT (Operational Technology) domain are excluded from the scope of the present document, see prEN 50770 series [i.TKOT].

NMS necessary for extremely high secuirity deployments, such as those designed and developed to be hardened against nation-state and other highly sophisticated attackers are excluded from the scope of the present document.

<Note: This is the shared skeleton Scope with the following changes: "vulnerability handling" reference removed, retained note regarding bluetooth (now called "PAN" to remove TM), added OT exclusion>
<Note: Are we including bleutooth here? We need to make this a bit clearer I think - are we covering MDMs utilizing bluetooth? Do we have a use case for that?>

# 2 References

## 2.1 Normative references

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are necessary for the application of the present document.

<span id="_ref_1"></span><a name="_ref_1">[1]</a> ENISA April 2025 (Version 2.0) "Agreed Cryptographic Mechanisms"

<Note: Deleted Hornizontal Vulnerability Handling as reference per current EC suggestions>

## 2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

<span id="_ref_i.2"></span><a name="_ref_i.2">[i.1]</a>Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2]</a>Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council.
<span id="_ref_i.3"></span><a name="_ref_i.3">[i.3]</a>Standardisation request M/606 - C(2025)618: "Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020and Directive (EU) 2020/1828 (Cyber Resilience Act)".
<span id="_ref_i.4"></span><a name="_ref_i.4">[i.4]</a>[i.4] prEN 40000-1-1: "Cybersecurity requirements for products with digital elements - Vocabulary" [Version and date to be added upon its publication by CEN CENELEC].

<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2tk5]</a> ETSI EN 304 XXX IAM (CEN/TC 224 WG 17 output)

<span id="_ref_i.3"></span><a name="_ref_i.3">[i.3tk6]</a> ETSI EN 304 620 "Virtual Private Networks (VPNs)"

<span id="_ref_i.4"></span><a name="_ref_i.4">[i.4tk7]</a> CEN/CLC EN 50XXX-4 "VPN"

<span id="_ref_i.5"></span><a name="_ref_i.5">[i.5tk8]</a> ETSI EN 304 626 "Essential cybersecurity requirements for operating systems"

<span id="_ref_i.6"></span><a name="_ref_i.6">[i.6tk9]</a> ETSI EN 304 624 "PKIs and certificate issuance software"

<span id="_ref_i.7"></span><a name="_ref_i.7">[i.7tk10]</a> ETSI EN 304 622 "Essential cybersecurity requirements for Security information and event management (SIEM) systems"

<span id="_ref_i.8"></span><a name="_ref_i.8">[i.8tk11]</a> ETSI EN 304 627 "Router, modems and switches"

<span id="_ref_i.9"></span><a name="_ref_i.9">[i.9tk12]</a> ETSI EN 304 642 "Cybersecurity Requirements for Telecommunication Systems"

<span id="_ref_i.10"></span><a name="_ref_i.10">[i.10tk13]</a> [Mitre ATT&CK] framework

<span id="_ref_i.11"></span><a name="_ref_i.11">[i.11 now i.2]</a> EU 2025/2392 Comission implementing regulation on the technical description of the categories of important and critical products with digital elements pursuant to Regulation EU 2024/2847 (CRA)

<span id="_ref_i.12"></span><a name="_ref_i.12">[i.12tk14]</a> ISO/IEC 27000:2018

<span id="_ref_i.13"></span><a name="_ref_i.13">[i.13tk15]</a> NIST SP 800-63B-4 Authentication & Authenticator Management

<span id="_ref_i.14"></span><a name="_ref_i.14">[i.14tk16]</a> prEN 40000-1-1 "Vocabulary" 

<span id="_ref_i.15"></span><a name="_ref_i.15">[i.15tk17]</a> prEN 40000-1-2 "Principles for cyber resilience" <NOTE: Delete unless vocab>


[Mitre ATT&CK]: (https://attack.mitre.org)

<NOTE: Added Defs from shared skeleton and notations to adapt rest of doc>

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms

This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and terms and definitions provided by CEN/CLC EN 18031 series.

For the purposes of the present document, the following terms apply:

1. **Application Programming Interface (API):** interface used to communicate with the running program 
1. **component:** software or hardware intended for integration into an electronic information system
1. **essential requirement:**
1. **Identity Provider (IDP):** system maintaining identity information
1. **Internet Protocol (IP):**
1. **log**: record of an operational event
1. **machine user:** virtual user used to access the system programming interfaces
1. **Mobile Device Management**:
1. **Operating System (OS):** software product that provides an abstract interface to the underlying hardware and control the execution of software
1. **Personal Area Network (PAN):**
1. **Service Requesting Users (<span name="_term_.SRU">SRU</span>):** users relying on the correct functioning of the network element
1. **technical requirement:**
1. **trace**: record of a system status with all relevant data that can be gathered
1. **user:** person having the credentials to login to the NMS to operate administrative actions to control and maintain the managed element

<Note: added spaces for "IP", "PAN", "Technical Requirement" "Essential Requirement" and "Mobile Device Management" from Scope - definitions to be decided. Also made list alphabetical>

## 3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

`2FA    Two Factor Authentication`
`ABAC   Attribute-Based Access Control`
`CRA    Cyber Resilience Act`
`CSP    Communication System Provider`
`ER     Essential Requirement`
`GUI    Graphical User Interface`
`IAM    Identity and Access Management`
`IDP    Identity Provider`
`IP     Internet Protocol`
`NE     Network Element`
`NMS    Network Management System`
`MDM    Mobile Device Management`
`OCI    Open Container Initiative`
`OS     Operating System`
`PAN    Personal Area Network`
`TR     Technical Requirement`
`VPN    Virtual Private Network`
`SDN    Software Defined Networks`
`SIEM   Security Information and Event Management Systems`

<NOTE: Added abbreviations for subject covered in scope>


# 4 Product context

## 4.1 General
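Review bot: this removal takes out the only normative reference in clause 2.1, `[1] ENISA April 2025 (Version 2.0) "Agreed Cryptographic Mechanisms"`, and no hunk in the destination file re-adds it; since the clause states that the documents listed there "are necessary for the application of the present document", confirm the ENISA entry is carried over to clause 2.1 of the target file in the same commit. The open editorial notes deleted with the block (the PAN/Bluetooth scope question, the empty definitions for IP, PAN, Technical Requirement, Essential Requirement and Mobile Device Management, the "Delete unless vocab" note on prEN 40000-1-2) should be tracked in the destination, because only the terms list and the abbreviations reappear there and the notes themselves are dropped.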
+57 −13
@@ -4,8 +4,8 @@ Spec Number: 304 621
Version: vX.Y.Z
Date: 2026-00-00
Release: 5
Work Item: WI-0000
keywords: CRA #KEYWORDS#
Work Item: DEN/CYBER-EUS-009
keywords: CRA, Cybersecurity, Network
Copyright Year: 2026
---

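Review bot: the front matter is only partly completed by this hunk: `Work Item: DEN/CYBER-EUS-009` and `keywords: CRA, Cybersecurity, Network` replace their placeholders, but the unchanged context still carries `Version: vX.Y.Z` and `Date: 2026-00-00`. Either fill those in the same pass or add a comment that they are deliberately left until publication, so the half-filled header is not mistaken for a final one.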
@@ -23,12 +23,14 @@ The present document may include trademarks and/or tradenames which are asserted

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

**DECT&trade;**, **PLUGTESTS&trade;**, **UMTS&trade;** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP&trade;** and **LTE&trade;** are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M&trade;** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM&reg;** and the GSM logo are trademarks registered and owned by the GSM Association.
**DECT&trade;**, **PLUGTESTS&trade;**, **UMTS&trade;** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP&trade;** , **LTE&trade;** and **5G &trade;** logo are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M&trade;** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM&reg;** and the GSM logo are trademarks registered and owned by the GSM Association.

# Foreword

This draft Harmonised European Standard (EN) has been produced by ETSI Technical Committee Cyber Security (CYBER), and is now submitted for the combined Public Enquiry and Vote phase of the ETSI Standardisation Request deliverable Approval Procedure (SRdAP).

It is one of a series of standards prepared under the Commission's standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

The present document has been prepared under the Commission's standardisation request C(2025)618 [\[i.3\]](#_ref_i.3) to provide one voluntary means of conforming to the requirements of Regulation (EU) 2024/2847 [\[i.1\]](#_ref_i.1) of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828, known as the Cyber Resilience Act (CRA).

Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.
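Review bot: the rewritten trademark line has stray spaces around the punctuation in `**3GPP&trade;** , **LTE&trade;** and **5G &trade;** logo`; it should read `**3GPP&trade;**, **LTE&trade;** and **5G&trade;** logo` to match the other marks on the line. The Foreword now also spells out the full CRA title in two consecutive paragraphs ("It is one of a series of standards ..." and "The present document has been prepared under ..."); the second occurrence can be shortened to "Regulation (EU) 2024/2847 [i.1] (Cyber Resilience Act)" since the first already gives the complete title.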
@@ -88,6 +90,14 @@ Further information on guidance for the application of the present document is p

# 1 Scope

The present document specifies technical requirements and corresponding assessment criteria for network management systems related to cybersecurity. The products with digital elements in scope, thereafter "NMS":

* are specified within the "technical description" category of the "product category" number "6" in Annex I of the Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council. [i.2] as: Network Mangement Systems.

* are only covered within the product context described in clause 4 of this document.

In particular the present document specific technical requirements and methods of assessment for:

The present document specifies technical requirements and corresponding assessment criteria for [vertical product category name] related to cybersecurity.
The products with digital elements in scope, thereafter "NMS":

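Review bot: the inserted Scope text leaves the skeleton's own opening in place, so clause 1 now states "The present document specifies technical requirements and corresponding assessment criteria for ..." twice (once for "network management systems", once for the placeholder "[vertical product category name]") and repeats 'The products with digital elements in scope, thereafter "NMS":' as well; remove the skeleton copy so a single bullet list follows the introduction. In the added text, "In particular the present document specific technical requirements" is missing its verb ("specifies"), "Network Mangement Systems" is misspelled, "thereafter" should be "hereafter", and the bare `[i.2]` should use the same `[\[i.2\]](#_ref_i.2)` link form as the other citations in the file.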
@@ -97,6 +107,14 @@ are specified within the "technical description" of the "category of product" nu
>
> This category includes but is not limited to end-to-end management systems and dedicated configuration management systems, such as controllers for software-defined networking.

NMS as defined above is not restricted only to systems that are "internet protocol" (IP) connected. The scope covers all connected elements in the network that are managed. This includes, but is not limited to, Mobile Device Management (MDM) systems and Software Defined Networking.

Personal Area Network (PAN) consumer devices are usually not managed by an NMS, however, if they are capable, a NMS management could control them too, as PAN devices are communication media and can be used for management traffic. In such situations the NMS used often has functions beyond network configuration such as in most Mobile Decive Management systems.

NMS intended for use in the industrial OT (Operational Technology) domain are excluded from the scope of the present document, see prEN 50770 series [i.TKOT].

NMS necessary for extremely high secuirity deployments, such as those designed and developed to be hardened against nation-state and other highly sophisticated attackers are excluded from the scope of the present document.

The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the Regulation (EU) 2024/2847 [\[i.1\]](#_ref_i.1) Annex I Part I under the conditions identified in annex A.

> NOTE: This reduces the scope of the vertical. Full presumption of conformity of the product will be given by complying with both the CRA Vertical standard and PT3, once they are cited in the EUOJ.
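Review bot: the added OT exclusion cites `prEN 50770 series [i.TKOT]`, a working tag that no hunk in this commit adds to clause 2.2 (the reference hunk of this commit adds only i.2tk5, i.6tk9 and i.9tk12), so the citation dangles; add the informative entry and give it a real i.N before merge. The same added paragraphs carry the typos "secuirity" and "Mobile Decive Management", use "a NMS" where "an NMS" is meant, and write "Software Defined Networking" while the quoted category text in the context just above uses "software-defined networking".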
@@ -182,7 +200,11 @@ The following referenced documents may be useful in implementing an ETSI deliver

<span id="_ref_i.17"></span><a name="_ref_i.17">[i.17]</a> Example source for DDoS related threat reports https://radar.cloudflare.com/reports

<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2tk5]</a> ETSI EN 304 XXX IAM (CEN/TC 224 WG 17 output)

<span id="_ref_i.6"></span><a name="_ref_i.6">[i.6tk9]</a> ETSI EN 304 624 "PKIs and certificate issuance software"

<span id="_ref_i.9"></span><a name="_ref_i.9">[i.9tk12]</a> ETSI EN 304 642 "Cybersecurity Requirements for Telecommunication Systems"

# 3 Definition of terms, symbols and abbreviations

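Review bot: the three added references reuse anchor ids that are already taken in the file: `<span id="_ref_i.2"></span><a name="_ref_i.2">[i.2tk5]</a>`, `_ref_i.6` and `_ref_i.9` duplicate the ids of the existing [i.2], [i.6] and [i.9], so a `#_ref_i.2` fragment link will resolve to whichever occurrence comes first. The surrounding context already runs to [i.17]; renumber these as [i.18], [i.19] and [i.20] with matching unique ids, and replace the working tags `i.2tk5`, `i.6tk9`, `i.9tk12` and the `ETSI EN 304 XXX` number before publication.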
@@ -190,15 +212,28 @@ The following referenced documents may be useful in implementing an ETSI deliver

For the purposes of the present document, the terms given in Regulation (EU) 2024/2847 [\[i.1\]](#_ref_i.1), prEN 40000-1-1 [\[i.4\]](#_ref_i.4) and the following apply:

1. **Application Programming Interface (API):** interface used to communicate with the running program
1. **Operating System (OS):** software product that provides an abstract interface to the underlying hardware and that controls the execution of software
2. **Identity Provider (IDP):** system maintaining identity information
3. **Service Requesting Users (<span name="_term_.SRU">SRU</span>):** users relying on the correct functioning of the network element
4. **user:** person having the credentials to login to the NMS to operate administrative actions to control and maintain the managed element
5. **machine user:** virtual user used to access the system programming interfaces
6. **component:** software or hardware intended for integration into an electronic information system
7. **Application Programming Interface (API):** interface used to communicate with the running program
8. **log**: record of an operational event
9. **trace**: record of a system status with all relevant data that can be gathered
1. **Identity Provider (IDP):** system maintaining identity information
1. **Service Requesting Users (<span name="_term_.SRU">SRU</span>):** users relying on the correct functioning of the network element
1. **user:** person having the credentials to login to the NMS to operate administrative actions to control and maintain the managed element
1. **machine user:** virtual user used to access the system programming interfaces
1. **component:** software or hardware intended for integration into an electronic information system
1. **Application Programming Interface (API):** interface used to communicate with the running program
1. **log**: record of an operational event
1. **trace**: record of a system status with all relevant data that can be gathered
1. **Internet Protocol (IP):**
1. **log**: record of an operational event
1. **Mobile Device Management**:
1. **Personal Area Network (PAN):**
1. **Service Requesting Users (<span name="_term_.SRU">SRU</span>):** users relying on the correct functioning of the network element
1. **trace**: record of a system status with all relevant data that can be gathered
1. **user:** not used without defining prefix, see section [4.5 Users](#45-users)

This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and terms and definitions provided by CEN/CLC EN 18031 series.

For the purposes of the present document, the following terms apply:


## 3.2 Symbols

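Review bot: the resulting terms list has duplicate entries with conflicting definitions: `**Application Programming Interface (API):**` appears twice, as do `**log**`, `**trace**` and `**Service Requesting Users**`, and `**user:**` is defined first as "person having the credentials to login to the NMS ..." and later as "not used without defining prefix, see section 4.5 Users". Keep one alphabetical list, decide which definition of "user" stands, and either fill or mark as TBD the empty entries `**Internet Protocol (IP):**`, `**Mobile Device Management**:` and `**Personal Area Network (PAN):**`. The two sentences pasted after the list ("This section provides terms and definitions based on ..." and "For the purposes of the present document, the following terms apply:") belong before it, and the second duplicates the lead-in already present in the context at the top of the hunk.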
@@ -265,12 +300,21 @@ For the purposes of the present document, the abbreviations given in <mark>... d
`NMS    Network Management System`
`2FA    Two Factor Authentication`
`CSP    Communication System Provider`
`SDN    Software Defined Networks`
`ER     Essential Requirement`
`GUI    Graphical User Interface`
`IAM    Identity and Access Management`
`IDP    Identity Provider`
`IP     Internet Protocol`
`NE     Network Element`
`NMS    Network Management System`
`MDM    Mobile Device Management`
`IAM    Identity and Access Management`
`OCI    Open Container Initiative`
`OS     Operating System`
`PAN    Personal Area Network`
`TR     Technical Requirement`
`VPN    Virtual Private Network`
`SDN    Software Defined Networks`
`SIEM   Security Information and Event Management Systems`
`SRU    Service Requesting Users`
`PII    Personally Identifiable Information`
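Review bot: the merged abbreviation list now contains duplicates: `NMS    Network Management System`, `IAM    Identity and Access Management` and `SDN    Software Defined Networks` each appear twice, and the list is no longer alphabetical (MDM after NMS, SDN after VPN, SRU and PII appended at the end). Deduplicate and sort it; `SIEM   Security Information and Event Management Systems` should also be singular to match the other expansions, and the clause lead-in in the hunk header still reads "the abbreviations given in <mark>... d", a placeholder that needs the referenced document filled in.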