Commit 42fba104 authored by August Bournique's avatar August Bournique
Browse files

Changes to implement HAS #99 and clarify risk factor and risk level mapping. ... 

Changes to implement HAS #99 and clarify risk factor and risk level mapping.  Closes HAS 99, #100 and #386
parent 9df6cc98

EN-304-621.md

+1 −6
Original line number Diff line number Diff line
@@ -713,7 +713,7 @@ This section contains technical cybersecurity requirements for the product. Each 
Each requirement has at least one concrete example that satisfies the requirements of the CRA.

Later [Section 5.3 Risk Mitigations](#53-risk-mitigations) combines these general requirements to [Section 4.5 Risk Factors](#45-risk-factors). The Risk Mitigations can include additional topic specific requirements.



When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], [NIS2]

When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], and [NIS2] defines the below risk category low, medium or high to follow. The requirements covering high risks comprise all requirements of the medium and low risk, and, analogously, the requirements from the medium risk comprise also those from the low risk.



For low risk:

- **[REQ-TECH-0]** The product shall be shipped without undocumented interfaces.
@@ -729,11 +729,6 @@ For high risk: 
- **[REQ-TECH-6]** All system clock drifts shall be monitored.

- **[REQ-TECH-7]** The product shall be designed in a way, that all cryptographic keys can be replaced with user controlled keys.



The listed requirement shall be implemented, if the risk of the given factor is defined as follows.

When multiple factors define a different level, the lowest level shall be selected.

A product which risk factor is evaluated to be medium, shall implement both low and medium requirements.

A product which risk factor is evaluated to be high, shall implement all mapped requirements.



### 5.2.1 Secure channel



A **secure channel** referred in [REQ-TECH-2] and used in transportation is a cryptographically protected communication channel, that may be implemented with TLS. When TLS is used, manufacturer shall ensure that the channel uses appropriate cryptographic functions and configuration according to the requirements of the foreseeable use. Manufacturer shall ensure that the channel can not be impaired by downgrading it [i.10].