Commit 787a91c2 authored by Santeri Toikka

Added placeholder for security profile definitions and minor edits

parent be4629a8
+11 −3
@@ -225,6 +225,7 @@ For the purposes of the present document, the following terms apply:
1. **User**: This is the person having the credentials to login to the NMS to operate administrative actions to control and maintain the NE.
1. **Machine User**: A virtual user used to access the system programming interfaces. Often attached with a role based access that is tailored for the need.
1. **Component**: software or hardware intended for integration into an electronic information system
**Application Programming Interface (API):** A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.

## 3.2 Abbreviations

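Review bot: The Application Programming Interface (API) entry at the end of the terms list does not follow the format of the entries above it: it has no `1.` list marker and the colon sits inside the bold markup, so it will render as a loose paragraph after the Component item instead of as a list item. Suggest `1. **Application Programming Interface (API)**: A specification of routines, ...`. The closing sentence refers to "the platform", which is not among the terms visible in this hunk; either define it or drop that sentence. The Machine User entry speaks of "system programming interfaces" and could use the newly defined term so the two definitions line up.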
@@ -251,8 +252,6 @@ For the purposes of the present document, the following abbreviations apply:

## 4.2 Out of scope use/environments

> List uses/environments covered by other legislation or standards (critical, industrial, medical, etc.). Hoping to have a reusable generic list of these soon.

The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by this standard:

1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a href="#_ref_i.1">[i.1]</a>;
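Review bot: The paragraph that now opens 4.2 reads "of the the Regulation (EU) 2024/2847" (doubled article) and "listed in the section" (which section is not stated); since the editorial note above it is being cleaned up here, fix both in the same change, for example "listed in this section do not fall within the scope of Regulation (EU) 2024/2847". In list item 1, "article 3, 2" is ambiguous as a citation; write it in one consistent form so the reference to [i.1] can be checked. The dropped note called for environments covered by other legislation (critical, industrial, medical), so confirm the list that follows covers them before the reminder goes away.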
@@ -530,6 +529,15 @@ The metrics can be for example the last time when the managed element has been s
-   **[RQ-9]**
-   **[RQ-10]**

## 5.3 Risk Mitigations

> **TODO**: Connect the technical security requirements in Section 5.2 to specific Risk Factors, and define these as sets of Risk Mitigations that will be referenced in section 6.


# 6 Security Profiles

## 6.1 General

# Annex A (informative): Mapping between the present document and CRA requirements

> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
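Review bot: The new headings "# 6 Security Profiles" and "## 6.1 General" are left with no body, while 5.3 and Annex A each carry a blockquote explaining what is still to be written; add the same kind of placeholder under 6.1 (what a security profile is and that it references the Risk Mitigations from 5.3) so the commit's stated purpose is visible in the text. In the 5.3 TODO, "Section 5.2" and "section 6" differ in capitalization; pick one form. "Risk Factors" and "Risk Mitigations" are capitalized as defined terms but no definition is visible in this change, so add them to the terms clause or note that as part of the TODO.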