The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format on [ETSI deliver](ETSI deliver) repository.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format on [ETSI deliver] repository.
Users should be aware that the present document may be revised or have its status changed, this information is available in the [Milestones listing](Milestones listing).
Users should be aware that the present document may be revised or have its status changed, this information is available in the [Milestones listing].
If you find errors in the present document, please send your comments to<br/>the relevant service listed under [Committee Support Staff](Committee Support Staff).
If you find errors in the present document, please send your comments tothe relevant service listed under [Committee Support Staff].
If you find a security vulnerability in the present document, please report it through our
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for **ETSI members and non-members** , and can be found in ETSI SR 000 314: _"Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards"_ , which is available from the ETSI Secretariat. Latest updates are available on the [ETSI IPR online database](https://ipr.etsi.org/).
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for **ETSI members and non-members** , and can be found in ETSI SR 000 314: _"Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards"_ , which is available from the ETSI Secretariat. Latest updates are available on the [ETSI IPR online database].
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.
[ETSI IPR online database]:https://ipr.etsi.org/
## Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
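Review bot: removing the `<br/>` in the Committee Support Staff sentence also removed the space, so the new line reads "please send your comments tothe relevant service"; restore it as "comments to the relevant service". The same hunk converts the ETSI deliver, Milestones listing and Committee Support Staff links to reference style (`[ETSI deliver]`, `[Milestones listing]`, `[Committee Support Staff]`), but only `[ETSI IPR online database]:https://ipr.etsi.org/` has a definition here; if the other three are not defined elsewhere in the file they will render as literal bracketed text. The added sentence "If you find a security vulnerability in the present document, please report it through our" also stops before naming the reporting channel.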
@@ -129,33 +135,31 @@ The Technical Body should advise the ETSI Secretariat if the above default natio
# Modal verbs terminology
In the present document "**shall** ", "**shall not** ", "**should** ", "**should not** ", "**may** ", "**need not** ", "**will** ", "**will not** ", "**can** " and "**cannot** are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules](https://portal.etsi.org/Services/editHelp/How-to-start/ETSI-Drafting-Rules)(Verbal forms for the expression of provisions).
In the present document "**shall** ", "**shall not** ", "**should** ", "**should not** ", "**may** ", "**need not** ", "**will** ", "**will not** ", "**can** " and "**cannot** are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules] (Verbal forms for the expression of provisions).
"**must** " and "**must not** " are **NOT** allowed in ETSI deliverables except when used in direct citation.
> A brief summary of the document to help the manufacturer figure out if they need to keep reading or if they should move on to a different document.
The present document is a European harmonised standard that defines cybersecurity requirements for products whose primary purpose is network management system. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act.
The present document is a European harmonised standard that defines cybersecurity requirements for products whose primary purpose is network management system. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <ahref="#_ref_i.1">[i.1]</a>.
# 1 Scope
# 1.1 General
## 1.1 General
The present document describes how to demonstrate compliance with requirements in the EU Regulation 2024/2847 under the conditions identified in Annex <III> of network management systems, within the context described in section 4, Product Context.
# 1.2 Products in scope
> Detailed list of things that are in scope, to help manufacturers identify in-scope products. Make the scope as narrow as possible while still covering all products in the vertical. Use the latest draft of the technical descriptions to help. Technical experts are considered to be the authority for interpreting the meaning and definition of technical terms, so use your best technical judgement.
## 1.2 Products in scope
This standard applies to Network management systems Products with digital elements that manage IP-connected network elements, such as servers, routers, switches, workstations, printers or mobile devices, by tracking them and controlling their network configuration.
This category includes but is not limited to end-to-end management systems and dedicatedconfiguration management systems, such as controllers for software-defined networking.
# 1.3 Products not in scope
## 1.3 Products not in scope
> Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope.
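Review bot: several markup and wording defects in this hunk. `<ahref="#_ref_i.1">[i.1]</a>` needs a space (`<a href="#_ref_i.1">`) or the tag is not parsed; both the old and the new modal-verbs sentence lack the closing quote after `**cannot**` ("**cannot** are to be interpreted"); "Annex <III>" will be treated as an HTML tag and dropped by most renderers, so write "Annex III"; "products whose primary purpose is network management system" needs an article or rewording; "Network management systems Products with digital elements" in 1.2 reads as two fragments run together; and "dedicatedconfiguration" is missing a space. The heading level corrections (`# 1.1 General` to `## 1.1 General`, and likewise for 1.2 and 1.3) look right. ETSI deliverables also refer to "clause 4", not "section 4".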
@@ -391,7 +395,7 @@ Only products, which implement high risk profile can be offered for an entity cl
| Medium | NIS2 important |
| High | NIS2 critical |
## 4.6 Essential functions
## 4.7 Essential functions
> List the essential functions of the product, including:
>
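Review bot: renumbering `## 4.6 Essential functions` to `## 4.7 Essential functions` (and 4.7 to 4.8, 4.8 to 4.9 in the following hunks) shifts every clause after the inserted one, but no cross-reference is updated anywhere in this change; check that citations of clause 4.x elsewhere in the document, including the "Section 4.2" reference in the Operational Environment drafting note, still point at the intended clause after the shift.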
@@ -406,7 +410,7 @@ Only products, which implement high risk profile can be offered for an entity cl
<mark>FIXME more use-based functions</mark>
## 4.7 Operational Environment
## 4.8 Operational Environment
> Describe the expected operating environment given the exclusions in Section 4.2. This includes:
>
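Review bot: `<mark>FIXME more use-based functions</mark>` survives in the Essential functions clause after the renumber; either fill in the missing functions or track the gap in an issue so a highlighted FIXME does not ship in the draft. In the drafting note, "Section 4.2" should read "clause 4.2" to match ETSI usage, and since clauses are being renumbered in this change, confirm 4.2 is still the clause that holds the exclusions.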
@@ -422,7 +426,7 @@ Only products, which implement high risk profile can be offered for an entity cl
The technical requirements of the present document apply under the environmental profile for operation of the product with digital elements, which shall be in accordance with its intended use. The product with digital elements shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.
## 4.8 Users
## 4.9 Users
> Describe the classes of users for this product, as differentiated by sophistication in understanding and taking responsibility for security risks. More sophisticated users can be expected to follow more instructions and cope with higher levels of unmitigated risks. Suggestions:
>
@@ -524,7 +528,13 @@ The following security functionalities are handled by other systems:
## C.3 Assumptions
> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases.
> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough, but what risks can this product mitigate, and what must it delegate to other components or the operational environment? Some potential examples:
>
> - An antivirus product assumes the operating system is not already compromised
> - No one will unplug the computer
> - The Baseboard Management Controller is not malicious
>
> Assumptions may vary by use case. For example, for a VPN, if the use case is protecting from a state actor, then you must assume focused, specific surveillance of all of the user's network traffic. If the use case is downloading a TV show only available in another country, you can assume that no one is analyzing the user's traffic.
- Proper platform
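Review bot: the expanded C.3 drafting note now asks authors which risks the product delegates to other components or the operational environment, but the only actual assumption below it, "- Proper platform", is a bare label; each listed assumption should state what is relied on and which threats it therefore removes from the risk analysis, in the style of the note's own examples ("An antivirus product assumes the operating system is not already compromised"). The VPN example is a good illustration of assumptions varying by use case; consider labelling the three bullet examples with the kind of assumption each represents (platform integrity, availability, trusted hardware component) so the categories being illustrated are explicit.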
@@ -595,7 +605,7 @@ The annex shall have a table for a clear indication of correspondence between no
> **EXAMPLE for a table:**
**Table A.1: Relationship between the present document and<br />the requirements of EU Regulation 2024/2847**<aname="table_A.1"></a>
**Table A.1: Relationship between the present document and<br />the requirements of EU Regulation 2024/2847**<ahref="#table_A.1"></a>
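Review bot: changing `<aname="table_A.1"></a>` to `<ahref="#table_A.1"></a>` removes the anchor target instead of fixing it: `href="#table_A.1"` creates an empty link pointing at an id that no longer exists, so cross-references to Table A.1 will break. The intended fix is `<a name="table_A.1"></a>` (or `<a id="table_A.1"></a>`) with the missing space after `a`, since the original also lacked the space and would not have been parsed as a tag.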