Commit 988b9299 authored by Santeri Toikka's avatar Santeri Toikka

RDPS clause 4 and 5 preparation

parent 0acc8775
+34 −20
@@ -174,13 +174,11 @@ The following referenced documents may be useful in implementing an ETSI deliver

<span id="_ref_i.10"></span><a name="_ref_i.10">[i.10]</a> [Mitre ATT&CK](https://attack.mitre.org) framework

<span id="_ref_i.11"></span><a name="_ref_i.11">[i.11]</a> EU 2025/2392 Comission implementing regulation on the technical description of the categories of important and critical products with digital elements pursuant to Regulation EU 2024/2847 (CRA)

<span id="_ref_i.12"></span><a name="_ref_i.12">[i.12]</a> ISO/IEC 27000:2018

<span id="_ref_i.13"></span><a name="_ref_i.13">[i.13]</a> NIST SP 800-63B-4 Authentication & Authenticator Management

<span id="_ref_i.16"></span><a name="_ref_i.16">[i.16]</a> Directive (EU) 2022/2555 of the European Parliament and the council and (EU) 2024/2690 European Commission implementing regulation
<span id="_ref_i.16"></span><a name="_ref_i.16">[i.16]</a> [Directive (EU) 2022/2555](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) of the European Parliament and the council and (EU) 2024/2690 European Commission implementing regulation

<span id="_ref_i.17"></span><a name="_ref_i.17">[i.17]</a> Example source for DDoS related threat reports https://radar.cloudflare.com/reports

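Review bot: the reference numbering in this block jumps from [i.13] to [i.16], so [i.14] and [i.15] are either missing or the list should be renumbered to stay contiguous; the hunk only adds the hyperlink to [i.16] and does not address the gap. In the same pass, the context line for [i.11] reads "Comission implementing regulation" (Commission), "the council" in [i.16] should be "the Council" as part of the institution's name, and the reference style is inconsistent: [i.10] and the new [i.16] are markdown links while [i.17] is a bare URL, so suggest writing [i.17] as `[https://radar.cloudflare.com/reports](https://radar.cloudflare.com/reports)` or dropping the links throughout.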
@@ -331,7 +329,7 @@ Network functions management inherits the essential functions listed [4.1 Produc
* Produce and rely monitoring data for security and operational analysis
* Provide execution environment for 3rd. party applications and workloads

## 4.1.2 Software defined networks
## 4.1.2 Software defined networks management

Supporting use-cases:

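Review bot: renaming the 4.1.2 heading changes its generated anchor from `#412-software-defined-networks` to `#412-software-defined-networks-management`. The document links sibling headings by such slugs (`#411-network-functions-management` in this hunk header, `#413-ecosystem-management` and `#414-ict-device-management` in later hunks), so any existing link to the old 4.1.2 slug needs updating in the same commit, otherwise it will silently resolve to nothing.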
@@ -499,16 +497,22 @@ When a single device is compromised, the exposure is limited to the devices in t

#### 4.2.1.x Devices using provided connectivity

Relying on provided connectivity is more common for devices that are part of some [ecosystem](#413-ecosystem-management) where the main function of the device is not to serve Service Requesting Users with connectivity, but to provide the user higher level application features.
Relying on provided connectivity is common for devices that are part of some [ecosystem](#413-ecosystem-management) where the main function of the device is not nessesarily to serve Service Requesting Users with connectivity, but to provide the user higher level application features.

Provided connectivity is also used with [ICT device management](#414-ict-device-management), where the management control can vary between partial OS configuration to full ownership.

The product control therefore does not extend to the surrounding network.
Part of the initialisation of the device is to configure local network access for example when wireless access is used.

The devices can be like:

1. Simple embedded device (coffee machine, fridge, toaster, lightbulb, thermostat)
2. Commercial system monitors (fridge temperature)
3. Entertainment devices (streaming devices, game consoles)
1. Simple embedded device like coffee machines, fridges, toasters, lightbulbs and thermostats
2. Commercial system monitors like fridge temperature sensonrs
3. Entertainment devices like streaming devices and game consoles
4. ICT devices like phones, tablets, laptops and other mobile devices
5. Office equipment like printers and meeting systems



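Review bot: the new sentence introduces a spelling error, "nessesarily" should be "necessarily", and new list item 2 has "sensonrs" for "sensors". The heading still carries the placeholder number `4.2.1.x`, which should be assigned before merge, and the lead-in "The devices can be like:" reads awkwardly; suggest "Typical devices include:". The three blank lines before `#### 4.2.2 Controller design` can be collapsed to one.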
#### 4.2.2 Controller design

@@ -528,7 +532,7 @@ All of the following affects the risk likeliness and impact:
* How many product users a single product deployment controls? (system isolation)
  * Single product user
  * Multiple product users
* What is the product's main function?
* What is the product's main purpose?
  * Provide connectivity to Service Requesting Users by [managing the network functions](#411-network-functions-management)
  * [Control the ecosystem](#413-ecosystem-management) by providing configuration to application workloads
  * Manage connected [ICT devices](#414-ict-device-management)
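Review bot: "main purpose" is the better word, but the unchanged question two lines above, "How many product users a single product deployment controls?", is not well formed and sits in the same list; suggest "How many product users does a single product deployment control?" so the list reads consistently.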
@@ -536,7 +540,7 @@ All of the following affects the risk likeliness and impact:
* How many devices are managed for a single product user?
* How complex are the managed devices?
* Is the managed device control complete or partial?
* What is the role of services that are [implemented as RDPS](#) and therefore partially external to this document?
* What is the role of services that are [implemented as RDPS](#44-distribution-of-security-functions) and therefore partially external to this document?

### 4.2.3 Applying encryption in RFC 1122

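Review bot: the link target now resolves to `#44-distribution-of-security-functions`, which follows the slug convention used elsewhere in the document, but please confirm the 4.4 heading text is exactly "Distribution of security functions" so the slug resolves. Visible in the trailing context: `### 4.2.3 Applying encryption in RFC 1122` is at heading level 3 while `#### 4.2.2 Controller design` in the previous hunk is at level 4, so one of the two subclauses is at the wrong depth.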
@@ -696,20 +700,23 @@ An NMS can be formed by a compilation or collaboration of different subsystems i
The security functions may be implemented inside one or more of the subsystems that form the NMS.
The NMS can thereby be operated by an OS package manager or other systems which also belong to the NMS and are in scope of the present standard.

The NMS documentation shall clarify whether a security requirement is <mark>Note: move this shall to chapter 5</mark>
Where the product relies on a remote data processing solution (RDPS) for the provision or support of one or more product functions, such reliance introduces a product-facing RDPS boundary between the local product side and the RDPS side.
The applicability of the supplementary requirements specified in Annex R should be considered in accordance with the requirement-applicability provisions of Clause 5.

1. completed fulfilled by the NMS itself,
1. where it relies on support from external services and
1. to which extent it is dependent on an external service.
> NOTE: Annex R applies to the product-facing RDPS boundary and to the RDPS-dependent product function. It does not replace the requirements applicable to the product function as such.

### 4.4.1 External security functions, not in scope of the present document
### 4.4.1 Ancillary functionality

The following cybersecurity functionalities can be handled from components outside the product:
The following functionalities can be implemented as part of the product or addressed as RDPS:

* From external provided updates on secured channels that the product uses to update the managed elements and also itself.
* **Identity management systems** that provide mechanisms for identification and authentication. The system can include also the lifecycle management for identity credentials [\[i.2\]](#_ref_i.2)
* **Virtual Private Network** providing access to a physical or virtual established network of managed devices that have strictly controlled access to authorised functions of the product. [\[i.3\]](#_ref_i.3) [\[i.4\]](#_ref_i.4)
* **Identity management systems** that provide mechanisms for identification and authentication. The system can include also the lifecycle management of identity credentials [\[i.2\]](#_ref_i.2)
* **Provision of cryptographic keys** coming from a public key infrastructure or other key management system for services of key generation, provision, establishment, and for certificate services such as generation, signing, verification, validation or withdrawal. [\[i.6\]](#_ref_i.6)
* **Monitoring data processing** that filters, aggregates and transforms metrics, logs, events, traces and provides adminstrative visiblity to the system operation.

### 4.4.2 Related core functionalities

* **Virtual Private Network** providing access to a physical or virtual established network of managed devices that have strictly controlled access to authorised functions of the product. [\[i.3\]](#_ref_i.3) [\[i.4\]](#_ref_i.4)
* **Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the product features [\[i.7\]](#_ref_i.7)
* **Physical and virtual network interfaces** on the NMS-host and not used or accessed by users for the operation of the NMS.
* **Operating systems** Operating systems that act as abstraction layer for the hardware system(s) that host the product and are otherwise not involved in the internal functioning. [\[i.5\]](#_ref_i.5)
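Review bot: the removed bullet on externally provided updates over secured channels has no counterpart in either the new 4.4.1 or 4.4.2 list, so secure update delivery silently drops out of the functionalities that may be addressed as RDPS; if that is intended it should be stated, otherwise re-add it under 4.4.1. Moving the "shall clarify" sentence and its three-item list to clause 5 is the right call, but the new 4.4 paragraph and the NOTE mention Annex R without a link, while the clause 5 hunk links it as `#annex-r-normative-additional-provisions-for-products-relying-on-remote-data-processing-solutions-rdps`; use the same link here. Minor, in lines touched or adjacent: "can include also the lifecycle management of identity credentials" reads better as "can also include the lifecycle management of identity credentials", and the unchanged "Monitoring data processing" bullet has "adminstrative visiblity" (administrative visibility).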
@@ -717,9 +724,9 @@ The following cybersecurity functionalities can be handled from components outsi

Furthermore, it is essential to detail the generation and establishment of the trust relations between the NMS and the essential external services and systems.

### 4.4.2 Security functions provided to other products
### 4.4.3 Security functions provided to other products

NSM can provide the following services to 3rd. party applications and for the connected devices:
The product can provide the following services to 3rd. party applications and connected devices:

* Access to the collected data sets; raw or enriched.
* PKI services for the devices acting as Certificate Authority [CA]
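Review bot: the changed line switches from "NSM" to "The product" while the unchanged sentence two lines above still says "between the NMS and the essential external services and systems"; either term is fine but the subclause should use one consistently. Minor: "3rd. party" should be "third-party" (or "3rd party" without the period) here, and the same form appears in the 4.1 hunk ("3rd. party applications and workloads").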
@@ -979,6 +986,13 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

<mark>Editor’s Note: It is not adequate to normatively reference prEN 40000-1-2 (PT1) to fulfil this requirement.</mark>

* **CYB_GENERAL_1**: The product shall define whether a service is completed fulfilled by the product itself or expected to integrated into in operative environment.
* **CYB_GENERAL_2**: The product shall define where it relies on existense of external services.
* **CYB_GENERAL_3**: The product shall define how it dependent on RDPS.
* **CYB_RDPS_1**: Where the product relies on a remote data processing solution (RDPS) for the provision or support of one or more product functions, the product shall satisfy the applicable requirements specified in Annex R.

[Annex R](#annex-r-normative-additional-provisions-for-products-relying-on-remote-data-processing-solutions-rdps) specifies supplementary requirements for the product-facing RDPS boundary and does not replace the requirements applicable to the product function as such.

## 5.3 No known exploitable vulnerabilities

This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 1 (2) (a).
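Review bot: the new requirement texts will be read normatively and carry grammatical errors that change how they parse, so they need fixing before merge: CYB_GENERAL_1 "completed fulfilled by the product itself or expected to integrated into in operative environment" should read "completely fulfilled by the product itself or expected to be integrated into the operative environment"; CYB_GENERAL_2 "existense" is "existence"; CYB_GENERAL_3 "how it dependent on RDPS" is "how it depends on an RDPS". CYB_GENERAL_1 to 3 restate the three-item list removed from clause 4.4, which is consistent with the earlier hunk, but only CYB_RDPS_1 points at Annex R; consider whether CYB_GENERAL_3, which is about RDPS dependency, should reference it too. The editor's note about prEN 40000-1-2 directly above these requirements is still open.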