Commit aec89aac authored by Santeri Toikka

Refactored risk levels

parent e7b2a5e1
+95 −60
@@ -37,6 +37,7 @@ Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br />
Siret N° 348 623 562 00017 - APE 7112B<br />
Association à but non lucratif enregistrée à la<br />
Sous-préfecture de Grasse (06) N° w061004871<br />

</div>

<br />
@@ -244,25 +245,25 @@ For the purposes of the present document, the following abbreviations apply:

The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by this standard:

1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a name="_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a name="_ref_i.1">[i.1]</a>;
3. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <a name="_ref_i.1">[i.1]</a>;
4. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <a name="_ref_i.1">[i.1]</a>;
5. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <a name="_ref_i.1">[i.1]</a>;
6. Vehicles, including aviation and marine equipment as defined in CRA recital 27; article 2, 2.c "vehicles"; recital 27; article 2, 3 "aviation"; article 2, 4 "marine equipment" <a name="_ref_i.1">[i.1]</a>;
7. Spare and used parts as defined in CRA recital 29; article 2, 6 <a name="_ref_i.1">[i.1]</a>;
8. Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42 <a name="_ref_i.1">[i.1]</a>;
1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a href="#_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a href="#_ref_i.1">[i.1]</a>;
3. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <a href="#_ref_i.1">[i.1]</a>;
4. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <a href="#_ref_i.1">[i.1]</a>;
5. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <a href="#_ref_i.1">[i.1]</a>;
6. Vehicles, including aviation and marine equipment as defined in CRA recital 27; article 2, 2.c "vehicles"; recital 27; article 2, 3 "aviation"; article 2, 4 "marine equipment" <a href="#_ref_i.1">[i.1]</a>;
7. Spare and used parts as defined in CRA recital 29; article 2, 6 <a href="#_ref_i.1">[i.1]</a>;
8. Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42 <a href="#_ref_i.1">[i.1]</a>;

The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a name="_ref_i.1">[i.1]</a> and can only be partially covered by this standard.
The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard.

9. High Risk AI as defined in CRA recital 51; article 12 <a name="_ref_i.1">[i.1]</a>;
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a name="_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a name="_ref_i.1">[i.1]</a>.
9. High Risk AI as defined in CRA recital 51; article 12 <a href="#_ref_i.1">[i.1]</a>;
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a href="#_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a href="#_ref_i.1">[i.1]</a>.

The following are products and features are covered by separate standard.

12. Topics covered in "Cybersecurity Requirements for Telecommunication Systems" <a name="_ref_i.9">[i.9]</a>;
13. That CEN/CLC industrial network management systems stuff under EN-204-621b <a name="_ref_i.4">[i.4]</a>; <mark>define better</mark>
12. Topics covered in "Cybersecurity Requirements for Telecommunication Systems" <a href="#_ref_i.9">[i.9]</a>;
13. That CEN/CLC industrial network management systems stuff under EN-204-621b <a href="#_ref_i.4">[i.4]</a>; <mark>define better</mark>

## 4.3 Product overview and architecture

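Review bot: the typo "modifiedas" in item 8 ("have not been substantially modifiedas defined in recitals 39 - 42") is carried over unchanged into the rewritten line; while these lines are touched, also fix "the the Regulation (EU) 2024/2847" in the introductory sentence and the sentence "The following are products and features are covered by separate standard." (suggest "The following products and features are covered by a separate standard."). Replacing every `<a name="_ref_i.1">` with `<a href="#_ref_i.1">` is the right change, since the old markup defined the same anchor repeatedly instead of linking to the reference entry; item 13 still carries the `<mark>define better</mark>` placeholder and the informal wording "That CEN/CLC industrial network management systems stuff", which should be resolved before the draft circulates.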
@@ -285,6 +286,8 @@ The main functionality of a NMS is to interface and manage Routers and Modems.

> Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same for two use cases, then it is basically the same use case for the purposes of the present document. Use cases should include both intended and reasonably foreseeable use/misuse. Use cases don't include industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc.

This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. Each use case is mapped to a security level, which is a collection of risks and the security requirements necessary to mitigate them.

> When you have many use cases, group them into 3 - 5 levels of risk. These will probably be your security levels.

Manufacturer shall delcare what risk profile it's product is meant to be evaluated at.
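Review bot: the new guidance "group them into 3 - 5 levels of risk. These will probably be your security levels." uses "levels of risk" and "security levels" as synonyms, while the trailing context line "Manufacturer shall delcare what risk profile it's product is meant to be evaluated at." speaks of a "risk profile" and the rest of this commit renames 4.5 to "Risk factors" and introduces "security profiles" in its quote block; settle on one term for the thing the manufacturer declares and one for the derived level. In the same context line, "delcare" should read "declare" and "it's" should read "its".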
@@ -295,11 +298,13 @@ Aggregate product can have components, like OS and virtual networking interfaces

Manufacturer shall be responsible of implementing all security measurments regardless of what subcomponents are in use.

### 4.4.1 Low risk deployment
### 4.4.1 Distributed deployment

-   Distributed element design
-   Insignificant ammount of interconnectivity within the network elements
-   Lesser importance with the device functionality and role in the deployment context
-   Isolated management system design
-   Pocket deployments with high independency

Devices are limited in functionality like:

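Review bot: renaming "4.4.1 Low risk deployment" to "4.4.1 Distributed deployment" changes what the section classifies (topology rather than risk), but the bullet list that follows still mixes topology ("Distributed element design", "Isolated management system design") with risk statements ("Lesser importance with the device functionality and role in the deployment context"); since risk is now derived from the factors in 4.5, keep only the use-case characteristics here and let the 4.5 table carry the risk. The added bullet "Pocket deployments with high independency" is unclear (perhaps "Small, self-contained deployments with a high degree of independence"). Typos in the hunk: "ammount" in "Insignificant ammount of interconnectivity", "measurments" and "responsible of implementing" (should be "responsible for implementing") in the context line.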
@@ -311,7 +316,7 @@ The affected user base is small like in:
1. IoT network elements in a small deployment
1. Single home network deployment

#### IoT network with monitoring data collection
#### 4.4.1.1 IoT network with monitoring data collection

![IoT network with monitoring data collection](./media/2025-08-10_iot.drawio.png)

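Review bot: the section number is being hardcoded into the heading text ("#### 4.4.1.1 IoT network with monitoring data collection"), and the same manual numbering produces two "### 4.5.1" headings later in this commit; if the build tooling can number headings, rely on it, otherwise add a check that section numbers are unique and sequential. The mapping table added in 4.5 refers to this section as "[4.4.1.1 IoT network with monitoring data collection]", which only renders as a link if a matching link definition or anchor exists, so confirm how these cross-references are resolved.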
@@ -321,7 +326,7 @@ initialize the mutual authentication and authorization between the device and th

User can pair the device to own account, and see the device listed in the application.

#### Home network deployment
#### 4.4.1.2 Home network deployment

![Home network deployment](./media/2025-08-10_homenetwork.drawio.png)

@@ -330,29 +335,30 @@ The secrets seeding is done as part of the initialization of the device. Device

There can be multple devices in the same network, and the NMS provides supporting services like DHCP and DNS caching.

### 4.4.2 Medium risk deployment
### 4.4.2 Multi-user deployment

-   Converged network design
-   Often more than one installation site
-   High number of elements
-   Significant size of affected user base

#### Office network
#### 4.4.2.1 Office network

![Office network](./media/2025-08-10_office.drawio.png)

### 4.4.3 High risk deployment
#### 4.4.2.2 Waste management

-   High number of elements
-   Significant size of affected user base
<mark>Draw somethign nice</mark>

#### Telecom network
#### 4.4.2.3 Telecom network

![Telecom network](./media/2025-08-10_telco.drawio.png)

-   Large enterprice network

## 4.5 Security levels
## 4.5 Risk factors

> List the security levels and the use cases that correspond to them.
> List the security profiles and the use cases that correspond to them.

For each network management system placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the network management system, and shall consider the interplay between:

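Review bot: demoting "Telecom network" from the removed "4.4.3 High risk deployment" to "#### 4.4.2.3 Telecom network" under "Multi-user deployment" groups the use case that the new 4.5 table rates highest on every factor (AUSR-L-2, COM-L-3, EXP-L-2, SEC-5) with office networks, while the bullets kept for 4.4.2 ("High number of elements", "Significant size of affected user base") no longer distinguish it; either keep a separate use-case group for operator-scale deployments or drop the grouping and let the table alone express the ordering. The new "#### 4.4.2.2 Waste management" section consists only of the placeholder "<mark>Draw somethign nice</mark>" yet is already assigned risk factor levels in the table below; add at least a short description of the deployment (which elements, who the users are, what NIS2 classification applies) before mapping it. The bullet "-   Large enterprice network" after the telecom figure is now a one-item list with no introducing sentence. Typos: "multple", "somethign", "enterprice"; and the quote block now says "security profiles" while the new 4.6 heading says "Security levels".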
@@ -360,40 +366,62 @@ For each network management system placed on the market, the manufacturer shall
-   likelihood of an incident, given the forseeable use
-   impact of an incident, given the forseeable use

The security level requirements reflects the intented deployment of the NMS.
The functionality requirements are cumulative.
High risk deployment shall implement the lower risk functionalities.
The security profile requirements reflects the intented deployment of the NMS.

| ID  | Deployment risk | Required functionality                        |
| --- | --------------- | --------------------------------------------- |
| L-0 | Low             | Adequate authorization                        |
| L-1 | Medium          | IDP with 2FA                                  |
| L-2 | High            | Low and medium level functionality. SIEM, PKI |

### 4.5.1 Evaluating product security level
### 4.5.1 List of risk factors

The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below.
These risks are grouped into risk categories and assigned unique identifiers below.

-   Number of affected Users

    -   **Rationale**: the affected user base should be accounted for in the risk calculation
    -   **Rationale**: the affected user base should be accounted for in the risk definition
    -   **[AUSR-L-0]** single household or a small business
    -   **[AUSR-L-1]** medium or large sized company with possibly multiple operation sites
    -   **[AUSR-L-2]** local CSP

    -   **[AUSR-L-0-RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
    -   **[AUSR-L-1-RQ-1]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
    -   **[AUSR-L-2-RQ-1]**
-   Complexity of managed network element implementation

    -   **[COM-L-0]** Minimal features to collect and send data to NMS
    -   **[COM-L-1]** Some simple features to enable basic networking like firewall, DHCP
    -   **[COM-L-2]** Dynamic routing table modifications or exposed connectivity services like VPN
    -   **[COM-L-3]** Complex network element performing

-   Security expectations of intented network segment operation
    -   **Rationale**: NIS2 identifies entities that require higher level of protection
    -   **[EXP-L-0]** Undefined
    -   **[EXP-L-1]** NIS2 important entity
    -   **[EXP-L-2]** NIS2 critical entity

### 4.5.2 Availability for market
### 4.5.1 Mapping of use cases to risk factors and security levels

Only products, which implement high risk profile can be offered for an entity classified as NIS2 critical.
| Use case                                              | AUSR       | COM       | EXP       | Sec Lev |
| ----------------------------------------------------- | ---------- | --------- | --------- | ------- |
| [4.4.1.1 IoT network with monitoring data collection] | [AUSR-L-0] | [COM-L-0] | [EXP-L-0] | SEC-1   |
| [4.4.1.2 Home network deployment]                     | [AUSR-L-0] | [COM-L-1] | [EXP-L-0] | SEC-2   |
| [4.4.2.1 Office network]                              | [AUSR-L-1] | [COM-L-2] | [EXP-L-0] | SEC-3   |
| [4.4.2.2 Waste management]                            | [AUSR-L-1] | [COM-L-2] | [EXP-L-1] | SEC-4   |
| [4.4.2.3 Telecom network]                             | [AUSR-L-2] | [COM-L-3] | [EXP-L-2] | SEC-5   |

| Deployment risk | Market               |
| --------------- | -------------------- |
| Low             | Not targeted by NIS2 |
| Medium          | NIS2 important       |
| High            | NIS2 critical        |
## 4.6 Security levels

### 4.6.1 General

Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.

### 4.6.2 Mapping of security level to risk factors

Security levels are associated with sets of risk factor levels.

> FIXME add security requirements when they exist

| Security level | AUSR | COM | EXP |
| -------------- | ---- | --- | --- |
| SEC-1          |      |     |     |
| SEC-2          |      |     |     |
| SEC-3          |      |     |     |
| SEC-4          |      |     |     |
| SEC-5          |      |     |     |

## 4.7 Essential functions

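Review bot: two headings in this hunk are numbered "### 4.5.1" ("List of risk factors" and "Mapping of use cases to risk factors and security levels"); the second should be 4.5.2. Dropping "The functionality requirements are cumulative." and "High risk deployment shall implement the lower risk functionalities." removes the only statement that a higher level includes the requirements of the lower ones; with SEC-1 to SEC-5 now assigned one per use case, state explicitly whether SEC-n inherits the requirements of SEC-(n-1), otherwise the empty 4.6.2 table cannot be filled consistently. Removing "Only products, which implement high risk profile can be offered for an entity classified as NIS2 critical." together with the Deployment risk / Market table also removes the one normative market-availability rule; EXP-L-1 and EXP-L-2 only name factor levels and do not restate it, so if the rule is meant to survive it needs a new home (4.6 would fit). Further points in the added lines: "**[COM-L-3]** Complex network element performing" is cut off mid-sentence; "**[AUSR-L-2-RQ-1]**" is empty; "**[EXP-L-0]** Undefined" could reuse the wording of the removed table ("Not targeted by NIS2") so that the level is testable; the table cells "[AUSR-L-0]", "[COM-L-0]" and the use-case names are reference-style link syntax with no definitions and will render as literal brackets unless anchors are added; and since the 4.5 table already fixes one SEC level per factor combination, consider defining each SEC level in 4.6.2 as thresholds on AUSR, COM and EXP so that a new use case can be classified without editing both tables. Wording: "forseeable" (twice), "intented", "The security profile requirements reflects" should be "reflect".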
@@ -403,10 +431,13 @@ Only products, which implement high risk profile can be offered for an entity cl
> -   How its functions are configured?
> -   How it keeps itself secure and functioning?

-   Network element configuration
-   Network element configuration and change management
-   Role based access control
-   Performance metrics assuring that the operation of the network is in the nominal levels
-   Fault discovery
-   Dynamic routing and switching control based on requests. Used extensively with Software Defined Networks.
-   Device discovery
-   Device inventory management

<mark>FIXME more use-based functions</mark>

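Review bot: the added items "Fault discovery", "Device discovery" and "Device inventory management" answer the first guiding question above ("How its functions are configured?") but nothing new is added under "How it keeps itself secure and functioning?", which "Role based access control" alone does not cover; if that question is meant to be answered in 4.10 instead, say so here. The item "Dynamic routing and switching control based on requests. Used extensively with Software Defined Networks." overlaps with the COM-L-2 risk factor "Dynamic routing table modifications", which describes the managed element; make clear that this entry is the NMS-side control function so the two are not confused. Minor: "in the nominal levels" should read "at nominal levels", and the "<mark>FIXME more use-based functions</mark>" placeholder is still present.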
@@ -450,23 +481,23 @@ A NMS is often a compilation of different subsystems performing the task of the
>
> For example, most individual hardware components do not have a built-in method of securely updating any firmware in the product. Usually this requires a full-featured system running an operating system which can check for firmware updates, download and verify them, and carry out the process of updating the firmware.



### 4.10.2 Security functions provided outside the product

> Describe what security functions are delegated to other components.

The following security functionalities may be handled by other components in the system:

-   Secure update of firmware and/or device driver
-   **Identity management systems** that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials <a name="_ref_i.2">[i.2]</a>
-   **Virtual Private Network** that provide access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network <a name="_ref_i.3">[i.3]</a> <a name="_ref_i.4">[i.4]</a>
-   **Provision of cryptographic keys** that serve as a management system for asymmetric cryptographic keys, digital certificates or signed or encrypted data created using digital certificates <a name="_ref_i.6">[i.6]</a>
-   **Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the NMS product features <a name="_ref_i.7">[i.7]</a>
-   Secure update of firmware and/or device driver in the managed element
-   **Identity management systems** that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials <a href="#_ref_i.2">[i.2]</a>
-   **Virtual Private Network** that provide access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network <a href="#_ref_i.3">[i.3]</a> <a href="#_ref_i.4">[i.4]</a>
-   **Provision of cryptographic keys** that serve as a management system for asymmetric cryptographic keys, digital certificates or signed or encrypted data created using digital certificates <a href="#_ref_i.6">[i.6]</a>
-   **Security information and event management systems** that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes unless it is considered to be integral part of the NMS product features <a href="#_ref_i.7">[i.7]</a>
-   **Physical and virtual network interfaces**
-   **Operating systems** that provide an abstract interface of the underlying hardware and control the execution of software <a name="_ref_i.5">[i.5]</a>
-   **Routers, modems and switches** that establish and control the flow of data between different networks <a name="_ref_i.8">[i.8]</a>
-   **Operating systems** that provide an abstract interface of the underlying hardware and control the execution of software <a href="#_ref_i.5">[i.5]</a>
-   **Routers, modems and switches** that establish and control the flow of data between different networks <a href="#_ref_i.8">[i.8]</a>

Manufacturer shall document in the techical documentation what relevant systems are used outside of the NMS and how the trust is established and maintained between the components.
The documentation may contain, but is not limited to, components listed above.

### 4.10.3 Security functions provided to other components

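Review bot: "Secure update of firmware and/or device driver in the managed element" is the only entry in this list without a bold label and a reference, and it is the delegated function whose failure the NMS cannot observe on its own; given the quoted remark above that most hardware components "do not have a built-in method of securely updating any firmware", the documentation requirement at the end of the section ("how the trust is established and maintained between the components") should explicitly ask how the integrity of managed-element updates is verified by, or reported to, the NMS. The "Virtual Private Network" entry cites both [i.3] and [i.4], while 4.2 uses [i.4] for the CEN/CLC industrial network management standard (EN-204-621b); check that the second citation is the intended one. The three blank lines before "### 4.10.2" can be collapsed to one; "techical" should read "technical", and "Virtual Private Network that provide access" should read "that provides access".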
@@ -511,6 +542,10 @@ In accordance with Article 13 (8) of the CRA<a href="#_ref_i.1">[i.1]</a>, the m
> -   PT2 drafts, available in the [ETSI DocBox](https://docbox.etsi.org/CYBER/CYBER/CEN-CLC/JTC13/WG09)
> -   ENISA's [CRA Requirements Standards Mapping](https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf)

    -   **[AUSR-L-0-RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
    -   **[AUSR-L-1-RQ-1]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
    -   **[AUSR-L-2-RQ-1]**

# Annex A (informative): Mapping between the present document and CRA requirements

> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
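Review bot: the three "**[AUSR-L-x-RQ-1]**" items are inserted as a four-space-indented list immediately after the blockquote, with no parent list item, so in CommonMark they render as an indented code block or an orphaned sub-list rather than as requirements; outdent them and introduce them with a sentence stating which clause they belong to. "**[AUSR-L-2-RQ-1]**" is still empty, which leaves the highest user-impact level without any requirement, and the requirements are keyed to AUSR levels while the new 4.6.2 says security requirements will be attached to SEC levels; decide which is the normative key before more requirements are written. Wording: "An network management system" should read "A network management system", "forseeable" should read "foreseeable", "users identity" should read "users' identities", and "shall implement appropriate cryptographic libraries" names a means rather than an outcome; "shall protect the confidentiality and integrity of the provisioned configuration" is testable and leaves the mechanism to the manufacturer.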