#### 4.5.1.3 Security expectations of the deployment context
#### 4.5.1.3 Critical entity
The expectations on security are a sum of deployment, its environment, likelihood and impact. Therefore this risk factor is evaluated directly as perceived by the market the product is made available.
**Key:** [NIS2] </br>
**Rationale:** The NIS2 [i.16] identifies entities that require higher level of protection. The important and essential classifications are combined, as the NIS2 provides no product related additional cybersecurity requirements based on the entity classification. Additional security mechanisms can be and are definied on national level.
**Key:** [CENT] </br>
**Rationale:** Critical entity's operations are governance is defined by laws and guidances like the NIS2 [i.16] in addition to nation specific regulation.
Entities that require higher level of protection also expects more accuracy and scrunity from the product.
The deployment context may include additional mechanisms to detect and respond to security compromise.
[NIS2] </br> risk level is **low** if:
-NMS is intended for or foreseaably used to manage networks whose NIS2 status is undefined.
-NMS's intended deployment target is a household or a small business with under a thousand users.
[CENT] </br> risk level is **low** if:
-The product is intended for or foreseaably used to manage networks whose product user entity status is undefined.
-Product's intended deployment target is a household or a small business with under a thousand users.
[NIS2] </br> risk level is **medium** if:
-NMS is intended for or foreseaably used to manage networks whose NIS2 status is undefined.
- The product serves for a medium-sized enterprise as set by NIS2 Article 2.1 [i.16]
- The managed element is widely used
[CENT] </br> risk level is **medium** if:
-The product is intended for or foreseaably used to manage networks whose entity status is undefined.
- The product serves for a medium-sized enterprise.
- The managed element is widely used.
[NIS2] </br> risk level is **high** if:
- The product is targeted to NIS2 important or essential entities.
[CENT] </br> risk level is **high** if:
- The product is targeted important or essential entities.
| [4.4.1.1 IoT network with monitoring data collection] | low | low | TBD | high |
| [4.4.1.2 Home network deployment] | low | low | low | medium |
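Review bot: the new [CENT] rationale, "Critical entity's operations are governance is defined by laws and guidances like the NIS2 [i.16]", is ungrammatical and, unlike the [NIS2] rationale it replaces, no longer explains why the important and essential classifications are folded into a single tier; suggest "A critical entity's operations and governance are defined by laws and guidance such as NIS2 [i.16] in addition to nation-specific regulation" and carrying over the sentence stating that the two classifications are combined because no product-level requirement differs between them. The [CENT] medium-tier criterion drops "as set by NIS2 Article 2.1 [i.16]", so "medium-sized enterprise" is now undefined in the new text; keep the reference or state the threshold. The [CENT] high-tier line reads "targeted important or essential entities" (missing "to") and still relies on NIS2 terms without saying what makes an entity critical under this key. The spelling "foreseaably" is carried unchanged into the new low and medium lines, and the 4.4.1.1 table row still has a "TBD" cell that this rename does not resolve.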
@@ -297,7 +297,7 @@ This section contains technical cybersecurity requirements for the product. Each
Each requirement has at least one concrete example that satisfies the requirements of the CRA.
Later [Section 5.3 Risk Mitigations](#53-risk-mitigations) combines these general requirements to [Section 4.5 Risk Factors](#45-risk-factors). The Risk Mitigations can include additional topic specific requirements.
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], and [NIS2] defines the below risk category low, medium or high to follow. The requirements covering high risks comprise all requirements of the medium and low risk, and, analogously, the requirements from the medium risk comprise also those from the low risk.
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], and [CENT] defines the below risk category low, medium or high to follow. The requirements covering high risks comprise all requirements of the medium and low risk, and, analogously, the requirements from the medium risk comprise also those from the low risk.
For low risk:
-**[REQ-TECH-0]** The product shall be shipped without undocumented interfaces.
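Review bot: the replacement sentence keeps the doubled construction of the original, "the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], and [CENT] defines the below risk category low, medium or high to follow", which states "to follow" twice and switches from "define" to "defines" mid-sentence; since the line is being rewritten anyway, suggest "the highest of the following risk factors, [SRU], [Complexity], [Segment] and [CENT], determines whether the low, medium or high requirement category applies." The following sentence about high comprising medium and low is unchanged and reads fine.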
@@ -494,7 +494,7 @@ See [5.2.6 Role based authorisation](#526-role-based-authorisation)
### 5.3.2 Mitigations for ingested data integrity and confidentiality
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], [NIS2]
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], [CENT]
For medium risk:
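Review bot: this hunk rewrites the same "highest of following risk factors" sentence that also appears in the hunks at @@ -297, @@ -567 and @@ -666 with only the factor list differing, and the rename had to be applied to each copy by hand; suggest defining the factor-to-category rule once (in the section that introduces the risk categories) and having each mitigation subclause state only its applicable factors, so a future change to a key name or to the precedence rule cannot leave one copy stale. The list here should also end with a full stop, and "highest of following" should read "highest of the following".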
@@ -567,7 +567,7 @@ Especially when there are forensic demands, comprehensive and detailed logging b
The logging requirements in this subclause define baseline event recording and additional protections for retention, integrity, backup, and external forwarding according to the applicable risk tier.
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [NIS2]
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [CENT]
For low risk:
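Review bot: with [CENT] as the only factor, "the highest of following risk factors define the category to follow: [CENT]" no longer makes sense, since there is nothing to take the highest of; suggest "the applicable risk category for the logging requirements is determined by [CENT] alone." The other mitigation subclauses in this patch also include [SRU], [Complexity] and [Segment], so if the logging tier is intentionally tied only to the critical-entity status of the deployment, a sentence saying so (for example that forensic retention and forwarding obligations follow from the entity's regulatory status rather than the product's complexity) would make the omission clearly deliberate rather than accidental.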
@@ -666,7 +666,7 @@ It is up to the software design to tolerate these interruptions.
Modern design is often distributed, but depending on the implementation and runtime context, a singular process can also provide the targetted service availability if implemented correctly and self healing system can launch a replacement within the given time window.
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], [NIS2]
When evaluating the applicability of these requirements, the highest of following risk factors define the category to follow: [SRU], [Complexity], [Segment], [CENT]
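Review bot: the rename is correct, but the unchanged context line above it carries "targetted" (should be "targeted") and runs two statements into one sentence; while touching this region it would be worth splitting it into "a single process can also provide the targeted service availability if implemented correctly" and "a self-healing system can launch a replacement within the given time window". The rewritten factor list should also end with a full stop and read "the highest of the following risk factors", matching the wording used in the other subclauses.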