Commit f9205680 authored by Santeri Toikka

Renamed security levels to security profiles and dropped more writing instructions

parent e1f3ce8c
+46 −52
@@ -4,7 +4,7 @@

# HARMONISED EUROPEAN STANDARD

**ETSI EN 304-621a V0.0.2 (2025-08)**
**Draft ETSI EN 304-621a V0.0.3 (2025-08)**

<br />
<br />
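Review bot: the version bump from V0.0.2 to V0.0.3 and the new "Draft" prefix on the title line are not covered by the commit message ("Renamed security levels to security profiles and dropped more writing instructions"); mention the status and version change in the message, or keep it in its own commit, so the point at which the document was marked as a draft can be traced later.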
@@ -202,7 +202,7 @@ References are either specific (identified by date of publication and/or edition
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

-   <a name="_ref_i.1">[i.1]</a> EU 2024/2847 "Cyber Resilience Act"
-   <a name="_ref_i.2">[i.2]</a> ETSI hEN IAM
-   <a name="_ref_i.2">[i.2]</a> ETSI EN 304 XXX IAM (CEN/TC 224 WG 17 output)
-   <a name="_ref_i.3">[i.3]</a> ETSI EN 304 620 "Virtual Private Networks (VPNs)"
-   <a name="_ref_i.4">[i.4]</a> CEN/CLC EN 50XXX-4 "VPN"
-   <a name="_ref_i.5">[i.5]</a> ETSI EN 304 626 "Essential cybersecurity requirements for operating systems"
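Review bot: the rewritten [i.2] entry introduces an unresolved placeholder, "ETSI EN 304 XXX IAM (CEN/TC 224 WG 17 output)", and [i.4] "CEN/CLC EN 50XXX-4" has the same shape. The rest of the document marks open items with an explicit FIXME (the `> FIXME` quote and the `<mark>FIXME</mark>` tag); flag these two document numbers the same way so they are caught before publication rather than shipping as "XXX" in the reference list. Note also that the `<a name="_ref_i.2">` anchor is kept on the replacement line, which is correct, since any inline `[i.2]` citation links to it.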
@@ -382,16 +382,16 @@ The risk factors identified by the risk assessment in Annex C are grouped into r
-   Number of affected Service Requesting Users [<a href="#_term_.SRU">SRU</a>]

    -   **Rationale**: the affected user base should be accounted for in the risk definition
    -   **[AUSR-L-0]** single household or a small business, small ammount of SRUs
    -   **[AUSR-L-1]** medium or large sized company with possibly multiple operation sites, medium ammount of SRUs
    -   **[AUSR-L-2]** CSP, large ammount of SRUs
    -   **[SRU-L-0]** single household or a small business, small ammount of SRUs
    -   **[SRU-L-1]** medium or large sized company with possibly multiple operation sites, medium ammount of SRUs
    -   **[SRU-L-2]** CSP, large ammount of SRUs

-   Complexity of managed network element implementation

    -   **[COM-L-0]** Minimal features to collect and send data to NMS
    -   **[COM-L-0]** Minimal features to collect and send data to NMS like IoT devices
    -   **[COM-L-1]** Some simple features to enable basic networking like firewall, DHCP
    -   **[COM-L-2]** Dynamic routing table modifications or exposed connectivity services like VPN
    -   **[COM-L-3]** Complex network element performing
    -   **[COM-L-2]** Dynamic routing table modifications or exposed connectivity services like VPN and SDN
    -   **[COM-L-3]** Complex network element with sophisticated functions and supporting services

-   Security expectations of intented network segment operation
    -   **Rationale**: NIS2 identifies entities that require higher level of protection
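Review bot: the three new SRU-L-0/1/2 lines are rewrites of the AUSR lines but carry the same typo "ammount" (three times), and the unchanged context still reads "intented network segment operation"; since these lines are being rewritten anyway, correct them to "amount" and "intended" in this commit. Separately, the "Complexity of managed network element implementation" factor is the only one of the three without a **Rationale** bullet (SRU and EXP both have one), and the completed COM-L-3 text, "Complex network element with sophisticated functions and supporting services", gives no concrete feature the way COM-L-1 and COM-L-2 do (firewall, DHCP, VPN, SDN); an example such as the kind of supporting service meant would make the level assignable.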
@@ -399,15 +399,21 @@ The risk factors identified by the risk assessment in Annex C are grouped into r
    -   **[EXP-L-1]** NIS2 important entity
    -   **[EXP-L-2]** NIS2 critical entity

### 4.5.1 Mapping of use cases to risk factors and security levels
### 4.5.1 Mapping of use cases to risk factors and security profiles

| Use case                                              | AUSR     | COM     | EXP     | Sec Lev |
| ----------------------------------------------------- | -------- | ------- | ------- | ------- |
| [4.4.1.1 IoT network with monitoring data collection] | AUSR-L-0 | COM-L-0 | EXP-L-0 | SEC-1   |
| [4.4.1.2 Home network deployment]                     | AUSR-L-0 | COM-L-1 | EXP-L-0 | SEC-2   |
| [4.4.2.1 Office network]                              | AUSR-L-1 | COM-L-2 | EXP-L-0 | SEC-3   |
| [4.4.2.2 Waste management]                            | AUSR-L-1 | COM-L-2 | EXP-L-1 | SEC-4   |
| [4.4.2.3 Telecom network]                             | AUSR-L-2 | COM-L-3 | EXP-L-2 | SEC-5   |
The table below is an example, how the example use cases could be mapped to different risk factors.
If there is no clear use case to be referred, the manufacturer shall take the presented dimensions, Service Requesting Users, Complexity and Expectations, into consideraton and document what factors apply.

The different risk factors have a set of minimun requirements defined that are lowering the posibility and mitigating the impact of an security incident.
In case of overlap in the requirements, a stronger and more secure option shall be selected.

| Use case                                              | SRU     | COM     | EXP     | Sec Pro |
| ----------------------------------------------------- | ------- | ------- | ------- | ------- |
| [4.4.1.1 IoT network with monitoring data collection] | SRU-L-0 | COM-L-0 | EXP-L-0 | SEC-1   |
| [4.4.1.2 Home network deployment]                     | SRU-L-0 | COM-L-1 | EXP-L-0 | SEC-2   |
| [4.4.2.1 Office network]                              | SRU-L-1 | COM-L-2 | EXP-L-0 | SEC-3   |
| [4.4.2.2 Waste management]                            | SRU-L-1 | COM-L-2 | EXP-L-1 | SEC-4   |
| [4.4.2.3 Telecom network]                             | SRU-L-2 | COM-L-3 | EXP-L-2 | SEC-5   |

[4.4.1.1 IoT network with monitoring data collection]: #4411-iot-network-with-monitoring-data-collection
[4.4.1.2 Home network deployment]: #4412-home-network-deployment
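Review bot: the new paragraph above the table uses normative language, "the manufacturer shall take the presented dimensions ... into consideration and document what factors apply" and "a stronger and more secure option shall be selected", while the same paragraph presents the table as "an example" and 4.6.1 describes security profiles as "an informative resource to the manufacturer". Either soften these to "should" in line with the informative status, or move the obligation into a normative clause that the conformance assessment can point to. The same paragraph also needs proofreading: "The table below is an example, how the example use cases could be mapped" (drop the comma, "an example of how"), "consideraton", "minimun", "posibility", and "an security incident".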
@@ -415,20 +421,20 @@ The risk factors identified by the risk assessment in Annex C are grouped into r
[4.4.2.2 Waste management]: #4422-waste-management
[4.4.2.3 Telecom network]: #4423-telecom-network

## 4.6 Security levels
## 4.6 Security profiles

### 4.6.1 General

Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.
Security profiles are an informative resource to the manufacturer. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each security requirements necessary to treat the risk.

### 4.6.2 Mapping of security level to risk factors
### 4.6.2 Mapping of security profile to risk factors

Security levels are associated with sets of risk factor levels.
Security profiles are associated with sets of risk factor levels.

> FIXME add security requirements when they exist

| Security level | AUSR | COM | EXP |
| -------------- | ---- | --- | --- |
| Security profile | SRU | COM | EXP |
| ---------------- | --- | --- | --- |
| SEC-1            |     |     |     |
| SEC-2            |     |     |     |
| SEC-3            |     |     |     |
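Review bot: the renamed 4.6.2 table still has empty SRU/COM/EXP cells behind the "FIXME add security requirements when they exist" note, yet the 4.5.1 table in this same commit already assigns each of SEC-1 to SEC-5 a concrete SRU/COM/EXP triple (for example SEC-1 with SRU-L-0, COM-L-0, EXP-L-0). Unless a profile is meant to cover a range of risk-factor levels, these cells can be filled from 4.5.1 now, and if it is meant to be a range the text in 4.6.2 should say so, because "associated with sets of risk factor levels" currently leaves that open. Minor: the rewritten 4.6.1 sentence keeps "for each security requirements necessary" from the old line; make it "for each security requirement".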
@@ -451,38 +457,19 @@ Security levels are associated with sets of risk factor levels.
-   Device discovery
-   Device inventory management

<mark>FIXME more use-based functions</mark>

## 4.8 Operational Environment

> Describe the expected operating environment given the exclusions in Section 4.2. This includes:
>
> -   Physical environment (if applicable)
> -   Networks it is connected to
> -   Supporting/associated devices
> -   Supporting/associated software or services
> -   Other relevant context

> You may be able to use the following instructions taken from the Common Internet of Things draft:
>
> Harmonised Standards not specifying a normative environmental profile should use the following text:

The technical requirements of the present document apply under the environmental profile for operation of the product with digital elements, which shall be in accordance with its intended use. The product with digital elements shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.

## 4.9 Users

> Describe the classes of users for this product, as differentiated by sophistication in understanding and taking responsibility for security risks. More sophisticated users can be expected to follow more instructions and cope with higher levels of unmitigated risks. Suggestions:
>
> -   General public
> -   Children
> -   Assistants to primary user
> -   IT professionals
> -   Systems integrators

Users of the system are natural persons, administrators, who have an insentive to modify the network configuration or view it's status. User often accesses the system through a HTTPS GUI or by a third party software.

Machine Users may be used to identify functions and operators, which require access to the system. The Machine User authorizaton grants are often defined strictly to bare minimun set of operations needed to perform the function.

Service Requesting Users do not have access to the system, nor should they be interfaces to interract with the NMS.
The target group relies on the outcomes of an functional system, but do not participate to it's operative aspects in any way.

## 4.10 Distribution of security functions

A NMS is often a compilation of different subsystems performing the task of the network management. The security functions may be implemented inside of the product as an integral part of the system or with help the of an established structures like OS package manager or logging subsystems.
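Review bot: dropping the writing-instruction quotes in 4.8 leaves that section with only the generic environmental-profile sentence; the removed instruction asked for the networks the NMS is connected to and the supporting devices, software and services, none of which 4.8 now states, even though 4.2 exclusions and the 4.9 user classes assume them. In 4.9, the sentence "Service Requesting Users do not have access to the system, nor should they be interfaces to interract with the NMS" is ambiguous: it probably means there should be no interface offered to them, which is a requirement on the product, not a statement about the users; say which is intended. The section also needs a spelling pass: "insentive", "it's" (twice, possessive), "authorizaton", "minimun", "interract", "an functional", and "the NMS" versus "a NMS" in 4.10 should be made consistent.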
@@ -529,9 +516,16 @@ The metrics can be for example the last time when the managed element has been s
> -   PT2 drafts, available in the [ETSI DocBox](https://docbox.etsi.org/CYBER/CYBER/CEN-CLC/JTC13/WG09)
> -   ENISA's [CRA Requirements Standards Mapping](https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf)

-   **[AUSR-L-0-RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
-   **[AUSR-L-1-RQ-1]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
-   **[AUSR-L-2-RQ-1]**
-   **[RQ-1]** An network management system shall implement appropriate cryptographic libraries to allow the protection of the provisioned configuration according to the requirements of the forseeable use.
-   **[RQ-2]** An network management system which supports medium or larger enterprise networks shall implement and document appropriate safeguards to ensure the validity of users identity according to the requirements of the forseeable use.
-   **[RQ-3]** The product is shipped without undocumented interfaces.
-   **[RQ-4]** The administrative actions shall be traced in case of accidental or intentional misconfiguration.
-   **[RQ-5]** The manufacturer shall protect the system against data poisoning or other adversial attacks.
-   **[RQ-6]** The collected network element monitoring and metrics data shall be verifiable
-   **[RQ-7]**
-   **[RQ-8]**
-   **[RQ-9]**
-   **[RQ-10]**

# Annex A (informative): Mapping between the present document and CRA requirements
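Review bot: RQ-7 to RQ-10 are empty bullets that will render as numbered requirements with no text; either mark them with the FIXME convention used elsewhere in the document or leave them out until written. The renaming from AUSR-L-0-RQ-1 / AUSR-L-1-RQ-1 to a flat RQ-n series also removes the only place where a requirement was tied to a risk-factor level, so the 4.6.2 profile table (still empty in this commit) is now the sole link between profiles and requirements and must carry it. On the individual items: RQ-3 "The product is shipped without undocumented interfaces" is a statement rather than a "shall" requirement; RQ-4 "traced in case of accidental or intentional misconfiguration" does not say what is to be traced (an audit log of administrative actions, with what retention); RQ-5 "data poisoning or other adversial attacks" is undefined for an NMS and overlaps with RQ-6's verifiable monitoring data, so the two could be merged or RQ-5 scoped; RQ-6 lacks a terminating period. Spelling in RQ-1 and RQ-2: "An network" should be "A network" and "forseeable" should be "foreseeable".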