Some editorials

<div style="text-align: center;">

![~~ETSI Standard header image~~](media/etsi-coverpage-logo.png)

# HARMONISED EUROPEAN STANDARD

**Draft ETSI EN 304 625 V0.0.12**

<br />

<br />

<br />

<br />

CRA; Essential cybersecurity requirements for physical and virtual network interfaces<br />

Release #<br />

</div>

<br />

<br />

<br />

<br />

<div style="text-align: center;">

Reference<br />

&lt;Workitem><br />

Keywords<br />

&lt;keywords><br />

ETSI<br />

650 Route des Lucioles<br />

F-06921 Sophia Antipolis Cedex - FRANCE<br />

Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br />

Siret N° 348 623 562 00017 - APE 7112B<br />

Association à but non lucratif enregistrée à la<br />

Sous-préfecture de Grasse (06) N° w061004871<br />

</div>

<br />

**CAUTION: This INTERIM DRAFT document is provided for information and is for future development work within the ETSI Technical Committee CYBER  Working Group EUSR only. ETSI and its Members accept no liability for any further use/implementation of this Specification. Approved and published specifications and reports shall be obtained exclusively via the ETSI Documentation Service at [http://www.etsi.org/standards-search]()**

<div style="text-align: center;">

**_Important notice_**

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format on [ETSI deliver] repository.

Users should be aware that the present document may be revised or have its status changed, this information is available in the [Milestones listing].

If you find errors in the present document, please send your comments to the relevant service listed under [Committee Support Staff].

If you find a security vulnerability in the present document, please report it through our

[Coordinated Vulnerability Disclosure (CVD)][CVD] program.

<br />

**_Notice of disclaimer & limitation of liability_**

The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of experience to understand and interpret its content in accordance with generally accepted engineering or

other professional standard and applicable regulations.

No recommendation as to products and services or vendors is made or should be implied.

No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness for any particular purpose or against infringement of intellectual property rights.

In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use of or inability to use the software.

<br />

**_Copyright Notification_**

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.

All rights reserved.<br />

[ETSI deliver]: http://www.etsi.org/deliver

[Milestones listing]: https://portal.etsi.org/Services/editHelp/Standards-development/Tracking-a-draft/Status-codes

[Committee Support Staff]: https://portal.etsi.org/People/Commitee-Support-Staff

[CVD]: https://www.etsi.org/standards/coordinated-vulnerability-disclosure

</div>

# Contents

=======

---

Title: CRA;<br>Essential cybersecurity requirements for physical and virtual network interfaces

Spec Number: 304 626

Version: v0.0.11

Spec Number: 304 625

Version: v0.0.12

Date: 2025-12

Work Item: TC/WI-Number

keywords: CRA

#### 5.2.1.4 MI-KEVM: Documentation of mitigation of known exploitable vulnerabilities

The product's development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall be compliant with the process described in [\[3\]](#_ref_3) prEN 40000-1-3: \"Cybersecurity requirements for products with digital elements – Vulnerability Handling\". The product shall be compliant with this requirement if it:

The product\'s development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall be compliant with the process described in [\[3\]](#_ref_3) prEN 40000-1-3: \"Cybersecurity requirements for products with digital elements – Vulnerability Handling\". The product shall be compliant with this requirement if it:

1. has no known exploitable vulnerabilities

1. has known exploitable vulnerabilities whose age is consistent with the specification of how long vulnerabilities may go unfixed after public disclosure, as described in the vulnerability handling procedure for the product