Commit b61f85ea authored by Valerie Aurora's avatar Valerie Aurora

Update out of scope use/environment and support period

parent 8f70abf7
+37 −18
@@ -278,22 +278,26 @@ For the purposes of the present document, the following abbreviations apply:

## 4.2 Out of scope use/environments

The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act), and are not covered by this standard:
Out of scope use cases and environments include those explicitly carved out by the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by this standard.

1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a href="#_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a href="#_ref_i.1">[i.1]</a>;
3. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <a href="#_ref_i.1">[i.1]</a>;
4. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <a href="#_ref_i.1">[i.1]</a>;
5. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <a href="#_ref_i.1">[i.1]</a>;
6. Vehicles, including aviation and marine equipment as defined in CRA recital 27; article 2, 2.c "vehicles"; recital 27; article 2, 3 "aviation"; article 2, 4 "marine equipment" <a href="#_ref_i.1">[i.1]</a>;
7. Spare and used parts as defined in CRA recital 29; article 2, 6 <a href="#_ref_i.1">[i.1]</a>;
8. Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42 <a href="#_ref_i.1">[i.1]</a>;
For the convenience of the developers of these standards, the following list is temporarily included and will be removed before publication:

The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard.
The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by this standard:

9. High Risk AI as defined in CRA recital 51; article 12 <a href="#_ref_i.1">[i.1]</a>;
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a href="#_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a href="#_ref_i.1">[i.1]</a>.
1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a href="#_ref_i.1">[i.1]</a>
1. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a href="#_ref_i.1">[i.1]</a>
1. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <a href="#_ref_i.1">[i.1]</a>
1. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <a href="#_ref_i.1">[i.1]</a>
1. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <a href="#_ref_i.1">[i.1]</a>
1. Vehicles, including aviation and marine equipment as defined in CRA recital 27; article 2, 2.c "vehicles"; recital 27; article 2, 3 "aviation"; article 2, 4 "marine equipment" <a href="#_ref_i.1">[i.1]</a>
1. Spare and used parts as defined in CRA recital 29; article 2, 6 <a href="#_ref_i.1">[i.1]</a>
1. Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42 <a href="#_ref_i.1">[i.1]</a>

The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard:

1. High Risk AI as defined in CRA recital 51; article 12 <a href="#_ref_i.1">[i.1]</a>
1. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a href="#_ref_i.1">[i.1]</a>
1. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a href="#_ref_i.1">[i.1]</a>

## 4.3 Product overview and architecture

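Review bot: the typo "the the Regulation" carried over from the old intro line is still present in the new sentence "The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847", and "modifiedas" survives in "Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42"; fix both while the section is being rewritten ("the Regulation", "modified as"), and "listed in the section" should read "listed in this section". The new opening sentence "Out of scope use cases and environments include those explicitly carved out by the Regulation" and the retained sentence that introduces the list now overlap in content (the list enumerates product types, not use cases or environments), so the two should be merged into one lead-in rather than both kept. The vehicles item cites "recital 27" twice. Since "For the convenience of the developers of these standards, the following list is temporarily included and will be removed before publication" is an editorial note, marking it with the document's existing `> FIXME` blockquote convention (used in 4.6.2) would make it easier to find and strip before publication.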
@@ -523,11 +527,11 @@ The risk factors identified by the risk assessment in Annex C are grouped into r

### 4.6.1 General

Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to the security requirements necessary to mitigate them in a future draft.
Security levels are an informative resource to the manufacturer. Each security level is associated with a collection of levels of risk factors. Security levels will be mapped to specific mitigations for each security requirements necessary to treat the risk.

### 4.6.2 Mapping of security level to risk factors

Each security level will consist of the security requirements necessary to mitigate the threats related to the associated levels of risk factors.
Security levels are associated with sets of risk factor levels.

> FIXME add security requirements when they exist

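Review bot: "mapped to specific mitigations for each security requirements" in the new 4.6.1 sentence needs "each security requirement" (or "the security requirements"). The replacement 4.6.2 sentence "Security levels are associated with sets of risk factor levels" only repeats the second sentence of 4.6.1 ("Each security level is associated with a collection of levels of risk factors"), so 4.6.2 now carries no content beyond the FIXME; either keep the old forward-looking statement that each level "will consist of the security requirements necessary to mitigate the threats related to the associated levels of risk factors" until those requirements exist, or fold 4.6.2 into 4.6.1 and move the FIXME there.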
@@ -580,7 +584,7 @@ Other functionality is generally implemented outside of the device driver.

The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.

The manufacturer will document and communicate the expected environmental profile for the product to the consumer.
The manufacturer shall document and communicate the expected environmental profile for the product to the consumer.

The network device will operate in the context of a host system and operating system. If the device driver is not included with the product, it will be provided by the operating system or other part of the system. See Section 4.10 for more details.

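Review bot: the change from "will" to "shall" in "The manufacturer shall document and communicate the expected environmental profile for the product to the consumer" correctly makes this a normative requirement, but the sentence does not say where the profile is to be documented; the support-period clause in 4.11 anchors its documentation requirement to "the technical documentation of the product", and the same anchoring here (technical documentation, plus whatever user-facing documentation the standard requires) would make the requirement testable. The following paragraph keeps "will" ("The network device will operate in the context of a host system", "it will be provided by the operating system"), which reads as descriptive text rather than requirements; worth one more pass to confirm that is the intent, since the same section mixes the two keywords.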
@@ -632,9 +636,24 @@ Optional:

## 4.11 Support period

> Describe the expected support period and its impact on security risks. Generally the support period should be at least 5 years, shorter or longer according to the expected period of use. See Article 13.8 and Recitals 59 - 62 of the CRA for more information.
> Give guidelines to the manufacturer for selecting and documenting the expected support period. Generally the support period should be at least 5 years. It may be shorter if the expected lifetime of the product is less than 5 years. The 5 year minimum support period of CRA Article 13<a href="#_ref_i.1">[i.1]</a> is explained in greater detail in Recital 60, which also provides guidance on exceptions both for special purpose products where a shorter period is necessary or unavoidable and classes of products that the Act expects to have a longer support period. A 10 year minimum support period is suggested for:
>
> 1. Hardware products such as: “motherboards or microprocessors, network devices such as routers, modems or switches”
> 1. Long use software product such as “operating systems or video-editing tools”
> 1. Products designed for use in industrial settings, such as industrial control systems
>
> In the future, a dedicated administrative cooperation group “ADCO” whose duties and creation are described in CRA Recitals 22, 62, 108, 109 and Article 52 (15), (16)<a href="#_ref_i.1">[i.1]</a> will assist in the process of setting minimum support periods by collecting and analyzing data on support periods set by manufacturers and setting minimums should manufacturers systematically fail to provide adequate support periods. These duties and powers are described in Recital 62, Recital 117, and Article 13 (8) of the Act<a href="#_ref_i.1">[i.1]</a>. Any support period set by the standards will be superseded by those produced by the commission or its delegates.

The support period shall be at least 10 years.

In accordance with Article 13 (8) of the CRA<a href="#_ref_i.1">[i.1]</a>, the manufacturer shall document how it reached a decision on a specific support period in the technical documentation of the product. The manufacturer shall document the following considerations that affected the decision making process:

The support period should be at least 10 years. Network cards often stay in use for 15 years or longer.
1. Reasonable user expectations
1. Nature of the product and intended purpose
1. Relevant law and guidance
1. Support period of products on the market with similar functionality
1. The availability of the operating environment
1. The support period of any integrated components that provide core functions of the product.

# 5 Requirements specifications
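Review bot: "The support period shall be at least 10 years" turns the old recommendation ("The support period should be at least 10 years") into a normative requirement while dropping its only justification, the old sentence "Network cards often stay in use for 15 years or longer", and it sits directly under a guidance note that says the CRA minimum is 5 years, that "It may be shorter if the expected lifetime of the product is less than 5 years", and that a 10 year minimum is only "suggested" by Recital 60 for network devices. Either keep "should" and restore the usage-lifetime rationale, or, if 10 years is meant to be mandatory for this product class, state that rationale in the normative text and say how the requirement relates to the note's own statement that "Any support period set by the standards will be superseded by those produced by the commission or its delegates". Smaller points: "Article 52 (15), (16)<a" and "of the Act<a" need a space before the reference link; the new list under "The manufacturer shall document the following considerations" should use consistent terminal punctuation (only the last item ends with a period); and "The availability of the operating environment" presumably means the expected availability of the host operating system or platform over the support period, which is worth stating explicitly because, for a product whose device driver may be supplied by the operating system (see the Section 4.10 reference earlier in the document), that dependency is what bounds the achievable support period.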