Commit daf52048 authored by Valerie Aurora's avatar Valerie Aurora

Fixup references, convert to "the present document"

Co-authored-by: ETSI EditHelp
parent 19f55b2f
+25 −30
@@ -145,7 +145,7 @@ In the present document "**shall** ", "**shall not** ", "**should** ", "**should

# Introduction

The present document is a European harmonised standard that defines cybersecurity requirements for products whose core function is as an virtual or physical network interface. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>.
The present document is a European harmonised standard that defines cybersecurity requirements for products whose core function is as an virtual or physical network interface. Demonstrating compliance with the present document is not necessary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>.

The present document does not apply to products that contain network interfaces or are part of a network interface if the core purpose of the product is not that of a network interface. However, it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with network interfaces.
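Review bot: the rewritten Introduction line keeps the article error "as an virtual or physical network interface"; it should read "as a virtual or physical network interface". "Demonstrating compliance with the present document is not necessary" is also weaker than the point being made; "is voluntary, but doing so provides a presumption of conformity" states the harmonised-standard relationship plainly.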

@@ -153,7 +153,7 @@ The present document does not apply to products that contain network interfaces

## 1.1 General

The present document describes how to demonstrate compliance with requirements in the EU Regulation 2024/2847 under the conditions identified in Annex &lt;L> of physical and virtual network interfaces within the context described in section 4, Product Context.
The present document describes how to demonstrate the compliance of virtual and physical network interfaces with the requirements in the EU Regulation 2024/2847, within the context described in clause 4, Product Context.

## 1.2 Products in scope
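Review bot: the rewritten clause 1.1 sentence drops the qualifier "under the conditions identified in Annex <L>", and later in this commit the separate sentence "This standard does not cover products in use in contexts other than those identified in Annex <L>." is deleted as well, so none of the shown changes still tie the scope to Annex <L>. "Within the context described in clause 4, Product Context" is a pointer, not a limitation; if clause 4 is now meant to carry the operating-context restriction, say so here. Also "the EU Regulation 2024/2847" should be written "Regulation (EU) 2024/2847" as it is elsewhere in the document.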

@@ -173,15 +173,13 @@ The term "modem" is used for two different kinds of products:

1. "Standalone modem": A device with two or more network interfaces that routes network data between two different networks, relaying data from one type of physical transmission media to another, such as a cable modem

"Modem interfaces" are included in this standard. "Standalone modems" are excluded from this standard.
"Modem interfaces" are included in the present document. "Standalone modems" are excluded from the present document.

This category includes purely virtual standalone products, such as virtual network interfaces, container network interfaces, VPN interfaces, and loopback interfaces.

This category includes products whose core function is a network interface and provides the feature of remote management interface for the network interface or the host system. FIXME do we have time to do this?
This category includes products whose core function is a network interface and provides the feature of remote management interface for the network interface or the host system.

FIXME what to do about network interfaces with multiple adapters that have a non-default switch mode?

For the purposes of this standard, network interfaces will be split up into the following groups, due to their distinct threat models:
For the purposes of the present document, network interfaces will be split up into the following groups, due to their distinct threat models:

* Wired network interfaces
* Wireless network interfaces
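Review bot: the FIXME "what to do about network interfaces with multiple adapters that have a non-default switch mode?" is left in place while the neighbouring FIXME on the remote-management sentence is removed; mixing resolved and unresolved markers inside a scope clause is confusing, so either resolve it or keep both visibly open. The rewritten sentence "products whose core function is a network interface and provides the feature of remote management interface" still reads awkwardly; suggest "products whose core function is a network interface and that provide a remote management interface for the network interface or the host system". The "Standalone modem" definition is numbered "1." but is the only visible item; check the numbering of the preceding "modem interface" item in the full clause.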
@@ -196,26 +194,10 @@ Products not in scope include:
* Cables connected to network interfaces
* Software or hardware add-ons, changes, or upgrades not shipped by the manufacturer that substantially modify the product

This standard does not cover products in use in contexts other than those identified in Annex &lt;L>.

# 2 References

## 2.1 Normative references

> **In Harmonised Standards these references shall be specific** (identified by date of publication and/or edition number or version number) **publicly available and in English, except in exceptional circumstances making sure that impacts have been evaluated and explanations have been given on how any negative implications should be avoided** . See clauses 2.10.1 and 8.4 of the [EDRs] and the communiqu&eacute; on "[References in ETSI Deliverables][References]".
>
> Guidance for selecting normative references in harmonised standards is given in clause 2.8.3 of the Vademecum on European standardisation. Please **systematically consult with your Technical Officer** for the latest guidance on normative references other than to ENs, ISO/IEC standards, notably to prevent the risk of non-acceptance.
>
> **Legal acts can never be used as normative references.**
>
> It is recommended that the number of references be limited to the minimum needed for the implementation/application of the ETSI Deliverables. References not directly concerned with the implementation/application/understanding of the ETSI Deliverable shall be listed in the Bibliography annex.
>
> References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
>
> Referenced documents which are not found to be publicly available in the expected location might be found in the [ETSI docbox].

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are necessary for the application of the present document.

> NONE AT PRESENT
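Review bot: the deletion in clause 2.1 goes beyond the template's editorial guidance. The paragraphs "References are either specific ... applies." and "NOTE: While any hyperlinks included in this clause were valid ..." are the template's published text for the normative reference clause and normally stay there; this commit re-adds them under clause 2.2 but leaves them missing from 2.1. The sentence "This standard does not cover products in use in contexts other than those identified in Annex <L>." is also removed with no replacement. "> NONE AT PRESENT" remains a placeholder that will have to be resolved before the clause is usable.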
@@ -240,11 +222,24 @@ The following referenced documents may be useful in implementing an ETSI deliver

* <a name="_ref_i.4">[i.4]</a>    EN 18031-3 (2024): “Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value".

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

* <a name="_ref_i.1">[i.1]</a>    Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

* <a name="_ref_i.2">[i.2]</a>    C(2025)618 – Standardisation request M/606: Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

* <a name="_ref_i.3">[i.3]</a>    CEN/CLC JTC13: "Cybersecurity and Data Protection".
* <a name="_ref_i.number">[i.number]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms

This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and terms and definitions provided by CEN/CLC EN 18031 series.
This clause provides terms and definitions based on CEN/CLC JTC13 WG09's <a href="#_ref_i.6">[i.6]</a> work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 <a href="#_ref_i.3">[i.3]</a> and by CEN/CLC EN 18031 <a href="#_ref_i.5">[i.5]</a> series.

For the purposes of the present document, the following terms apply:
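Review bot: the reference numbers in the rewritten clause 3.1 sentence do not match the list in this hunk. It cites CEN/CLC JTC13 WG09 as [i.6] and "ETSI EN 303 645/TS 103 701" as [i.3], but [i.3] is defined here as "CEN/CLC JTC13: Cybersecurity and Data Protection", and there is no [i.5] or [i.6] entry; the list ends at [i.4] plus the unfilled template line "[i.number] <Standard Organization acronym> <document number> ...", which should be removed. Either add entries for EN 303 645, TS 103 701 and the EN 18031 series or renumber the citations. The ordering also looks wrong: [i.4] now sits before the introductory sentence "The following referenced documents may be useful ..." and before [i.1], with the "References are either specific ..." paragraph and the hyperlink NOTE wedged between [i.4] and that sentence instead of at the head of clause 2.2.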

@@ -301,7 +296,7 @@ For the purposes of the present document, the following abbreviations apply:

> For the convenience of the developers of these standards, the following list is temporarily included and will be removed before publication:
>
> The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by this standard:
> The types of product with digital elements listed in the section do not fall within the scope of the the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by the present document:
>
> 1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a href="#_ref_i.1">[i.1]</a>
> 1. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a href="#_ref_i.1">[i.1]</a>
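Review bot: "do not fall within the scope of the the Regulation (EU) 2024/2847" still carries the duplicated "the"; while touching this line, "listed in the section" should become "listed in this clause" to match the clause terminology this commit introduces in clauses 1.1 and 3.1.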
@@ -312,13 +307,13 @@ For the purposes of the present document, the following abbreviations apply:
> 1. Spare and used parts as defined in CRA recital 29; article 2, 6 <a href="#_ref_i.1">[i.1]</a>
> 1. Refurbished, repaired, and upgraded products that have not been substantially modifiedas defined in recitals 39 - 42 <a href="#_ref_i.1">[i.1]</a>
>
> The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a> and can only be partially covered by this standard:
> The following types of products have reduced or varied requirements under Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a> and can only be partially covered by the present document:
>
> 1. High Risk AI as defined in CRA recital 51; article 12 <a href="#_ref_i.1">[i.1]</a>
> 1. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a href="#_ref_i.1">[i.1]</a>
> 1. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a href="#_ref_i.1">[i.1]</a>

Out of scope use cases and environments include those explicitly carved out by the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by this standard.
Out of scope use cases and environments include those explicitly carved out by the Regulation (EU) 2024/2847 (Cyber Resilience Act) <a href="#_ref_i.1">[i.1]</a>, and are not covered by the present document.

## 4.3 Product overview and architecture
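Review bot: "have not been substantially modifiedas defined in recitals 39 - 42" is missing a space ("modified as"). The list also mixes "CRA recital ... ; article ..." with bare "recital ...; Article ..." (for example "Testing and unfinished versions as defined in recital 37; Article 4, 2-3"); pick one form, since each item is meant to be checked against [i.1].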

@@ -754,7 +749,7 @@ The network interface will operate in the context of a host system and operating

## 4.9 Users

While users of almost every product with digital elements are also using a network interface, the users for the purpose of this standard are restricted to those removing, installing, administering, or otherwise directly interacting with the network interface as an individual product.
While users of almost every product with digital elements are also using a network interface, the users for the purpose of the present document are restricted to those removing, installing, administering, or otherwise directly interacting with the network interface as an individual product.

* Personal computer user adding/removing/administering a network interface
* Corporate computer user adding/removing/administering a network interface
@@ -1621,7 +1616,7 @@ Done
    * TR: general secure design stuff PT1 that we can only do if testable on product


FIXME: reference or use IEC 62443 certification? industrial use case, mostly for B2B relationships, suppliers, sophisticated, we are more consumer-related, probably can't base it on but we can find some overlap and inspire this standard
FIXME: reference or use IEC 62443 certification? industrial use case, mostly for B2B relationships, suppliers, sophisticated, we are more consumer-related, probably can't base it on but we can find some overlap and inspire the present document

Potential sources of threats:

@@ -1701,7 +1696,7 @@ For wireless - operating environment of standard applies
>
> An analysis in terms of likelihood and magnitude of a product’s threats is required to be able to determine the product’s risks.

> NOTE 1 This document does not require a specific methodology for a cybersecurity risk analysis as long as the cybersecurity risk estimation is based on the likelihood of occurrence and magnitude of loss or disruption of cybersecurity risks. Thus, different approaches and models such as the fishbone model, event tree analysis or fault tree models can be used within the analysis of cybersecurity risks.
> NOTE 1 The present document does not require a specific methodology for a cybersecurity risk analysis as long as the cybersecurity risk estimation is based on the likelihood of occurrence and magnitude of loss or disruption of cybersecurity risks. Thus, different approaches and models such as the fishbone model, event tree analysis or fault tree models can be used within the analysis of cybersecurity risks.

> NOTE 2 A qualitative estimation of the cybersecurity risks can be performed using risk matrices that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to cybersecurity risk categories.
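Review bot: "NOTE 1" and "NOTE 2" are written without the colon used for notes elsewhere in the document ("NOTE: While any hyperlinks included in this clause were valid ..."); the ETSI form is "NOTE 1:" and "NOTE 2:". Worth fixing in the same pass as the "the present document" substitution on this line.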