Commit f41c0a9b authored by Valerie Aurora

Fix references

parent 8448d8cb
+13 −18
@@ -196,9 +196,11 @@ Products not in scope include:

The following referenced documents are necessary for the application of the present document.

> NONE AT PRESENT
- <a name="_ref_1">[1]</a> prEN 40000-1-1: “Cybersecurity requirements for products with digital elements – Vocabulary”</a>

- <a name="_ref_1">[1]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".
- <a name="_ref_2">[2] prEN 40000-1-2: “Cybersecurity requirements for products with digital elements - Part 1-2: Principles for cyber resilience”</a>

- <a name="_ref_3">[3] prEN 40000-1-3: “Cybersecurity requirements for products with digital elements – Vulnerability Handling”</a>

## 2.2 Informative references
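
Review bot: The new [1] entry in the normative list has an unbalanced anchor: `<a name="_ref_1">[1]</a>` is closed after the label and a second `</a>` follows the title, while [2] and [3] wrap the whole entry in the anchor. Pick one form, preferably the label-only `<a name="_ref_N">[N]</a>` used by the informative entries, and drop the stray closing tag. The titles are also uneven: [2] carries "Part 1-2:" but [1] and [3] give no part designation, and these entries use curly quotes where the informative list uses straight ones.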

@@ -208,34 +210,27 @@ References are either specific (identified by date of publication and/or edition

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

* <a name="_ref_i.0">[i.0]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".
References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

* <a name="_ref_i.1">[i.1]</a>    Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)

* <a name="_ref_i.2">[i.2]</a>    EN 18031-1 (2024): “Common security requirements for radio equipment - Part 1: Internet connected radio equipment”.

* <a name="_ref_i.3">[i.3]</a>   EN 18031-2 (2024): ”Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment".

* <a name="_ref_i.4">[i.4]</a>    EN 18031-3 (2024): “Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value".
* <a name="_ref_i.2">[i.2]</a>    EN 18031-1 (2024): "Common security requirements for radio equipment - Part 1: Internet connected radio equipment".

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.
* <a name="_ref_i.3">[i.3]</a>    EN 18031-2 (2024): "Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment".

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
* <a name="_ref_i.4">[i.4]</a>    EN 18031-3 (2024): "Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value".

* <a name="_ref_i.1">[i.1]</a>    Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
* <a name="_ref_i.5">[i.5]</a>    C(2025)618 – Standardisation request M/606: Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

* <a name="_ref_i.2">[i.2]</a>    C(2025)618 – Standardisation request M/606: Commission Implementing decision of 3.2.2025 on a standardisation request to the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (Cenelec) and the European Telecommunications Standards Institute (ETSI) as regards products with digital elements in support of Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
* <a name="_ref_i.6">[i.6]</a>    CEN/CLC JTC13: "Cybersecurity and Data Protection".

* <a name="_ref_i.3">[i.3]</a>    CEN/CLC JTC13: "Cybersecurity and Data Protection".
* <a name="_ref_i.number">[i.number]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".
* <a name="_ref_i.7">[i.7]</a>    ETSI TS 103 732 "Consumer Mobile Device Protection Profile".

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms

This clause provides terms and definitions based on CEN/CLC JTC13 WG09's <a href="#_ref_i.6">[i.6]</a> work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 <a href="#_ref_i.3">[i.3]</a> and by CEN/CLC EN 18031 <a href="#_ref_i.5">[i.5]</a> series.
This clause provides terms and definitions based on CEN/CLC JTC13 WG09's <a href="#_ref_i.6">[i.6]</a> work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 <a href="#_ref_i.7">[i.7]</a> and by CEN/CLC EN 18031 <a href="#_ref_i.2">[i.2]</a> series.

For the purposes of the present document, the following terms apply:
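
Review bot: In the updated 3.1 sentence, "ETSI EN 303 645/TS 103 701" now cites [i.7], but the [i.7] entry in this hunk is ETSI TS 103 732 "Consumer Mobile Device Protection Profile", so the citation and the listed document do not match. Either add informative entries for EN 303 645 and TS 103 701 and cite those, or correct the sentence to name the document that [i.7] actually lists. The "CEN/CLC EN 18031 series" citation also points only at [i.2] (Part 1); citing [i.2] to [i.4] would cover all three parts in the list.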

@@ -659,7 +654,7 @@ Guidance: This may include informing the user about automatic secure updates.

#### 5.2.X.x **MI-KEVM**: Documentation of mitigation of known exploitable vulnerabilities

The product's development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall be compliant with the process described in FIXME PT3 REFERENCE. The product shall be compliant with this requirement if it:
The product's development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall be compliant with the process described in <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling". The product shall be compliant with this requirement if it:

1. has no known exploitable vulnerabilities
1. has known exploitable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
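
Review bot: The replacement for the FIXME in 5.2.X.x uses `<a ref="_ref_3">`, which has no `href` attribute and is never closed, so it will not link to the normative reference and leaves the anchor open over the rest of the paragraph. Use the form the 3.1 citations use, `<a href="#_ref_3">[3]</a>`, and leave the full title to the entry in the normative references list rather than repeating it inline.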