@@ -150,7 +150,7 @@ This standard does not apply to products that contain an operating system or are
## 1.1 General
The present document describes how to demonstrate compliance with requirements in the EU Regulation 2024/2847 under the conditions identified in Annex <L> of operating systems, within the context described in section 4, Product Context.
The present document describes how to demonstrate the compliance of operating systems with the requirements in the EU Regulation 2024/2847, within the context described in section 4, Product Context.
## 1.2 Products in scope
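Review bot: section 4 now has to carry the conditions of use on its own, because the rewritten sentence in 1.1 drops "under the conditions identified in Annex <L>" and bounds the claim only with "within the context described in section 4, Product Context". Worth checking that section 4 actually states those conditions, or saying here that they are defined there. A smaller style point: this sentence says "The present document" while the hunk's context line and section 1.3 say "This standard"; pick one term and use it throughout.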
@@ -187,10 +187,6 @@ Security-relevant parts of the operating system include but are not limited to:
## 1.3 Products not in scope
> Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope.
This standard does not cover products in use in contexts other than those identified in Annex <L>.
This standard does not cover parts of the operating system that are not security-relevant.
This standard does not cover:
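Review bot: section 1.3 no longer excludes out-of-scope contexts of use once the Annex <L> sentence is gone (the header shows four lines removed and none added), although the template guidance quoted in this section asks to reference "Product Context" again. Suggest replacing the sentence rather than deleting it, for example: "This standard does not cover products in use in contexts other than those described in section 4, Product Context." The two lines that follow, "This standard does not cover parts of the operating system that are not security-relevant." and "This standard does not cover:", would also read better folded into the one list.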
@@ -209,11 +205,13 @@ Usermode "operating systems" are applications simulating an operating system in
Boot managers have the primary purpose of initializing the hardware after power on or reset with the goal of choosing, loading, and/or transferring execution to an operating system or other program. While many boot managers provide some or all of the services of an operating system (or are literally operating systems adapted for use as a boot manager), they are designed and intended primarily to transfer control to an operating system or other program, rather than continuously operate and provide services.
FIXME: make this more specific. Firmware running on a device is an operating system if its core function is to abstract the hardware platform and control the execution of software that uses services it provides. Otherwise it is special purpose device-specific firmware.
Firmware running on a device is an operating system if its core function is to abstract the hardware platform and control the execution of software that uses services it provides. Otherwise it is special purpose device-specific firmware.
> FIXME make the above more specific.
Device drivers are generally included in the security-relevant parts of an operating system. However, the manufacturer of the operating system is only responsible for device drivers included in the operating system.
Device drivers are generally included in the security-relevant parts of an operating system. However, the manufacturer of the operating system is only responsible for device drivers included in the product.
> FIXME diagram(s) showing relationship to hypervisors, containers, boot managers, IAM, network interfaces, antivirus, hardware, and software.
> FIXME add diagram(s) showing relationship to hypervisors, containers, boot managers, IAM, network interfaces, antivirus, hardware, and software.
# 2 References
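Review bot: in the device-driver paragraph, "device drivers included in the product" introduces "the product" without saying what it refers to, while the sentence before it speaks of "an operating system". If the intent is the operating system as the manufacturer supplies it, say so, for example "device drivers that the manufacturer supplies as part of the operating system"; otherwise a reader can take "product" to mean the device the operating system runs on, which changes who is responsible for third-party drivers. The firmware definition is still marked FIXME, and as written it also fits the boot managers described just above as providing "some or all of the services of an operating system", so the follow-up should add a criterion that separates the two.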
@@ -2469,71 +2467,7 @@ Special case of verified/measured boot partially implemented outside the operati
Special case configuration files? Not code in most cases, but substantial impact on the security configuration of the operating system.
DRAFT ANNEX L - DO NOT CONSIDER THE CONTENT
The present document has been prepared under the Commission's standardisation request C(2025) 618 final to provide one voluntary means of conforming to the requirements of Regulation (EU) No 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.
> NOTE: The above paragraphs have to be repeated in the Foreword.
The annex shall have a table for a clear indication of correspondence between normative clauses of the standard and the legal requirements aimed to be covered.
**It should be evaluated - on the basis of the legal requirements supported and other information given in a harmonised standard - how detailed correspondence can be indicated between the normative elements of the harmonised standard and the legal requirements aimed to be covered. However, where this correspondence is expressed in too general terms, it could lead to a situation where the Commission cannot assess whether the Harmonised Standard satisfies the requirements, which it aims to cover, and subsequently publication of its references in the OJEU according to Article 10(6) of the Regulation is significantly delayed or is not possible at all.**
> **EXAMPLE for a table:**
**Table A.1: Relationship between the present document and<br />the requirements of EU Regulation 2024/2847**<aname="table_A.1"></a>
| **No** | **Description** | **Requirements of Regulation** | **Clause(s) of the present document** | **Use case** | **Condition** |
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |
| ... | | | | | |
**Key to columns:**
**Requirement:**
**No** A unique identifier for one row of the table which may be used to identify a requirement.
**Description** A textual reference to the requirement.
**Requirements of Regulation** Identification of article(s) defining the requirement in the Regulation.
**Clause(s) of the present document** Identification of clause(s) defining the requirement in the present document unless another document is referenced explicitly.
**Requirement Conditionality:**
**Use case** Indicates whether the requirement is unconditionally applicable (U) or is conditional upon the manufacturer's claimed functionality of the equipment (C).
**Condition** Explains the conditions when the requirement is or is not applicable for a requirement which is classified "conditional".
> NOTE 1: The table cannot indicate direct relationship between the relevant legal requirement and other standards or normative clauses contained in other standards.
>
> NOTE 2: The order of the first and the second columns can be changed.
>
> NOTE 3: The title of this column can be adapted on the basis of specific needs
The annex shall have at least the following two warnings.
A warning stating that presumption of conformity is effective only as long as the reference is maintained in the OJEU by the Commission. The following URL-address [https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards_en](https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards_en) to consult the latest list of Harmonised Standards published in the OJEU should be provided.
Presumption of conformity stays valid only as long as a reference to the present document is maintained in the list published in the Official Journal of the European Union. Users of the present document should consult frequently the latest list published in the Official Journal of the European Union.
A warning stating that those products or services which are within the scope of a relevant standard may be also subject to other Union legislation.
Other Union legislation may be applicable to the product(s) falling within the scope of the present document.
The "Change history/Change request (history)" annex shall be included in every revised or amended harmonised standard and shall contain information concerning significant changes that have been introduced by it. It shall be presented as a table.
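Review bot: no placeholder is left for the annex after this removal (the header shows 71 lines going down to 7), unlike the FIXME blockquotes kept in section 1.3. The draft text being dropped says the annex "shall have a table" giving the correspondence between normative clauses and the legal requirements, and that the presumption-of-conformity paragraphs have to be repeated in the Foreword, so that work is still outstanding. Suggest leaving a one-line marker in the existing style, such as "> FIXME add annex with Table A.1 (clause-to-requirement mapping)", and checking that nothing elsewhere in the document links to the table_A.1 anchor that disappears with the table.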