Indicate which standards provide presumption of conformity #186
base: main
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,65 +1,70 @@ | ||||||
| # Summary of European Commission implementing decision of a standardisation request to the ESOs | ||||||
|
|
||||||
| This is a summary of the [European Commission implementing decision of a standardisation request to the ESOs](https://ec.europa.eu/transparency/documents-register/detail?ref=C(2025)618&lang=en) of February 2, 2025 (PDFs: [act](./resources/C(2025)618_0.pdf), [annexes](./resources/C(2025)618_1.pdf)). | ||||||
| This is a summary of the [European Commission implementing decision of a standardisation request to the ESOs][StandReq] of February 2, 2025 (PDFs: [act](./resources/C(2025)618_0.pdf), [annexes](./resources/C(2025)618_1.pdf)). | ||||||
|
|
||||||
| ## Milestone 1 - Horizontal standards due August 30, 2026 | ||||||
|
|
||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | | ||||||
| |---|---|---|:---:|:---:| | ||||||
| | 1 | designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks | [Annex I, Part I, point (1)][Annex I] | WG9 PT1 | - | | ||||||
| | 15 | vulnerability handling for products with digital elements | [Annex I, Part II][Annex I] | WG9 PT3 | - | | ||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | Provides presumption of conformity<sup><a href="#note-1">[1]</a><sup> | | ||||||
| |---|---|---|:---:|:---:|:---:| | ||||||
| | 1 | designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks | [Annex I, Part I, point (1)][Annex I] | WG9 PT1 | - | No | | ||||||
| | 15 | vulnerability handling for products with digital elements | [Annex I, Part II][Annex I] | WG9 PT3 | - | No | | ||||||
|
|
||||||
| ## Milestone 2 - Vertical standards due October 30, 2026 | ||||||
|
|
||||||
| These standards describe essential cybersecurity requirements for the _Important Products_ listed in [Annex III][] and the _Critical Products_ listed in [Annex IV][]. | ||||||
|
|
||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | | ||||||
| |---|---|---|:---:|:---:| | ||||||
| | 16 | identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers | [Annex III, Class I, point (1)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 17 | standalone and embedded browsers | [Annex III, Class I, point (2)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 18 | password managers | [Annex III, Class I, point (3)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 19 | software that searches for, removes, or quarantines malicious software | [Annex III, Class I, point (4)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 20 | products with digital elements with the function of virtual private network (VPN) | [Annex III, Class I, point (5)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 21 | network management systems | [Annex III, Class I, point (6)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 22 | Security information and event management (SIEM) systems | [Annex III, Class I, point (7)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 23 | boot managers | [Annex III, Class I, point (8)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 24 | public key infrastructure and digital certificate issuance software | [Annex III, Class I, point (9)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 25 | physical and virtual network interfaces | [Annex III, Class I, point (10)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 26 | operating systems | [Annex III, Class I, point (11)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 27 | routers, modems intended for the connection to the internet, and switches | [Annex III, Class I, point (12)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 28 | microprocessors with security-related functionalities | [Annex III, Class I, point (13)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 29 | microcontrollers with security-related functionalities | [Annex III, Class I, point (14)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 30 | application specific integrated circuits (AS IC) and field-programmable gate arrays (FPGA) with security-related functionalities | [Annex III, Class I, point (15)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 31 | smart home general purpose virtual assistants | [Annex III, Class I, point (16)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 32 | smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems | [Annex III, Class I, point (17)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 33 | Internet connected toys covered by Directive 2009/48/EC that have social interactive features (e.g. speaking or filming) or that have location tracking features | [Annex III, Class I, point (18)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 34 | personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply or personal wearable products that are intended for the use by and for children | [Annex III, Class I, point (19)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 35 | hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments | [Annex III, Class II, point (1)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 36 | firewalls, intrusion detection and/or prevention systems, including specifically those intended for industrial use | [Annex III, Class II, point (2)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 37 | tamper-resistant microprocessors | [Annex III, Class II, point (3)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 38 | tamper-resistant microcontrollers | [Annex III, Class II, point (4)][Annex III] | _TBD_ | _TBD_ | | ||||||
| | 39 | Hardware Devices with Security Boxes | [Annex IV, point (1)][Annex IV] | _TBD_ | - | | ||||||
| | 40 | smart meter gateways within smart metering systems as defined in Article 2 (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing | [Annex IV, point (2)][Annex IV] | _TBD_ | - | | ||||||
| | 41 | smartcards or similar devices, including secure elements | [Annex IV, point (3)][Annex IV] | _TBD_ | - | | ||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | Provides presumption of conformity<sup><a href="#note-1">[1]</a><sup> | | ||||||
| |---|---|---|:---:|:---:|:---:| | ||||||
| | 16 | identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers | [Annex III, Class I, point (1)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 17 | standalone and embedded browsers | [Annex III, Class I, point (2)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 18 | password managers | [Annex III, Class I, point (3)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 19 | software that searches for, removes, or quarantines malicious software | [Annex III, Class I, point (4)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 20 | products with digital elements with the function of virtual private network (VPN) | [Annex III, Class I, point (5)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 21 | network management systems | [Annex III, Class I, point (6)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 22 | Security information and event management (SIEM) systems | [Annex III, Class I, point (7)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 23 | boot managers | [Annex III, Class I, point (8)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 24 | public key infrastructure and digital certificate issuance software | [Annex III, Class I, point (9)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 25 | physical and virtual network interfaces | [Annex III, Class I, point (10)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 26 | operating systems | [Annex III, Class I, point (11)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 27 | routers, modems intended for the connection to the internet, and switches | [Annex III, Class I, point (12)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 28 | microprocessors with security-related functionalities | [Annex III, Class I, point (13)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 29 | microcontrollers with security-related functionalities | [Annex III, Class I, point (14)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 30 | application specific integrated circuits (AS IC) and field-programmable gate arrays (FPGA) with security-related functionalities | [Annex III, Class I, point (15)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 31 | smart home general purpose virtual assistants | [Annex III, Class I, point (16)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 32 | smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems | [Annex III, Class I, point (17)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 33 | Internet connected toys covered by Directive 2009/48/EC that have social interactive features (e.g. speaking or filming) or that have location tracking features | [Annex III, Class I, point (18)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 34 | personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or Regulation (EU) 2017/746 do not apply or personal wearable products that are intended for the use by and for children | [Annex III, Class I, point (19)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 35 | hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments | [Annex III, Class II, point (1)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 36 | firewalls, intrusion detection and/or prevention systems, including specifically those intended for industrial use | [Annex III, Class II, point (2)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 37 | tamper-resistant microprocessors | [Annex III, Class II, point (3)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 38 | tamper-resistant microcontrollers | [Annex III, Class II, point (4)][Annex III] | _TBD_ | _TBD_ | Yes | | ||||||
| | 39 | Hardware Devices with Security Boxes | [Annex IV, point (1)][Annex IV] | _TBD_ | - | Yes | | ||||||
| | 40 | smart meter gateways within smart metering systems as defined in Article 2 (23) of Directive (EU) 2019/944 and other devices for advanced security purposes, including for secure cryptoprocessing | [Annex IV, point (2)][Annex IV] | _TBD_ | - | Yes | | ||||||
| | 41 | smartcards or similar devices, including secure elements | [Annex IV, point (3)][Annex IV] | _TBD_ | - | Yes | | ||||||
|
|
||||||
| ## Milestone 3 - Horizontal standards due October 30, 2027 | ||||||
|
|
||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | | ||||||
| |---|---|---|:---:|:---:| | ||||||
| | 2 | making products with digital elements available on the market without known exploitable vulnerabilities | [Annex I, Part I, point (2)⁠(a)][Annex I] | WG9 PT2 | - | | ||||||
| | 3 | making products with digital elements available on the market with a secure by default configuration | [Annex I, Part I, point (2)⁠(b)][Annex I] | WG9 PT2 | - | | ||||||
| | 4 | ensuring that vulnerabilities in products with digital elements can be addressed through security updates | [Annex I, Part I, point (2)⁠(c)][Annex I] | WG9 PT2 | - | | ||||||
| | 5 | ensuring protection of products with digital elements from unauthorised access and reporting on possible unauthorised access | [Annex I, Part I, point (2)⁠(d)][Annex I] | WG9 PT2 | - | | ||||||
| | 6 | protecting the confidentiality of data stored, transmitted or otherwise processed by a product with digital elements | [Annex I, Part I, point (2)⁠(e)][Annex I] | WG9 PT2 | - | | ||||||
| | 7 | protecting the integrity of data, commands, programs by a product with digital elements, and its configuration against any manipulation or modification not authorised by the user, as well as reporting on corruptions | [Annex I, Part I, point (2)⁠(f)][Annex I] | WG9 PT2 | - | | ||||||
| | 8 | processing only personal or other data that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (‘minimisation of data’) | [Annex I, Part I, point (2)⁠(g)][Annex I] | WG9 PT2 | - | | ||||||
| | 9 | protecting the availability of essential and basic functions of the product with digital elements | [Annex I, Part I, point (2)⁠(h)][Annex I] | WG9 PT2 | - | | ||||||
| | 10 | minimising the negative impact of a product with digital elements or its connected devices on the availability of services provided by other devices or networks | [Annex I, Part I, point (2)⁠(i)][Annex I] | WG9 PT2 | - | | ||||||
| | 11 | designing, developing and producing products with digital elements with limitted attack surfaces | [Annex I, Part I, point (2)⁠(j)][Annex I] | WG9 PT2 | - | | ||||||
| | 12 | designing, developing and producing products with digital elements that reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques | [Annex I, Part I, point (2)⁠(k)][Annex I] | WG9 PT2 | - | | ||||||
| | 13 | providing security related information by recording and/or monitoring relevant internal activity of products with digital elements with an opt-out mechanism for the user | [Annex I, Part I, point (2)⁠(l)][Annex I] | WG9 PT2 | - | | ||||||
| | 14 | securely and easily removing or transferring all data and settings of a product with digital elements | [Annex I, Part I, point (2)⁠(m)][Annex I] | WG9 PT2 | - | | ||||||
| | Number | Description | CRA Link | CEN/CENELEC | ETSI | Provides presumption of conformity<sup><a href="#note-1">[1]</a><sup> | | ||||||
| |---|---|---|:---:|:---:|:---:| | ||||||
| | 2 | making products with digital elements available on the market without known exploitable vulnerabilities | [Annex I, Part I, point (2)⁠(a)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 3 | making products with digital elements available on the market with a secure by default configuration | [Annex I, Part I, point (2)⁠(b)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 4 | ensuring that vulnerabilities in products with digital elements can be addressed through security updates | [Annex I, Part I, point (2)⁠(c)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 5 | ensuring protection of products with digital elements from unauthorised access and reporting on possible unauthorised access | [Annex I, Part I, point (2)⁠(d)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 6 | protecting the confidentiality of data stored, transmitted or otherwise processed by a product with digital elements | [Annex I, Part I, point (2)⁠(e)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 7 | protecting the integrity of data, commands, programs by a product with digital elements, and its configuration against any manipulation or modification not authorised by the user, as well as reporting on corruptions | [Annex I, Part I, point (2)⁠(f)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 8 | processing only personal or other data that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (‘minimisation of data’) | [Annex I, Part I, point (2)⁠(g)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 9 | protecting the availability of essential and basic functions of the product with digital elements | [Annex I, Part I, point (2)⁠(h)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 10 | minimising the negative impact of a product with digital elements or its connected devices on the availability of services provided by other devices or networks | [Annex I, Part I, point (2)⁠(i)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 11 | designing, developing and producing products with digital elements with limitted attack surfaces | [Annex I, Part I, point (2)⁠(j)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 12 | designing, developing and producing products with digital elements that reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques | [Annex I, Part I, point (2)⁠(k)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 13 | providing security related information by recording and/or monitoring relevant internal activity of products with digital elements with an opt-out mechanism for the user | [Annex I, Part I, point (2)⁠(l)][Annex I] | WG9 PT2 | - | No | | ||||||
| | 14 | securely and easily removing or transferring all data and settings of a product with digital elements | [Annex I, Part I, point (2)⁠(m)][Annex I] | WG9 PT2 | - | No | | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| <sup><a href="#note-1" name="note-1">[1]</a></sup> _Vertical standards mentioned in Point 2.3 of Annex II of the [European Commission implementing decision of a standardisation request to the ESOs][StandReq] are the only one requested to aim to provide a presumption of conformity._ | ||||||
|
Maybe actually add a second footnote referencing Article 27 paragraph 1 of the CRA which states

This seems to very much clash with what I'm hearing that only the vertical standards will provide presumption of conformity.

Did you mean to respond to the other thread?

No. Doesn't that imply all harmonised standards would provide presumption of conformity?

So, I looked all of it up. The Blue Guide has the relevant sections 4.1.2.1 and 4.1.2.2. As soon as a reference to a harmonised standard is published in the OJE it does provide presumption of conformity. So, I think we should revise this as not only vertical ones will be relevant.

I believe, but can't instantly confirm, that compliance with all applicable parts of all harmonised standards is necessary for a presumption of conformity.

We definitely need FAQs on this topic. Happy to bring to the Commission and/or CEN/CENELEC for input. We need more clarity here, imho.

I volunteered offline to create a FAQ on this
||||||
|
|
||||||
| [StandReq]: https://ec.europa.eu/transparency/documents-register/detail?ref=C(2025)618&lang=en | ||||||
| [Annex I]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_I | ||||||
| [Annex III]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_III | ||||||
| [Annex IV]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_IV | ||||||
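Review bot: the new column header added to all three tables, `Provides presumption of conformity<sup><a href="#note-1">[1]</a><sup>`, never closes its `<sup>`: the second `<sup>` should be `</sup>`, otherwise the superscript leaks into the cells that follow. Two smaller points in the same hunk: the added footnote reads "are the only one requested to aim to provide a presumption of conformity" and should read "the only ones requested"; and the added row for requirement 11 carries over the typo "limitted" (should be "limited"). On substance, the hard Yes/No values say more than the footnote supports. The footnote itself only states that the vertical standards in Point 2.3 of Annex II are requested to *aim to* provide a presumption of conformity, while the discussion on this PR points to Article 27 paragraph 1 of the CRA and argues that any harmonised standard whose reference is published in the Official Journal gives a presumption of conformity, which would make the "No" for the horizontal standards wrong. Consider renaming the column to something like "Requested to aim for presumption of conformity" (keeping the footnote) so the table records what the standardisation request asks for rather than a conclusion about legal effect, and hold the "No" entries until the open question in the thread is settled.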
PT3 aims to achieve a "Yes" here