The present document specifies technical cybersecurity product requirements and corresponding assessment criteria for
boot managers. The products with digital elements in scope, thereafter "the products":
• are specified within the technical description of the category of product number 8 by the Commission
Implementing Regulation (EU) 2025/2392 [i.2] as:
"Software products with digital elements that manage the process of initial system startup after power
on/restart by initialising hardware, loading or transferring control to the operating system environment or
system resources, and selecting boot options. This category includes but is not limited to UEFI firmware,
single-stage and multi-stage boot loaders."
• are only covered within the product context described in clause 4.
The scope covers software and firmware components that manage the boot process from power-on through
establishment of the chain of trust to handoff to the boot target. Products in scope include boot management software
and firmware regardless of distribution model or integration level. These are:
• System firmware that performs hardware initialisation and boot management.
• Bootloaders that manage boot target selection, verification, and loading.
• Embedded boot firmware in IoT and embedded devices.
• Network boot implementations enabling remote boot capabilities.
• Boot managers that integrate with hardware security components for chain of trust establishment.
NOTE 1: Boot managers may be single-stage (direct loading) or multi-stage (staged verification).
NOTE 2: For microcontrollers (MCUs) and microprocessors (MPUs):
• Silicon-integrated immutable firmware: Mask ROM, fused code, or boot firmware integrated during chip
manufacturing is assessed as part of MCU/MPU hardware under semiconductor standards.
• Updateable boot managers: Boot software in flash storage (including OTP programmed post-manufacture) is
assessed using the present document when distinctly identifiable or independently updatable.
NOTE 3: Runtime services executing after boot target handoff (such as secure monitor mode handlers or attestation
services) are in scope only if they provide verification or attestation services to the boot process itself, not
to the boot target.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the
Regulation (EU) 2024/2847 [i.1], Annex I Part I under the conditions identified in Annex A.

The present document specifies technical requirements and corresponding assessment criteria for Virtualisation
Execution Stack (VES) and Container Execution Stack (CES) products, including hypervisors and container runtime
systems, related to cybersecurity. The products with digital elements in scope, thereafter referred to as the "product":
• are specified within the "technical description" of the "category of product" in Class II, point 1 by the
Commission Implementing Regulation (EU) 2025/2392 [i.2] as:
"Hypervisors and container runtime systems that support virtualised execution of operating systems and
similar environments";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the
Regulation (EU) 2024/2847 [i.1], Annex I, Part I under the conditions identified in Annex A.
Commission Implementing Regulation (EU) 2025/2392 [i.2] identifies hypervisors and container runtime systems as
core components. However, actual market products typically include additional elements beyond the hypervisor kernel
or container runtime binary. These additional components provide essential management, orchestration, and operational
capabilities that are necessary for real-world deployment and are therefore included within the scope of the present
document.
The present document addresses the CRA Class II, point 1 product category within the following product contexts:
• Virtualisation Execution Stack (VES) for hypervisor-based environments; and
• Container Execution Stack (CES) for container-based environments.
The corresponding terms and definitions are provided in clause 3. The architectural decomposition, in-scope
components, and security-relevant environmental dependencies are specified in clause 4.
Accordingly, the present document defines security requirements not only for the core execution systems identified in
the CRA but also for the broader product context in which these systems are deployed, ensuring alignment with market
reality and comprehensive coverage of security risks. The Management and Orchestration (M&O) System, Container
Engine (CE), and Container Orchestrator (CO) are covered by the present document and are in scope only where they
are developed or provided by the manufacturer, or under the responsibility of the manufacturer, as part of the declared
product.
Any usage of AI agents is out of scope of the present document.
Where the product includes or depends on components that are outside the scope of the present document, the
applicable requirements are to be addressed through the relevant operational-environment provisions or other relevant harmonised standards, as identified in clause 4.3.