Draft Details
The present document specifies cybersecurity-related technical requirements and corresponding assessment criteria for Virtualisation
Execution Stack (VES) and Container Execution Stack (CES) products, including hypervisors and container runtime
systems. The products with digital elements in scope, hereafter referred to as the "product":
• are specified within the "technical description" of the "category of product" in Class II, point 1 by the
Commission Implementing Regulation (EU) 2025/2392 [i.2] as:
"Hypervisors and container runtime systems that support virtualised execution of operating systems and
similar environments";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the
Regulation (EU) 2024/2847 [i.1], Annex I, Part I under the conditions identified in Annex A.
Commission Implementing Regulation (EU) 2025/2392 [i.2] identifies hypervisors and container runtime systems as
core components. However, actual market products typically include additional elements beyond the hypervisor kernel
or container runtime binary. These additional components provide essential management, orchestration, and operational
capabilities that are necessary for real-world deployment and are therefore included within the scope of the present
document.
The present document addresses the CRA Class II, point 1 product category within the following product contexts:
• Virtualisation Execution Stack (VES) for hypervisor-based environments; and
• Container Execution Stack (CES) for container-based environments.
The corresponding terms and definitions are provided in clause 3. The architectural decomposition, in-scope
components, and security-relevant environmental dependencies are specified in clause 4.
Accordingly, the present document defines security requirements not only for the core execution systems identified in
the CRA but also for the broader product context in which these systems are deployed, ensuring alignment with market
reality and comprehensive coverage of security risks. The Management and Orchestration (M&O) System, Container
Engine (CE), and Container Orchestrator (CO) are covered by the present document and are in scope only where they
are developed or provided by the manufacturer, or under the responsibility of the manufacturer, as part of the declared
product.
Any usage of AI agents is out of scope of the present document.
Where the product includes or depends on components that are outside the scope of the present document, the
applicable requirements are to be addressed through the relevant operational-environment provisions or other relevant harmonised standards, as identified in clause 4.3.