Draft Details

Number:Draft ETSI EN 304 627 V1.0.1 (2026-07)
Source:NSAI
Committee:NSAI/TC 2
Committee name:ICT
Review published:09 Jul 2026
Review end date:30 Aug 2026
Categories:General
Contact email:nepadmin(at)nsai.ie
Draft Scope:

The present document specifies vulnerability handling activities, technical requirements and corresponding assessment 
criteria for routers, modems intended for connection to the internet, and switches related to cybersecurity. The products 
with digital elements in scope: 
• are specified within the "technical description" of the "category of product" in Class I, point 12 by the 
Commission Implementing Regulation (EU) 2025/2392 [i.2] of 28 November 2025 on the technical 
description of the categories of important and critical products with digital elements pursuant to 
Regulation (EU) 2024/2847 of the European Parliament and of the Council [i.1] as: - - - 
"Routers are products with digital elements that establish and control the flow of data between different 
networks by selecting paths or routes using routing protocol mechanisms and algorithms, typically 
operating at the network layer. 
This category includes but is not limited to wired and wireless routers, virtual routers and routers with or 
without modems."; 
"Modems intended for the connection to the Internet are hardware products with digital elements that use 
digital modulation and demodulation techniques to convert analogue signals from and to digital signals 
for IP-based communication. 
This category includes but is not limited to fibre modems, Digital Subscriber Line (DSL) modems, cable 
(DOCSIS) modems, satellite modems and cellular modems."; 
"Switches are products with digital elements that provide connectivity between networked devices 
through traffic forwarding mechanisms typically implemented at the data link layer. 
This category includes but is not limited to managed switches, smart switches, multilayer switches, 
virtual security switches, programmable switches for software-defined networking and bridges such as 
wireless access points."; 
• are only covered within the product context described in clause 4. 
The present document covers those products to demonstrate compliance with the essential cybersecurity requirements 
of Regulation (EU) 2024/2847 [i.1], Annex I Part I, under the conditions identified in Annex A. 
NOTE 1: The term "internet" refers to any public network accessible beyond organizational boundaries. Public 
networks are accessible to multiple organizations or the general public. Private networks operate under 
single organizational control. 
Routers, modems intended for connection to the internet, and switches fall within the scope of the present document 
when they provide management capabilities. This applies to all deployment forms such as dedicated hardware, virtual 
machines, containerized applications, and cloud-native network functions. The intended purpose or reasonably 
foreseeable use is to process, forward, or manage network traffic between devices, network segments, or between public 
and private networks. 
NOTE 2: Unmanaged products with fixed functionality and no configuration interface are excluded from scope, as 
they lack the interfaces needed to implement the security controls of the present document. 
The present document does not specify protocol conformance requirements, performance specifications, QoS metrics, 
or interoperability testing. Security controls for protocol implementation and vulnerability management remain within 
scope. 
NOTE 3: Products that integrate particular wireless or wired communication technologies, such as Wi-Fi®, cellular, 
DECT, and DECT-2020 NR remain within scope when they function as routers, modems intended for 
connection to the internet, or switches 
Routers, modems intended for connection to the internet, and switches intended for use in the industrial Operational 
Technology (OT) domain are excluded from the scope of the present document, see prEN 50770-5 [i.14].

You may comment on any clause of this document. Simply enter the clause number, make your comment and your proposed changed text for each clause, subclause, paragraph, table or figure.

All comments are checked by a moderator before they are made public on the site. This is to ensure that improper language or marketing is not placed on the site – we will not judge or modify technical content. Similarly, we will not correct your grammar or spelling