Draft Details
The present document specifies vulnerability handling activities, technical requirements and corresponding assessment
criteria for routers, modems intended for connection to the internet, and switches related to cybersecurity. The products
with digital elements in scope:
• are specified within the "technical description" of the "category of product" in Class I, point 12 by the
Commission Implementing Regulation (EU) 2025/2392 [i.2] of 28 November 2025 on the technical
description of the categories of important and critical products with digital elements pursuant to
Regulation (EU) 2024/2847 of the European Parliament and of the Council [i.1] as: - - -
"Routers are products with digital elements that establish and control the flow of data between different
networks by selecting paths or routes using routing protocol mechanisms and algorithms, typically
operating at the network layer.
This category includes but is not limited to wired and wireless routers, virtual routers and routers with or
without modems.";
"Modems intended for the connection to the Internet are hardware products with digital elements that use
digital modulation and demodulation techniques to convert analogue signals from and to digital signals
for IP-based communication.
This category includes but is not limited to fibre modems, Digital Subscriber Line (DSL) modems, cable
(DOCSIS) modems, satellite modems and cellular modems.";
"Switches are products with digital elements that provide connectivity between networked devices
through traffic forwarding mechanisms typically implemented at the data link layer.
This category includes but is not limited to managed switches, smart switches, multilayer switches,
virtual security switches, programmable switches for software-defined networking and bridges such as
wireless access points.";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with the essential cybersecurity requirements
of Regulation (EU) 2024/2847 [i.1], Annex I Part I, under the conditions identified in Annex A.
NOTE 1: The term "internet" refers to any public network accessible beyond organizational boundaries. Public
networks are accessible to multiple organizations or the general public. Private networks operate under
single organizational control.
Routers, modems intended for connection to the internet, and switches fall within the scope of the present document
when they provide management capabilities. This applies to all deployment forms such as dedicated hardware, virtual
machines, containerized applications, and cloud-native network functions. The intended purpose or reasonably
foreseeable use is to process, forward, or manage network traffic between devices, network segments, or between public
and private networks.
NOTE 2: Unmanaged products with fixed functionality and no configuration interface are excluded from scope, as
they lack the interfaces needed to implement the security controls of the present document.
The present document does not specify protocol conformance requirements, performance specifications, QoS metrics,
or interoperability testing. Security controls for protocol implementation and vulnerability management remain within
scope.
NOTE 3: Products that integrate particular wireless or wired communication technologies, such as Wi-Fi®, cellular,
DECT, and DECT-2020 NR remain within scope when they function as routers, modems intended for
connection to the internet, or switches
Routers, modems intended for connection to the internet, and switches intended for use in the industrial Operational
Technology (OT) domain are excluded from the scope of the present document, see prEN 50770-5 [i.14].
You may comment on any clause of this document. Simply enter the clause number, make your comment and your proposed changed text for each clause, subclause, paragraph, table or figure.
All comments are checked by a moderator before they are made public on the site. This is to ensure that improper language or marketing is not placed on the site – we will not judge or modify technical content. Similarly, we will not correct your grammar or spelling