Draft Details
The present document specifies vulnerability handling activities, technical requirements and corresponding assessment
criteria for firewalls, intrusion detection systems, and intrusion prevention systems related to cybersecurity. The
products with digital elements in scope:
• are specified within the "technical description" of the "category of product" in Class II, point 2 by the
Commission Implementing Regulation (EU) 2025/2392 [i.2] of 28 November 2025 on the technical
description of the categories of important and critical products with digital elements pursuant to Regulation
(EU) 2024/2847 of the European Parliament and of the Council [i.1] as: - - -
"Firewalls are products with digital elements that protect a connected network or system from
unauthorised access by monitoring and restricting data communication traffic to and from that network.
This category includes but is not limited to network firewalls and application firewalls such as web
application firewalls or filters and anti-spam gateways.";
"Intrusion detection systems are products with digital elements that monitor traffic once it has entered the
network environment for suspicious activity and detect or identify that an intrusion has been attempted,
is occurring, or has occurred on a connected network or system.
This category includes but is not limited to network-based intrusion detection systems and host-based
intrusion detection systems.";
"Intrusion prevention systems are products with digital elements composed of an intrusion detection
system that actively responds to an intrusion to a connected network or system.
This category includes but is not limited to network-based intrusion prevention systems and host-based
intrusion prevention systems.";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with the essential cybersecurity requirements
of Regulation (EU) 2024/2847 [i.1], Annex I Part I, under the conditions identified in Annex A.
Firewalls, intrusion detection systems, and intrusion prevention systems fall within the scope of the present document,
whether deployed as physical appliances or software. The present document applies when the intended purpose or
reasonably foreseeable use involves monitoring, analysing, or controlling network traffic for security purposes.
Products that detect access attempts made without authorisation, identify malicious activity, or enforce traffic controls
to protect networks and systems from intrusions are within scope.
Firewalls, intrusion detection systems, and intrusion prevention systems intended for use in the industrial OT
(Operational Technology) domain are excluded from the scope of the present document, see prEN 50770-1 [i.7].
The present document does not specify how products detect threats, classify traffic, or implement inspection algorithms.
Detection accuracy rates, false positive thresholds, and signature effectiveness metrics are outside scope. Security
requirements for the robustness of protocol parsing engines, the integrity of inspection processes, and vulnerability
management remain within scope.
You may comment on any clause of this document. Simply enter the clause number, make your comment and your proposed changed text for each clause, subclause, paragraph, table or figure.
All comments are checked by a moderator before they are made public on the site. This is to ensure that improper language or marketing is not placed on the site – we will not judge or modify technical content. Similarly, we will not correct your grammar or spelling