CRA standards: ETSI publishes first drafts

ETSI has published draft CRA standards covering products from routers to virtualisation. The drafts set out concrete requirements and testable security measures; the key details are summarised below.

Overview of published draft standards

ETSI has made the following draft standards available through its Open Consultation Platform:

  • EN 304 618 – Password Managers (Version 0.0.3, 29.09.2025)
  • EN 304 619 – Antivirus (Version 0.0.5, 30.09.2025)
  • EN 304 623 – Boot Managers (Version 0.0.4, 30.09.2025)
  • EN 304 625 – Network Interfaces (Version 0.0.5, 22.09.2025)
  • EN 304 626 – Operating Systems (Version 0.0.6, 22.09.2025)
  • EN 304 627 – Routers, Modems, Switches (Version 0.0.7, 29.09.2025)
  • EN 304 635 – Virtualisation & Containers (Version 0.0.6, 01.10.2025)

With a total volume of over 400 pages, these documents provide a comprehensive framework, although they will still undergo substantial revisions.

Structural layout of the standards

The ETSI draft standards follow a uniform, four-stage concept that brings clarity and traceability to the cybersecurity requirements:

1. Use cases – realistic deployment scenarios

Each standard begins with concrete use cases that describe typical deployment scenarios for Products With Digital Elements (PWDE).

Example from EN 304 623 (Boot Manager): The use case “Home Modem” describes the typical home environment, existing security measures and expected usage patterns such as web browsing, home office and online gaming. This realistic approach allows manufacturers to place their products in the appropriate context.

2. Threats and risk considerations – threat landscape and risk factors

Building on the use cases, the standards systematically analyse the threat landscape, identify specific risk factors and take product-specific capabilities into account during the risk assessment.

Example from EN 304 626 (Operating Systems): Risk tolerance is classified into four levels – from critical environments (RT-C: high sensitivity, low tolerance) to environments with high risk tolerance (RT-H: negligible potential damage, no expectation of regular security updates). This categorisation considers the product in terms of potential harm and the likelihood of occurrence.

3. Mitigations – security measures and requirements

To address the identified risks, the standards propose various mitigation measures. These include technical requirements and security controls that must be implemented.

An interesting approach can be found in EN 304 627 (Router), which uses “capability-based conditions”: the specific capabilities of a product determine which security requirements are relevant. This enables flexible, product-appropriate application of the standards.

4. Assessment – objective testability

The standards define test criteria to evaluate compliance with the requirements. As emphasised in EN 304 625 (Network Interfaces), requirements should “ideally be objectively testable on a product instance” to enable independent assessments by market surveillance authorities.

Where necessary, “Check-box Requirements” can be used – structured decision trees that provide manufacturers with a framework for documenting the rationale for their compliance.

Implications for practice

This early publication of the drafts by ETSI is notable and offers manufacturers and other stakeholders several advantages:

Early insight: The drafts provide a valuable overview of the direction and scope of the standardisation efforts, even though substantial revisions are still to be expected.

Ability to shape outcomes: The public consultation phase allows industry to actively provide feedback and help shape the final form of the standards.

Planning certainty: Companies can already begin aligning their products and processes with the upcoming requirements.

Recommended action

Manufacturers of affected products should carefully review the draft standards relevant to them and participate in the consultation. Comment templates are available via the ETSI Open Consultation Platform.

Interested parties with questions about contacting the responsible ETSI bodies or submitting comments can reach out to their national standardisation organisations or directly to ETSI TC CYBER-EUSR.

Conclusion

With the publication of these seven draft standards, ETSI makes the abstract requirements of the Cyber Resilience Act tangible and actionable. The structured approach across use cases, risk factors, mitigations and assessment creates a clear framework for manufacturers.

Many thanks to the members of ETSI TC CYBER-EUSR for their work on these important standards. The early opening of the consultation process is a positive sign for transparent and practice-oriented standardisation in the field of cybersecurity.