【EU CRA】 EN 304 627 Final Draft Released, Clarifying Security Requirements for Network Devices

🔍 5 Key Updates in the Final Draft

Compared to previous versions, the Final Draft refines and strengthens the security framework through several key aspects:

• Clearer Scope: Further refines product definitions and deployment contexts across Consumer, Enterprise, and Service Provider settings (including physical and virtual devices).
• Concrete SBOM & Vulnerability Requirements: Manufacturers must maintain a machine-readable Software Bill of Materials (SBOM) for each release and check for known exploitable vulnerabilities prior to launch.
• Refined Secure-by-Default Configuration: Explicitly demands that only necessary interfaces are enabled by default, diagnostic ports are disabled, and strict logging for legacy protocols is implemented.
• New Dedicated Cryptography Annex (Annex K): Introduces normative requirements specifically outlining acceptable cryptographic algorithms and protocols for network devices.
• Structured Assessment Framework: Organizes assessment criteria into actionable objectives, activities, and evidence, making it easier for manufacturers and test labs to prepare technical documentation.

The transition towards mandatory cybersecurity compliance under the EU CRA is accelerating. From ETSI EN 304 627 for network devices to EN 18031, EN 303 645, and industrial IEC 62443, the regulatory landscape demands robust “Security by Design.”

---

For further inquiries, please contact:
Email：Charles.liao@theonelab.co
Phone：(02)8601-2828