Cyber Resilience Act (CRA) for routers, modems and switches: guide to EN 304 627

08/07/2026

    What is EN 304 627 under the Cyber Resilience Act?

    EN 304 627 is a draft vertical cybersecurity standard developed to support compliance with the EU Cyber Resilience Act (CRA) for network equipment such as routers, modems intended for internet connection and switches.

    This standard defines product-specific cybersecurity requirements aligned with the CRA essential requirements, enabling manufacturers to assess and demonstrate compliance with the regulation once harmonized.

    It follows the European standardization model where:

    • Horizontal standards define general requirements
    • Vertical standards (such as EN 304 627) adapt them to specific product categories

    Routers and network equipment were historically partially covered under frameworks such as RED, but the CRA significantly expands the scope, covering full lifecycle cybersecurity (design, deployment, vulnerability management).

    The standard is still under development (enquiry draft version 1.0.1), and its final harmonization status will determine whether it provides presumption of conformity with the CRA.

    EN 304 627 scope and applicability

    Which products are covered by EN 304 627?

    The standard applies to routers, modems intended for internet connection, and switches, including both hardware and cloud-based implementations.

    To better understand the scope, these product types can be broken down into the following categories:

    Routers

    Products that establish and control the flow of data between different networks.

    • Wired routers
    • Wireless routers
    • Virtual routers
    • Routers with integrated modems

    Modems

    Hardware products that use digital modulation and demodulation to convert analogue signals into digital signals for internet connection.

    • Fibre modems
    • DSL modems
    • DOCSIS modems
    • Satellite or cellular modems

    Switches

    Products that provide connectivity between devices through traffic forwarding mechanisms, typically at the data link layer.

    • Managed switches
    • Multilayer switches
    • Virtual switches
    • Wireless access points

    Which products are NOT covered?

    The standard explicitly excludes:

    • Unmanaged products: Devices with fixed functionality that do not provide configuration interfaces. These products fall outside the scope because they do not provide interfaces to implement the security controls of this document.
    • Products aimed at use in industrial Operational Technology (OT) environments.

    What category do routers, modems and switches fall into under the CRA?

    These product types are typically classified under network and connectivity infrastructure within the CRA product categorization.

    Depending on their functionality and criticality, they may fall into:

    • Default category
    • Important category (Class I)

    This classification directly affects:

    • The applicable conformity assessment route
    • Whether third-party certification is required

    Why EN 304 627 is critical for CRA compliance

    Routers, modems and switches are core components of digital infrastructure, acting as entry points, traffic control nodes and connectivity layers within networks.

    Their exposure makes them high-value targets for cyberattacks, including unauthorized access, traffic manipulation or Distributed denial-of-service (DDoS) attacks, playing a critical role in overall system security.

    EN 304 627 complements horizontal CRA standards by translating generic cybersecurity requirements into product-specific controls for network equipment. While horizontal standards address common obligations across the product lifecycle, this vertical standard defines the additional technical requirements needed to assess cybersecurity for this specific category.

    Full CRA compliance therefore depends on combining both layers, with EN 304 627 providing the product-level interpretation once harmonized.

    How is EN 304 627 structured / organized?

    Main sections of the EN 304 627 standard

    The structure can be understood through the following key blocks:

    Scope

    • Defines the context of the document
    • Specifies which products are included and excluded

     

    References

    • Lists normative and informative references
    • Provides supporting standards and frameworks

     

    Definitions, symbols and abbreviations

    • Clarifies terminology used throughout the document
    • Ensures consistent interpretation of requirements

     

    Product context

    • Describes product functions, assets and operational environment
    • Provides the basis for risk assessment

     

    Technical requirements

    • Defines the cybersecurity controls applicable to the product
    • Specifies the measures that must be implemented

     

    Assessing cybersecurity requirement compliance

    • Explains how compliance is evaluated
    • Defines required evidence and verification approach

     

    Supporting annexes

    In addition to the main structure, the standard includes annexes that support implementation: 

    • Annex A: Mapping between CRA essential cybersecurity requirements and the standard
    • Annex B: Security analysis and threat modelling
    • Annex K: State-of-the-art cryptography

    Risk assessment framework

    To determine which requirements are applicable to a specific product, the standard provides a threat and vulnerability analysis section which includes the threats and risk factors.

    Baseline risk factors derive from those security properties required for all network products while there are others that may be considered including management access, protocol implementation or data operation risk factors.

    Risk factor assessment methodology is based on determining the applicable threats, considering the applicable risk factors and product context, and they shall be assessed and documented.

    When the assessment has been determined, next step is analyzing which cybersecurity requirements are applicable for mitigation. A table with a mapping between threats, risk factors and requirements is included to understand which requirements have to be applied.

    Cybersecurity requirements in EN 304 627

    The standard defines a comprehensive set of cybersecurity controls: 

    Reference Brief Explanation
    [KEV-1] No known exploitable vulnerabilities Analyze software bill of materials and vulnerabilities on the product and third-party components
    [DEFAULT-1] Secure by default configuration Ensure secure default configuration by enabling only necessary services, enforcing strict access control, authentication, auditing, modern cryptography, least privilege, and secure handling of legacy protocols and diagnostics.
    [RESET-1] Factory reset Ensure a factory reset restores a secure default state, preserves firmware and updates, and removes all sensitive data.
    [UPDATE-1] Update mechanisms Ensure secure update management by requiring authenticated installation, verifying integrity, enabling automatic updates (when needed), tracking versions, and generating audit logs.
    [AUTH-1] Authentication Ensure strong authentication and access security by eliminating default credentials, protecting sensitive data with modern cryptography, enforcing credential strength and failure controls, and securing management access.
    [AUTH-2] Authorization Ensures strict access control by enforcing privilege separation, limiting users to authorized levels, and blocking any unauthorized commands across all management interfaces.
    [AUTH-3] Authenticated session lifecycle Ensures secure session management by using strong cryptography, enforcing timeouts, protecting session data, limiting concurrent sessions, and preventing unauthorized privilege escalation.
    [AUTH-4] Protocol access control Ensures secure management by using strong cryptographic protocols, protecting sessions, limiting access and concurrency, enforcing timeouts, and preventing unauthorized privilege escalation.
    [DATA-1] Confidentiality protection Ensures strong data security by encrypting data at rest and in transit, preventing unauthorized changes, minimizing data processing and retention, and requiring explicit user consent for diagnostics or telemetry collection.
    [AVAIL-1] Availability and resilience Ensures protection against DoS attacks by enforcing rate limiting and connection throttling, enabling automatic recovery, and logging relevant events.
    [INTEGRITY-1] System integrity and boot process Ensures secure boot by verifying integrity with strong cryptography, enforcing a trusted boot chain, protecting recovery modes, and logging all boot activities.
    [PACKET-1] Default packet disposition Drop any packet for which it cannot determine any processing action
    [EXPOSURE-1] Interface and service exposure minimization Ensures only configured services and interfaces are active, with flexible control to enable or disable them as needed.
    [LOG-1] Monitoring and logging Ensures comprehensive audit logging by tracking authentication events, session activities, and any attempts to execute unauthorized commands.
    [TRANSFER-1] Secure data export and transfer Ensures secure data import and export by using encrypted channels, restricting operations to authorized management access, and logging all transfer activities.
    [CRY-SOTA] State of the art cryptography For every cryptographic algorithm, scheme or protocol used by a security mechanism of the product, appropriate evidence is provided demonstrating classification as CRY-SOTA

    Vulnerability handling

    In this enquiry draft version of the standard, there is no explicit reference to the CEN CENELEC EN 40000-1-3 “Cybersecurity requirements for products with digital elements – Vulnerability Handling” or CEN CENELEC EN 40000-1-2 “Cybersecurity requirements for products with digital elements – Principles for cyber resilience” horizontal standards. In future versions of EN 304 627 more details about EN 40000-1-2 and EN 40000-1-3 may be included.

    How to use EN 304 627 to achieve CRA compliance

    The EN 304 627 standard has been created to comply with the CRA and understand the essential cybersecurity requirements for routers, modems intended for the connection to the internet, and switches. The requirements in this document follow a risk-based approach, applying conditionally to ensure that security measures are appropriate to the deployment context and level of threat exposure.

    Routers, modems intended for connection to the internet, and switches must comply with the standard when they provide management capabilities so unmanaged products that function with preset capabilities and do not offer any configuration interface or administrative access are not in scope

    To determine which requirements are applicable to a specific product, the standard provides a threat and vulnerability analysis section which includes the threats and risk factors.

    • Baseline risk factors derive from those security properties required for all network products while there are others that may be considered including management access, protocol implementation or data operation risk factors.
    • Risk factor assessment methodology is based on the applicable threats, considering the applicable risk factors and product context, and they shall be assessed and documented.
    • When the assessment has been determined, next step is analyzing which cybersecurity requirements are applicable for mitigation. A table with a mapping between threats, risk factors and requirements is included to understand which requirements have to be applied.

    FAQs about EN 304 627 and CRA

    Is EN 304 627 mandatory?
    No, but once harmonized, it can provide presumption of conformity with the CRA essential requirements.

    Do all routers need to comply?
    Only those with management functionality and capabilities are in scope of this document.

    Can unmanaged devices be excluded?
    Yes, unmanaged products with fixed functionality and no configuration interface are out of scope.

    Do I need third-party certification?
    It depends on product categorization and availability of harmonized standards.

    How Applus+ Laboratories can support CRA compliance

    Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.

    Cookie settings panel