EN 304 627 is a draft vertical cybersecurity standard developed to support compliance with the EU Cyber Resilience Act (CRA) for network equipment such as routers, modems intended for internet connection and switches.
This standard defines product-specific cybersecurity requirements aligned with the CRA essential requirements, enabling manufacturers to assess and demonstrate compliance with the regulation once harmonized.
It follows the European standardization model where:
Routers and network equipment were historically partially covered under frameworks such as RED, but the CRA significantly expands the scope, covering full lifecycle cybersecurity (design, deployment, vulnerability management).
The standard is still under development (enquiry draft version 1.0.1), and its final harmonization status will determine whether it provides presumption of conformity with the CRA.
The standard applies to routers, modems intended for internet connection, and switches, including both hardware and cloud-based implementations.
To better understand the scope, these product types can be broken down into the following categories:
Products that establish and control the flow of data between different networks.
Hardware products that use digital modulation and demodulation to convert analogue signals into digital signals for internet connection.
Products that provide connectivity between devices through traffic forwarding mechanisms, typically at the data link layer.
The standard explicitly excludes:
These product types are typically classified under network and connectivity infrastructure within the CRA product categorization.
Depending on their functionality and criticality, they may fall into:
This classification directly affects:
Routers, modems and switches are core components of digital infrastructure, acting as entry points, traffic control nodes and connectivity layers within networks.
Their exposure makes them high-value targets for cyberattacks, including unauthorized access, traffic manipulation or Distributed denial-of-service (DDoS) attacks, playing a critical role in overall system security.
EN 304 627 complements horizontal CRA standards by translating generic cybersecurity requirements into product-specific controls for network equipment. While horizontal standards address common obligations across the product lifecycle, this vertical standard defines the additional technical requirements needed to assess cybersecurity for this specific category.
Full CRA compliance therefore depends on combining both layers, with EN 304 627 providing the product-level interpretation once harmonized.
The structure can be understood through the following key blocks:
Scope
References
Definitions, symbols and abbreviations
Product context
Technical requirements
Assessing cybersecurity requirement compliance
In addition to the main structure, the standard includes annexes that support implementation:
To determine which requirements are applicable to a specific product, the standard provides a threat and vulnerability analysis section which includes the threats and risk factors.
Baseline risk factors derive from those security properties required for all network products while there are others that may be considered including management access, protocol implementation or data operation risk factors.
Risk factor assessment methodology is based on determining the applicable threats, considering the applicable risk factors and product context, and they shall be assessed and documented.
When the assessment has been determined, next step is analyzing which cybersecurity requirements are applicable for mitigation. A table with a mapping between threats, risk factors and requirements is included to understand which requirements have to be applied.
The standard defines a comprehensive set of cybersecurity controls:
| Reference | Brief Explanation |
|---|---|
| [KEV-1] No known exploitable vulnerabilities | Analyze software bill of materials and vulnerabilities on the product and third-party components |
| [DEFAULT-1] Secure by default configuration | Ensure secure default configuration by enabling only necessary services, enforcing strict access control, authentication, auditing, modern cryptography, least privilege, and secure handling of legacy protocols and diagnostics. |
| [RESET-1] Factory reset | Ensure a factory reset restores a secure default state, preserves firmware and updates, and removes all sensitive data. |
| [UPDATE-1] Update mechanisms | Ensure secure update management by requiring authenticated installation, verifying integrity, enabling automatic updates (when needed), tracking versions, and generating audit logs. |
| [AUTH-1] Authentication | Ensure strong authentication and access security by eliminating default credentials, protecting sensitive data with modern cryptography, enforcing credential strength and failure controls, and securing management access. |
| [AUTH-2] Authorization | Ensures strict access control by enforcing privilege separation, limiting users to authorized levels, and blocking any unauthorized commands across all management interfaces. |
| [AUTH-3] Authenticated session lifecycle | Ensures secure session management by using strong cryptography, enforcing timeouts, protecting session data, limiting concurrent sessions, and preventing unauthorized privilege escalation. |
| [AUTH-4] Protocol access control | Ensures secure management by using strong cryptographic protocols, protecting sessions, limiting access and concurrency, enforcing timeouts, and preventing unauthorized privilege escalation. |
| [DATA-1] Confidentiality protection | Ensures strong data security by encrypting data at rest and in transit, preventing unauthorized changes, minimizing data processing and retention, and requiring explicit user consent for diagnostics or telemetry collection. |
| [AVAIL-1] Availability and resilience | Ensures protection against DoS attacks by enforcing rate limiting and connection throttling, enabling automatic recovery, and logging relevant events. |
| [INTEGRITY-1] System integrity and boot process | Ensures secure boot by verifying integrity with strong cryptography, enforcing a trusted boot chain, protecting recovery modes, and logging all boot activities. |
| [PACKET-1] Default packet disposition | Drop any packet for which it cannot determine any processing action |
| [EXPOSURE-1] Interface and service exposure minimization | Ensures only configured services and interfaces are active, with flexible control to enable or disable them as needed. |
| [LOG-1] Monitoring and logging | Ensures comprehensive audit logging by tracking authentication events, session activities, and any attempts to execute unauthorized commands. |
| [TRANSFER-1] Secure data export and transfer | Ensures secure data import and export by using encrypted channels, restricting operations to authorized management access, and logging all transfer activities. |
| [CRY-SOTA] State of the art cryptography | For every cryptographic algorithm, scheme or protocol used by a security mechanism of the product, appropriate evidence is provided demonstrating classification as CRY-SOTA |
In this enquiry draft version of the standard, there is no explicit reference to the CEN CENELEC EN 40000-1-3 “Cybersecurity requirements for products with digital elements – Vulnerability Handling” or CEN CENELEC EN 40000-1-2 “Cybersecurity requirements for products with digital elements – Principles for cyber resilience” horizontal standards. In future versions of EN 304 627 more details about EN 40000-1-2 and EN 40000-1-3 may be included.
The EN 304 627 standard has been created to comply with the CRA and understand the essential cybersecurity requirements for routers, modems intended for the connection to the internet, and switches. The requirements in this document follow a risk-based approach, applying conditionally to ensure that security measures are appropriate to the deployment context and level of threat exposure.
Routers, modems intended for connection to the internet, and switches must comply with the standard when they provide management capabilities so unmanaged products that function with preset capabilities and do not offer any configuration interface or administrative access are not in scope
To determine which requirements are applicable to a specific product, the standard provides a threat and vulnerability analysis section which includes the threats and risk factors.
Is EN 304 627 mandatory?
No, but once harmonized, it can provide presumption of conformity with the CRA essential requirements.
Do all routers need to comply?
Only those with management functionality and capabilities are in scope of this document.
Can unmanaged devices be excluded?
Yes, unmanaged products with fixed functionality and no configuration interface are out of scope.
Do I need third-party certification?
It depends on product categorization and availability of harmonized standards.
Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.
They allow the operation of the website, loading media content and its security. See the cookies we store in our Cookies Policy.
They allow us to know how you interact with the website, the number of visits in the different sections and to create statistics to improve our business practices. See the cookies we store in our Cookies Policy.
Based on your behavior on the website (where you click, how long you browse, etc.) we establish parameters and a profile for you to display ads that correspond to your interests. See the cookies we store in our Cookies Policy.