This project aims at supporting presumption of conformity of products defined as ‘Hardware Devices with Security Boxes’ (HWSB) under Annex IV, CRA (regulation 2024/2487). HWSB covers hardware products with digital elements that incorporate a hardware physical envelope providing countermeasures against physical attacks, including tamper evidence, resistance or response, and that are designed to securely store, process, and manage sensitive data and cryptographic operations.
This category includes but is not limited to payment terminals, hardware security modules, and tachographs that meet the above definition.
This project deals with already regulated products as well as unregulated and general-purpose products. The aim is to cover a broad set of products with general requirements that ensure CRA compliance according to the relevant risk profile as well as representative canonical use cases.
This project may mention deliverables prepared by other organisations than ISO/IEC.
This document covers line 39 of the CRA standardisation request and provides:
General description of products and their components belonging to the HWSB category, including, amongst others:
o A structured description of that product category:
Common characteristics of HWSB products with a hardware envelope, internal HW and SW
Description of representative products using these common characteristics
o Identification of the various types of HWSB;
o Intended purpose and reasonably foreseeable use;
o Identification of the HWSB which are excluded from that category;
o Delineation and interplay with the other categories in which HWSB could fall.
Description of the typical life cycle;
Scope of application and relevance of cybersecurity essential requirements;
Definition of applicable risk profiles to be considered for these HWSB, which will define the security requirements and assessment methodologies to be applied;
Applicable security requirements ensuring fulfillment of the essential requirements for each risk profile;
Criteria to determine the applicable risk profile.
A base document is provided:
defining the risk profiles;
identifying initial cybersecurity requirements.