Security Framework for Fixed and Mobile Telecommunications Network Functions
Vertical standards for security requirements
What does the work you will carry out for the CYBERSTAND SSP consist of?
We will expand ETSI EN 304 642 (Cybersecurity requirements for Network Functions of Telecommunications Systems) beyond mobile networks to cover fixed network infrastructure. The work addresses European broadband security through specifications for DNS servers processing millions of queries, DHCP systems managing IP allocation, Broadband Network Gateways controlling subscriber access, and NAT implementations. Our efforts translate CRA Annex I provisions into technical requirements, provide feedback on drafts, participate in ETSI working groups to build consensus, and develop conformity assessments for continuously operating infrastructure.
What is the expected result and impact of this activity?
This standard will protect Europe's complete telecommunications infrastructure including fixed and mobile networks alike. Fixed networks serving hundreds of millions of broadband connections currently lack the standardized security that frameworks like GSMA NESAS provide for mobile networks. We establish equivalent requirements for fixed infrastructure. The standard ensures consistent security whether citizens connect via fiber, cable, DSL, or mobile. Manufacturers gain clear requirements, operators receive deployment guidance, and regulators obtain enforceable criteria for the complete ecosystem. It supports converged architectures where fixed and mobile share infrastructure, prevents fragmented national requirements, and secures the foundational services of Europe's digital economy.
Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?
We adapt CRA essential requirements to telecommunications infrastructure that operates continuously. Network functions cannot go offline for maintenance; they must be updated without service interruption, unlike consumer devices. We define "secure-by-default" for systems requiring carrier-grade availability, establish vulnerability procedures compatible with extensive testing cycles, and specify access controls for multi-vendor environments where components cross trust boundaries. Network functions must arrive without known vulnerabilities yet maintain telecommunications performance standards. The work balances robust security with 24/7 operational constraints, translating regulatory requirements into standards manufacturers can implement and operators can deploy reliably.
