The present document specifies technical requirements and corresponding assessment criteria for password managers related to cybersecurity. The products with digital elements in scope, thereafter "the product":
• are specified within the "technical description" of the "category of product" number "NN" by the Commission Implementing Regulation (EU) 2025/2392 as:
"Products with digital elements that store passwords, locally on a device or on a remote server, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.
This category includes but is not limited to local password managers, password managers provided as browser extensions, enterprise password managers as well as hardware-based password managers".
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the Regulation (EU) 2024/2847, Annex I Part I under the conditions identified in annex A.
Password Managers: a subset of identity and access management systems. For other types of authentication mechanisms, see the IAM standard prEN 40000-10 currently drafted by CEN TC 224. Consult clause 3.1 for the product definition.
Required fields are indicated with *