The present document specifies technical requirements and corresponding assessment criteria for Virtualisation Execution Stack (VES) and Container Execution Stack (CES) products, including hypervisors and container runtime systems, related to cybersecurity. The products with digital elements in scope, thereafter referred to as the "product":
• are specified within the "technical description" of the "category of product" in Class II, point 1 by the Commission Implementing Regulation (EU) 2025/2392 as:
"Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the Regulation (EU) 2024/2847, Annex I, Part I under the conditions identified in Annex A.
Commission Implementing Regulation (EU) 2025/2392 identifies hypervisors and container runtime systems as core components. However, actual market products typically include additional elements beyond the hypervisor kernel or container runtime binary. These additional components provide essential management, orchestration, and operational capabilities that are necessary for real-world deployment and are therefore included within the scope of the present document.
The present document addresses the CRA Class II, point 1 product category within the following product contexts:
• Virtualisation Execution Stack (VES) for hypervisor-based environments; and
• Container Execution Stack (CES) for container-based environments.
The corresponding terms and definitions are provided in clause 3. The architectural decomposition, in-scope components, and security-relevant environmental dependencies are specified in clause 4.
Accordingly, the present document defines security requirements not only for the core execution systems identified in the CRA but also for the broader product context in which these systems are deployed, ensuring alignment with market reality and comprehensive coverage of security risks. The Management and Orchestration (M&O) System, Container Engine (CE), and Container Orchestrator (CO) are covered by the present document and are in scope only where they are developed or provided by the manufacturer, or under the responsibility of the manufacturer, as part of the declared product.
Any usage of AI agents is out of scope of the present document.
Where the product includes or depends on components that are outside the scope of the present document, the applicable requirements are to be addressed through the relevant operational-environment provisions or other relevant harmonised standards, as identified in clause 4.3.
Required fields are indicated with *