SIEM Under CRA Class II (EN 304 622)
Security Information and Event Management (SIEM) systems are classified as Important Products Class II, the second-highest classification. This reflects the critical role SIEMs play in organizational security.
Why Class II?
A compromised SIEM is catastrophic:
- Attackers can hide their tracks by manipulating security logs
- False negatives mean real attacks go undetected
- Sensitive security data could be exfiltrated
- The entire security monitoring infrastructure is undermined
Key Requirements
Log Integrity
- Cryptographic integrity protection for stored logs
- Tamper-evident log storage
- Secure log transport (TLS, mutual authentication)
- Access controls on log data
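As an added illustration of the first two items (this is not code from the page or from any SIEM product), a minimal hash-chained, HMAC-protected log store: each record carries the MAC of the record before it, and the verifier holds the key and a copy of the latest chain head. The class name, key and log lines are constructed for the example.

```python
# Added example, not any SIEM product's code: a hash-chained, HMAC-protected append-only
# log in which edits, deletions, reordering and truncation are detectable on verification.
import hashlib, hmac, json

class TamperEvidentLog:
    """Each entry carries the MAC of the entry before it, so altering any record breaks the chain."""
    def __init__(self, key: bytes):
        self._key = key          # held by the verifier (e.g. in an HSM), not the log producer
        self.entries = []        # dicts with keys seq, record, prev, mac

    def _mac(self, seq: int, record: str, prev: str) -> str:
        msg = json.dumps([seq, record, prev], separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def head(self) -> str:
        """Chain head; publish it out-of-band so that deleting the tail is caught."""
        return self.entries[-1]["mac"] if self.entries else "genesis"

    def append(self, record: str) -> None:
        seq, prev = len(self.entries), self.head()
        self.entries.append(dict(seq=seq, record=record, prev=prev, mac=self._mac(seq, record, prev)))

    def verify(self, expected_head=None) -> int:
        """-1 if intact; else index of the first bad entry (len(entries) means the tail was cut)."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            good = self._mac(e["seq"], e["record"], prev)
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], good):
                return i
            prev = e["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.entries)
        return -1

KEY = b"constructed-demo-key-not-for-production"
SAMPLE = ["user=alice action=login src=10.0.0.5", "user=alice action=sudo cmd=/bin/bash",
          "user=alice action=logout"]  # constructed log lines

def demo() -> tuple:
    log = TamperEvidentLog(KEY)
    for line in SAMPLE:
        log.append(line)
    published = log.head()             # stored where the log host cannot write
    intact = log.verify(published)     # -1: every entry and the head check out
    del log.entries[-1]                # drop the newest record
    truncated = log.verify(published)  # 2: entries fine, head mismatch
    log.entries[1]["record"] = "user=alice action=idle"  # rewrite the sudo line
    edited = log.verify(published)     # 1: first entry whose MAC no longer matches
    return intact, truncated, edited
```

Without the published head, a chain alone cannot tell a truncated log from a short one, which is why the head is checked separately.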
Detection Quality
- Documented detection capabilities and coverage
- Regular rule/signature updates (signed)
- False positive/negative rate documentation
- Threat intelligence integration
Availability
- High availability architecture
- Graceful degradation under load
- Alert on SIEM health issues
- No security gaps during updates
Conformity Assessment
Class II products may require third-party assessment. SIEM vendors should:
- Engage with ETSI EN 304 622 development
- Plan for potential third-party certification costs (€20K-100K)
- Begin conformity documentation now
- Prepare for ongoing assessment as the product evolves
Building or deploying SIEM solutions? I help organizations navigate CRA Class II compliance. Get in touch.
