VPN Software Under the CRA (EN 304 620)
VPN software is classified as Important Products Class I. Given the sensitive nature of VPN traffic, the CRA imposes specific security requirements.
Key Requirements
Encryption Standards
- Minimum TLS 1.3 for control plane
- AES-256-GCM or ChaCha20-Poly1305 for data plane
- Forward secrecy mandatory (ECDHE key exchange)
- No fallback to weak ciphers
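The control-plane requirements above can be pinned in code rather than left to defaults. The following Go program is an added example (not code from the page or from any VPN vendor) using the standard library's crypto/tls: it builds a hardened server configuration with a TLS 1.3 floor, a legacy configuration that still accepts TLS 1.0 for contrast, and runs loopback handshakes to show that a TLS 1.2-only peer is refused by the hardened server. The hostname, certificate and port are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewLoopbackCert builds a throwaway self-signed ECDSA certificate so the demo
// runs offline. A real control plane uses CA-issued certificates.
func NewLoopbackCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn-control.example"}, // constructed hostname
		DNSNames:     []string{"vpn-control.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HardenedServerConfig pins the control plane to TLS 1.3. Every TLS 1.3 suite is an
// AEAD with (EC)DHE key exchange, so the version floor alone removes static-RSA
// key transport and non-AEAD ciphers: there is nothing weak left to fall back to.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// LegacyServerConfig is the weak setting for contrast: it negotiates down to TLS 1.0.
func LegacyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// ClientConfig trusts the loopback certificate and offers at most maxVersion,
// which simulates a legacy or downgraded peer.
func ClientConfig(pool *x509.CertPool, maxVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: "vpn-control.example", MaxVersion: maxVersion}
}

// IsTLS13Suite reports whether a negotiated suite is one of the three TLS 1.3 AEADs.
func IsTLS13Suite(suite uint16) bool {
	switch suite {
	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256:
		return true
	}
	return false
}

// Handshake runs one TLS handshake over a loopback TCP socket and returns the state
// the client negotiated, or the error it saw (for example a protocol_version alert).
func Handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stuck peer
		srvErr <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, client)
	clientErr := cli.Handshake()
	serverErr := <-srvErr
	if clientErr != nil {
		return tls.ConnectionState{}, clientErr
	}
	if serverErr != nil {
		return tls.ConnectionState{}, serverErr
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert, pool, err := NewLoopbackCert()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name           string
		server, client *tls.Config
	}{
		{"hardened server, TLS 1.3 client", HardenedServerConfig(cert), ClientConfig(pool, tls.VersionTLS13)},
		{"hardened server, TLS 1.2-only client", HardenedServerConfig(cert), ClientConfig(pool, tls.VersionTLS12)},
		{"legacy server, TLS 1.2-only client", LegacyServerConfig(cert), ClientConfig(pool, tls.VersionTLS12)},
	}
	for _, c := range cases {
		state, err := Handshake(c.server, c.client)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-40s version=%#04x suite=%s\n", c.name, state.Version, tls.CipherSuiteName(state.CipherSuite))
	}
}
```

One caveat worth knowing when mapping this to the list above: Go does not let a server exclude individual TLS 1.3 suites, so TLS_AES_128_GCM_SHA256 can still be negotiated on the control channel. The AES-256-GCM / ChaCha20-Poly1305 requirement is about the data plane, which the tunnel protocol negotiates separately from this TLS session.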
Authentication
- Certificate-based authentication support
- Multi-factor authentication capability
- No default credentials
- Secure credential storage
Data Protection
- No logging of traffic content by default
- Minimal metadata collection
- DNS leak prevention: force DNS through the VPN tunnel
- Kill switch: block traffic if the VPN disconnects
Update Mechanism
- Signed updates with cryptographic verification
- Auto-update capability
- Rollback protection
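Signed updates and rollback protection are two separate checks on the client, and the order in which they run matters. The Go program below is an added example (not the page's or any vendor's update code) that shows both: a manifest carrying the product name, a monotonic version counter and the payload hash is signed with Ed25519 by the release pipeline, and the client verifies the signature before it trusts any field, refuses versions not newer than the installed one, and binds the downloaded payload to the signed hash. The product name, version numbers and payload bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update. The signature covers the canonical encoding of
// every field, so version and hash cannot be altered independently of each other.
type Manifest struct {
	Product    string
	Version    uint64   // monotonically increasing build counter
	PayloadSHA [32]byte // SHA-256 of the update binary
}

// canonical returns the fixed-layout bytes that get signed: a 2-byte length-prefixed
// product name, big-endian version, then the hash. A fixed layout leaves no room
// for two different manifests to serialize to the same bytes.
func (m Manifest) canonical() []byte {
	var buf [10]byte
	binary.BigEndian.PutUint16(buf[:2], uint16(len(m.Product)))
	binary.BigEndian.PutUint64(buf[2:], m.Version)
	b := append(buf[:2:2], m.Product...)
	b = append(b, buf[2:]...)
	return append(b, m.PayloadSHA[:]...)
}

var (
	ErrBadSignature = errors.New("update: manifest signature does not verify")
	ErrWrongProduct = errors.New("update: manifest is for a different product")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrPayloadHash  = errors.New("update: payload hash does not match the signed manifest")
)

// NewSigningKey generates an Ed25519 key pair. Constructed for the demo; in
// production the private half lives on an offline signing host or in an HSM.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// MakeUpdate is the release-pipeline side: hash the payload, fill the manifest, sign it.
func MakeUpdate(priv ed25519.PrivateKey, product string, version uint64, payload []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.canonical())
}

// Verify is the client side. The signature is checked first so that no unsigned
// field influences a later decision; then product binding, then rollback, then
// the payload is tied to the manifest. Only the embedded public key is trusted.
func Verify(pub ed25519.PublicKey, m Manifest, sig, payload []byte, product string, installed uint64) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.Product != product {
		return ErrWrongProduct
	}
	if m.Version <= installed {
		return ErrRollback // an older signed release is still a valid signature, but not a valid update
	}
	sum := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(sum[:], m.PayloadSHA[:]) != 1 {
		return ErrPayloadHash
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update binary, build 42") // stands in for the real binary
	m, sig := MakeUpdate(priv, "example-vpn", 42, payload)
	fmt.Println("genuine update over build 41:   ", Verify(pub, m, sig, payload, "example-vpn", 41))
	fmt.Println("tampered payload:               ", Verify(pub, m, sig, []byte("not the signed binary"), "example-vpn", 41))
	fmt.Println("replay of an already-installed: ", Verify(pub, m, sig, payload, "example-vpn", 42))
	edited := m
	edited.Version = 99 // bumping the version after signing invalidates the signature
	fmt.Println("version edited after signing:   ", Verify(pub, edited, sig, payload, "example-vpn", 41))
}
```

The installed version the client compares against must itself be stored somewhere an attacker cannot simply lower (for example alongside the verified manifest in a protected location); otherwise rollback protection reduces to a signature check on whatever old release is re-offered.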
For Enterprise VPN Deployments
If your organization deploys VPN software:
- The VPN vendor is the manufacturer (CRA applies to them)
- You should verify your vendor's CRA compliance roadmap
- Request SBOMs and vulnerability handling documentation
- Include CRA compliance in procurement criteria
SBOM Requirements
VPN software SBOMs must include:
- Cryptographic libraries (OpenSSL, BoringSSL, WireGuard kernel module)
- Network stack components
- Authentication modules
- UI frameworks
- All transitive dependencies
Developing or deploying VPN software in the EU? I help organizations prepare for EN 304 620 compliance. Get in touch.
