OPC Unified architecture - Part 21: Device onboarding (IEC 62541-21:2026)

IEC 62541-21:2026 defines the life cycle of Devices and Composites and mechanisms to verify their authenticity, set up their security and maintain their configuration.
The NodeIds of all Nodes described in this standard are only symbolic names. Annex A defines the NamespaceUri for all NodeIds and the actual NodeIds.

Title in the other official languages: German, OPC Unified Architecture – Teil 21: Onboarding von Geräten (IEC 62541-21:2026); French, Architecture unifiée OPC - Partie 21: Mise en service d'appareils (IEC 62541-21:2026); Slovenian, Enotna arhitektura OPC - 21. del: Vzpostavitev naprav (IEC 62541-21:2026). The French and Slovenian scope statements are translations of the English scope above.

General Information

Status
Published
Public Enquiry End Date
30-Mar-2024
Publication Date
12-Apr-2026
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
24-Feb-2026
Due Date
01-May-2026
Completion Date
13-Apr-2026

Relations

Inter-standard links to 15 other SIST EN IEC 62541 parts (listed under Frequently Asked Questions below), each with Effective Date 03-Feb-2026.

Overview

The standard, circulated for enquiry as oSIST prEN IEC 62541-21:2024 and now published as SIST EN IEC 62541-21:2026 (OPC Unified Architecture - Part 21: Device Onboarding), specifies how Devices are securely integrated into industrial and IT systems. Prepared by IEC SC 65E and approved by CENELEC through the IEC-CENELEC parallel vote, it establishes standardized practices for device onboarding in OPC Unified Architecture (OPC UA) environments.

The standard emphasizes device lifecycle management, secure authentication methods, and seamless onboarding workflows necessary to ensure devices can be trusted, configured, and maintained throughout their operational lifetime. It supports a diverse range of industrial process control and IT applications in industry, targeting enhanced interoperability and security.

Key Topics

  • Device Lifecycle and Onboarding Model
    prEN IEC 62541-21 outlines detailed stages of a device’s lifecycle including distribution, onboarding, application setup, configuration, operation, and decommissioning. This structured approach ensures devices are reliably and securely integrated from first use to end of service.

  • Security Concepts and Roles
    Clause 4.2 covers SecureElements (hardware that protects private keys from unauthorized access and disclosure), firmware and Applications, transfer of physical control, Trust on First Use (TOFU), the SoftwareUpdateManager, and the well-known Roles and Privileges that govern what each actor may do during onboarding.

  • Identity and Authentication
    Central to secure onboarding, the standard specifies identity management approaches including individual Device identities, Composite identities and the ProductInstanceUri that the manufacturer assigns to each Device. It details ticket semantics: a Ticket is a digitally signed document that identifies a Device or Composite, and the standard covers how Tickets are distributed, acquired and validated before a Device is authenticated.

  • Device Authentication Models
    Clause 7 describes Device authentication under two management models: Pull Management, in which a DCA Client connects to the Registrar, and Push Management, in which the Registrar connects to a DCA Server. Both cover requesting and updating the Device's certificates and suit different network topologies and security requirements. Alternate authentication models are also described for further use cases.

  • Information and Namespace Modeling
    The Information Model defines the Registrar (DeviceRegistrarType and DeviceRegistrarAdminType, with methods such as ProvideIdentities, RegisterDeviceEndpoint and RegisterTickets), the Device Configuration Application (ProvisionableDeviceType with RequestTickets and SetRegistrarEndpoints) and the related audit event types. Annex A standardizes the namespace and NodeIds so that implementations interoperate.

Applications

This standard is designed for practical implementation in industrial automation, process control, and IT systems integrating smart devices and equipment. Typical applications include:

  • Industrial Process Control Systems
    Secure onboarding and configuration of sensors, actuators, and controllers within complex manufacturing and processing facilities.

  • IT Solutions in Industry
    Integration of IT-managed devices into enterprise systems, ensuring reliable identity management and access control.

  • Industrial IoT Deployments
    Managing large-scale deployment of intelligent edge devices with trusted device identity and streamlined onboarding workflows.

  • Asset Management and Maintenance
    Enabling secure firmware updates, device status monitoring, and lifecycle tracking to optimize equipment reliability.

By facilitating secure and standardized onboarding, the standard helps reduce integration risks, improve operational security, and simplify device management throughout their lifecycle.

Related Standards

SIST EN IEC 62541-21:2026 (drafted as oSIST prEN IEC 62541-21:2024) is part of the broader OPC Unified Architecture series (IEC 62541), which covers interoperable communication frameworks for industrial automation. Related standards provide complementary coverage on topics such as:

  • OPC UA Core Specifications
  • Security and Communication Protocols in OPC UA
  • Information Modeling
  • Device and System Integration

Implementers should consider these related IEC 62541 parts to ensure comprehensive and interoperable OPC UA solutions.


Keywords: OPC Unified Architecture, device onboarding, IEC 62541-21, device lifecycle, secure device integration, device authentication, industrial automation, IT in industry, OPC UA security, onboarding workflows, industrial IoT, device identity management.

Buy Documents

Standard: SIST EN IEC 62541-21:2026 (colour edition), English language, 58 pages.
Frequently Asked Questions

SIST EN IEC 62541-21:2026 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "OPC Unified architecture - Part 21: Device onboarding (IEC 62541-21:2026)". This standard covers: IEC 62541-21:2026 defines the life cycle of Devices and Composites and mechanisms to verify their authenticity, set up their security and maintain their configuration. The NodeIds of all Nodes described in this standard are only symbolic names. Annex A defines the NamespaceUri for all NodeIds and the actual NodeIds.


SIST EN IEC 62541-21:2026 is classified under the following ICS (International Classification for Standards) categories: 25.040 - Industrial automation systems; 25.040.40 - Industrial process measurement and control; 35.240.50 - IT applications in industry. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN IEC 62541-21:2026 has inter-standard links to SIST EN IEC 62541-6:2026, SIST EN IEC 62541-22:2026, SIST EN IEC 62541-12:2020, SIST EN IEC 62541-6:2020, SIST EN IEC 62541-2:2026, SIST EN IEC 62541-3:2026, SIST EN IEC 62541-9:2020, SIST EN IEC 62541-12:2026, SIST EN IEC 62541-1:2026, SIST EN IEC 62541-100:2026, SIST EN IEC 62541-5:2020, SIST EN IEC 62541-5:2026, SIST EN IEC 62541-3:2020, SIST EN IEC 62541-4:2020, SIST EN IEC 62541-4:2026. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2026
Enotna arhitektura OPC - 21. del: Vzpostavitev naprav (IEC 62541-21:2026)
OPC Unified architecture - Part 21: Device onboarding (IEC 62541-21:2026)
OPC Unified Architecture – Teil 21: Onboarding von Geräten (IEC 62541-21:2026)
Architecture unifiée OPC - Partie 21: Mise en service d'appareils (IEC 62541-21:2026)
This Slovenian standard is identical to: EN IEC 62541-21:2026
ICS:
25.040.40 Industrial process measurement and control
35.240.50 IT applications in industry
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

EUROPEAN STANDARD EN IEC 62541-21
February 2026
ICS 25.040
English Version
OPC Unified architecture - Part 21: Device Onboarding (IEC 62541-21:2026)
French title: Architecture unifiée OPC - Partie 21: Mise en service d'appareils (IEC 62541-21:2026)
German title: OPC Unified Architecture - Teil 21: Onboarding von Geräten (IEC 62541-21:2026)
This European Standard was approved by CENELEC on 2026-02-09. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Türkiye and the United Kingdom.

European Committee for Electrotechnical Standardization
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2026 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN IEC 62541-21:2026 E

European foreword
The text of document 65E/1046/CDV, future edition 1 of IEC 62541-21, prepared by SC 65E "Devices
and integration in enterprise systems" of IEC/TC 65 "Industrial-process measurement, control and
automation" was submitted to the IEC-CENELEC parallel vote and approved by CENELEC as
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2027-02-28
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2029-02-28
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62541-21:2026 was approved by CENELEC as a European
Standard without any modification.
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1  Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2  Up-to-date information on the latest versions of the European Standards listed in this annex is available
here: www.cencenelec.eu.
Publication | Year | Title | EN/HD | Year
IEC 62541-1 | - | OPC Unified Architecture - Part 1: Overview and concepts | EN IEC 62541-1 | -
IEC 62541-2 | - | OPC unified architecture - Part 2: Security model | EN IEC 62541-2 (1) | -
IEC 62541-3 | - | OPC Unified Architecture - Part 3: Address Space Model | EN IEC 62541-3 | -
IEC 62541-4 | - | OPC unified architecture - Part 4: Services | EN IEC 62541-4 | -
IEC 62541-5 | - | OPC Unified architecture - Part 5: Information Model | EN IEC 62541-5 | -
IEC 62541-6 | - | OPC unified architecture - Part 6: Mappings | EN IEC 62541-6 | -
IEC 62541-9 | - | OPC Unified Architecture - Part 9: Alarms and Conditions | EN IEC 62541-9 | -
IEC 62541-12 | - | OPC unified architecture - Part 12: Discovery and global services | EN IEC 62541-12 | -
IEC 62541-22 | - | OPC unified architecture - Part 22: Base Network Model | EN IEC 62541-22 | -
IEC 62541-100 | - | OPC unified architecture - Part 100: Devices | EN IEC 62541-100 | -
IEEE Std 802.1AR-2018 | - | IEEE Standard for Local and Metropolitan Area Networks - Secure Device Identity | - | -
IETF RFC 2045 | - | Multipurpose Internet Mail Extensions (MIME) Part 1: Format of Internet Message Bodies | - | -
IETF RFC 4648 | - | The Base16, Base32, and Base64 Data Encodings | - | -
IETF RFC 5280 | - | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | - | -
IETF RFC 7515 | - | JSON Web Signature (JWS) | - | -
IETF RFC 7518 | - | JSON Web Algorithms (JWA) | - | -
(1) Under preparation. Stage at the time of publication: FprEN IEC 62541-2:2025.

IEC 62541-21
Edition 1.0 2026-01
INTERNATIONAL STANDARD
OPC Unified architecture – Part 21: Device Onboarding
ICS 25.040  ISBN 978-2-8327-0847-7

IEC 62541-21:2026-01(en)
IEC 62541-21:2026 © IEC 2026
CONTENTS
FOREWORD
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Onboarding Model
4.1 Device lifecycle
4.2 Concepts
4.2.1 Secure elements
4.2.2 Firmware and Applications
4.2.3 Transfer of physical control
4.2.4 Trust on first use (TOFU)
4.2.5 SoftwareUpdateManager
4.2.6 Roles and privileges
4.3 Device workflows
4.3.1 Distribution
4.3.2 Onboarding
4.3.3 Application setup
4.3.4 Configuration
4.3.5 Operation
4.3.6 Decommissioning
5 Identities
5.1 Overview
5.2 Device identity
5.3 ProductInstanceUri
5.4 Composite identity
6 Ticket semantics
6.1 Tickets
6.2 Ticket distribution
6.3 Authentication
6.4 Acquiring and validating tickets
7 Device Authentication
7.1 Overview
7.2 Pull Management
7.3 Push Management
7.4 Alternate authentication models
8 Ticket syntax
8.1 Signed ticket encoding
8.2 Ticket Types
8.2.1 EncodedTicket
8.2.2 BaseTicketType
8.2.3 DeviceIdentityTicketType
8.2.4 CompositeIdentityTicketType
8.2.5 TicketListType
8.2.6 CertificateAuthorityType
9 Information Model
9.1 Overview
9.2 Registrar
9.2.1 Overview
9.2.2 DeviceRegistrarType
9.2.3 ProvideIdentities
9.2.4 UpdateSoftwareStatus
9.2.5 RegisterDeviceEndpoint
9.2.6 GetManagers
9.2.7 ManagerDescription
9.2.8 RegisterManagedApplication
9.2.9 DeviceRegistrar
9.2.10 DeviceRegistrarAdminType
9.2.11 RegisterTickets
9.2.12 UnregisterTickets
9.2.13 DeviceRegistrationAuditEventType
9.2.14 DeviceIdentityAcceptedAuditEventType
9.2.15 DeviceSoftwareUpdatedAuditEventType
9.3 Device Configuration Application (DCA)
9.3.1 Overview
9.3.2 ProvisionableDevice
9.3.3 ProvisionableDeviceType
9.3.4 RequestTickets
9.3.5 SetRegistrarEndpoints
9.3.6 ApplicationConfigurationType
10 Namespaces
10.1 Namespace Metadata
10.2 Handling of OPC UA Namespaces
Annex A (normative) Namespaces and Identifiers
A.1 Namespace and Identifiers for the Onboarding Information Model
A.2 Capability Identifier
Bibliography

Figure 1 – The Lifecycle of a Device
Figure 2 – Device hardware and software layers
Figure 3 – Possible Transfers of physical control
Figure 4 – Relationship between Devices, Actors, Identifiers and Tickets
Figure 5 – Device Authentication using Pull Management
Figure 6 – Requesting Certificates using Pull Management
Figure 7 – Device Authentication using Push Management
Figure 8 – Updating Certificates using Push Management
Figure 9 – Alternate authentication models with Pull Management
Figure 10 – Registrar Address Space for Onboarding Workflow
Figure 11 – Device Address Space for Onboarding Workflows

Table 1 – The Actors in the Device Lifecycle
Table 2 – The Stages in the Device Lifecycle
Table 3 – Well-known Roles for Onboarding
Table 4 – Privileges for Onboarding
Table 5 – RFC 7515 Header Fields
Table 6 – EncodedTicket Definition
Table 7 – BaseTicketType Structure
Table 8 – BaseTicketType Definition
Table 9 – DeviceIdentityTicketType Structure
Table 10 – DeviceIdentityTicketType Definition
Table 11 – CompositeIdentityTicketType Structure
Table 12 – CompositeIdentityTicketType Definition
Table 13 – TicketListType Structure
Table 14 – TicketListType Definition
Table 15 – CertificateAuthorityType Structure
Table 16 – CertificateAuthorityType Definition
Table 17 – DeviceRegistrarType Definition
Table 18 – ProvideIdentities Method AddressSpace Definition
Table 19 – UpdateSoftwareStatus Method AddressSpace Definition
Table 20 – RegisterDeviceEndpoint Method AddressSpace Definition
Table 21 – GetManagers Method AddressSpace Definition
Table 22 – ManagerDescription Structure
Table 23 – ManagerDescription Definition
Table 24 – RegisterManagedApplication Method AddressSpace Definition
Table 25 – DeviceRegistrar Definition
Table 26 – DeviceRegistrarAdminType Definition
Table 27 – RegisterTickets Method AddressSpace Definition
Table 28 – UnregisterTickets Method AddressSpace Definition
Table 29 – DeviceRegistrationAuditEventType Definition
Table 30 – DeviceIdentityAcceptedAuditEventType Definition
Table 31 – DeviceSoftwareUpdatedAuditEventType Definition
Table 32 – ProvisionableDevice Object Definition
Table 33 – ProvisionableDeviceType Definition
Table 34 – RequestTickets Method AddressSpace Definition
Table 35 – SetRegistrarEndpoints Method AddressSpace Definition
Table 36 – ApplicationConfigurationType Definition
Table 37 – NamespaceMetadata Object for this Document
Table 38 – Namespaces used in this document

INTERNATIONAL ELECTROTECHNICAL COMMISSION
OPC unified architecture -
Part 21: Device Onboarding
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
IEC 62541-21 has been prepared by subcommittee 65E: Devices and integration in enterprise
systems, of IEC technical committee 65: Industrial-process measurement, control and
automation. It is an International Standard.
The text of this International Standard is based on the following documents:
Draft: 65E/1046/CDV
Report on voting: 65E/1103/RVC
Full information on the voting for its approval can be found in the report on voting indicated above.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
Throughout this document and the other Parts of the series, certain document conventions are
used:
Italics are used to denote a defined term or definition that appears in the “Terms and definitions”
clause in one of the parts of the series.
Italics are also used to denote the name of a service input or output parameter or the name of
a structure or element of a structure that are usually defined in tables.
The italicized terms and names are also often written in camel-case (the practice of writing
compound words or phrases in which the elements are joined without spaces, with each
element's initial letter capitalized within the compound). For example, the defined term is
AddressSpace instead of Address Space. This makes it easier to understand that there is a
single definition for AddressSpace, not separate definitions for Address and Space.
A list of all parts in the IEC 62541 series, published under the general title OPC Unified
Architecture, can be found on the IEC website.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
– reconfirmed,
– withdrawn, or
– revised.
1 Scope
This part of IEC 62541 defines the life cycle of Devices and Composites and mechanisms to
verify their authenticity, set up their security and maintain their configuration.
The NodeIds of all Nodes described in this standard are only symbolic names. Annex A defines
the NamespaceUri for all NodeIds and the actual NodeIds.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 62541-1, OPC Unified Architecture - Part 1: Overview and Concepts
IEC 62541-2, OPC Unified Architecture - Part 2: Security
IEC 62541-3, OPC Unified Architecture - Part 3: Address Space Model
IEC 62541-4, OPC Unified Architecture - Part 4: Services
IEC 62541-5, OPC Unified Architecture - Part 5: Information Model
IEC 62541-6, OPC Unified Architecture - Part 6: Mappings
IEC 62541-9, OPC Unified Architecture - Part 9: Alarms and Conditions
IEC 62541-12, OPC Unified Architecture - Part 12: Discovery and Global Services
IEC 62541-22, OPC Unified Architecture - Part 22: Base Network Model
IEC 62541-100, OPC Unified Architecture - Part 100: Device Model
IEEE Std 802.1AR-2018, IEEE Standard for Local and Metropolitan Area Networks - Secure
Device Identity
IETF RFC 2045, N. Freed, N. Borenstein, Multipurpose Internet Mail Extensions (MIME) Part
One: Format of Internet Message Bodies, November 1996, available at
https://tools.ietf.org/html/rfc2045
IETF RFC 4648, S. Josefsson, The Base16, Base32, and Base64 Data Encodings, October
2006, available at https://tools.ietf.org/html/rfc4648
IETF RFC 5280, D. Cooper, S. Santesson, S. Farrell, S. Boeyen, T. Polk, Russ Housley,
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL)
Profile, May 2008, available at https://tools.ietf.org/html/rfc5280
IETF RFC 7515, M. Jones, J. Bradley, N. Sakimura, JSON Web Signature (JWS), May 2015,
available at https://tools.ietf.org/html/rfc7515
IETF RFC 7518, M. Jones, JSON Web Algorithms (JWA), May 2015, available at
https://tools.ietf.org/html/rfc7518
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 62541-1, IEC 62541-2,
IEC 62541-3, IEC 62541-4, IEC 62541-6, IEC 62541-9 and IEC 62541-100 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following
addresses:
– IEC Electropedia: available at https://www.electropedia.org/
– ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
Application
a program that runs on a Device and communicates with other Applications on the network.
Note 1 to entry: Each Application has an identifier that is unique within the network.
Note 2 to entry: An OPC UA Application is an Application that supports OPC UA.
3.1.2
ApplicationUri
a globally unique identifier for an OPC UA Application running on a particular Device.
Note 1 to entry: The Application Instance Certificate has the ApplicationUri in the subjectAltName field.
3.1.3
Composite
collection of Devices or Composites assembled into a single unit
Note 1 to entry: Each Composite has a globally unique identifier.
Note 2 to entry: A Composite can act as a single Device when connected to a network.
Note 3 to entry: A Composite can appear as multiple Devices when connected to a network.
3.1.4
CompositeBuilder
organization that creates Composites
3.1.5
CompositeInstanceUri
globally unique resource identifier assigned by a builder to a Composite
3.1.6
DCA Client
DCA which is a Client and supports PullManagement
3.1.7
DCA Server
DCA which is a Server and supports PushManagement
3.1.8
Device
independent physical entity capable of performing one or more specified functions in a particular
context and delimited by its interfaces as defined in IEC 62541-100
Note 1 to entry: For this document a Device also executes one or more OPC UA Applications.
Note 2 to entry: A generic computer or mobile device can be a Device if it has a DeviceIdentity Certificate.
3.1.9
Device Configuration Application (DCA)
Client or Server installed on a Device used to configure other applications installed on the same
Device
Note 1 to entry: A DCA which is a Client uses PullManagement (see 7.2) to interact with the Registrar.
Note 2 to entry: The Registrar uses PushManagement (see 7.3) to interact with a DCA which is a Server.
3.1.10
DeviceIdentity Certificate
Certificate issued to a Device that identifies the Device
Note 1 to entry: All DeviceIdentity Certificates have the ProductInstanceUri as a subjectAltName.
Note 2 to entry: All DeviceIdentity Certificates are IDevID or LDevID Certificates as defined by IEEE Std 802.1AR-
2018.
Note 3 to entry: The ProductInstanceUri is the ApplicationUri when the DeviceIdentity Certificate is used to create
a SecureChannel.
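The checks implied by 3.1.2 and 3.1.10, as an added Go example that is not part of the standard and not code from any OPC UA stack: a constructed manufacturer CA issues an IDevID-style DeviceIdentity Certificate with the ProductInstanceUri as a subjectAltName URI, and a verifier does what a Registrar must do before it accepts the Device: validate the certificate path to the manufacturer CA (RFC 5280 path validation, here through Go's crypto/x509) and require that the URI the Device claims as its ApplicationUri is exactly the subjectAltName URI of that certificate. The URN form, the organization names and the validity periods are made up for the example; which trust anchors a Registrar actually holds and whether it also checks revocation are not shown on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed ProductInstanceUri for this example; the URN form and the
// manufacturer name are made up, not taken from the standard.
const ProductInstanceUri = "urn:example-manufacturer.com:device:SN-0001"

// Fixture stands in for what a Registrar holds: the manufacturer CA that issues
// IDevIDs (its trust anchor) and the DeviceIdentity Certificate a Device presents.
type Fixture struct {
	ManufacturerCA *x509.Certificate
	Device         *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeFixture builds a self-signed manufacturer CA and an IDevID-style DeviceIdentity
// Certificate that carries sanUri as a subjectAltName URI (3.1.10, Note 1).
func MakeFixture(sanUri string) *Fixture {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Manufacturer Device CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	sanURL, err := url.Parse(sanUri)
	check(err)
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "SN-0001", Organization: []string{"Example Manufacturer"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(20 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{sanURL},
	}
	dev, err := issue(devTmpl, ca, &devKey.PublicKey, caKey)
	check(err)
	return &Fixture{ManufacturerCA: ca, Device: dev}
}

// VerifyDeviceIdentity is what a Registrar does before trusting a Device's claimed identity:
// validate the certificate path to the manufacturer CA (RFC 5280), then require that the URI
// the Device claims, which is also its ApplicationUri on the SecureChannel (3.1.10, Note 3),
// is a subjectAltName URI of that certificate. Revocation checking is not shown here.
func VerifyDeviceIdentity(dev, manufacturerCA *x509.Certificate, claimedUri string) error {
	roots := x509.NewCertPool()
	roots.AddCert(manufacturerCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dev.Verify(opts); err != nil {
		return fmt.Errorf("DeviceIdentity Certificate does not chain to the manufacturer CA: %w", err)
	}
	// Exact match only: a URI that merely resembles the expected one must not authenticate.
	for _, u := range dev.URIs {
		if u.String() == claimedUri {
			return nil
		}
	}
	return errors.New("claimed ProductInstanceUri is not a subjectAltName URI of the certificate")
}

func main() {
	f := MakeFixture(ProductInstanceUri)
	fmt.Println("genuine:", VerifyDeviceIdentity(f.Device, f.ManufacturerCA, ProductInstanceUri))
	fmt.Println("other URI:", VerifyDeviceIdentity(f.Device, f.ManufacturerCA, "urn:example-manufacturer.com:device:SN-0002"))
}
```

The URI comparison is deliberately a plain string equality: case folding, prefix matching or trimming a path element would let a certificate for one product instance authenticate another, and a certificate that chains correctly but names a different ProductInstanceUri is still a failed authentication.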
3.1.11
Distributor
organization that re-sells Devices and/or Composites
Note 1 to entry: A Distributor can enhance Devices and Composites by adding customized products or services.
3.1.12
Manufacturer
organization that creates Devices
3.1.13
OwnerOperator
organization deploying and operating a system that comprises Devices, Composites or other
computers connected via a network
3.1.14
Privilege
named set of permissions or access rights which are needed to perform a task
3.1.15
ProductInstanceUri
globally unique resource identifier assigned by the manufacturer to a Device
3.1.16
Registrar
OPC UA Application that registers and authenticates Devices added to the network
3.1.17
SystemIntegrator
organization that installs and configures a system for an OwnerOperator that comprises
Devices, Composites or other computers connected via a network
3.1.18
SecureElement
hardware component that protects Private Keys from unauthorized access and disclosure
3.1.19
Ticket
document that identifies a Device or Composite and has a DigitalSignature
3.2 Abbreviated terms
API application programming interface
ASN.1 abstract syntax notation #1
CA certificate authority
CRL certificate revocation list
DCA device configuration application
DER ASN.1 distinguished encoding rules
DHCP dynamic host configuration protocol
DNS domain name system
ERP enterprise resource planning
GDS global discovery server
IDevID initial device identifier
LDevID locally significant device identifier
LDS local discovery server
mDNS multicast domain name system
NAT network address translation
PKCS public key cryptography standards
TLS transport layer security
TPM trusted platform module
UA unified architecture
URI uniform resource identifier
URN uniform resource name
4 Onboarding Model
4.1 Device lifecycle
The Onboarding model is designed to allow the configuration of a Device to be managed over
the complete lifecycle of the Device from manufacture to decommissioning. The entire lifecycle
approach is required because Devices, unlike PC-class computers, are often shipped with
automation software pre-installed and are connected directly to sensitive networks. This
requires a process to authenticate Devices before they are given access to a sensitive network.
The complete life cycle of a Device is shown in Figure 1.
Figure 1 – The Lifecycle of a Device
The actors in the Device lifecycle are described in Table 1.
Table 1 – The Actors in the Device Lifecycle
Actor: Description
Device: A computer that is able to communicate via a network. A Device has a unique identifier and can have one or more Applications (see 3.1.4).
Composite: A collection of Devices or Composites assembled into a single unit. Each Composite has a unique identifier and can appear as a single Device on a network or it can appear as multiple Devices (see 3.1.3).
Application: A program that runs on a Device. Each Application has a unique identifier and communicates with other Applications on the network (see 3.1.1).
OwnerOperator: An organization deploying and operating a system that comprises Devices, Composites or other computers connected via a network (see 3.1.13).
Manufacturer: An organization that creates Devices (see 3.1.12).
CompositeBuilder: An organization that creates Composites (see 3.1.4).
Distributor: An organization that re-sells Devices and/or Composites. A Distributor enhances Devices and Composites by adding customized products or services before resale (see 3.1.11).
SystemIntegrator: An organization that installs and configures a system for an OwnerOperator that comprises Devices, Composites or other computers connected via a network (see 3.1.17).
RegistrarAdmin: A user authorized to change the configuration of the Registrar.
SoftwareUpdateAdmin: A user authorized to update the firmware running on a Device.
SecurityAdmin: A user authorized to make changes to security configuration for Clients and Servers running on the network.
The stages in the lifecycle for a single Device are described in Table 2. This information model
defines mechanisms to automate some of the tasks necessary for each stage.
Table 2 – The Stages in the Device Lifecycle
Stage: Description
Device Manufacture: A Device is created and a DeviceIdentity Certificate is assigned. This Certificate is provided when the Device is transferred to other actors. During Device Manufacture, Applications can be installed on the Device. A Ticket describing the Device is created and signed by the Manufacturer.
Composite Assembly: A Composite is created from Devices and a unique identity is assigned to the Composite. This identity is provided when the Composite is transferred to other actors. During Composite Assembly, Applications can be installed on the Devices contained in the Composite. A Ticket describing the Composite is created and signed by the CompositeBuilder.
Distribution: The Device or Composite is stored until it is delivered to a CompositeBuilder, SystemIntegrator, OwnerOperator or another Distributor.
Onboarding: The SystemIntegrator connects a Device to the network and verifies that the identity reported by the Device matches the identity in a Ticket provided by the Manufacturer or CompositeBuilder.
Application Setup: The SystemIntegrator configures the Applications running on the Device or Composite so they can communicate with other Applications running in the system. This process includes distributing TrustLists and issuing Certificates.
Configuration: The OwnerOperator performs tasks that are not done while the Device is in full operation, such as updating firmware, installing new Applications, or changing Application configuration.
Operation: The Device does the tasks it was deployed to do.
Decommissioning: The Device has all access revoked and, if the Device is still functional, then it is reset to the default factory settings.

The commonly understood concept of “Commissioning” is represented by the Onboarding,
Application Setup and Configuration stages.
The stages in the Device lifecycle map onto workflows that are defined in this document. The
workflows are described in 4.2.
4.2 Concepts
4.2.1 Secure elements
SecureElements are hardware-based storage for cryptographic secrets that protects them
against unauthorized access and disclosure. The mechanisms defined for Device authentication
depend on PrivateKeys that are stored in SecureElements. PrivateKeys stored on Devices
without SecureElements can be stolen and reused on counterfeit Devices.
OwnerOperators can provision Devices without SecureElements if they have other ways to
ensure their authenticity.
4.2.2 Firmware and Applications
Every Device has multiple layers of hardware and software that are installed and managed at
different stages in the lifecycle by different actors. The layers are shown in Figure 2.

Figure 2 – Device hardware and software layers
A Device has firmware that is generally not changed during normal operation. Firmware updates
can be provided by the Manufacturer to correct software bugs or patch security flaws. A Device
should have a mechanism to ensure the integrity of the system, including the firmware, during
the boot process. A Device should have a way to update firmware after onboarding in the
OwnerOperator’s system.
A Device should have SecureElement storage used for security sensitive elements such as
Private Keys. This storage cannot be backed up, nor is it affected by a firmware update. The Private
Key of DeviceIdentity Certificates (IDevID and LDevID) shall be placed in this storage.
A Device shall have a Device Configuration Application (DCA) which is used for Device
authentication and setup of other Applications on the Device.
A Device can have storage used for Applications and their configuration. A Device should have
a mechanism to back up and restore configurations. A Device can support multiple Applications
which have their own configuration and security configuration.
A Device has storage for the Application security configuration that is not required to be in the
protected storage. This storage is separate from the storage for Applications and configurations.
Certificates, TrustLists and administrator credentials are examples of information that is part of the
security configuration. The Device shall have mechanisms to ensure that only authorized actors
are able to alter the security configuration or access sensitive data such as the PrivateKeys. If
a Device supports multiple Applications, the set of authorized actors can be different for each
Application.
4.2.3 Transfer of physical control
Implicit in the Device lifecycle is the notion that Devices and Composites will be physically
delivered to different actors. The transfers of physical control that can occur are shown in
Figure 3.
Figure 3 – Possible Transfers of physical control
In many cases, the Distributor belongs to the same organization as the Manufacturer or
CompositeBuilder. Similarly, the Integrator and the OwnerOperator can be the same
organization.
When a transfer of physical control occurs, the supplier ships the equipment (a Device or
Composite) and an electronic Ticket (see 6) that describes the equipment. The receiver can
use the Ticket to authenticate the origin of the equipment using the mechanisms defined in this
standard or save it so it can be provided when the equipment is transferred to another actor.
While an actor has physical control, the actor can Install, Provision, Configure or Operate (see
Table 2) the equipment. For example, if an actor (e.g., a CompositeBuilder) makes changes to
a Device and then transfers this Device to another actor (e.g., an OwnerOperator), then those
changes can restrict what the new owner is able to do; for instance, the CompositeBuilder can install
an Application used for maintenance that the OwnerOperator cannot access.
The workflows (see 4.3) describe this process in more detail.
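As an added illustration of the Onboarding check in Table 2 and the Ticket-based origin check in 4.2.3 (example code, not part of the standard): the Manufacturer signs a Ticket naming the Device's ProductInstanceUri, and the SystemIntegrator verifies that signature and then checks that the DeviceIdentity Certificate presented by the Device carries the same ProductInstanceUri as a URI subjectAltName (3.1.10, Note 1). The Ticket structure, the Ed25519 signature, the "\n"-joined signed bytes and the self-signed stand-in certificate are assumptions made for this example; the real Ticket format is defined in clause 6 and a real IDevID is issued under IEEE 802.1AR.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Ticket is a simplified stand-in for the clause 6 Ticket (not on this page): it names the
// Device by ProductInstanceUri and carries the Manufacturer's DigitalSignature over tbs().
type Ticket struct {
	ProductInstanceUri, Manufacturer string
	Signature                        []byte
}

// tbs is the byte string the Manufacturer signs (assumed layout for this example).
func (t Ticket) tbs() []byte { return []byte(t.Manufacturer + "\n" + t.ProductInstanceUri) }

// SignTicket is the Manufacturer's step at Device Manufacture (Table 2).
func SignTicket(t Ticket, mfrKey ed25519.PrivateKey) Ticket {
	t.Signature = ed25519.Sign(mfrKey, t.tbs())
	return t
}

// VerifyOnboarding is the SystemIntegrator's check at Onboarding (Table 2): the Ticket must be
// signed by the expected Manufacturer, and the DeviceIdentity Certificate presented by the
// Device must carry the Ticket's ProductInstanceUri as a URI subjectAltName (3.1.10, Note 1).
func VerifyOnboarding(t Ticket, mfrPub ed25519.PublicKey, devCertDER []byte) error {
	if !ed25519.Verify(mfrPub, t.tbs(), t.Signature) {
		return errors.New("ticket signature invalid: not signed by the expected Manufacturer")
	}
	cert, err := x509.ParseCertificate(devCertDER)
	if err != nil {
		return err
	}
	for _, u := range cert.URIs {
		if u.String() == t.ProductInstanceUri {
			return nil // identity reported by the Device matches the Ticket
		}
	}
	return errors.New("identity mismatch: subjectAltName lacks the Ticket's ProductInstanceUri")
}

// NewDeviceIdentityCert builds a constructed, self-signed stand-in for an IDevID whose
// subjectAltName URI is productInstanceUri; a real IDevID is issued by the Manufacturer's CA.
func NewDeviceIdentityCert(productInstanceUri string) ([]byte, error) {
	uri, _ := url.Parse(productInstanceUri) // constructed input, assumed well-formed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{uri},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```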
4.2.4 Trust on first use (TOFU)
The onboarding process defined in this document describes how an OwnerOperator can
authenticate Devices added to the network. This document does not define any mechanisms to
allow Devices to authentic
...