CRA regulation

While existing Union law applies to certain products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for all products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and users of those products and adding an unnecessary burden on businesses and organisations to comply with a number of requirements and obligations for similar types of products. The cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of those products has a particularly strong cross-border dimension, as products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; manufactured in one Member State or third country are often used by organisations and consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; across the entire internal market. This makes it necessary to regulate the field at Union level to ensure a harmonised regulatory framework and legal certainty for users, organisations and businesses, including microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; as defined in the Annex to Commission Recommendation 2003/361/EC(⁵)Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).. The Union regulatory landscape should be harmonised by introducing horizontal cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. In addition, legal certainty for economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; and users, as well as a better harmonisation of the internal market and proportionality for microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, creating more viable conditions for economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; aiming to enter that market, should be ensured across the Union.

As regards microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, when determining the category an enterprise falls into, the provisions of the Annex to Recommendation 2003/361/EC should be applied in their entirety. Therefore, when calculating the staff headcount and financial ceilings determining the enterprise categories, the provisions of Article 6 of the Annex to Recommendation 2003/361/EC on establishing the data of an enterprise in consideration of specific types of enterprises, such as partner enterprises or linked enterprises, should also be applied.

The Commission should provide guidance to assist economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, in particular microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, in the application of this Regulation. Such guidance should cover, inter alia, the scope of this Regulation, in particular remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; and its implications for free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; developers, the application of the criteria used to determine support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the interplay between this Regulation and other Union law and the concept of substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;.

At Union level, various programmatic and political documents, such as the Joint communication of the Commission and the High Representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; of the Union for Foreign Affairs and Security Policy of 16 December 2020, entitled ‘The EU’s Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Strategy for the Digital Decade’, the Council Conclusions of 2 December 2020 on the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of connected devices and of 23 May 2022 on the development of the European Union’s cyber posture and the European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Strategy for the Digital Decade(⁶)OJ C 67, 8.2.2022, p. 81., have called for specific Union cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for digital or connected products, with several third countries introducing measures to address this issue on their own initiative. In the final report of the Conference on the Future of Europe, citizens called for ‘a stronger role for the EU in countering cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; threats’. In order for the Union to play a leading international role in the field of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, it is important to establish an ambitious regulatory framework.

To increase the overall level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of all products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for those products that apply horizontally.

Under certain conditions, all products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; integrated in or connected to a larger electronic information system means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data; can serve as an attack vector for malicious actors. As a result, even hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; and software means the part of an electronic information system which consists of computer code; considered to be less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or to move laterally across systems. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should therefore ensure that all products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are designed and developed in accordance with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements laid down in this Regulation. That obligation relates to both products that can be connected physically via hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software means the part of an electronic information system which consists of computer code; interface. As cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; can propagate through various products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; before reaching a certain target, for example by chaining together multiple vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; exploits, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also ensure the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are only indirectly connected to other devices or networks.

By laying down cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for placing on the market means the first making available of a product with digital elements on the Union market; products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it is intended that the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of those products for consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; and businesses alike be enhanced. Those requirements will also ensure that cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; is taken into account throughout supply chains, making final products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and their components means software or hardware intended for integration into an electronic information system; more secure. This also includes requirements for placing on the market means the first making available of a product with digital elements on the Union market; consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; intended for vulnerable consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;, such as toys and baby monitoring systems. Consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; categorised in this Regulation as important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; present a higher cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; by performing a function which carries a significant risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure. This applies to such products as smart home products with security functionalities, including smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology. Furthermore, the stricter conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures that other products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; categorised in this Regulation as important or critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are required to undergo, will contribute to preventing potential negative impacts on consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; of the exploitation of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;.

The purpose of this Regulation is to ensure a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and their integrated remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; solutions. Such remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; solutions should be defined as data processing at a distance for which the software means the part of an electronic information system which consists of computer code; is designed and developed by or on behalf of the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned, the absence of which would prevent the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; from performing one of its functions. That approach ensures that such products are adequately secured in their entirety by their manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, irrespective of whether data is processed or stored locally on the user’s device or remotely by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. At the same time, processing or storage at a distance falls within the scope of this Regulation only in so far as it is necessary for a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to perform its functions. Such processing or storage at a distance includes the situation where a mobile application requires access to an application programming interface or to a database provided by means of a service developed by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. In such a case, the service falls within the scope of this Regulation as a remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; solution. The requirements concerning the remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; solutions falling within the scope of this Regulation do therefore not entail technical, operational or organisational measures aiming to manage the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the security of a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’s network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; as a whole.

Cloud solutions constitute remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; solutions within the meaning of this Regulation only if they meet the definition laid down in this Regulation. For example, cloud enabled functionalities provided by a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of smart home devices that enable users to control the device at a distance fall within the scope of this Regulation. On the other hand, websites that do not support the functionality of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, or cloud services designed and developed outside the responsibility of a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; do not fall within the scope of this Regulation. Directive (EU) 2022/2555 applies to cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; and cloud service models, such as Software means the part of an electronic information system which consists of computer code; as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; providing cloud computing services means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; in the Union which qualify as medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; provided for in paragraph 1 of that Article, fall within the scope of that Directive.

In line with the objective of this Regulation to remove obstacles to the free movement of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, Member States should not impede, for the matters covered by this Regulation, the making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which comply with this Regulation. Therefore, for matters harmonised by this Regulation, Member States cannot impose additional cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for the making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Any entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, public or private, can however establish additional requirements to those laid down in this Regulation for the procurement or use of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for its specific purposes, and can therefore choose to use products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that meet stricter or more specific cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements than those applicable for the making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; under this Regulation. Without prejudice to Directives 2014/24/EU(⁷)Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65). and 2014/25/EU(⁸)Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243). of the European Parliament and of the Council, when procuring products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, which must comply with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements laid down in this Regulation, including those relating to vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling, Member States should ensure that such requirements are taken into consideration in the procurement process and that the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’ ability to effectively apply cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; measures and manage cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; are also taken into consideration. Furthermore, Directive (EU) 2022/2555 sets out cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures for essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3 of that Directive that could entail supply chain security measures that require the use by such entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; meeting stricter cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements than those laid down in this Regulation. In accordance with Directive (EU) 2022/2555 and in line with its minimum harmonisation principle, Member States can therefore impose additional cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for the use of information and communications technology (ICT) products by essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 pursuant to that Directive in order to ensure a higher level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, provided that such requirements are consistent with Member States’ obligations laid down in Union law. Matters not covered by this Regulation can include non-technical factors relating to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; thereof. Member States can therefore lay down national measures, including restrictions on products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or suppliers of such products that take account of non-technical factors. National measures relating to such factors are required to comply with Union law.

This Regulation should be without prejudice to the Member States’ responsibility for safeguarding national security, in compliance with Union law. Member States should be able to subject products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are procured or used for national security or defence purposes to additional measures, provided that such measures are consistent with Member States’ obligations laid down in Union law.

This Regulation applies to economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; only in relation to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity. Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software means the part of an electronic information system which consists of computer code; platform through which the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; monetises other services, by requiring as a condition for use the processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; for reasons other than exclusively for improving the security, compatibility or interoperability of the software means the part of an electronic information system which consists of computer code;, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Accepting donations without the intention of making a profit should not be considered to be a commercial activity.

Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly related to the operation of that service, such as may be the case with certain products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; provided by public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital;, should not be considered on those grounds alone to be a commercial activity for the purposes of this Regulation. Furthermore, products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which are developed or modified by a public administration entity means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital; exclusively for its own use should not be considered to be made available on the market within the meaning of this Regulation.

Software means the part of an electronic information system which consists of computer code; and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. To foster the development and deployment of free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;, in particular by microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including start-ups, individuals, not-for-profit organisations, and academic research organisations means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions., the application of this Regulation to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; supplied for distribution or use in the course of a commercial activity should take into account the nature of the different development models of software means the part of an electronic information system which consists of computer code; distributed and developed under free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; licences.

Free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; is understood as software means the part of an electronic information system which consists of computer code; the source code of which is openly shared and the licensing of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; is developed, maintained and distributed openly, including via online platforms. In relation to economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; that fall within the scope of this Regulation, only free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, should fall within the scope of this Regulation. The mere circumstances under which the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity. More specifically, for the purposes of this Regulation and in relation to the economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; that fall within its scope, to ensure that there is a clear distinction between the development and supply phases, the provision of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; that are not monetised by their manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should not be considered to be a commercial activity. Furthermore, the supply of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; components means software or hardware intended for integration into an electronic information system; intended for integration by other manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; into their own products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be considered to be making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; only if the component means software or hardware intended for integration into an electronic information system; is monetised by its original manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. For instance, the mere fact that an open-source software means the part of an electronic information system which consists of computer code; product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; receives financial support from manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or that manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; contribute to the development of such a product should not in itself determine that the activity is of commercial nature. In addition, the mere presence of regular releases should not in itself lead to the conclusion that a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is supplied in the course of a commercial activity. Finally, for the purposes of this Regulation, the development of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives. This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; that are not under their responsibility.

Taking into account the importance for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of many products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; that are published, but not made available on the market within the meaning of this Regulation, legal persons who provide support on a sustained basis for the development of such products which are intended for commercial activities, and who play a main role in ensuring the viability of those products (open-source software stewards means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;), should be subject to a light-touch and tailor-made regulatory regime. Open-source software stewards means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products; include certain foundations as well as entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that develop and publish free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; in a business context, including not-for-profit entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. The regulatory regime should take account of their specific nature and compatibility with the type of obligations imposed. It should only cover products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; that are ultimately intended for commercial activities, such as for integration into commercial services or into monetised products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. For the purposes of that regulatory regime, an intention for integration into monetised products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; includes cases where manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that integrate a component means software or hardware intended for integration into an electronic information system; into their own products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; either contribute to the development of that component means software or hardware intended for integration into an electronic information system; in a regular manner or provide regular financial assistance to ensure the continuity of a software means the part of an electronic information system which consists of computer code; product. The provision of sustained support to the development of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; includes but is not limited to the hosting and managing of software means the part of an electronic information system which consists of computer code; development collaboration platforms, the hosting of source code or software means the part of an electronic information system which consists of computer code;, the governing or managing of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; as well as the steering of the development of such products. Given that the light-touch and tailor-made regulatory regime does not subject those acting as open-source software stewards means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products; to the same obligations as those acting as manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; under this Regulation, they should not be permitted to affix the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; to the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; whose development they support.

The sole act of hosting products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on open repositories, including through package managers or on collaboration platforms, does not in itself constitute the making available on the market means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Providers of such services should be considered to be distributors means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties; only if they make such software means the part of an electronic information system which consists of computer code; available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity.

In order to support and facilitate the due diligence of manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that integrate free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; components means software or hardware intended for integration into an electronic information system; that are not subject to the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation into their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the Commission should be able to establish voluntary security attestation programmes, either by a delegated act supplementing this Regulation or by requesting a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme pursuant to Article 48 of Regulation (EU) 2019/881 that takes into account the specificities of the free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; development models. The security attestation programmes should be conceived in such a way that not only natural or legal persons developing or contributing to the development of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; can initiate or finance a security attestation but also third parties, such as manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that integrate such products into their own products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, users, or Union and national public administrations.

In view of the public cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; objectives of this Regulation and in order to improve the situational awareness of Member States as regards the Union’s dependency on software means the part of an electronic information system which consists of computer code; components means software or hardware intended for integration into an electronic information system; and in particular on potentially free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; components means software or hardware intended for integration into an electronic information system;, a dedicated administrative cooperation group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; (ADCO) established by this Regulation should be able to decide to jointly undertake a Union dependency assessment. Market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should be able to request manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; established by ADCO to submit the software bills of materials means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements; (SBOMs) that they have generated pursuant to this Regulation. In order to protect the confidentiality of SBOMs, market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should submit relevant information about dependencies to ADCO in an anonymised and aggregated manner.

The effectiveness of the implementation of this Regulation will also depend on the availability of adequate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; skills. At Union level, various programmatic and political documents, including the Commission communication of 18 April 2023 on Closing the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; talent gap to boost the EU’s competitiveness, growth and resilience and the Council Conclusions of 22 May 2023 on the EU Policy on Cyber Defence acknowledged the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; skills gap in the Union and the need to address such challenges as a matter of priority, in both the public and private sectors. With a view to ensuring an effective implementation of this Regulation, Member States should ensure that adequate resources are available for the appropriate staffing of the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; and conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; to perform their tasks as laid down in this Regulation. Those measures should enhance workforce mobility in the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; field and their associated career pathways. They should also contribute to making the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; workforce more resilient and inclusive, also in terms of gender. Member States should therefore take measures to ensure that those tasks are carried out by adequately trained professionals, with the necessary cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; skills. Similarly, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should ensure that their staff has the necessary skills to comply with their obligations as laid down in this Regulation. Member States and the Commission, in line with their prerogatives and competences and the specific tasks conferred upon them by this Regulation, should take measures to support manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and in particular microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including start-ups, also in areas such as skill development, for the purposes of compliance with their obligations as laid down in this Regulation. Furthermore, as Directive (EU) 2022/2555 requires Member States to adopt policies promoting and developing training on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; skills as part of their national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; strategies, Member States may also consider, when adopting such strategies, addressing the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; skills needs resulting from this Regulation, including those relating to re-skilling and up-skilling.

A secure internet is indispensable for the functioning of critical infrastructures and for society as a whole. Directive (EU) 2022/2555 aims at ensuring a high level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of services provided by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3 of that Directive, including digital infrastructure providers that support core functions of the open internet, ensure internet access and provide internet services. It is therefore important that the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; necessary for digital infrastructure providers to ensure the functioning of the internet are developed in a secure manner and that they comply with well-established internet security standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. This Regulation, which applies to all connectable hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; and software means the part of an electronic information system which consists of computer code; products, also aims at facilitating the compliance of digital infrastructure providers with the supply chain requirements under Directive (EU) 2022/2555 by ensuring that the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that they use for the provision of their services are developed in a secure manner and that they have access to timely security updates for such products.

Regulation (EU) 2017/745 of the European Parliament and of the Council(⁹)Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1). lays down rules on medical devices and Regulation (EU) 2017/746 of the European Parliament and of the Council(¹⁰)Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176). lays down rules on in vitro diagnostic medical devices. Those Regulations address cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and follow particular approaches that are also addressed in this Regulation. More specifically, Regulations (EU) 2017/745 and (EU) No 2017/746 lay down essential requirements for medical devices that function through an electronic system or that are software means the part of an electronic information system which consists of computer code; themselves. Certain non-embedded software means the part of an electronic information system which consists of computer code; and the whole lifecycle approach are also covered by those Regulations. Those requirements mandate manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to develop and build their products by applying risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management principles and by setting out requirements concerning IT security measures, as well as corresponding conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures. Furthermore, specific guidance on cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; for medical devices is in place since December 2019, providing manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of medical devices, including in vitro diagnostic devices, with guidance on how to fulfil all the relevant essential requirements set out in Annex I to those Regulations with regard to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;. Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to which either of those Regulations apply should not therefore be subject to this Regulation.

Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are developed or modified exclusively for national security or defence purposes or products that are specifically designed to process classified information fall outside the scope of this Regulation. Member States are encouraged to ensure the same or a higher level of protection for those products as for those falling within the scope of this Regulation.

Regulation (EU) 2019/2144 of the European Parliament and of the Council(¹¹)Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1). establishes requirements for the type-approval of vehicles, and of their systems and components means software or hardware intended for integration into an electronic information system;, introducing certain cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, including on the operation of a certified cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; management system, on software means the part of an electronic information system which consists of computer code; updates, covering organisations’ policies and processes for cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; related to the entire lifecycle of vehicles, equipment and services in compliance with the applicable United Nations regulations on technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;, in particular UN Regulation No 155 – Uniform provisions concerning the approval of vehicles with regards to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; management system(¹²)OJ L 82, 9.3.2021, p. 30. and providing for specific conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures. In the area of aviation, the principal objective of Regulation (EU) 2018/1139 of the European Parliament and of the Council(¹³)Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1). is to establish and maintain a high uniform level of civil aviation safety in the Union. It creates a framework for essential requirements for airworthiness for aeronautical products, parts and equipment, including software means the part of an electronic information system which consists of computer code;, that includes obligations to protect against information security threats. The certification process under Regulation (EU) 2018/1139 ensures the level of assurance aimed for by this Regulation. Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to which Regulation (EU) 2019/2144 applies and products certified in accordance with Regulation (EU) 2018/1139 should not therefore be subject to the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements and conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures set out in this Regulation.

This Regulation lays down horizontal cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; rules which are not specific to sectors or to certain products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Nevertheless, sectoral or product-specific Union rules could be introduced, laying down requirements that address all or some of the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; covered by the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. In such cases, the application of this Regulation to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; covered by other Union rules laying down requirements that address all or some of the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; covered by the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation may be limited or excluded where such limitation or exclusion is consistent with the overall regulatory framework applying to those products and where the sectoral rules achieve at least the same level of protection as the one provided for by this Regulation. The Commission should be empowered to adopt delegated acts to supplement this Regulation by identifying such products and rules. For existing Union law where such limitation or exclusion should apply, this Regulation contains specific provisions to clarify its relation with that Union law.

In order to ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; made available on the market can be repaired effectively and their durability extended, an exemption should be provided for spare parts. That exemption should cover both spare parts that have the purpose of repairing legacy products made available before the date of application of this Regulation and spare parts that have already undergone a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure pursuant to this Regulation.

Commission Delegated Regulation (EU) 2022/30(¹⁴)Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive (OJ L 7, 12.1.2022, p. 6). specifies that a number of essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU of the European Parliament and of the Council(¹⁵)Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62)., relating to network harm and misuse of network resources, personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; and privacy, and fraud, apply to certain radio equipment. Commission Implementing Decision C(2022) 5637 of 5 August 2022 on a standardisation request to the European Committee for Standardisation and the European Committee for Electrotechnical Standardisation lays down requirements for the development of specific standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). further specifying how those essential requirements should be addressed. The essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation include all the elements of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU. Furthermore, the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation are aligned with the objectives of the requirements for specific standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). included in that standardisation request. Therefore, when the Commission repeals or amends Delegated Regulation (EU) 2022/30 with the consequence that it ceases to apply to certain products subject to this Regulation, the Commission and the European standardisation organisations should take into account the standardisation work carried out in the context of Implementing Decision C(2022) 5637 in the preparation and development of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; to facilitate the implementation of this Regulation. During the transitional period for the application of this Regulation, the Commission should provide guidance to manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; subject to this Regulation that are also subject to Delegated Regulation (EU) 2022/30 to facilitate the demonstration of compliance with the two Regulations.

Directive (EU) 2024/2853 of the European Parliament and of the Council(¹⁶)Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC (OJ L, 2024/2853, 18.11.2024, ELI: http://data.europa.eu/eli/dir/2024/2853/oj). is complementary to this Regulation. That Directive sets out liability rules for defective products so that injured persons can claim compensation when a damage has been caused by defective products. It establishes the principle that the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of a product is liable for damages caused by a lack of safety in their product irrespective of fault (strict liability). Where such a lack of safety consists in a lack of security updates after the placing on the market means the first making available of a product with digital elements on the Union market; of the product, and this causes damage, the liability of the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; could be triggered. Obligations for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that concern the provision of such security updates should be laid down in this Regulation.

This Regulation should be without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council(¹⁷)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1)., including to provisions relating to the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with that Regulation. Such operations could be embedded in a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Data protection by design and by default, and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; in general, are key elements of Regulation (EU) 2016/679. By protecting consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; and organisations from cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements laid down in this Regulation are also to contribute to enhancing the protection of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; and privacy of individuals. Synergies on both standardisation and certification of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; aspects should be considered through the cooperation between the Commission, the European standardisation organisations, the European Union Agency for Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (ENISA), the European Data Protection Board established by Regulation (EU) 2016/679, and the national data protection supervisory authorities. Synergies between this Regulation and Union data protection law should also be created in the area of market surveillance and enforcement. To that end, national market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; designated under this Regulation should cooperate with authorities supervising the application of Union data protection law. The latter should also have access to information relevant for accomplishing their tasks.

To the extent that their products fall within the scope of this Regulation, providers of European Digital Identity Wallets as referred to in Article 5a(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council(¹⁸)Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73)., should comply with both the horizontal essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation and the specific security requirements set out in Article 5a of Regulation (EU) No 910/2014. In order to facilitate compliance, wallet providers should be able to demonstrate the compliance of European Digital Identity Wallets with the requirements set out in this Regulation and in Regulation (EU) No 910/2014, respectively, by certifying their products under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme established under Regulation (EU) 2019/881 and for which the Commission has specified, by means of delegated acts, a presumption of conformity with this Regulation, in so far as the certificate, or parts thereof, covers those requirements.

When integrating components means software or hardware intended for integration into an electronic information system; sourced from third parties in products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; during the design and development phase, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation, exercise due diligence with regard to those components means software or hardware intended for integration into an electronic information system;, including free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; components means software or hardware intended for integration into an electronic information system; that have not been made available on the market. The appropriate level of due diligence depends on the nature and the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with a given component means software or hardware intended for integration into an electronic information system;, and should, for that purpose, take into account one or more of the following actions: verifying, as applicable, that the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of a component means software or hardware intended for integration into an electronic information system; has demonstrated conformity with this Regulation, including by checking if the component means software or hardware intended for integration into an electronic information system; already bears the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;; verifying that a component means software or hardware intended for integration into an electronic information system; receives regular security updates, such as by checking its security updates history; verifying that a component means software or hardware intended for integration into an electronic information system; is free from vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; registered in the European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database established pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; databases; or carrying out additional security tests. The vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling obligations set out in this Regulation, which manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; have to comply with when placing a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on the market and for the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, apply to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in their entirety, including to all integrated components means software or hardware intended for integration into an electronic information system;. Where, in the exercise of due diligence, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; identifies a vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in a component means software or hardware intended for integration into an electronic information system;, including in a free and open-source component means software or hardware intended for integration into an electronic information system;, it should inform the person or entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; manufacturing or maintaining the component means software or hardware intended for integration into an electronic information system;, address and remediate the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, and, where applicable, provide the person or entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; with the applied security fix.

Immediately after the transitional period for the application of this Regulation, a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that integrates one or several components means software or hardware intended for integration into an electronic information system; sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of those components means software or hardware intended for integration into an electronic information system; have demonstrated conformity with this Regulation by checking, for instance, if the components means software or hardware intended for integration into an electronic information system; already bear the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;. This may be the case where the components means software or hardware intended for integration into an electronic information system; have been integrated before this Regulation becomes applicable to the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of those components means software or hardware intended for integration into an electronic information system;. In such a case, a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; integrating such components means software or hardware intended for integration into an electronic information system; should exercise due diligence through other means.

Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should bear the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; to visibly, legibly and indelibly indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing on the market means the first making available of a product with digital elements on the Union market; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that comply with the requirements laid down in this Regulation and bear the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;. Furthermore, at trade fairs, exhibitions and demonstrations or similar events, Member States should not prevent the presentation or use of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that the product does not comply with this Regulation and that it is not to be made available on the market until it does so.

In order to ensure that manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; can release software means the part of an electronic information system which consists of computer code; for testing purposes before subjecting their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;, Member States should not prevent the making available of unfinished software means the part of an electronic information system which consists of computer code;, such as alpha versions, beta versions or release candidates, provided that the unfinished software means the part of an electronic information system which consists of computer code; is made available only for the time necessary to test it and gather feedback. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should ensure that software means the part of an electronic information system which consists of computer code; made available under those conditions is released only following a risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment and that it complies to the extent possible with the security requirements relating to the properties of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; laid down in this Regulation. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also implement the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling requirements to the extent possible. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should not force users to upgrade to versions only released for testing purposes.

In order to ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, when placed on the market, do not pose cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to persons and organisations, essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements should be set out for such products. Those essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, including vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; management handling requirements, apply to each individual product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; when placed on the market, irrespective of whether the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is manufactured as an individual unit or in series. For example, for a product type, each individual product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should have received all security patches or updates available to address relevant security issues when it is placed on the market. Where products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in the initial risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment and that may imply that they no longer meet the relevant essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, the modification should be considered to be substantial. For example, repairs could be assimilated to maintenance operations provided that they do not modify a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; for which the product has been assessed may be changed.

As is the case for physical repairs or modifications, a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be considered to be substantially modified by a software means the part of an electronic information system which consists of computer code; change where the software means the part of an electronic information system which consists of computer code; update modifies the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of that product and those changes were not foreseen by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in the initial risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment, or where the nature of the hazard has changed or the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; has increased because of the software means the part of an electronic information system which consists of computer code; update, and the updated version of the product is made available on the market. Where a security update which is designed to decrease the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; does not modify the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it is not considered to be a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;. This usually includes situations where a security update entails only minor adjustments of the source code. For example, this could be the case where a security update addresses a known vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, including by modifying functions or the performance of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for the sole purpose of decreasing the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;. Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and meets the above criteria, it should be considered to be a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. For example, this could be the case where a new input element is added to an application, requiring the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to ensure adequate input validation. In assessing whether a feature update is considered to be a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;.

Taking into account the iterative nature of software means the part of an electronic information system which consists of computer code; development, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that have placed subsequent versions of a software means the part of an electronic information system which consists of computer code; product on the market as a result of a subsequent substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; of that product should be able to provide security updates for the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; only for the version of the software means the part of an electronic information system which consists of computer code; product that they have last placed on the market. They should be able to do so only if the users of the relevant previous product versions have access to the product version last placed on the market free of charge and do not incur additional costs to adjust the hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; or software means the part of an electronic information system which consists of computer code; environment in which they operate the product. This could, for instance, be the case where a desktop operating system upgrade does not require new hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;, such as a faster central processing unit or more memory. Nonetheless, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should continue to comply, for the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, with other vulnerability-handling requirements, such as having a policy on coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure or measures in place to facilitate the sharing of information about potential vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; for all subsequent substantially modified versions of the software means the part of an electronic information system which consists of computer code; product placed on the market. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should be able to provide minor security or functionality updates that do not constitute a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; only for the latest version or sub-version of a software means the part of an electronic information system which consists of computer code; product that has not been substantially modified. At the same time, where a hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should continue to provide security updates at least for the latest compatible version of the operating system for the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.

In line with the commonly established concept of substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; for products regulated by Union harmonisation legislation means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;, where a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; occurs that may affect the compliance of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with this Regulation or when the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of that product changes, it is appropriate that the compliance of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is verified and that, where applicable, it undergoes a new conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. Where applicable, if the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; undertakes a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; involving a third party, a change that might lead to a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; should be notified to the third party.

Where a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is subject to ‘refurbishment’, ‘maintenance’ and ‘repair’ as defined in Article 2, points (18), (19) and (20), of Regulation (EU) 2024/1781 of the European Parliament and of the Council(¹⁹)Regulation (EU) 2024/1781 of the European Parliament and of the Council of 13 June 2024 establishing a framework for the setting of ecodesign requirements for sustainable products, amending Directive (EU) 2020/1828 and Regulation (EU) 2023/1542 and repealing Directive 2009/125/EC (OJ L, 2024/1781, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1781/oj)., this does not necessarily lead to a substantial modification means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; of the product, for instance if the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; and functionalities are not changed and the level of risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; remains unaffected. However, an upgrade of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; might lead to changes in the design and development of that product and might therefore affect its intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; and compliance with the requirements set out in this Regulation.

Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be considered to be important if the negative impact of the exploitation of potential vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in the product can be severe due to, inter alia, the cybersecurity-related functionality or a function carrying a significant risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;. In particular, vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that have a cybersecurity-related functionality, such as boot managers, can lead to a propagation of security issues throughout the supply chain. The severity of the impact of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; may also increase where the product primarily performs a central system function, including network management, configuration control, virtualisation or processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;.

Certain categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be subject to stricter conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures, while keeping a proportionate approach. For that purpose, important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be divided into two classes, reflecting the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; linked to those categories of products. An incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; involving important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class II might lead to greater negative impacts than an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; involving important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class I, for instance due to the nature of their cybersecurity-related function or the performance of another function which carries a significant risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of adverse effects. As an indication of such greater negative impacts, products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class II could either perform a cybersecurity-related functionality or another function which carries a significant risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of adverse effects that is higher than for those listed in class I, or meet both of the aforementioned criteria. Important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class II should therefore be subject to a stricter conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure.

Important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as referred to in this Regulation should be understood as products which have the core functionality of a category of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that is set out in this Regulation. For example, this Regulation sets out categories of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which are defined by their core functionality as firewalls or intrusion detection or prevention systems in class II. As a result, firewalls and intrusion detection or prevention systems are subject to mandatory third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. This is not the case for other products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; not categorised as important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which may integrate firewalls or intrusion detection or prevention systems. The Commission should adopt an implementing act to specify the technical description of the categories of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under classes I and II as set out in this Regulation.

The categories of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in this Regulation have a cybersecurity-related functionality and perform a function which carries a significant risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; through direct manipulation. Furthermore, those categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are considered to be critical dependencies for essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555. The categories of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in an annex to this Regulation, due to their criticality, already widely use various forms of certification, and are also covered by the European Common Criteria-based cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme (EUCC) set out in Commission Implementing Regulation (EU) 2024/482(²⁰)Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).. Therefore, in order to ensure a common adequate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; protection of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in the Union, it could be adequate and proportionate to subject such categories of product, by means of a delegated act, to mandatory European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification where a relevant European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme covering those products is already in place and an assessment of the potential market impact of the envisaged mandatory certification has been carried out by the Commission. That assessment should consider both the supply and demand side, including whether there is sufficient demand for the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned from both Member States and users for European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification to be required, as well as the purposes for which the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are intended to be used, including the critical dependency on them by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555. The assessment should also analyse the potential effects of the mandatory certification on the availability of those products on the internal market and the capabilities and the readiness of the Member States for the implementation of the relevant European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes.

Delegated acts requiring mandatory European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification should determine the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that have the core functionality of a category of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in this Regulation that are to be subject to mandatory certification, as well as the required assurance level, which should be at least ‘substantial’. The required assurance level should be proportionate to the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. For instance, where the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has the core functionality of a category of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in this Regulation and is intended for the use in a sensitive or critical environment, such as products intended for the use of essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555, it may require the highest assurance level.

In order to ensure a common adequate cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; protection in the Union of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that have the core functionality of a category of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in this Regulation, the Commission should also be empowered to adopt delegated acts to amend this Regulation by adding or withdrawing categories of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for which manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; could be required to obtain a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certificate under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with this Regulation. A new category of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; can be added to those categories if there is a critical dependency on them by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555 or, if affected by incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; or when containing exploited vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, this could lead to disruptions of critical supply chains. When assessing the need for adding or withdrawing categories of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; by means of a delegated act, the Commission should be able to take into account whether the Member States have identified at national level products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that have a critical role for the resilience of essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555 and which increasingly face supply chain cyberattacks, with potential serious disruptive effects. Furthermore, the Commission should be able to take into account the outcome of the Union level coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555.

The Commission should ensure that a wide range of relevant stakeholders are consulted in a structured and regular manner when preparing measures for the implementation of this Regulation. This should particularly be the case where the Commission assesses the need for potential updates to the lists of categories of important or critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, where relevant manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should be consulted and their views taken into account in order to analyse the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; as well as the balance of costs and benefits of designating such categories of products as important or critical.

This Regulation addresses cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; in a targeted manner. Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; might, however, pose other safety risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, that are not always related to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; but can be a consequence of a security breach. Those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; should continue to be regulated by relevant Union harmonisation legislation means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies; other than this Regulation. If no Union harmonisation legislation means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies; other than this Regulation is applicable, they should be subject to Regulation (EU) 2023/988 of the European Parliament and of the Council(²¹)Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (OJ L 135, 23.5.2023, p. 1).. Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation (EU) 2023/988 should apply to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with respect to safety risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; not covered by this Regulation, if those products are not subject to specific requirements laid down in Union harmonisation legislation means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies; other than this Regulation within the meaning of Article 3, point (27), of Regulation (EU) 2023/988.

Products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689 of the European Parliament and of the Council(²²)Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj). which fall within the scope of this Regulation should comply with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. Where those high-risk AI systems fulfil the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation, they should be deemed to comply with the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Article 15 of Regulation (EU) 2024/1689 in so far as those requirements are covered by the EU declaration of conformity or parts thereof issued under this Regulation. For that purpose, the assessment of the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; classified as a high-risk AI system pursuant to Regulation (EU) 2024/1689 that is to be taken into account during the planning, design, development, production, delivery and maintenance phases of such product, as required under this Regulation, should take into account risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the cyber resilience of an AI system as regards attempts by unauthorised third parties to alter its use, behaviour or performance, including AI specific vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; such as data poisoning or adversarial attacks, as well as, as relevant, risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to fundamental rights, in accordance with Regulation (EU) 2024/1689. As regards the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures relating to the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that falls within the scope of this Regulation and that is classified as a high-risk AI system, Article 43 of Regulation (EU) 2024/1689 should apply as a rule instead of the relevant provisions of this Regulation. However, that rule should not result in a reduction of the necessary level of assurance for important or critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as referred to in this Regulation. Therefore, by way of derogation from that rule, high-risk AI systems that fall within the scope of Regulation (EU) 2024/1689 which are also important or critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as referred to in this Regulation and to which the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure based on internal control referred to in Annex VI to Regulation (EU) 2024/1689 applies, should be subject to the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures provided for in this Regulation in so far as the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation are concerned. In such a case, for all the other aspects covered by Regulation (EU) 2024/1689 the relevant provisions on conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; based on internal control set out in Annex VI to that Regulation should apply.

In order to improve the security of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; placed on the internal market it is necessary to lay down essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements applicable to such products. Those essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements should be without prejudice to the Union level coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, which take into account both technical and, where relevant, non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors, such as undue influence by a third country on suppliers. Furthermore, they should be without prejudice to the Member States’ prerogative to lay down additional requirements that take account of non-technical factors for the purpose of ensuring a high level of resilience, including those defined in Commission Recommendation (EU) 2019/534(²³)Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42)., in the EU coordinated risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment of the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of 5G networks and in the EU Toolbox on 5G cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; agreed by the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established pursuant to Article 14 of Directive (EU) 2022/2555.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of products falling within the scope of Regulation (EU) 2023/1230 of the European Parliament and of the Council(²⁴)Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (OJ L 165, 29.6.2023, p. 1). which are also products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as defined in this Regulation should comply with both the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation and the essential health and safety requirements set out in Regulation (EU) 2023/1230. The essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation and certain essential requirements set out in Regulation (EU) 2023/1230 might address similar cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Therefore, the compliance with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation could facilitate the compliance with the essential requirements that also cover certain cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; as set out in Regulation (EU) 2023/1230, and in particular those regarding the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation. Such synergies have to be demonstrated by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, for instance by applying, where available, harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; or other technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; covering relevant essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements following a risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment covering those cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also follow the applicable conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures set out in this Regulation and in Regulation (EU) 2023/1230. The Commission and the European standardisation organisations, in the preparatory work supporting the implementation of this Regulation and of Regulation (EU) 2023/1230 and the related standardisation processes, should promote consistency in how the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; are to be assessed and in how those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; are to be covered by harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; with regard to the relevant essential requirements. In particular, the Commission and the European standardisation organisations should take into account this Regulation in the preparation and development of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; to facilitate the implementation of Regulation (EU) 2023/1230 as regards in particular the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; aspects related to the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation. The Commission should provide guidance to support manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; subject to this Regulation that are also subject to Regulation (EU) 2023/1230, in particular to facilitate the demonstration of compliance with relevant essential requirements set out in this Regulation and in Regulation (EU) 2023/1230.

In order to ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are secure both at the time of their placing on the market means the first making available of a product with digital elements on the Union market; as well as during the time the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is expected to be in use, it is necessary to lay down essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements for vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling and essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements relating to the properties of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. While manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should comply with all essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements related to vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling throughout the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, they should determine which other essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements related to the product properties are relevant for the type of product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned. For that purpose, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should undertake an assessment of the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to identify relevant risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and relevant essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements in order to make available their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; without known exploitable vulnerabilities means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions; that might have an impact on the security of those products and to appropriately apply suitable harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European or international standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;.

Where certain essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements are not applicable to a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should include a clear justification in the cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment included in the technical documentation. This could be the case where an essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirement is incompatible with the nature of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. For example, the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; may require the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to follow widely recognised interoperability standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). even if its security features are no longer considered to be state of the art. Similarly, other Union law requires manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to apply specific interoperability requirements. Where an essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirement is not applicable to a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, but the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has identified cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; in relation to that essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirement, it should take measures to address those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; by other means, for instance by limiting the intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of the product to trusted environments or by informing the users about those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;.

One of the most important measures for users to take in order to protect their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; from cyberattacks is to install the latest available security updates as soon as possible. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should therefore design their products and put in place processes to ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; include functions that enable the notification, distribution, download and installation of security updates automatically, in particular in the case of consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; products. They should also provide the possibility to approve the download and installation of the security updates as a final step. Users should retain the ability to deactivate automatic updates, with a clear and easy-to-use mechanism, supported by clear instructions on how users can opt out. The requirements relating to automatic updates as set out in an annex to this Regulation are not applicable to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; primarily intended to be integrated as components means software or hardware intended for integration into an electronic information system; into other products. They also do not apply to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for which users would not reasonably expect automatic updates, including products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; intended to be used in professional ICT networks, and especially in critical and industrial environments where an automatic update could cause interference with operations. Irrespective of whether a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is designed to receive automatic updates or not, its manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should inform users about vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and make security updates available without delay. Where a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has a user interface or similar technical means allowing direct interaction with its users, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should make use of such features to inform users that their product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has reached the end of the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;. Notifications should be limited to what is necessary in order to ensure the effective reception of this information and should not have a negative impact on the user experience of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

To improve the transparency of vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling processes and to ensure that users are not required to install new functionality updates for the sole purpose of receiving the latest security updates, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should ensure, where technically feasible, that new security updates are provided separately from functionality updates.

The joint communication of the Commission and the High Representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; of the Union for Foreign Affairs and Security Policy of 20 June 2023 entitled ‘European Economic Security Strategy’ stated that the Union needs to maximise the benefits of its economic openness while minimising the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; from economic dependencies on high-risk vendors, through a common strategic framework for Union economic security. Dependencies on high-risk suppliers of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; may pose a strategic risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that needs to be addressed at Union level, especially where the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are intended for the use by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555. Such risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; may be linked, but not limited, to the jurisdiction applicable to the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, the characteristics of its corporate ownership and the links of control to a third-country government where it is established, in particular where a third country engages in economic espionage or irresponsible state behaviour in cyberspace and its legislation allows arbitrary access to any kind of company operations or data, including commercially sensitive data, and can impose obligations for intelligence purposes without democratic checks and balances, oversight mechanisms, due process or the right to appeal to an independent court or tribunal. When determining the significance of a cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; within the meaning of this Regulation, the Commission and the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, as per their responsibilities as set out in this Regulation, should also consider non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors, in particular those established as a result of Union level coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555.

For the purpose of ensuring the security of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; after their placing on the market means the first making available of a product with digital elements on the Union market;, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should determine the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, which should reflect the time the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is expected to be in use. In determining a support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should take into account in particular reasonable user expectations, the nature of the product, as well as relevant Union law determining the lifetime of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also be able to take into account other relevant factors. Criteria should be applied in a manner that ensures proportionality in the determination of the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;. Upon request, a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should provide market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; with the information that was taken into account to determine the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

The support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for which the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; ensures the effective handling of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; should be no less than five years, unless the lifetime of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is less than five years, in which case the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should ensure the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling for that lifetime. Where the time the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is reasonably expected to be in use is longer than five years, as is often the case for hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; components means software or hardware intended for integration into an electronic information system; such as motherboards or microprocessors, network devices such as routers, modems or switches, as well as software means the part of an electronic information system which consists of computer code;, such as operating systems or video-editing tools, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should accordingly ensure longer support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;. In particular, products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; intended for use in industrial settings, such as industrial control systems, are often in use for significantly longer periods of time. A manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should be able to define a support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of less than five years only where this is justified by the nature of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned and where that product is expected to be in use for less than five years, in which case the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; should correspond to the expected use time. For instance, the lifetime of a contact tracing application intended for use during a pandemic could be limited to the duration of the pandemic. Moreover, some software means the part of an electronic information system which consists of computer code; applications can by nature only be made available on the basis of a subscription model, in particular where the application becomes unavailable to the user and is consequently not in use anymore once the subscription expires.

When products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; reach the end of their support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, in order to ensure that vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; can be handled after the end of the support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should consider releasing the source code of such products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; either to other undertakings which commit to extending the provision of vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling services or to the public. Where manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; release the source code to other undertakings, they should be able to protect the ownership of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and prevent the dissemination of the source code to the public, for example through contractual arrangements.

In order to ensure that manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; across the Union determine similar support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for comparable products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, ADCO should publish statistics on the average support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; determined by manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; for categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and issue guidance indicating appropriate support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for such categories. In addition, with a view to ensuring a harmonised approach across the internal market, the Commission should be able to adopt delegated acts to specify minimum support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for specific product categories where the data provided by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; suggests that the support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; determined by manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; are either systematically not in line with the criteria for determining the support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; as laid down in this Regulation or that manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in different Member States unjustifiably determine different support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of the product with digital element. They should make the single point of contact easily accessible for users and clearly indicate its availability, keeping this information up to date. Where manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; choose to offer automated tools, e.g. chat boxes, they should also offer a phone number or other digital means of contact, such as an email address or a contact form. The single point of contact should not rely exclusively on automated tools.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should make their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; available on the market with a secure by default configuration and provide security updates to users free of charge. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should only be able to deviate from the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements in relation to tailor-made products that are fitted to a particular purpose for a particular business user and where both the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and the user have explicitly agreed to a different set of contractual terms.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should notify simultaneously via the single reporting platform both the computer security incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; response team (CSIRT) designated as coordinator as well as ENISA of actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; contained in products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, as well as severe incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; having an impact on the security of those products. The notifications should be submitted using the electronic notification end-point means any device that is connected to a network and serves as an entry point to that network; of a CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. and should be simultaneously accessible to ENISA.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should notify actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; to ensure that the CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555., and ENISA, have an adequate overview of such vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and are provided with the information necessary to fulfil their tasks as set out in Directive (EU) 2022/2555 and raise the overall level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3 of that Directive, as well as to ensure the effective functioning of market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;. As most products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are marketed across the entire internal market, any exploited vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be considered to be a threat to the functioning of the internal market. ENISA should, in agreement with the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, disclose fixed vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; to the European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database established pursuant to Article 12(2) of Directive (EU) 2022/2555. The European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database will assist manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in detecting known exploitable vulnerabilities means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions; in their products, in order to ensure that secure products are made available on the market.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also notify any severe incident having an impact on the security of the product with digital elements means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions; to the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. and ENISA. In order to ensure that users can react quickly to severe incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; having an impact on the security of their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also inform their users about any such incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, for example by publishing relevant information on their websites or, where the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; is able to contact the users and where justified by the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, by reaching out to the users directly.

Actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; concern instances where a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; establishes that a security breach affecting its users or any other natural or legal persons has resulted from a malicious actor making use of a flaw in one of the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; made available on the market by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. Examples of such vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; could be weaknesses in a product’s identification and authentication functions. Vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; that are discovered with no malicious intent for purposes of good faith testing, investigation, correction or disclosure to promote the security or safety of the system owner and its users should not be subject to mandatory notification. Severe incidents having an impact on the security of the product with digital elements means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;, on the other hand, refer to situations where a cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affects the development, production or maintenance processes of the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in such a way that it could result in an increased cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; for users or other persons. Such a severe incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; could include a situation where an attacker has successfully introduced malicious code into the release channel via which the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; releases security updates to users.

To ensure that notifications can be disseminated quickly to all relevant CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. and to enable manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to submit a single notification at each stage of the notification process, a single reporting platform with national electronic notification end-points means any device that is connected to a network and serves as an entry point to that network; should be established by ENISA. The day-to-day operations of the single reporting platform should be managed and maintained by ENISA. The CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. should inform their respective market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; about notified vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; or incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. The single reporting platform should be designed in such a way that it ensures the confidentiality of notifications, in particular as regards vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; for which a security update is not yet available. In addition, ENISA should put in place procedures to handle information in a secure and confidential manner. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; in products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and submit it to the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established pursuant to Article 14 of Directive (EU) 2022/2555.

In exceptional circumstances and in particular upon request by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. initially receiving a notification should be able to decide to delay its dissemination to the other relevant CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. via the single reporting platform where this can be justified on cybersecurity-related grounds and for a period of time that is strictly necessary. The CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. should immediately inform ENISA about the decision to delay and on which grounds, as well as when it intends to disseminate further. The Commission should develop, through a delegated act, specifications on the terms and conditions for when cybersecurity-related grounds could be applied and should cooperate with the CSIRTscomputer security incident response teams network established pursuant to Article 15 of Directive (EU) 2022/2555, and ENISA in preparing the draft delegated act. Examples of cybersecurity-related grounds include an ongoing coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure procedure or situations in which a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; is expected to provide a mitigating measure shortly and the cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of an immediate dissemination via the single reporting platform outweigh its benefits. If requested by the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555., ENISA should be able to support that CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification based on the information ENISA has received from that CSIRT on the decision to withhold a notification on those cybersecurity-related grounds. Furthermore, in particularly exceptional circumstances, ENISA should not receive all the details of a notification of an actively exploited vulnerability means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; in a simultaneous manner. This would be the case when the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; marks in its notification that the notified vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; has been actively exploited by a malicious actor and that, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. to which the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has notified the vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, when any immediate further dissemination of the notified vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State, or when the notified vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; poses an imminent high cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from the further dissemination. In such cases, ENISA will only receive simultaneous access to the information that a notification was made by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, general information about the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned, the information about the general nature of the exploit and information about the fact that those security grounds were raised by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and that the full content of the notification is therefore withheld. The full notification should then be made available to ENISA and other relevant CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. when the CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. initially receiving the notification finds that those security grounds, reflecting particularly exceptional circumstances as established in this Regulation, cease to exist. Where, based on the information available, ENISA considers that there is a systemic risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; affecting the security of the internal market, ENISA should recommend to the recipient CSIRT to disseminate the full notification to the other CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. and to ENISA itself.

When manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; notify an actively exploited vulnerability means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; or a severe incident having an impact on the security of the product with digital elements means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;, they should indicate how sensitive they consider the notified information to be. The CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. initially receiving the notification should take this information into account when assessing whether the notification gives rise to exceptional circumstances that justify a delay in the dissemination of the notification to the other relevant CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. based on justified cybersecurity-related grounds. It should also take that information into account when assessing whether the notification of an actively exploited vulnerability means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; gives rise to particularly exceptional circumstances that justify that the full notification is not made available simultaneously to ENISA. Finally, CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. should be able to take that information into account when determining appropriate measures to mitigate the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from such vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

In order to simplify the reporting of information required under this Regulation, in consideration of other complementary reporting requirements laid down in Union law, such as Regulation (EU) 2016/679, Regulation (EU) 2022/2554 of the European Parliament and of the Council(²⁵)Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1)., Directive 2002/58/EC of the European Parliament and of the Council(²⁶)Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37). and Directive (EU) 2022/2555, as well as to decrease the administrative burden for entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, Member States are encouraged to consider providing at national level single entry points for such reporting requirements. The use of such national single entry points for the reporting of security incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. When establishing the single reporting platform referred to in this Regulation, ENISA should take into account the possibility for the national electronic notification end-points means any device that is connected to a network and serves as an entry point to that network; referred to in this Regulation to be integrated into national single entry points that may also integrate other notifications required under Union law.

When establishing the single reporting platform referred to in this Regulation and in order to benefit from past experience, ENISA should consult other Union institutions or agencies that are managing platforms or databases subject to stringent security requirements, such as the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). ENISA should also analyse potential complementarities with the European vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and other natural and legal persons should be able to notify to a CSIRT designated as coordinator means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. or ENISA, on a voluntary basis, any vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; contained in a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; that could affect the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, any incident having an impact on the security of the product with digital elements means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions; as well as near misses that could have resulted in such an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

Member States should aim to address, to the extent possible, the challenges faced by vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should put in place coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure policies to facilitate the reporting of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; by individuals or entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; either directly to the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; or indirectly, and where requested anonymously, via CSIRTs designated as coordinators means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. for the purposes of coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure in accordance with Article 12(1) of Directive (EU) 2022/2555. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’ coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure policy should specify a structured process through which vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; are reported to a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in a manner allowing the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to diagnose and remedy such vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; before detailed vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; information is disclosed to third parties or to the public. Moreover, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also consider publishing their security policies in machine-readable format. Given the fact that information about exploitable vulnerabilities means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions; in widely used products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; can be sold at high prices on the black market, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of such products should be able to use programmes, as part of their coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure policies, to incentivise the reporting of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; by ensuring that individuals or entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; receive recognition and compensation for their efforts. This refers to so-called ‘bug bounty programmes’.

In order to facilitate vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; analysis, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should identify and document components means software or hardware intended for integration into an electronic information system; contained in the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including by drawing up an SBOM. An SBOM can provide those who manufacture, purchase, and operate software means the part of an electronic information system which consists of computer code; with information that enhances their understanding of the supply chain, which has multiple benefits, in particular it helps manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and users to track known newly emerged vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. It is of particular importance that manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; ensure that their products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; do not contain vulnerable components means software or hardware intended for integration into an electronic information system; developed by third parties. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should not be obliged to make the SBOM public.

Under the new complex business models linked to online sales, a business operating online can provide a variety of services. Depending on the nature of the services provided in relation to a given product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the same entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; may fall within different categories of business models or economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;. Where an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; provides only online intermediation services for a given product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and is merely a provider of an online marketplace means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22). as defined in Article 3, point (14), of Regulation (EU) 2023/988, it does not qualify as one of the types of economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; defined in this Regulation. Where the same entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is a provider of an online marketplace means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22). and also acts as an economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; as defined in this Regulation for the sale of particular products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it should be subject to the obligations set out in this Regulation for that type of economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;. For instance, if the provider of an online marketplace means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22). also distributes a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, then, with respect to the sale of that product, it would be considered to be a distributor means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;. Similarly, if the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in question sells its own branded products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it would qualify as a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and would thus have to comply with the applicable requirements for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. Also, some entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; can qualify as fulfilment service providers as defined in Article 3, point (11), of Regulation (EU) 2019/1020 of the European Parliament and of the Council(²⁷)Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1). if they offer such services. Such cases would need to be assessed on a case-by-case basis. Given the prominent role that online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22). have in enabling electronic commerce, they should strive to cooperate with the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of the Member States in order to help ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; purchased through online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22). comply with the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements laid down in this Regulation.

In order to facilitate assessment of conformity with the requirements laid down in this Regulation, there should be a presumption of conformity for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which are in conformity with harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, which translate the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation into detailed technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012;, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council(²⁸)Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. That Regulation provides for a procedure for objections to harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; where those standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). do not entirely satisfy the requirements set out in this Regulation. The standardisation process should ensure a balanced representation of interests and effective participation of civil society stakeholders, including consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; organisations. International standards means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; that are in line with the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; protection aimed for by the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation should also be taken into account, in order to facilitate the development of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; and the implementation of this Regulation, as well as to facilitate compliance for companies, in particular microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; and those operating globally.

The timely development of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; during the transitional period for the application of this Regulation and their availability before the date of application of this Regulation will be particularly important for its effective implementation. This is, in particular, the case for important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class I. The availability of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; will enable manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of such products to perform the conformity assessments means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; via the internal control procedure and can therefore avoid bottlenecks and delays in the activities of conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;.

Regulation (EU) 2019/881 establishes a voluntary European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification framework for ICT products means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;, ICT processes and ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;. European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes provide a common framework of trust for users to use products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall within the scope of this Regulation. This Regulation should consequently create synergies with Regulation (EU) 2019/881. In order to facilitate the assessment of conformity with the requirements laid down in this Regulation, products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are certified or for which a statement of conformity has been issued under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; scheme pursuant to Regulation (EU) 2019/881 that has been identified by the Commission in an implementing act, shall be presumed to be in compliance with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation in so far as the European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certificate or statement of conformity or parts thereof cover those requirements. The need for new European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be assessed in the light of this Regulation, including when preparing the Union rolling work programme in accordance with Regulation (EU) 2019/881. Where there is a need for a new scheme covering products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including in order to facilitate compliance with this Regulation, the Commission can request ENISA to prepare candidate schemes in accordance with Article 48 of Regulation (EU) 2019/881. Such future European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes covering products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should take into account the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements and conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures as set out in this Regulation and facilitate compliance with this Regulation. For European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes that enter into force before the entry into force of this Regulation, further specifications may be needed on detailed aspects of how a presumption of conformity can apply. The Commission, by means of delegated acts, should be empowered to specify under which conditions the European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes can be used to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. Furthermore, to avoid undue administrative burdens, there should be no obligation for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to carry out a third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; as provided for in this Regulation for corresponding requirements where a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certificate has been issued under such European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes at least at level ‘substantial’.

Upon entry into force of Implementing Regulation (EU) 2024/482 which concerns products that fall within the scope of this Regulation, such as hardware means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; security modules and microprocessors, the Commission should be able to specify, by means of a delegated act, how the EUCC provides a presumption of conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements as set out in this Regulation or parts thereof. Furthermore, such a delegated act may specify how a certificate issued under the EUCC eliminates the obligation for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to carry out a third-party assessment as required pursuant to this Regulation for corresponding requirements.

The current European standardisation framework, which is based on the New Approach principles set out in Council Resolution of 7 May 1985 on a new approach to technical harmonization and standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and on Regulation (EU) No 1025/2012, represents the framework by default to elaborate standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). that provide for a presumption of conformity with the relevant essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. European standards means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012; should be market-driven, take into account the public interest, as well as the policy objectives clearly stated in the Commission’s request to one or more European standardisation organisations to draft harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, within a set deadline, and be based on consensus. However, in the absence of relevant references to harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, the Commission should be able to adopt implementing acts establishing common specifications for the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation, provided that in doing so it duly respects the role and functions of European standardisation organisations, as an exceptional fall back solution to facilitate the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’s obligation to comply with those essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, where the standardisation process is blocked or where there are delays in the establishment of appropriate harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;. If such delay is due to the technical complexity of the standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). in question, this should be considered by the Commission before considering whether to establish common specifications.

With a view to establishing, in the most efficient way, common specifications that cover the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation, the Commission should involve relevant stakeholders in the process.

‘Reasonable period’ has the meaning, in relation to the publication of a reference to harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012; in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012, of a period during which the publication in the Official Journal of the European Union of the reference to the standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., its corrigendum or its amendment is expected and which should not exceed one year after the deadline for drafting a European standard means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012; set in accordance with Regulation (EU) No 1025/2012.

In order to facilitate the assessment of conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation, there should be a presumption of conformity for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are in conformity with the common specifications adopted by the Commission pursuant to this Regulation for the purpose of expressing detailed technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; of those requirements.

The application of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity in relation to the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements applicable to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; will facilitate the assessment of conformity by the manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. If the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; chooses not to apply such means for certain requirements, it has to indicate in their technical documentation how the compliance is reached otherwise. Furthermore, the application of harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity by manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; would facilitate the check of compliance of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;. Therefore, manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are encouraged to apply such harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes.

Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should draw up an EU declaration of conformity to provide information required under this Regulation on the conformity of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation and, where applicable, of the other relevant Union harmonisation legislation means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies; by which the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is covered. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; may also be required to draw up an EU declaration of conformity by other Union legal acts. To ensure effective access to information for market surveillance purposes, a single EU declaration of conformity should be drawn up in respect of compliance with all relevant Union legal acts. In order to reduce the administrative burden on economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, it should be possible for that single EU declaration of conformity to be a dossier made up of relevant individual declarations of conformity.

The CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;, indicating the conformity of a product, is the visible consequence of a whole process comprising conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; in a broad sense. The general principles governing the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; are set out in Regulation (EC) No 765/2008 of the European Parliament and of the Council(²⁹)Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).. Rules governing the affixing of the CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; on products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be laid down in this Regulation. The CE marking means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; should be the only marking which guarantees that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; comply with the requirements set out in this Regulation.

In order to allow economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation and to allow market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; to ensure that products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; made available on the market comply with those requirements, it is necessary to provide for conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures. Decision No 768/2008/EC of the European Parliament and of the Council(³⁰)Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82). establishes modules for conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures in proportion to the level of risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; involved and the level of security required. In order to ensure inter-sectoral coherence and to avoid ad-hoc variants, conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures adequate for verifying the conformity of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation should be based on those modules. The conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures should examine and verify both product and process-related requirements covering the whole lifecycle of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including planning, design, development or production, testing and maintenance of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

Conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are not listed as important or critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in this Regulation can be carried out by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; under its own responsibility following the internal control procedure based on module A of Decision No 768/2008/EC in accordance with this Regulation. This also applies to cases where a manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; chooses not to apply in whole or in part an applicable harmonised standard means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specification or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; retains the flexibility to choose a stricter conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure involving a third party. Under the internal control conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; ensures and declares on its sole responsibility that the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and the processes of the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; meet the applicable essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. If an important product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; falls under class I, additional assurance is required to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should apply harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes adopted pursuant to Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act if it wants to carry out the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; under its own responsibility (module A). If the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; does not apply such harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should undergo conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; involving a third party (based on modules B and C or module H). Taking into account the administrative burden on manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and the fact that cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; plays an important role in the design and development phase of tangible and intangible products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures based on modules B and C or module H of Decision No 768/2008/EC have been chosen as most appropriate for assessing the compliance of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in a proportionate and effective manner. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that carries out the third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; can choose the procedure that best suits its design and production process. Given the even greater cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; linked with the use of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under class II, the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; should always involve a third party, even where the product complies fully or partly with harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; should be able to follow the internal control procedure based on module A, provided that they make the technical documentation available to the public.

While the creation of tangible products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; usually requires manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to make substantial efforts throughout the design, development and production phases, the creation of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in the form of software means the part of an electronic information system which consists of computer code; almost exclusively focuses on design and development, while the production phase plays a minor role. Nonetheless, in many cases software means the part of an electronic information system which consists of computer code; products still need to be compiled, built, packaged, made available for download or copied onto physical media before being placed on the market. Those activities should be considered to be activities amounting to production when applying the relevant conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; modules to verify the compliance of the product with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in this Regulation across the design, development and production phases.

In relation to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;, in order to ensure proportionality, it is appropriate to alleviate administrative costs without affecting the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; protection of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall within the scope of this Regulation or the level playing field among manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. It is therefore appropriate for the Commission to establish a simplified technical documentation form targeted at the needs of microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;. The simplified technical documentation form adopted by the Commission should cover all the applicable elements related to technical documentation set out in this Regulation and specify how a microenterprise means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million; or a small enterprise means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; can provide the requested elements in a concise way, such as the description of the design, development and production of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. In doing so, the form would contribute to alleviating the administrative compliance burden by providing the enterprises concerned with legal certainty about the extent and detail of information to be provided. Microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; should be able to choose to provide the applicable elements related to technical documentation in extensive form and not take advantage of the simplified technical form available to them.

In order to promote and protect innovation, it is important that the interests of manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that are microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; or small or medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, in particular microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;, including start-ups, are taken into particular account. To that end, Member States could develop initiatives which are targeted at manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that are microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; or small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;, including on training, awareness raising, information communication, testing and third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; activities, as well as the establishment of sandboxes. Translation costs related to mandatory documentation, such as the technical documentation and the information and instructions to the user required pursuant to this Regulation, and communication with authorities, may constitute a significant cost for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, in particular those of a smaller size. Therefore, Member States should be able to consider that one of the languages determined and accepted by them for relevant manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’ documentation and for communication with manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; is one which is broadly understood by the largest possible number of users.

In order to ensure a smooth application of this Regulation, Member States should strive to ensure, before the date of application of this Regulation, that a sufficient number of notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; is available to carry out third-party conformity assessments means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. The Commission should seek to assist Member States and other relevant parties in this endeavour, in order to avoid bottlenecks and hindrances to market entry for manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. Targeted training activities led by Member States, including where appropriate with the support of the Commission, can contribute to the availability of skilled professionals including to support the activities of notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; under this Regulation. Furthermore, in light of the costs that third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; may entail, funding initiatives at Union and national level that seek to alleviate such costs for microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; should be considered.

In order to ensure proportionality, conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;, when setting the fees for conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures, should take into account the specific interests and needs of microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including start-ups. In particular, conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; should apply the relevant examination procedure and tests provided for in this Regulation only where appropriate and following a risk-based approach.

The objectives of regulatory sandboxes should be to foster innovation and competitiveness for businesses by establishing controlled testing environments before the placing on the market means the first making available of a product with digital elements on the Union market; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Regulatory sandboxes should contribute to improve legal certainty for all actors that fall within the scope of this Regulation and facilitate and accelerate access to the Union market for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, in particular when provided by microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;, including start-ups.

In order to carry out third-party conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; for products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; should be notified by the national notifying authorities means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring; to the Commission and the other Member States, provided they comply with a set of requirements, in particular on independence, competence and absence of conflicts of interest.

In order to ensure a consistent level of quality in the performance of conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it is also necessary to lay down requirements for notifying authorities means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring; and other bodies involved in the assessment, notification and monitoring of notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;. The system set out in this Regulation should be complemented by the accreditation system provided for in Regulation (EC) No 765/2008. Since accreditation is an essential means of verifying the competence of conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;, it should also be used for the purposes of notification.

Conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; that have been accredited and notified under Union law laying down requirements similar to those laid down in this Regulation, such as a conformity assessment body means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; that has been notified for a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme adopted pursuant to Regulation (EU) 2019/881 or notified under Delegated Regulation (EU) 2022/30, should be newly assessed and notified under this Regulation. However, synergies can be defined by relevant authorities regarding any overlapping requirements in order to prevent an unnecessary financial and administrative burden and to ensure a smooth and timely notification process.

Transparent accreditation as provided for in Regulation (EC) No 765/2008, ensuring the necessary level of confidence in certificates of conformity, should be considered by the national public authorities means any government or other public administration entity, including national central banks. throughout the Union to be the preferred means of demonstrating the technical competence of conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;. However, national authorities may consider that they possess the appropriate means of carrying out that evaluation themselves. In such cases, in order to ensure the appropriate level of credibility of evaluations carried out by other national authorities, they should provide the Commission and the other Member States with the necessary documentary evidence demonstrating the compliance of the conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; evaluated with the relevant regulatory requirements.

Conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; frequently subcontract parts of their activities linked to the assessment of conformity or have recourse to a subsidiary means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU;. In order to safeguard the level of protection required for a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to be placed on the market, it is essential that conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; subcontractors and subsidiaries means a subsidiary undertaking within the meaning of Article 2, point (10), and Article 22 of Directive 2013/34/EU; fulfil the same requirements as notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; in relation to the performance of conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; tasks.

The notification of a conformity assessment body means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; should be sent by the notifying authority means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring; to the Commission and the other Member States via the New Approach Notified and Designated Organisations (NANDO) information system. The NANDO information system is the electronic notification tool developed and managed by the Commission where a list of all notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; can be found.

Since notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; may offer their services throughout the Union, it is appropriate to give the other Member States and the Commission the opportunity to raise objections concerning a notified body means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;. It is therefore important to provide for a period during which any doubts or concerns as to the competence of conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; can be clarified before they start operating as notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;.

In the interests of competitiveness, it is crucial that notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; apply the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures without creating unnecessary burden for economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;. For the same reason, and to ensure equal treatment of economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, consistency in the technical application of the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;.

Market surveillance is an essential instrument in ensuring the proper and uniform application of Union law. It is therefore appropriate to put in place a legal framework within which market surveillance can be carried out in an appropriate manner. The rules on Union market surveillance and control of products entering the Union market provided for in Regulation (EU) 2019/1020 apply to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall within the scope of this Regulation.

In accordance with Regulation (EU) 2019/1020, a market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; carries out market surveillance in the territory of the Member State that designates it. This Regulation should not prevent Member States from choosing the competent authoritiesas defined in Article 46 to carry out market surveillance tasks. Each Member State should designate one or more market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; in its territory. Member States should be able to choose to designate any existing or new authority to act as market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, including competent authoritiesas defined in Article 46 designated or established pursuant to Article 8 of Directive (EU) 2022/2555, national cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 or market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; designated for the purposes of Directive 2014/53/EU. Economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; should fully cooperate with market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; and other competent authoritiesas defined in Article 46. Each Member State should inform the Commission and the other Member States of its market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; and the areas of competence of each of those authorities and should ensure the necessary resources and skills to carry out the market surveillance tasks relating to this Regulation. Pursuant to Article 10(2) and (3) of Regulation (EU) 2019/1020, each Member State should appoint a single liaison office that should be responsible, inter alia, for representing the coordinated position of the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; and assisting in the cooperation between market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; in different Member States.

A dedicated ADCO for the cyber resilience of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO should be composed of representatives means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; of the designated market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; and, if appropriate, representatives means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; of the single liaison offices. The Commission should support and encourage cooperation between market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; through the Union Product Compliance Network established pursuant to Article 29 of Regulation (EU) 2019/1020 and comprising representatives means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; from each Member State, including a representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; of each single liaison office as referred to in Article 10 of that Regulation and an optional national expert, the chairs of ADCOs, and representatives means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; from the Commission. The Commission should participate in the meetings of the Union Product Compliance Network, its sub-groups and ADCO. It should also assist ADCO by means of an executive secretariat that provides technical and logistic support. ADCO may also invite independent experts to participate, and liaise with other ADCOs, such as that established under Directive 2014/53/EU.

Market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, through ADCO established under this Regulation, should cooperate closely and should be able to develop guidance documents to facilitate market surveillance activities at national level, such as by developing best practices and indicators to effectively check the compliance of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with this Regulation.

In order to ensure timely, proportionate and effective measures in relation to products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; presenting a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;, a Union safeguard procedure under which interested parties are informed of measures intended to be taken with regard to such products should be provided for. This should also allow market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, in cooperation with the relevant economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, to act at an earlier stage where necessary. Where the Member States and the Commission agree as to the justification of a measure taken by a Member State, no further involvement of the Commission should be required, except where non-compliance can be attributed to shortcomings of a harmonised standard means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;.

In certain cases, a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which complies with this Regulation can nonetheless present a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption; or pose a risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights, to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data; by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555 or to other aspects of public interest protection. Therefore it is necessary to establish rules which ensure mitigation of those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. As a result, market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should take measures to require the economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; to ensure that the product no longer presents that risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, or to recall means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020; or withdraw it, depending on the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. As soon as a market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; restricts or forbids the free movement of a product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in such way, the Member State should notify without delay the Commission and the other Member States of the provisional measures, indicating the reasons and justification for the decision. Where a market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; adopts such measures against products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; presenting a risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the Commission should enter into consultation with the Member States and the relevant economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; or operators without delay and should evaluate the national measure. On the basis of the results of this evaluation, the Commission should decide whether the national measure is justified or not. The Commission should address its decision to all Member States and immediately communicate it to them and the relevant economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; or operators. If the measure is considered to be justified, the Commission should also consider whether to adopt proposals to revise the relevant Union law.

For products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; presenting a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;, and where there is reason to believe that they do not comply with this Regulation, or for products that comply with this Regulation, but that present other important risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, such as risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights or to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data; by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555, the Commission should be able to request ENISA to carry out an evaluation. Based on that evaluation, the Commission should be able to adopt, by means of implementing acts, corrective or restrictive measures at Union level, including requiring the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. The Commission should be able to have recourse to such intervention only in exceptional circumstances that justify an immediate intervention to preserve the proper functioning of the internal market, and only where no effective measures have been taken by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; to remedy the situation. Such exceptional circumstances may be emergency situations where, for example, a non-compliant product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is widely made available by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; throughout several Member States, used also in key sectors by entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that fall within the scope of Directive (EU) 2022/2555 while containing known vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; that are being exploited by malicious actors and for which the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; does not provide available patches. The Commission should be able to intervene in such emergency situations only for the duration of the exceptional circumstances and if non-compliance with this Regulation or the important risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; presented persist.

Where there are indications of non-compliance with this Regulation in several Member States, market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should be able to carry out joint activities with other authorities, with a view to verifying compliance and identifying cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

Simultaneous coordinated control actions (sweeps) are specific enforcement actions by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; that can further enhance product security. Sweeps should, in particular, be conducted where market trends, consumer means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; complaints or other indications suggest that certain categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are often found to present cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Furthermore, when determining the product categories to be subjected to sweeps, market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should also take into account circumstances relating to non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors. To that end, market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should be able to take into account the results of Union level coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555, including circumstances relating to non-technical risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; factors. ENISA should submit proposals for categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for which sweeps could be organised to the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, based, inter alia, on the notifications of vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; and incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; it receives.

In light of its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, ENISA should be able to propose joint activities to be conducted by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; based on indications or information regarding potential non-compliance with this Regulation of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; across several Member States or identify categories of products for which sweeps should be organised. In exceptional circumstances, ENISA should be able, at the request of the Commission, to conduct evaluations in respect of specific products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that present a significant cybersecurity risk means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;, where an immediate intervention is required to preserve the proper functioning of the internal market.

This Regulation confers certain tasks upon ENISA which require appropriate resources in terms of both expertise and human resources in order to enable ENISA to carry out those tasks effectively. The Commission will propose the necessary budgetary resources for ENISA’s establishment plan, in accordance with the procedure set out in Article 29 of Regulation (EU) 2019/881, when preparing the draft general budget of the Union. During that process, the Commission will consider ENISA’s overall resources to enable it to fulfil its tasks, including those conferred on ENISA pursuant to this Regulation.

In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of updating an annex to this Regulation listing the important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme of the critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in an annex to this Regulation, as well as for updating the list of critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; based on criticality criteria set out in this Regulation, and for specifying the European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements or parts thereof as set out in an annex to this Regulation. Power to adopt acts should also be delegated to the Commission to specify the minimum support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for specific product categories where the market surveillance data suggests inadequate support periods means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, as well as to specify the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications of actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;. Furthermore, power to adopt acts should be delegated to the Commission to establish voluntary security attestation programmes for assessing the conformity of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; with all or certain essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements or other obligations laid down in this Regulation, as well as to specify the minimum content of the EU declaration of conformity and to supplement the elements to be included in the technical documentation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(³¹)OJ L 123, 12.5.2016, p. 1.. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; dealing with the preparation of delegated acts. The power to adopt delegated acts pursuant to this Regulation should be conferred on the Commission for a period of five years from 10 December 2024. The Commission should draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power should be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify the technical description of the categories of important products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; set out in an annex to this Regulation, specify the format and elements of the SBOM, specify further the format and procedure of the notifications of actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; and severe incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; having an impact on the security of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; submitted by manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, establish common specifications covering technical requirements that provide a means to comply with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in an annex to this Regulation, lay down technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; for labels, pictograms or any other marks related to the security of the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, their support period means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; and mechanisms to promote their use and to increase public awareness about the security of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, specify the simplified documentation form targeted at the needs of microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;, and decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the proper functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(³²)Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13, ELI: http://data.europa.eu/eli/reg/2011/182/oj)..

In order to ensure trusting and constructive cooperation of market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; at Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.

In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national law for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account and, as a minimum, those explicitly established in this Regulation, including whether the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; is a microenterprise means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million; or a small or medium-sized enterprise means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including a start-up, and whether administrative fines have been already applied by the same or other market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; to the same economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; for a similar infringement. Such circumstances could be either aggravating, in situations where the infringement by the same economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; persists on the territory of Member States other than that where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; for the same economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; or the same type of infringement should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of several Member States to the same economic operator means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; for the same type of infringement should ensure the respect of the principle of proportionality. Given that administrative fines do not apply to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; or small enterprises means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million; for a failure to meet the 24-hour deadline for the early warning notification of actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; or severe incidents having an impact on the security of the product with digital elements means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;, nor to open-source software stewards means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products; for any infringement of this Regulation, and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

Where administrative fines are imposed on a person that is not an undertaking, the competent authorityas defined in Article 46 should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public authorities means any government or other public administration entity, including national central banks. should be subject to administrative fines.

Member States should examine, taking into account national circumstances, the possibility of using the revenues from the penalties as provided for in this Regulation or their financial equivalent to support cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; policies and increase the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; in the Union by, inter alia, increasing the number of qualified cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; professionals, strengthening capacity building for microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; and improving public awareness of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;.

In its relationships with third countries, the Union endeavours to promote international trade in regulated products. A broad variety of measures can be applied in order to facilitate trade, including several legal instruments such as bilateral (inter-governmental) Mutual Recognition Agreements (MRAs) for conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; and marking of regulated products. MRAs are established between the Union and third countries which are on a comparable level of technical development and have a compatible approach concerning conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. Those agreements are based on the mutual acceptance of certificates, marks of conformity and test reports issued by the conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008; of either party in conformity with the legislation of the other party. Currently, MRAs are in place with several third countries. Those MRAs are concluded in a number of specific sectors, which might vary from one third country to another. In order to further facilitate trade, and recognising that supply chains of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are global, MRAs concerning conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; can be concluded for products regulated under this Regulation by the Union in accordance with Article 218 TFEU. Cooperation with partner third countries is also important, in order to strengthen cyber resilience globally, as in the long term this will contribute to a strengthened cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; framework both within and outside of the Union.

Consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; should be entitled to enforce their rights in relation to the obligations imposed on economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; under this Regulation through representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; actions pursuant to Directive (EU) 2020/1828 of the European Parliament and of the Council(³³)Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).. For that purpose, this Regulation should provide that Directive (EU) 2020/1828 is applicable to the representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; actions concerning infringements of this Regulation that harm or can harm the collective interests of consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;. Annex I to that Directive should therefore be amended accordingly. It is for the Member States to ensure that those amendments are reflected in the transposition measures adopted pursuant to that Directive, although the adoption of national transposition measures in that regard is not a condition for the applicability of that Directive to those representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; actions. The applicability of that Directive to the representative means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; actions brought with regard to infringements of provisions of this Regulation by economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; that harm or could harm the collective interests of consumers means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession; should start from 11 December 2027.

The Commission should periodically evaluate and review this Regulation, in consultation with relevant stakeholders, in particular with a view to determining the need for modification in the light of changes to societal, political, technological or market conditions. This Regulation will facilitate the compliance with supply chain security obligations of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that fall within the scope of Regulation (EU) 2022/2554 and Directive (EU) 2022/2555 that use products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. The Commission should evaluate, as part of that periodic review, the combined effects of the Union cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; framework.

Economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation; should be provided with sufficient time to adapt to the requirements set out in this Regulation. This Regulation should apply from 11 December 2027, with exception of the reporting obligations concerning actively exploited vulnerabilities means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; and severe incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; having an impact on the security of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, which should apply from 11 September 2026 and of the provisions on notification of conformity assessment bodies means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;, which should apply from 11 June 2026.

It is important to provide support to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including start-ups, in the implementation of this Regulation and to minimise the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the implementation resulting from lack of knowledge and expertise in the market, as well as in order to facilitate compliance of manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; with their obligations laid down in this Regulation. The Digital Europe Programme and other relevant Union programmes provide financial and technical support that enable those enterprises to contribute to the growth of the Union economy and to the strengthening of the common level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; in the Union. The European Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Competence Centre and National Coordination Centres as well as European Digital Innovation Hubs established by the Commission and the Member States at Union or national level could also support companies and public sector organisations and could contribute to the implementation of this Regulation. Within their respective missions and fields of competence, they could provide technical and scientific support to microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium sized enterprises, such as for testing activities and third-party conformity assessments means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. They could also foster the deployment of tools to facilitate the implementation of this Regulation.

Furthermore, Member States should consider taking complementary action aiming to provide guidance and support for microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, such as the establishment of regulatory sandboxes and dedicated channels for communication. In order to strengthen the level of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; in the Union, Member States may also consider providing support to develop capacity and skills related to cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, improving the cyber resilience of economic operators means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, in particular of microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, and fostering public awareness about the cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

Since the objective of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(³⁴)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 9 November 2022(³⁵)OJ C 452, 29.11.2022, p. 23.,