@ansvar/eu-regulations-mcp 0.1.0
- package/LICENSE +21 -0
- package/README.md +242 -0
- package/data/seed/ai-act.json +1026 -0
- package/data/seed/applicability/dora.json +92 -0
- package/data/seed/applicability/gdpr.json +74 -0
- package/data/seed/applicability/nis2.json +83 -0
- package/data/seed/cra.json +690 -0
- package/data/seed/cybersecurity-act.json +534 -0
- package/data/seed/dora.json +719 -0
- package/data/seed/gdpr.json +732 -0
- package/data/seed/mappings/iso27001-dora.json +106 -0
- package/data/seed/mappings/iso27001-gdpr.json +114 -0
- package/data/seed/mappings/iso27001-nis2.json +98 -0
- package/data/seed/nis2.json +492 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +271 -0
- package/dist/index.js.map +1 -0
- package/dist/tools/applicability.d.ts +20 -0
- package/dist/tools/applicability.d.ts.map +1 -0
- package/dist/tools/applicability.js +42 -0
- package/dist/tools/applicability.js.map +1 -0
- package/dist/tools/article.d.ts +17 -0
- package/dist/tools/article.d.ts.map +1 -0
- package/dist/tools/article.js +29 -0
- package/dist/tools/article.js.map +1 -0
- package/dist/tools/compare.d.ts +18 -0
- package/dist/tools/compare.d.ts.map +1 -0
- package/dist/tools/compare.js +60 -0
- package/dist/tools/compare.js.map +1 -0
- package/dist/tools/definitions.d.ts +14 -0
- package/dist/tools/definitions.d.ts.map +1 -0
- package/dist/tools/definitions.js +26 -0
- package/dist/tools/definitions.js.map +1 -0
- package/dist/tools/list.d.ts +22 -0
- package/dist/tools/list.d.ts.map +1 -0
- package/dist/tools/list.js +67 -0
- package/dist/tools/list.js.map +1 -0
- package/dist/tools/map.d.ts +19 -0
- package/dist/tools/map.d.ts.map +1 -0
- package/dist/tools/map.js +44 -0
- package/dist/tools/map.js.map +1 -0
- package/dist/tools/search.d.ts +15 -0
- package/dist/tools/search.d.ts.map +1 -0
- package/dist/tools/search.js +62 -0
- package/dist/tools/search.js.map +1 -0
- package/package.json +70 -0
- package/scripts/build-db.ts +292 -0
- package/scripts/check-updates.ts +192 -0
- package/scripts/ingest-eurlex.ts +219 -0
- package/src/index.ts +294 -0
- package/src/tools/applicability.ts +84 -0
- package/src/tools/article.ts +61 -0
- package/src/tools/compare.ts +94 -0
- package/src/tools/definitions.ts +54 -0
- package/src/tools/list.ts +116 -0
- package/src/tools/map.ts +84 -0
- package/src/tools/search.ts +95 -0
|
@@ -0,0 +1,690 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "CRA",
|
|
3
|
+
"full_name": "Cyber Resilience Act",
|
|
4
|
+
"celex_id": "32024R2847",
|
|
5
|
+
"effective_date": "2024-12-10",
|
|
6
|
+
"eur_lex_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
|
|
7
|
+
"articles": [
|
|
8
|
+
{
|
|
9
|
+
"number": "1",
|
|
10
|
+
"title": "Subject matter",
|
|
11
|
+
"text": "This Regulation lays down:\n\n(a)\n\nrules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;\n\n(b)\n\nessential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;\n\n(c)\n\nessential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;\n\n(d)\n\nrules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to in this Article.",
|
|
12
|
+
"chapter": "I"
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
"number": "2",
|
|
16
|
+
"title": "Scope",
|
|
17
|
+
"text": "1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.\n\n2. This Regulation does not apply to products with digital elements to which the following Union legal acts apply:\n\n(a)\n\nRegulation (EU) 2017/745;\n\n(b)\n\nRegulation (EU) 2017/746;\n\n(c)\n\nRegulation (EU) 2019/2144.\n\n3. This Regulation does not apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139.\n\n4. This Regulation does not apply to equipment that falls within the scope of Directive 2014/90/EU of the European Parliament and of the Council (36).\n\n5. The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in Annex I may be limited or excluded where:\n\n(a)\n\nsuch limitation or exclusion is consistent with the overall regulatory framework that applies to those products; and\n\n(b)\n\nthe sectoral rules achieve the same or a higher level of protection as that provided for by this Regulation.\n\nThe Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying whether such limitation or exclusion is necessary, the products and rules concerned, as well as the scope of the limitation, if relevant.\n\n6. This Regulation does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.\n\n7. 
This Regulation does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information.\n\n8. The obligations laid down in this Regulation shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.",
|
|
18
|
+
"chapter": "I"
|
|
19
|
+
},
|
|
20
|
+
{
|
|
21
|
+
"number": "3",
|
|
22
|
+
"title": "Definitions",
|
|
23
|
+
"text": "For the purposes of this Regulation, the following definitions apply:\n\n(1)\n\n‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;\n\n(2)\n\n‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;\n\n(3)\n\n‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;\n\n(4)\n\n‘software’ means the part of an electronic information system which consists of computer code;\n\n(5)\n\n‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;\n\n(6)\n\n‘component’ means software or hardware intended for integration into an electronic information system;\n\n(7)\n\n‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;\n\n(8)\n\n‘logical connection’ means a virtual representation of a data connection implemented through a software interface;\n\n(9)\n\n‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;\n\n(10)\n\n‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;\n\n(11)\n\n‘end-point’ means any device that is connected to a network and serves as an entry point to that network;\n\n(12)\n\n‘economic operator’ means the manufacturer, the authorised representative, the importer, the 
distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;\n\n(13)\n\n‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;\n\n(14)\n\n‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;\n\n(15)\n\n‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;\n\n(16)\n\n‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;\n\n(17)\n\n‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;\n\n(18)\n\n‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;\n\n(19)\n\n‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;\n\n(20)\n\n‘support period’ means the period 
during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;\n\n(21)\n\n‘placing on the market’ means the first making available of a product with digital elements on the Union market;\n\n(22)\n\n‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;\n\n(23)\n\n‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;\n\n(24)\n\n‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;\n\n(25)\n\n‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;\n\n(26)\n\n‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;\n\n(27)\n\n‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;\n\n(28)\n\n‘conformity assessment body’ means a conformity 
assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;\n\n(29)\n\n‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;\n\n(30)\n\n‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;\n\n(31)\n\n‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;\n\n(32)\n\n‘Union harmonisation legislation’ means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;\n\n(33)\n\n‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;\n\n(34)\n\n‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;\n\n(35)\n\n‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;\n\n(36)\n\n‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;\n\n(37)\n\n‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;\n\n(38)\n\n‘significant 
cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;\n\n(39)\n\n‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;\n\n(40)\n\n‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;\n\n(41)\n\n‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;\n\n(42)\n\n‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;\n\n(43)\n\n‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;\n\n(44)\n\n‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;\n\n(45)\n\n‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;\n\n(46)\n\n‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;\n\n(47)\n\n‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;\n\n(48)\n\n‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and 
redistributable;\n\n(49)\n\n‘recall’ means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;\n\n(50)\n\n‘withdrawal’ means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;\n\n(51)\n\n‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.",
|
|
24
|
+
"chapter": "I"
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
"number": "4",
|
|
28
|
+
"title": "Free movement",
|
|
29
|
+
"text": "1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements which comply with this Regulation.\n\n2. At trade fairs, exhibitions, demonstrations or similar events, Member States shall not prevent the presentation or use of a product with digital elements which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that it does not comply with this Regulation and that it is not to be made available on the market until it does so.\n\n3. Member States shall not prevent the making available on the market of unfinished software which does not comply with this Regulation, provided that the software is made available only for a limited period required for testing purposes with a visible sign clearly indicating that it does not comply with this Regulation and that it will not be available on the market for purposes other than testing.\n\n4. Paragraph 3 does not apply to safety components as referred to in Union harmonisation legislation other than this Regulation.",
|
|
30
|
+
"chapter": "I"
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"number": "5",
|
|
34
|
+
"title": "Procurement or use of products with digital elements",
|
|
35
|
+
"text": "1. This Regulation shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes.\n\n2. Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential cybersecurity requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.",
|
|
36
|
+
"chapter": "I"
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
"number": "6",
|
|
40
|
+
"title": "Requirements for products with digital elements",
|
|
41
|
+
"text": "Products with digital elements shall be made available on the market only where:\n\n(a)\n\nthey meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed; and\n\n(b)\n\nthe processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.",
|
|
42
|
+
"chapter": "I"
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
"number": "7",
|
|
46
|
+
"title": "Important products with digital elements",
|
|
47
|
+
"text": "1. Products with digital elements which have the core functionality of a product category set out in Annex III shall be considered to be important products with digital elements and shall be subject to the conformity assessment procedures referred to in Article 32(2) and (3). The integration of a product with digital elements which has the core functionality of a product category set out in Annex III shall not in itself render the product in which it is integrated subject to the conformity assessment procedures referred to in Article 32(2) and (3).\n\n2. The categories of products with digital elements referred to in paragraph 1 of this Article, divided into classes I and II as set out in Annex III, meet at least one of the following criteria:\n\n(a)\n\nthe product with digital elements primarily performs functions critical to the cybersecurity of other products, networks or services, including securing authentication and access, intrusion prevention and detection, end-point security or network protection;\n\n(b)\n\nthe product with digital elements performs a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data.\n\n3. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex III by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list. 
When assessing the need to amend the list set out in Annex III, the Commission shall take into account the cybersecurity-related functionalities or the function and the level of cybersecurity risk posed by the products with digital elements as set out by the criteria referred to in paragraph 2 of this Article.\n\nThe delegated acts referred to in the first subparagraph of this paragraph shall, where appropriate, provide for a minimum transitional period of 12 months, in particular where a new category of important products with digital elements is added to class I or II or is moved from class I to II as set out in Annex III, before the relevant conformity assessment procedures as referred to in Article 32(2) and (3) start applying, unless a shorter transitional period is justified on imperative grounds of urgency.\n\n4. By 11 December 2025, the Commission shall adopt an implementing act specifying the technical description of the categories of products with digital elements under classes I and II as set out in Annex III and the technical description of the categories of products with digital elements as set out in Annex IV. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 62(2).",
|
|
48
|
+
"chapter": "I"
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
"number": "8",
|
|
52
|
+
"title": "Critical products with digital elements",
|
|
53
|
+
"text": "1. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers. Those delegated acts shall specify the required assurance level that shall be proportionate to the level of cybersecurity risk associated with the products with digital elements and shall take account of their intended purpose, including the critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555.\n\nBefore adopting such delegated acts, the Commission shall carry out an assessment of the potential market impact of the envisaged measures and shall carry out consultations with relevant stakeholders, including the European Cybersecurity Certification Group established under Regulation (EU) 2019/881. The assessment shall take into account the readiness and the capacity level of the Member States for the implementation of the relevant European cybersecurity certification scheme. 
Where no delegated acts as referred to in the first subparagraph of this paragraph have been adopted, products with digital elements which have the core functionality of a product category as set out in Annex IV shall be subject to the conformity assessment procedures referred to in Article 32(3).\n\nThe delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.\n\n2. The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex IV by adding or withdrawing categories of critical products with digital elements. When determining such categories of critical products with digital elements and the required assurance level, in accordance with paragraph 1 of this Article, the Commission shall take into account the criteria referred to in Article 7(2) and ensure that the categories of products with digital elements meet at least one of the following criteria:\n\n(a)\n\nthere is a critical dependency of essential entities as referred to in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements;\n\n(b)\n\nincidents and exploited vulnerabilities concerning the category of products with digital elements could lead to serious disruptions of critical supply chains across the internal market.\n\nBefore adopting such delegated acts, the Commission shall carry out an assessment of the type referred to in paragraph 1.\n\nThe delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.",
|
|
54
|
+
"chapter": "I"
|
|
55
|
+
},
|
|
56
|
+
{
|
|
57
|
+
"number": "9",
|
|
58
|
+
"title": "Stakeholder consultation",
|
|
59
|
+
"text": "1. When preparing measures for the implementation of this Regulation, the Commission shall consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level. In particular, the Commission shall, in a structured manner, where appropriate, consult and seek the views of those stakeholders when:\n\n(a)\n\npreparing the guidance referred to in Article 26;\n\n(b)\n\npreparing the technical descriptions of the product categories set out in Annex III in accordance with Article 7(4), assessing the need for potential updates of the list of product categories in accordance with Article 7(3) and Article 8(2), or carrying out the assessment of the potential market impact referred to in Article 8(1), without prejudice to Article 61;\n\n(c)\n\nundertaking preparatory work for the evaluation and review of this Regulation.\n\n2. The Commission shall organise regular consultation and information sessions, at least once a year, to gather the views of the stakeholders referred to in paragraph 1 on the implementation of this Regulation.",
|
|
60
|
+
"chapter": "I"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"number": "10",
|
|
64
|
+
"title": "Enhancing skills in a cyber resilient digital environment",
|
|
65
|
+
"text": "For the purposes of this Regulation and in order to respond to the needs of professionals in support of the implementation of this Regulation, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, shall promote measures and strategies aiming to:\n\n(a)\n\ndevelop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies;\n\n(b)\n\nincrease collaboration between the private sector, economic operators, including via re-skilling or up-skilling for manufacturers’ employees, consumers, training providers as well as public administrations, thereby expanding the options for young people to access jobs in the cybersecurity sector.",
|
|
66
|
+
"chapter": "I"
|
|
67
|
+
},
|
|
68
|
+
{
|
|
69
|
+
"number": "11",
|
|
70
|
+
"title": "General product safety",
|
|
71
|
+
"text": "By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of that Regulation shall apply to products with digital elements with respect to aspects and risks or categories of risks that are not covered by this Regulation where those products are not subject to specific safety requirements laid down in other ‘Union harmonisation legislation’ as defined in Article 3, point (27), of Regulation (EU) 2023/988.",
|
|
72
|
+
"chapter": "I"
|
|
73
|
+
},
|
|
74
|
+
{
|
|
75
|
+
"number": "12",
|
|
76
|
+
"title": "High-risk AI systems",
|
|
77
|
+
"text": "1. Without prejudice to the requirements relating to accuracy and robustness set out in Article 15 of Regulation (EU) 2024/1689, products with digital elements which fall within the scope of this Regulation and which are classified as high-risk AI systems pursuant to Article 6 of that Regulation shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where:\n\n(a)\n\nthose products fulfil the essential cybersecurity requirements set out in Part I of Annex I;\n\n(b)\n\nthe processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I; and\n\n(c)\n\nthe achievement of the level of cybersecurity protection required under Article 15 of Regulation (EU) 2024/1689 is demonstrated in the EU declaration of conformity issued under this Regulation.\n\n2. For the products with digital elements and cybersecurity requirements referred to in paragraph 1 of this Article, the relevant conformity assessment procedure provided for in Article 43 of Regulation (EU) 2024/1689 shall apply. For the purposes of that assessment, notified bodies which are competent to control the conformity of the high-risk AI systems under Regulation (EU) 2024/1689 shall also be competent to control the conformity of high-risk AI systems which fall within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 39 of this Regulation has been assessed in the context of the notification procedure under Regulation (EU) 2024/1689.\n\n3. 
By way of derogation from paragraph 2 of this Article, important products with digital elements as listed in Annex III to this Regulation, which are subject to the conformity assessment procedures referred to in Article 32(2), points (a) and (b), and Article 32(3) of this Regulation and critical products with digital elements as listed in Annex IV to this Regulation which are required to obtain a European cybersecurity certificate pursuant to Article 8(1) of this Regulation or, absent that, which are subject to the conformity assessment procedures referred to in Article 32(3) of this Regulation, and which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, and to which the conformity assessment procedure based on internal control as referred to in Annex VI to Regulation (EU) 2024/1689 applies, shall be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned.\n\n4. Manufacturers of products with digital elements as referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in Article 57 of Regulation (EU) 2024/1689.\n\nOBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWARE",
|
|
78
|
+
"chapter": "II"
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
"number": "13",
|
|
82
|
+
"title": "Obligations of manufacturers",
|
|
83
|
+
"text": "1. When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I.\n\n2. For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.\n\n3. The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.\n\n4. 
When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.\n\n5. For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity.\n\n6. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.\n\n7. 
The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.\n\n8. Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I.\n\nManufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and the Commission. The matters to be taken into account in order to determine the support period shall be considered in a manner that ensures proportionality.\n\nWithout prejudice to the second subparagraph, the support period shall be at least five years. 
Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time.\n\nTaking into account ADCO recommendations as referred to in Article 52(16), the Commission may adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods.\n\nManufacturers shall include the information that was taken into account to determine the support period of a product with digital elements in the technical documentation as set out in Annex VII.\n\nManufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Part II, point (5), of Annex I to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.\n\n9. Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer.\n\n10. Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, that manufacturer may ensure compliance with the essential cybersecurity requirement set out in Part II, point (2), of Annex I only for the version that it has last placed on the market, provided that the users of the versions that were previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product.\n\n11. Manufacturers may maintain public software archives enhancing user access to historical versions. 
In those cases, users shall be clearly informed in an easily accessible manner about risks associated with using unsupported software.\n\n12. Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31.\n\nThey shall carry out the chosen conformity assessment procedures as referred to in Article 32 or have them carried out.\n\nWhere compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE marking in accordance with Article 30.\n\n13. Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.\n\n14. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity with this Regulation. Manufacturers shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or common specifications as referred to in Article 27 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.\n\n15. 
Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.\n\n16. Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.\n\n17. For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities of the product with digital elements.\n\nManufacturers shall ensure that the single point of contact is easily identifiable by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II.\n\nThe single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools.\n\n18. Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. 
They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.\n\n19. Manufacturers shall ensure that the end date of the support period referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elements, its packaging or by digital means.\n\nWhere technically feasible in light of the nature of the product with digital elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period.\n\n20. Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.\n\n21. 
From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, or to withdraw or recall the product, as appropriate.\n\n22. Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements which they have placed on the market.\n\n23. A manufacturer that ceases its operations and, as a result, is not able to comply with this Regulation shall inform, before the cessation of operations takes effect, the relevant market surveillance authorities as well as, by any means available and to the extent possible, the users of the relevant products with digital elements placed on the market, of the impending cessation of operations.\n\n24. The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).\n\n25. 
In order to assess the dependence of Member States and of the Union as a whole on software components and in particular on components qualifying as free and open-source software, ADCO may decide to conduct a Union wide dependency assessment for specific categories of products with digital elements. For that purpose, market surveillance authorities may request manufacturers of such categories of products with digital elements to provide the relevant software bills of materials as referred to in Part II, point (1), of Annex I. On the basis of such information, the market surveillance authorities may provide ADCO with anonymised and aggregated information about software dependencies. ADCO shall submit a report on the results of the dependency assessment to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.",
|
|
84
|
+
"chapter": "II"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"number": "14",
|
|
88
|
+
"title": "Reporting obligations of manufacturers",
|
|
89
|
+
"text": "1. A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.\n\n2. For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:\n\n(a)\n\nan early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;\n\n(b)\n\nunless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;\n\n(c)\n\nunless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:\n\n(i)\n\na description of the vulnerability, including its severity and impact;\n\n(ii)\n\nwhere available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability;\n\n(iii)\n\ndetails about the security update or other corrective measures that have been made available 
to remedy the vulnerability.\n\n3. A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.\n\n4. For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:\n\n(a)\n\nan early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;\n\n(b)\n\nunless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;\n\n(c)\n\nunless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:\n\n(i)\n\na detailed description of the incident, including its severity and impact;\n\n(ii)\n\nthe type of threat or root cause that is likely to have triggered the incident;\n\n(iii)\n\napplied and ongoing 
mitigation measures.\n\n5. For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where:\n\n(a)\n\nit negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or\n\n(b)\n\nit has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.\n\n6. Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements.\n\n7. The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.\n\nFor the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. 
If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.\n\nWhere a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:\n\n(a)\n\nthe Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;\n\n(b)\n\nthe Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;\n\n(c)\n\nthe Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;\n\n(d)\n\nthe Member State in which the highest number of users of products with digital elements of that manufacturer are located.\n\nIn relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.\n\n8. 
After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.\n\n9. By 11 December 2025, the Commission shall adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications as referred to in Article 16(2) of this Regulation. The Commission shall cooperate with the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555 and ENISA in preparing the draft delegated acts.\n\n10. The Commission may, by means of implementing acts, specify further the format and procedures of the notifications referred to in this Article as well as in Articles 15 and 16. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2). The Commission shall cooperate with the CSIRTs network and ENISA in preparing those draft implementing acts.",
|
|
90
|
+
"chapter": "II"
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"number": "15",
|
|
94
|
+
"title": "Voluntary reporting",
|
|
95
|
+
"text": "1. Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.\n\n2. Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.\n\n3. The CSIRT designated as coordinator or ENISA shall process the notifications referred to in paragraphs 1 and 2 of this Article in accordance with the procedure laid down in Article 16.\n\nThe CSIRT designated as coordinator may prioritise the processing of mandatory notifications over voluntary notifications.\n\n4. Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraph 1 or 2, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.\n\n5. The CSIRTs designated as coordinators as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by a notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon a notifying natural or legal person to which it would not have been subject had it not submitted the notification.",
|
|
96
|
+
"chapter": "II"
|
|
97
|
+
},
|
|
98
|
+
{
|
|
99
|
+
"number": "16",
|
|
100
|
+
"title": "Establishment of a single reporting platform",
|
|
101
|
+
"text": "1. For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) and in order to simplify the reporting obligations of manufacturers, a single reporting platform shall be established by ENISA. The day-to-day operations of that single reporting platform shall be managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points.\n\n2. After receiving a notification, the CSIRT designated as coordinator initially receiving the notification shall, without delay, disseminate the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer has indicated that the product with digital elements has been made available.\n\nIn exceptional circumstances and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity-related grounds for a period of time that is strictly necessary, including where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. 
ENISA may support the CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification.\n\nIn particularly exceptional circumstances, where the manufacturer indicates in the notification referred to in Article 14(2), point (b):\n\n(a)\n\nthat the notified vulnerability has been actively exploited by a malicious actor and, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator to which the manufacturer has notified the vulnerability;\n\n(b)\n\nthat any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State; or\n\n(c)\n\nthat the notified vulnerability poses an imminent high cybersecurity risk stemming from the further dissemination;\n\nonly the information that a notification was made by the manufacturer, the general information about the product, the information on the general nature of the exploit and the information that security related grounds were raised are to be made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.\n\n3. 
After receiving a notification of an actively exploited vulnerability in a product with digital elements or of a severe incident having an impact on the security of a product with digital elements, the CSIRTs designated as coordinators shall provide the market surveillance authorities of their respective Member States with the notified information necessary for the market surveillance authorities to fulfil their obligations under this Regulation.\n\n4. ENISA shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the single reporting platform and the information submitted or disseminated via the single reporting platform. It shall notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network as well as to the Commission.\n\n5. ENISA, in cooperation with the CSIRTs network, shall provide and implement specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the electronic notification end-points set up by the CSIRTs designated as coordinators at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerability has no corrective or mitigating measures available, information about that vulnerability is shared in line with strict security protocols and on a need-to-know basis.\n\n6. 
Where a CSIRT designated as coordinator has been made aware of an actively exploited vulnerability as part of a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinator initially receiving the notification may delay the dissemination of the relevant notification via the single reporting platform based on justified cybersecurity-related grounds for a period that is no longer than is strictly necessary and until consent for disclosure by the involved coordinated vulnerability disclosure parties is given. That requirement shall not prevent manufacturers from notifying such a vulnerability on a voluntary basis in accordance with the procedure laid down in this Article.",
|
|
102
|
+
"chapter": "II"
|
|
103
|
+
},
|
|
104
|
+
{
|
|
105
|
+
"number": "17",
|
|
106
|
+
"title": "Other provisions related to reporting",
|
|
107
|
+
"text": "1. ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.\n\n2. Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.\n\n3. ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.\n\n4. The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.\n\n5. 
After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.\n\n6. The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.",
|
|
108
|
+
"chapter": "II"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"number": "18",
|
|
112
|
+
"title": "Authorised representatives",
|
|
113
|
+
"text": "1. A manufacturer may, by a written mandate, appoint an authorised representative.\n\n2. The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative’s mandate.\n\n3. An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The authorised representative shall provide a copy of the mandate to the market surveillance authorities upon request. The mandate shall allow the authorised representative to do at least the following:\n\n(a)\n\nkeep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer;\n\n(b)\n\nfurther to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements;\n\n(c)\n\ncooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative’s mandate.",
|
|
114
|
+
"chapter": "II"
|
|
115
|
+
},
|
|
116
|
+
{
|
|
117
|
+
"number": "19",
|
|
118
|
+
"title": "Obligations of importers",
|
|
119
|
+
"text": "1. Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.\n\n2. Before placing a product with digital elements on the market, importers shall ensure that:\n\n(a)\n\nthe appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;\n\n(b)\n\nthe manufacturer has drawn up the technical documentation;\n\n(c)\n\nthe product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;\n\n(d)\n\nthe manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).\n\nFor the purposes of this paragraph, importers shall be able to provide the necessary documents proving the fulfilment of the requirements set out in this Article.\n\n3. Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. 
Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.\n\nWhere an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).\n\n4. Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.\n\n5. Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.\n\nUpon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.\n\n6. 
Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.\n\n7. Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.\n\n8. Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.",
|
|
120
|
+
"chapter": "II"
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
"number": "20",
|
|
124
|
+
"title": "Obligations of distributors",
|
|
125
|
+
"text": "1. When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.\n\n2. Before making a product with digital elements available on the market, distributors shall verify that:\n\n(a)\n\nthe product with digital elements bears the CE marking;\n\n(b)\n\nthe manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor.\n\n3. Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.\n\n4. Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.\n\nUpon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. 
Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken.\n\n5. Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.\n\n6. Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.",
|
|
126
|
+
"chapter": "II"
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
"number": "21",
|
|
130
|
+
"title": "Cases in which obligations of manufacturers apply to importers and distributors",
|
|
131
|
+
"text": "An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market.",
|
|
132
|
+
"chapter": "II"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"number": "22",
|
|
136
|
+
"title": "Other cases in which obligations of manufacturers apply",
|
|
137
|
+
"text": "1. A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.\n\n2. The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.",
|
|
138
|
+
"chapter": "II"
|
|
139
|
+
},
|
|
140
|
+
{
|
|
141
|
+
"number": "23",
|
|
142
|
+
"title": "Identification of economic operators",
|
|
143
|
+
"text": "1. Economic operators shall, on request, provide the market surveillance authorities with the following information:\n\n(a)\n\nthe name and address of any economic operator who has supplied them with a product with digital elements;\n\n(b)\n\nwhere available, the name and address of any economic operator to whom they have supplied a product with digital elements.\n\n2. Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.",
|
|
144
|
+
"chapter": "II"
|
|
145
|
+
},
|
|
146
|
+
{
|
|
147
|
+
"number": "24",
|
|
148
|
+
"title": "Obligations of open-source software stewards",
|
|
149
|
+
"text": "1. Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.\n\n2. Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.\n\nFurther to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form.\n\n3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.",
|
|
150
|
+
"chapter": "II"
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
"number": "25",
|
|
154
|
+
"title": "Security attestation of free and open-source software",
|
|
155
|
+
"text": "In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.",
|
|
156
|
+
"chapter": "II"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"number": "26",
|
|
160
|
+
"title": "Guidance",
|
|
161
|
+
"text": "1. In order to facilitate implementation and ensure the consistency of such implementation, the Commission shall publish guidance to assist economic operators in applying this Regulation, with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.\n\n2. Where it intends to provide guidance as referred to in paragraph 1, the Commission shall address at least the following aspects:\n\n(a)\n\nthe scope of this Regulation, with a particular focus on remote data processing solutions and free and open-source software;\n\n(b)\n\nthe application of support periods in relation to particular categories of products with digital elements;\n\n(c)\n\nguidance targeted at manufacturers subject to this Regulation that are also subject to Union harmonisation legislation other than this Regulation or to other related Union legal acts;\n\n(d)\n\nthe concept of substantial modification.\n\nThe Commission shall also maintain an easy-to-access list of the delegated and implementing acts adopted pursuant to this Regulation.\n\n3. When preparing the guidance pursuant to this Article, the Commission shall consult relevant stakeholders.\n\nCONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS",
|
|
162
|
+
"chapter": "III"
|
|
163
|
+
},
|
|
164
|
+
{
|
|
165
|
+
"number": "27",
|
|
166
|
+
"title": "Presumption of conformity",
|
|
167
|
+
"text": "1. Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.\n\nThe Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.\n\n2. The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation.\n\nThose implementing acts shall be adopted only where the following conditions are fulfilled:\n\n(a)\n\nthe Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and:\n\n(i)\n\nthe request has not been accepted;\n\n(ii)\n\nthe harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or\n\n(iii)\n\nthe harmonised standards do not comply with the request; and\n\n(b)\n\nno reference to harmonised standards covering the relevant essential 
cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.\n\nThose implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).\n\n3. Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.\n\n4. When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.\n\n5. Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.\n\n6. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.\n\n7. 
Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.\n\n8. Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.\n\n9. The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, the issuance of a European cybersecurity certificate issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), points (a) and (b), and Article 32(3), points (a) and (b), of this Regulation.",
|
|
168
|
+
"chapter": "III"
|
|
169
|
+
},
|
|
170
|
+
{
|
|
171
|
+
"number": "28",
|
|
172
|
+
"title": "EU declaration of conformity",
|
|
173
|
+
"text": "1. The EU declaration of conformity shall be drawn up by manufacturers in accordance with Article 13(12) and state that the fulfilment of the applicable essential cybersecurity requirements set out in Annex I has been demonstrated.\n\n2. The EU declaration of conformity shall have the model structure set out in Annex V and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VIII. Such a declaration shall be updated as appropriate. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.\n\nThe simplified EU declaration of conformity referred to in Article 13(20) shall have the model structure set out in Annex VI. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.\n\n3. Where a product with digital elements is subject to more than one Union legal act requiring an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all such Union legal acts. That declaration shall contain the identification of the Union legal acts concerned, including their publication references.\n\n4. By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the product with digital elements.\n\n5. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to the minimum content of the EU declaration of conformity set out in Annex V to take account of technological developments.",
|
|
174
|
+
"chapter": "III"
|
|
175
|
+
},
|
|
176
|
+
{
|
|
177
|
+
"number": "29",
|
|
178
|
+
"title": "General principles of the CE marking",
|
|
179
|
+
"text": "The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.",
|
|
180
|
+
"chapter": "III"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"number": "30",
|
|
184
|
+
"title": "Rules and conditions for affixing the CE marking",
|
|
185
|
+
"text": "1. The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the packaging and to the EU declaration of conformity referred to in Article 28 accompanying the product with digital elements. For products with digital elements which are in the form of software, the CE marking shall be affixed either to the EU declaration of conformity referred to in Article 28 or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.\n\n2. On account of the nature of the product with digital elements, the height of the CE marking affixed to the product with digital elements may be lower than 5 mm, provided that it remains visible and legible.\n\n3. The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating a special cybersecurity risk or use set out in the implementing acts referred to in paragraph 6.\n\n4. The CE marking shall be followed by the identification number of the notified body, where that body is involved in the conformity assessment procedure based on full quality assurance (based on module H) referred to in Article 32.\n\nThe identification number of the notified body shall be affixed by the body itself or, under its instructions, by the manufacturer or the manufacturer’s authorised representative.\n\n5. Member States shall build upon existing mechanisms to ensure correct application of the regime governing the CE marking and shall take appropriate action in the event of improper use of that marking. 
Where the product with digital elements is subject to Union harmonisation legislation, other than this Regulation, which also provides for the affixing of the CE marking, the CE marking shall indicate that the product also fulfils the requirements set out in such other Union harmonisation legislation.\n\n6. The Commission may, by means of implementing acts, lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support periods and mechanisms to promote their use and to increase public awareness about the security of products with digital elements. When preparing the draft implementing acts, the Commission shall consult relevant stakeholders, and, if it has already been established pursuant to Article 52(15), ADCO. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).",
|
|
186
|
+
"chapter": "III"
|
|
187
|
+
},
|
|
188
|
+
{
|
|
189
|
+
"number": "31",
|
|
190
|
+
"title": "Technical documentation",
|
|
191
|
+
"text": "1. The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Annex I. It shall at least contain the elements set out in Annex VII.\n\n2. The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, at least during the support period.\n\n3. For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts which provide for technical documentation, a single set of technical documentation shall be drawn up containing the information referred to in Annex VII and the information required by those Union legal acts.\n\n4. The technical documentation and correspondence relating to any conformity assessment procedure shall be drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body.\n\n5. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to be included in the technical documentation set out in Annex VII to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. To that end, the Commission shall strive to ensure that the administrative burden on microenterprises and small and medium-sized enterprises is proportionate.",
|
|
192
|
+
"chapter": "III"
|
|
193
|
+
},
|
|
194
|
+
{
|
|
195
|
+
"number": "32",
|
|
196
|
+
"title": "Conformity assessment procedures for products with digital elements",
|
|
197
|
+
"text": "1. The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in Annex I are met. The manufacturer shall demonstrate conformity with the essential cybersecurity requirements by using any of the following procedures:\n\n(a)\n\nthe internal control procedure (based on module A) set out in Annex VIII;\n\n(b)\n\nthe EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;\n\n(c)\n\na conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or\n\n(d)\n\nwhere available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9).\n\n2. Where, in assessing the compliance of an important product with digital elements that falls under class I as set out in Annex III and the processes put in place by its manufacturer with the essential cybersecurity requirements set out in Annex I, the manufacturer has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes at assurance level at least ‘substantial’ as referred to in Article 27, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential cybersecurity requirements to either of the following procedures:\n\n(a)\n\nthe EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; or\n\n(b)\n\na conformity assessment based on full quality assurance (based on module H) set out in 
Annex VIII.\n\n3. Where the product is an important product with digital elements that falls under class II as set out in Annex III, the manufacturer shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using any of the following procedures:\n\n(a)\n\nEU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;\n\n(b)\n\na conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or\n\n(c)\n\nwhere available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9) of this Regulation at assurance level at least ‘substantial’ pursuant to Regulation (EU) 2019/881.\n\n4. Critical products with digital elements listed in Annex IV shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the following procedures:\n\n(a)\n\na European cybersecurity certification scheme in accordance with Article 8(1); or\n\n(b)\n\nwhere the conditions in Article 8(1) are not met, any of the procedures referred to in paragraph 3 of this Article.\n\n5. Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.\n\n6. 
The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and those fees shall be reduced proportionately to their specific interests and needs.",
|
|
198
|
+
"chapter": "III"
|
|
199
|
+
},
|
|
200
|
+
{
|
|
201
|
+
"number": "33",
|
|
202
|
+
"title": "Support measures for microenterprises and small and medium-sized enterprises, including start-ups",
|
|
203
|
+
"text": "1. Member States shall, where appropriate, undertake the following actions, tailored to the needs of microenterprises and small enterprises:\n\n(a)\n\norganise specific awareness-raising and training activities about the application of this Regulation;\n\n(b)\n\nestablish a dedicated channel for communication with microenterprises and small enterprises and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation;\n\n(c)\n\nsupport testing and conformity assessment activities, including where relevant with the support of the European Cybersecurity Competence Centre.\n\n2. Member States may, where appropriate, establish cyber resilience regulatory sandboxes. Such regulatory sandboxes shall provide for controlled testing environments for innovative products with digital elements to facilitate their development, design, validation and testing for the purpose of complying with this Regulation for a limited period of time before the placing on the market. The Commission and, where appropriate, ENISA, may provide technical support, advice and tools for the establishment and operation of regulatory sandboxes. The regulatory sandboxes shall be set up under the direct supervision, guidance and support by the market surveillance authorities. Member States shall inform the Commission and the other market surveillance authorities of the establishment of a regulatory sandbox through ADCO. The regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Member States shall ensure open, fair, and transparent access to regulatory sandboxes, and in particular facilitate access by microenterprises and small enterprises, including start-ups.\n\n3. In accordance with Article 26, the Commission shall provide guidance for microenterprises and small and medium-sized enterprises in relation to the implementation of this Regulation.\n\n4. 
The Commission shall advertise available financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and small enterprises.\n\n5. Microenterprises and small enterprises may provide all elements of the technical documentation specified in Annex VII by using a simplified format. For that purpose, the Commission shall, by means of implementing acts, specify the simplified technical documentation form targeted at the needs of microenterprises and small enterprises, including how the elements set out in Annex VII are to be provided. Where a microenterprise or small enterprise opts to provide the information set out in Annex VII in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept that form for the purposes of conformity assessment.\n\nThose implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).",
|
|
204
|
+
"chapter": "III"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"number": "34",
|
|
208
|
+
"title": "Mutual recognition agreements",
|
|
209
|
+
"text": "Taking into account the level of technical development and the approach on conformity assessment of a third country, the Union may conclude Mutual Recognition Agreements with third countries, in accordance with Article 218 TFEU, in order to promote and facilitate international trade.\n\nNOTIFICATION OF CONFORMITY ASSESSMENT BODIES",
|
|
210
|
+
"chapter": "IV"
|
|
211
|
+
},
|
|
212
|
+
{
|
|
213
|
+
"number": "35",
|
|
214
|
+
"title": "Notification",
|
|
215
|
+
"text": "1. Member States shall notify the Commission and the other Member States of bodies authorised to carry out conformity assessments in accordance with this Regulation.\n\n2. Member States shall strive to ensure, by 11 December 2026 that there is a sufficient number of notified bodies in the Union to carry out conformity assessments, in order to avoid bottlenecks and hindrances to market entry.",
|
|
216
|
+
"chapter": "IV"
|
|
217
|
+
},
|
|
218
|
+
{
|
|
219
|
+
"number": "36",
|
|
220
|
+
"title": "Notifying authorities",
|
|
221
|
+
"text": "1. Each Member State shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and their monitoring, including compliance with Article 41.\n\n2. Member States may decide that the assessment and monitoring referred to in paragraph 1 shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.\n\n3. Where the notifying authority delegates or otherwise entrusts the assessment, notification or monitoring referred to in paragraph 1 of this Article to a body which is not a governmental entity, that body shall be a legal entity and shall comply mutatis mutandis with Article 37. In addition, it shall have arrangements in place to cover liabilities arising from its activities.\n\n4. The notifying authority shall take full responsibility for the tasks performed by the body referred to in paragraph 3.",
|
|
222
|
+
"chapter": "IV"
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"number": "37",
|
|
226
|
+
"title": "Requirements relating to notifying authorities",
|
|
227
|
+
"text": "1. A notifying authority shall be established in such a way that no conflict of interest with conformity assessment bodies occurs.\n\n2. A notifying authority shall be organised and shall function so as to safeguard the objectivity and impartiality of its activities.\n\n3. A notifying authority shall be organised in such a way that each decision relating to notification of a conformity assessment body is taken by competent persons different from those who carried out the assessment.\n\n4. A notifying authority shall not offer or provide any activities that conformity assessment bodies perform or consultancy services on commercial or competitive basis.\n\n5. A notifying authority shall safeguard the confidentiality of the information it obtains.\n\n6. A notifying authority shall have a sufficient number of competent personnel at its disposal for the proper performance of its tasks.",
|
|
228
|
+
"chapter": "IV"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"number": "38",
|
|
232
|
+
"title": "Information obligation on notifying authorities",
|
|
233
|
+
"text": "1. Member States shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of any changes thereto.\n\n2. The Commission shall make the information referred to in paragraph 1 publicly available.",
|
|
234
|
+
"chapter": "IV"
|
|
235
|
+
},
|
|
236
|
+
{
|
|
237
|
+
"number": "39",
|
|
238
|
+
"title": "Requirements relating to notified bodies",
|
|
239
|
+
"text": "1. For the purposes of notification, a conformity assessment body shall meet the requirements laid down in paragraphs 2 to 12.\n\n2. A conformity assessment body shall be established under national law and have legal personality.\n\n3. A conformity assessment body shall be a third-party body independent of the organisation or the product with digital elements it assesses.\n\nA body belonging to a business association or professional federation representing undertakings involved in the design, development, production, provision, assembly, use or maintenance of products with digital elements which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered to be such a third-party body.\n\n4. A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user or maintainer of the products with digital elements which they assess, nor the authorised representative of any of those parties. This shall not preclude the use of assessed products that are necessary for the operations of the conformity assessment body or the use of such products for personal purposes.\n\nA conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, development, production, import, distribution, the marketing, installation, use or maintenance of the products with digital elements which they assess, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. 
This shall in particular apply to consultancy services.\n\nConformity assessment bodies shall ensure that the activities of their subsidiaries or subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.\n\n5. Conformity assessment bodies and their personnel shall carry out the conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field and shall be free from all pressures and inducements, particularly financial, which might influence their judgement or the results of their conformity assessment activities, especially as regards persons or groups of persons with an interest in the results of those activities.\n\n6. A conformity assessment body shall be capable of carrying out all the conformity assessment tasks referred to in Annex VIII and in relation to which it has been notified, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility.\n\nAt all times and for each conformity assessment procedure and each kind or category of products with digital elements in relation to which it has been notified, a conformity assessment body shall have at its disposal the necessary:\n\n(a)\n\npersonnel with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;\n\n(b)\n\ndescriptions of procedures in accordance with which conformity assessment is to be carried out, ensuring the transparency of and ability to reproduce those procedures. 
It shall have appropriate policies and procedures in place that distinguish between tasks it carries out as a notified body and other activities;\n\n(c)\n\nprocedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the product technology in question and the mass or serial nature of the production process.\n\nA conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner and shall have access to all necessary equipment or facilities.\n\n7. The personnel responsible for carrying out conformity assessment activities shall have the following:\n\n(a)\n\nsound technical and vocational training covering all the conformity assessment activities in relation to which the conformity assessment body has been notified;\n\n(b)\n\nsatisfactory knowledge of the requirements of the assessments they carry out and adequate authority to carry out those assessments;\n\n(c)\n\nappropriate knowledge and understanding of the essential cybersecurity requirements set out in Annex I, of the applicable harmonised standards and common specifications, and of the relevant provisions of Union harmonisation legislation and implementing acts;\n\n(d)\n\nthe ability to draw up certificates, records and reports demonstrating that assessments have been carried out.\n\n8. The impartiality of the conformity assessment bodies, their top level management and of the assessment personnel shall be guaranteed.\n\nThe remuneration of the top level management and assessment personnel of a conformity assessment body shall not depend on the number of assessments carried out or on the results of those assessments.\n\n9. 
Conformity assessment bodies shall take out liability insurance unless liability is assumed by their Member State in accordance with national law, or the Member State itself is directly responsible for the conformity assessment.\n\n10. The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VIII or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.\n\n11. Conformity assessment bodies shall participate in, or ensure that their assessment personnel are informed of, the relevant standardisation activities and the activities of the notified body coordination group established under Article 51 and apply as general guidance the administrative decisions and documents produced as a result of the work of that group.\n\n12. Conformity assessment bodies shall operate in accordance with a set of consistent, fair, proportionate and reasonable terms and conditions, while avoiding unnecessary burden for economic operators, in particular taking into account the interests of microenterprises and small and medium-sized enterprises in relation to fees.",
|
|
240
|
+
"chapter": "IV"
|
|
241
|
+
},
|
|
242
|
+
{
|
|
243
|
+
"number": "40",
|
|
244
|
+
"title": "Presumption of conformity of notified bodies",
|
|
245
|
+
"text": "Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union it shall be presumed to comply with the requirements set out in Article 39 in so far as the applicable harmonised standards cover those requirements.",
|
|
246
|
+
"chapter": "IV"
|
|
247
|
+
},
|
|
248
|
+
{
|
|
249
|
+
"number": "41",
|
|
250
|
+
"title": "Subsidiaries of and subcontracting by notified bodies",
|
|
251
|
+
"text": "1. Where a notified body subcontracts specific tasks connected with conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements set out in Article 39 and shall inform the notifying authority accordingly.\n\n2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever they are established.\n\n3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the manufacturer.\n\n4. Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.",
|
|
252
|
+
"chapter": "IV"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"number": "42",
|
|
256
|
+
"title": "Application for notification",
|
|
257
|
+
"text": "1. A conformity assessment body shall submit an application for notification to the notifying authority of the Member State in which it is established.\n\n2. That application shall be accompanied by a description of the conformity assessment activities, the conformity assessment procedure or procedures and the product or products with digital elements for which that body claims to be competent, as well as, where applicable, by an accreditation certificate issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 39.\n\n3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 39.",
|
|
258
|
+
"chapter": "IV"
|
|
259
|
+
},
|
|
260
|
+
{
|
|
261
|
+
"number": "43",
|
|
262
|
+
"title": "Notification procedure",
|
|
263
|
+
"text": "1. Notifying authorities shall notify only conformity assessment bodies which have satisfied the requirements laid down in Article 39.\n\n2. The notifying authority shall notify the Commission and the other Member States using the New Approach Notified and Designated Organisations information system developed and managed by the Commission.\n\n3. The notification shall include full details of the conformity assessment activities, the conformity assessment module or modules and product or products with digital elements concerned and the relevant attestation of competence.\n\n4. Where a notification is not based on an accreditation certificate as referred to in Article 42(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 39.\n\n5. The body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification where an accreditation certificate is used or within two months of a notification where accreditation is not used.\n\nOnly such a body shall be considered to be a notified body for the purposes of this Regulation.\n\n6. The Commission and the other Member States shall be notified of any subsequent relevant changes to the notification.",
|
|
264
|
+
"chapter": "IV"
|
|
265
|
+
},
|
|
266
|
+
{
|
|
267
|
+
"number": "44",
|
|
268
|
+
"title": "Identification numbers and lists of notified bodies",
|
|
269
|
+
"text": "1. The Commission shall assign an identification number to a notified body.\n\nIt shall assign a single such number even where the body is notified under several Union legal acts.\n\n2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been allocated to them and the activities for which they have been notified.\n\nThe Commission shall ensure that that list is kept up to date.",
|
|
270
|
+
"chapter": "IV"
|
|
271
|
+
},
|
|
272
|
+
{
|
|
273
|
+
"number": "45",
|
|
274
|
+
"title": "Changes to notifications",
|
|
275
|
+
"text": "1. Where a notifying authority has ascertained or has been informed that a notified body no longer meets the requirements laid down in Article 39, or that it is failing to fulfil its obligations, the notifying authority shall restrict, suspend or withdraw notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.\n\n2. In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying Member State shall take appropriate steps to ensure that the files of that body are either processed by another notified body or kept available for the responsible notifying and market surveillance authorities at their request.",
|
|
276
|
+
"chapter": "IV"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"number": "46",
|
|
280
|
+
"title": "Challenge of the competence of notified bodies",
|
|
281
|
+
"text": "1. The Commission shall investigate all cases where it doubts, or where doubt is brought to its attention regarding, the competence of a notified body to meet, or the continued fulfilment by a notified body of, the requirements and responsibilities to which it is subject.\n\n2. The notifying Member State shall provide the Commission, on request, with all information relating to the basis for the notification or the maintenance of the competence of the body concerned.\n\n3. The Commission shall ensure that all sensitive information obtained in the course of its investigations is treated confidentially.\n\n4. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall inform the notifying Member State accordingly and request it to take the necessary corrective measures, including de-notification if necessary.",
|
|
282
|
+
"chapter": "IV"
|
|
283
|
+
},
|
|
284
|
+
{
|
|
285
|
+
"number": "47",
|
|
286
|
+
"title": "Operational obligations of notified bodies",
|
|
287
|
+
"text": "1. Notified bodies shall carry out conformity assessments in accordance with the conformity assessment procedures provided for in Article 32 and Annex VIII.\n\n2. Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises, the sector in which they operate, their structure, their degree of complexity and the cybersecurity risk level of the products with digital elements and technology in question and the mass or serial nature of the production process.\n\n3. Notified bodies shall however respect the degree of rigour and the level of protection required for the compliance of products with digital elements with this Regulation.\n\n4. Where a notified body finds that the requirements set out in Annex I or in corresponding harmonised standards or common specifications as referred to in Article 27 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a certificate of conformity.\n\n5. Where, in the course of the monitoring of conformity following the issuance of a certificate, a notified body finds that a product with digital elements no longer complies with the requirements laid down in this Regulation, it shall require the manufacturer to take appropriate corrective measures and shall suspend or withdraw the certificate if necessary.\n\n6. Where corrective measures are not taken or do not have the required effect, the notified body shall restrict, suspend or withdraw any certificates, as appropriate.",
|
|
288
|
+
"chapter": "IV"
|
|
289
|
+
},
|
|
290
|
+
{
|
|
291
|
+
"number": "48",
|
|
292
|
+
"title": "Appeal against decisions of notified bodies",
|
|
293
|
+
"text": "Member States shall ensure that an appeal procedure against decisions of the notified bodies is available.",
|
|
294
|
+
"chapter": "IV"
|
|
295
|
+
},
|
|
296
|
+
{
|
|
297
|
+
"number": "49",
|
|
298
|
+
"title": "Information obligation on notified bodies",
|
|
299
|
+
"text": "1. Notified bodies shall inform the notifying authority of the following:\n\n(a)\n\nany refusal, restriction, suspension or withdrawal of a certificate;\n\n(b)\n\nany circumstances affecting the scope of and conditions for notification;\n\n(c)\n\nany request for information which they have received from market surveillance authorities regarding conformity assessment activities;\n\n(d)\n\non request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.\n\n2. Notified bodies shall provide the other bodies notified under this Regulation carrying out similar conformity assessment activities covering the same products with digital elements with relevant information on issues relating to negative and, upon request, positive conformity assessment results.",
|
|
300
|
+
"chapter": "IV"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"number": "50",
|
|
304
|
+
"title": "Exchange of experience",
|
|
305
|
+
"text": "The Commission shall provide for the organisation of the exchange of experience between the Member States’ national authorities responsible for notification policy.",
|
|
306
|
+
"chapter": "IV"
|
|
307
|
+
},
|
|
308
|
+
{
|
|
309
|
+
"number": "51",
|
|
310
|
+
"title": "Coordination of notified bodies",
|
|
311
|
+
"text": "1. The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place and properly operated in the form of a cross-sectoral group of notified bodies.\n\n2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.\n\nMARKET SURVEILLANCE AND ENFORCEMENT",
|
|
312
|
+
"chapter": "V"
|
|
313
|
+
},
|
|
314
|
+
{
|
|
315
|
+
"number": "52",
|
|
316
|
+
"title": "Market surveillance and control of products with digital elements in the Union market",
|
|
317
|
+
"text": "1. Regulation (EU) 2019/1020 shall apply to products with digital elements that fall within the scope of this Regulation.\n\n2. Each Member State shall designate one or more market surveillance authorities for the purpose of ensuring the effective implementation of this Regulation. Member States may designate an existing or new authority to act as market surveillance authority for this Regulation.\n\n3. The market surveillance authorities designated under paragraph 2 of this Article shall also be responsible for carrying out market surveillance activities in relation to the obligations for open-source software stewards laid down in Article 24. Where a market surveillance authority finds that an open-source software steward does not comply with the obligations set out in that Article, it shall require the open-source software steward to ensure that all appropriate corrective actions are taken. Open-source software stewards shall ensure that all appropriate corrective action is taken in respect of their obligations under this Regulation.\n\n4. Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, the designated market surveillance authorities shall cooperate and exchange information on a regular basis with the CSIRTs designated as coordinators and ENISA.\n\n5. The market surveillance authorities may request a CSIRT designated as coordinator or ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. 
When conducting an investigation under Article 54, market surveillance authorities may request the CSIRT designated as coordinator or ENISA to provide an analysis to support evaluations of compliance of products with digital elements.\n\n6. Where relevant, the market surveillance authorities shall cooperate with other market surveillance authorities designated on the basis of Union harmonisation legislation other than this Regulation, and exchange information on a regular basis.\n\n7. Market surveillance authorities shall cooperate, as appropriate, with the authorities supervising Union data protection law. Such cooperation includes informing those authorities of any finding relevant for the fulfilment of their competences, including when issuing guidance and advice pursuant to paragraph 10 if such guidance and advice concerns the processing of personal data.\n\nAuthorities supervising Union data protection law shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of their tasks. They shall inform the designated market surveillance authorities of the Member State concerned of any such request.\n\n8. Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and technical resources, including, where appropriate, processing automation tools, as well as with human resources with the necessary cybersecurity skills to fulfil their tasks under this Regulation.\n\n9. The Commission shall encourage and facilitate the exchange of experience between designated market surveillance authorities.\n\n10. Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission and, where appropriate, CSIRTs and ENISA.\n\n11. 
Market surveillance authorities shall inform consumers of where to submit complaints that could indicate non-compliance with this Regulation, in accordance with Article 11 of Regulation (EU) 2019/1020, and shall provide information to consumers on where and how to access mechanisms to facilitate reporting of vulnerabilities, incidents and cyber threats that may affect products with digital elements.\n\n12. Market surveillance authorities shall facilitate, where relevant, the cooperation with relevant stakeholders, including scientific, research and consumer organisations.\n\n13. The market surveillance authorities shall report to the Commission on an annual basis the outcomes of relevant market surveillance activities. The designated market surveillance authorities shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union competition law.\n\n14. For products with digital elements that fall within the scope of this Regulation which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, the market surveillance authorities designated for the purposes of that Regulation shall be the authorities responsible for market surveillance activities required under this Regulation. The market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall cooperate, as appropriate, with the market surveillance authorities designated pursuant to this Regulation and, with respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, with the CSIRTs designated as coordinators and ENISA. 
Market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall in particular inform market surveillance authorities designated pursuant to this Regulation of any finding relevant for the fulfilment of their tasks in relation to the implementation of this Regulation.\n\n15. ADCO shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. ADCO shall also address specific matters related to the market surveillance activities in relation to the obligations placed on open-source software stewards.\n\n16. Market surveillance authorities shall monitor how manufacturers have applied the criteria referred to in Article 13(8) when determining the support period of their products with digital elements.\n\nADCO shall publish in a publicly accessible and user-friendly form relevant statistics on categories of products with digital elements, including average support periods, as determined by the manufacturer pursuant to Article 13(8), as well as provide guidance that includes indicative support periods for categories of products with digital elements.\n\nWhere the data suggests inadequate support periods for specific categories of products with digital elements, ADCO may issue recommendations to market surveillance authorities to focus their activities on such categories of products with digital elements.",
|
|
318
|
+
"chapter": "V"
|
|
319
|
+
},
|
|
320
|
+
{
|
|
321
|
+
"number": "53",
|
|
322
|
+
"title": "Access to data and documentation",
|
|
323
|
+
"text": "Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.",
|
|
324
|
+
"chapter": "V"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"number": "54",
|
|
328
|
+
"text": "Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk\n\n1. Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate with the market surveillance authority as necessary.\n\nWhere, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the cybersecurity risk, as the market surveillance authority may prescribe.\n\nThe market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.\n\n2. When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, the market surveillance authorities shall also consider non-technical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. 
Where a market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.\n\n3. Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.\n\n4. The economic operator shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements concerned that it has made available on the market throughout the Union.\n\n5. Where the economic operator does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product with digital elements from being made available on its national market, to withdraw it from that market or to recall it.\n\nThat authority shall notify the Commission and the other Member States, without delay, of those measures.\n\n6. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements, the origin of that product with digital elements, the nature of the alleged non-compliance and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. 
In particular, the market surveillance authority shall indicate whether the non-compliance is due to one or more of the following:\n\n(a)\n\na failure of the product with digital elements or of the processes put in place by the manufacturer to meet the essential cybersecurity requirements set out in Annex I;\n\n(b)\n\nshortcomings in the harmonised standards, European cybersecurity certification schemes or common specifications, as referred to in Article 27.\n\n7. The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements concerned, and, in the event of disagreement with the notified national measure, of their objections.\n\n8. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed to be justified. This is without prejudice to the procedural rights of the economic operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.\n\n9. The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product with digital elements concerned, such as withdrawal of that product from their market, without delay.",
|
|
329
|
+
"chapter": "V"
|
|
330
|
+
},
|
|
331
|
+
{
|
|
332
|
+
"number": "55",
|
|
333
|
+
"title": "Union safeguard procedure",
|
|
334
|
+
"text": "1. Where, within three months of receipt of the notification referred to in Article 54(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and the economic operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within nine months from the notification referred to in Article 54(5) and notify that decision to the Member State concerned.\n\n2. If the national measure is considered to be justified, all Member States shall take the measures necessary to ensure that the non-compliant product with digital elements is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is not considered to be justified, the Member State concerned shall withdraw the measure.\n\n3. Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in the harmonised standards, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.\n\n4. Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in a European cybersecurity certification scheme as referred to in Article 27, the Commission shall consider whether to amend or repeal any delegated act adopted pursuant to Article 27(9) that specifies the presumption of conformity concerning that certification scheme.\n\n5. 
Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in common specifications as referred to in Article 27, the Commission shall consider whether to amend or repeal any implementing act adopted pursuant to Article 27(2) setting out those common specifications.",
|
|
335
|
+
"chapter": "V"
|
|
336
|
+
},
|
|
337
|
+
{
|
|
338
|
+
"number": "56",
|
|
339
|
+
"text": "Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk\n\n1. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk does not comply with the requirements laid down in this Regulation, it shall inform the relevant market surveillance authorities. Where the market surveillance authorities carry out an evaluation of that product with digital elements that may present a significant cybersecurity risk in respect of its compliance with the requirements laid down in this Regulation, the procedures referred to in Articles 54 and 55 shall apply.\n\n2. Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant market surveillance authorities and, where appropriate, the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary. The Commission shall also consider the relevance of the identified risks for that product with digital elements in view of its tasks regarding the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, and consult, as necessary, the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and ENISA.\n\n3. 
In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall carry out an evaluation of compliance and may request ENISA to provide an analysis to support it. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.\n\n4. Based on the evaluation referred to in paragraph 3, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.\n\n5. On the basis of the consultation referred to in paragraph 4 of this Article, the Commission may adopt implementing acts to provide for corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).\n\n6. The Commission shall immediately communicate the implementing acts referred to in paragraph 5 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.\n\n7. Paragraphs 3 to 6 shall be applicable for the duration of the exceptional situation that justified the Commission’s intervention, provided that the product with digital elements concerned is not brought in compliance with this Regulation.",
|
|
340
|
+
"chapter": "V"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"number": "57",
|
|
344
|
+
"title": "Compliant products with digital elements which present a significant cybersecurity risk",
|
|
345
|
+
"text": "1. The market surveillance authority of a Member State shall require an economic operator to take all appropriate measures where, having performed an evaluation under Article 54, it finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk as well as a risk to:\n\n(a)\n\nthe health or safety of persons;\n\n(b)\n\nthe compliance with obligations under Union or national law intended to protect fundamental rights;\n\n(c)\n\nthe availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555; or\n\n(d)\n\nother aspects of public interest protection.\n\nThe measures referred to in the first subparagraph may include measures to ensure that the product with digital elements concerned and the processes put in place by the manufacturer no longer present the relevant risks when made available on the market, withdrawal from the market of the product with digital elements concerned, or recalling of it, and shall be commensurate with the nature of those risks.\n\n2. The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.\n\n3. The Member State shall immediately inform the Commission and the other Member States about the measures taken pursuant to paragraph 1. 
That information shall include all available details, in particular the data necessary for the identification of the products with digital elements concerned, the origin and the supply chain of those products with digital elements, the nature of the risk involved and the nature and duration of the national measures taken.\n\n4. The Commission shall without delay enter into consultation with the Member States and the relevant economic operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.\n\n5. The Commission shall address the decision referred to in paragraph 4 to the Member States.\n\n6. Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1 of this Article, it shall inform and may request the relevant market surveillance authority or authorities to carry out an evaluation and follow the procedures referred to in Article 54 and in paragraphs 1, 2 and 3 of this Article.\n\n7. In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 6 continues to present the risks referred to in paragraph 1, and no effective measures have been taken by the relevant national market surveillance authorities, the Commission shall carry out an evaluation of the risks presented by that product with digital elements and may request ENISA to provide an analysis to support that evaluation and shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.\n\n8. 
Based on the evaluation referred to in paragraph 7, the Commission may establish that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.\n\n9. On the basis of the consultation referred to in paragraph 8 of this Article, the Commission may adopt implementing acts to decide on corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market, or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).\n\n10. The Commission shall immediately communicate the implementing acts referred to in paragraph 9 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.\n\n11. Paragraphs 6 to 10 shall apply for the duration of the exceptional situation that justified the Commission’s intervention and for as long as the product with digital elements concerned continues to present the risks referred to in paragraph 1.",
|
|
346
|
+
"chapter": "V"
|
|
347
|
+
},
|
|
348
|
+
{
|
|
349
|
+
"number": "58",
|
|
350
|
+
"title": "Formal non-compliance",
|
|
351
|
+
"text": "1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant manufacturer to put an end to the non-compliance concerned:\n\n(a)\n\nthe CE marking has been affixed in violation of Articles 29 and 30;\n\n(b)\n\nthe CE marking has not been affixed;\n\n(c)\n\nthe EU declaration of conformity has not been drawn up;\n\n(d)\n\nthe EU declaration of conformity has not been drawn up correctly;\n\n(e)\n\nthe identification number of the notified body which is involved in the conformity assessment procedure, where applicable, has not been affixed;\n\n(f)\n\nthe technical documentation is either not available or not complete.\n\n2. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the product with digital elements from being made available on the market or ensure that it is recalled or withdrawn from the market.",
|
|
352
|
+
"chapter": "V"
|
|
353
|
+
},
|
|
354
|
+
{
|
|
355
|
+
"number": "59",
|
|
356
|
+
"title": "Joint activities of market surveillance authorities",
|
|
357
|
+
"text": "1. Market surveillance authorities may agree with other relevant authorities to carry out joint activities aimed at ensuring cybersecurity and the protection of consumers with respect to specific products with digital elements placed on the market or made available on the market, in particular products with digital elements that are often found to present cybersecurity risks.\n\n2. The Commission or ENISA shall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non-compliance across several Member States of products with digital elements that fall within the scope of this Regulation with the requirements laid down in this Regulation.\n\n3. The market surveillance authorities and, where applicable, the Commission, shall ensure that the agreement to carry out joint activities does not lead to unfair competition between economic operators and does not negatively affect the objectivity, independence and impartiality of the parties to the agreement.\n\n4. A market surveillance authority may use any information obtained as a result of the joint activities carried out as part of any investigation that it undertakes.\n\n5. The market surveillance authority concerned and, where applicable, the Commission, shall make the agreement on joint activities, including the names of the parties involved, available to the public.",
|
|
358
|
+
"chapter": "V"
|
|
359
|
+
},
|
|
360
|
+
{
|
|
361
|
+
"number": "60",
|
|
362
|
+
"title": "Sweeps",
|
|
363
|
+
"text": "1. Market surveillance authorities shall conduct simultaneous coordinated control actions (sweeps) of particular products with digital elements or categories thereof to check compliance with or to detect infringements to this Regulation. Those sweeps may include inspections of products with digital elements acquired under a cover identity.\n\n2. Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep shall, where appropriate, make the aggregated results publicly available.\n\n3. Where, in the performance of its tasks, including based on the notifications received pursuant to Article 14(1) and (3), ENISA identifies categories of products with digital elements for which sweeps may be organised, it shall submit a proposal for a sweep to the coordinator referred to in paragraph 2 of this Article for the consideration of the market surveillance authorities.\n\n4. When conducting sweeps, the market surveillance authorities involved may use the investigation powers set out in Articles 52 to 58 and any other powers conferred upon them by national law.\n\n5. Market surveillance authorities may invite Commission officials, and other accompanying persons authorised by the Commission, to participate in sweeps.\n\nDELEGATED POWERS AND COMMITTEE PROCEDURE",
|
|
364
|
+
"chapter": "VI"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"number": "61",
|
|
368
|
+
"title": "Exercise of the delegation",
|
|
369
|
+
"text": "1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.\n\n2. The power to adopt delegated acts referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) shall be conferred on the Commission for a period of five years from 10 December 2024. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.\n\n3. The delegation of power referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.\n\n4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.\n\n5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.\n\n6. 
A delegated act adopted pursuant to Article 2(5), second subparagraph, Article 7(3), Article 8(1) or (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) or Article 31(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.",
|
|
370
|
+
"chapter": "VI"
|
|
371
|
+
},
|
|
372
|
+
{
|
|
373
|
+
"number": "62",
|
|
374
|
+
"title": "Committee procedure",
|
|
375
|
+
"text": "1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.\n\n2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.\n\n3. Where the opinion of the committee is to be obtained by written procedure, that procedure shall be terminated without result when, within the time-limit for delivery of the opinion, the chair of the committee so decides or a committee member so requests.\n\nCONFIDENTIALITY AND PENALTIES",
|
|
376
|
+
"chapter": "VII"
|
|
377
|
+
},
|
|
378
|
+
{
|
|
379
|
+
"number": "63",
|
|
380
|
+
"title": "Confidentiality",
|
|
381
|
+
"text": "1. All parties involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:\n\n(a)\n\nintellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council (37);\n\n(b)\n\nthe effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits;\n\n(c)\n\npublic and national security interests;\n\n(d)\n\nintegrity of criminal or administrative proceedings.\n\n2. Without prejudice to paragraph 1, information exchanged on a confidential basis between the market surveillance authorities and between market surveillance authorities and the Commission shall not be disclosed without the prior agreement of the originating market surveillance authority.\n\n3. Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law of the Member States.\n\n4. The Commission and Member States may exchange, where necessary, sensitive information with relevant authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of protection.",
|
|
382
|
+
"chapter": "VII"
|
|
383
|
+
},
|
|
384
|
+
{
|
|
385
|
+
"number": "64",
|
|
386
|
+
"title": "Penalties",
|
|
387
|
+
"text": "1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.\n\n2. Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher.\n\n3. Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.\n\n4. The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.\n\n5. 
When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:\n\n(a)\n\nthe nature, gravity and duration of the infringement and of its consequences;\n\n(b)\n\nwhether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement;\n\n(c)\n\nthe size, in particular with regard to microenterprises and small and medium sized-enterprises, including start-ups, and the market share of the economic operator committing the infringement.\n\n6. Market surveillance authorities that apply administrative fines shall communicate that application to the market surveillance authorities of other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020.\n\n7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.\n\n8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies according to the competences established at national level in those Member States. The application of such rules in those Member States shall have an equivalent effect.\n\n9. Administrative fines may be imposed, depending on the circumstances of each individual case, in addition to any other corrective or restrictive measures applied by the market surveillance authorities for the same infringement.\n\n10. 
By way of derogation from paragraphs 3 to 9, the administrative fines referred to in those paragraphs shall not apply to the following:\n\n(a)\n\nmanufacturers that qualify as microenterprises or small enterprises with regard to any failure to meet the deadline referred to in Article 14(2), point (a), or Article 14(4), point (a);\n\n(b)\n\nany infringement of this Regulation by open-source software stewards.",
|
|
388
|
+
"chapter": "VII"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"number": "65",
|
|
392
|
+
"title": "Representative actions",
|
|
393
|
+
"text": "Directive (EU) 2020/1828 shall apply to the representative actions brought against infringements by economic operators of provisions of this Regulation that harm, or may harm, the collective interests of consumers.\n\nTRANSITIONAL AND FINAL PROVISIONS",
|
|
394
|
+
"chapter": "VIII"
|
|
395
|
+
},
|
|
396
|
+
{
|
|
397
|
+
"number": "66",
|
|
398
|
+
"title": "Amendment to Regulation (EU) 2019/1020",
|
|
399
|
+
"text": "In Annex I to Regulation (EU) 2019/1020, the following point is added:\n\n‘72.\n\nRegulation (EU) 2024/2847 of the European Parliament and of the Council (*1).",
|
|
400
|
+
"chapter": "VIII"
|
|
401
|
+
},
|
|
402
|
+
{
|
|
403
|
+
"number": "67",
|
|
404
|
+
"title": "Amendment to Directive (EU) 2020/1828",
|
|
405
|
+
"text": "In Annex I to Directive (EU) 2020/1828, the following point is added:\n\n‘69.\n\nRegulation (EU) 2024/2847 of the European Parliament and of the Council (*2).",
|
|
406
|
+
"chapter": "VIII"
|
|
407
|
+
},
|
|
408
|
+
{
|
|
409
|
+
"number": "68",
|
|
410
|
+
"title": "Amendment to Regulation (EU) No 168/2013",
|
|
411
|
+
"text": "In Part C1, in the table, of Annex II to Regulation (EU) No 168/2013 of the European Parliament and of the Council (38), the following entry is added:\n\n‘\n\n16\n\n18\n\nprotection of vehicle against cyberattacks\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\nx\n\n’.",
|
|
412
|
+
"chapter": "VIII"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"number": "69",
|
|
416
|
+
"title": "Transitional provisions",
|
|
417
|
+
"text": "1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until 11 June 2028, unless they expire before that date, or unless otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.\n\n2. Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.\n\n3. By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before 11 December 2027.",
|
|
418
|
+
"chapter": "VIII"
|
|
419
|
+
},
|
|
420
|
+
{
|
|
421
|
+
"number": "70",
|
|
422
|
+
"title": "Evaluation and review",
|
|
423
|
+
"text": "1. By 11 December 2030 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.\n\n2. By 11 September 2028, the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.",
|
|
424
|
+
"chapter": "VIII"
|
|
425
|
+
},
|
|
426
|
+
{
|
|
427
|
+
"number": "71",
|
|
428
|
+
"title": "Entry into force and application",
|
|
429
|
+
"text": "1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\n2. This Regulation shall apply from 11 December 2027.\n\nHowever, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Strasbourg, 23 October 2024.\n\nFor the European Parliament\n\nThe President\n\nR. METSOLA\n\nFor the Council\n\nThe President\n\nZSIGMOND B. P.\n\n(1)\n\nOJ C 100, 16.3.2023, p. 101.\n\n(2) Position of the European Parliament of 12 March 2024 (not yet published in the Official Journal) and decision of the Council of 10 October 2024.\n\n(3) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).\n\n(4) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).\n\n(5) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).\n\n(6)\n\nOJ C 67, 8.2.2022, p. 81.\n\n(7) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 
65).\n\n(8) Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243).\n\n(9) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).\n\n(10) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).\n\n(11) Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).\n\n(12)\n\nOJ L 82, 9.3.2021, p. 
30.\n\n(13) Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).\n\n(14) Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive (OJ L 7, 12.1.2022, p. 6).\n\n(15) Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).\n\n(16) Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC (OJ L, 2024/2853, 18.11.2024, ELI: http://data.europa.eu/eli/dir/2024/2853/oj).\n\n(17) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).\n\n(18) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 
73).\n\n(19) Regulation (EU) 2024/1781 of the European Parliament and of the Council of 13 June 2024 establishing a framework for the setting of ecodesign requirements for sustainable products, amending Directive (EU) 2020/1828 and Regulation (EU) 2023/1542 and repealing Directive 2009/125/EC (OJ L, 2024/1781, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1781/oj).\n\n(20) Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).\n\n(21) Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (OJ L 135, 23.5.2023, p. 1).\n\n(22) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj).\n\n(23) Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).\n\n(24) Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (OJ L 165, 29.6.2023, p. 
1).\n\n(25) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).\n\n(26) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).\n\n(27) Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1).\n\n(28) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).\n\n(29) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).\n\n(30) Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).\n\n(31)\n\nOJ L 123, 12.5.2016, p. 
1.\n\n(32) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13, ELI: http://data.europa.eu/eli/reg/2011/182/oj).\n\n(33) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).\n\n(34) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).\n\n(35)\n\nOJ C 452, 29.11.2022, p. 23.\n\n(36) Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146).\n\n(37) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).\n\n(38) Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 
52).\n\nANNEX I\n\nESSENTIAL CYBERSECURITY REQUIREMENTS\n\nPart I Cybersecurity requirements relating to the properties of products with digital elements\n\n(1)\n\nProducts with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.\n\n(2)\n\nOn the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:\n\n(a)\n\nbe made available on the market without known exploitable vulnerabilities;\n\n(b)\n\nbe made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;\n\n(c)\n\nensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;\n\n(d)\n\nensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;\n\n(e)\n\nprotect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;\n\n(f)\n\nprotect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;\n\n(g)\n\nprocess only data, personal or other, that are adequate, relevant and limited to what is 
necessary in relation to the intended purpose of the product with digital elements (data minimisation);\n\n(h)\n\nprotect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;\n\n(i)\n\nminimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;\n\n(j)\n\nbe designed, developed and produced to limit attack surfaces, including external interfaces;\n\n(k)\n\nbe designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;\n\n(l)\n\nprovide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;\n\n(m)\n\nprovide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.\n\nPart II Vulnerability handling requirements\n\nManufacturers of products with digital elements shall:\n\n(1)\n\nidentify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;\n\n(2)\n\nin relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;\n\n(3)\n\napply effective and regular tests and reviews of the security of the product with digital elements;\n\n(4)\n\nonce a security update has been made available, share and publicly disclose 
information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;\n\n(5)\n\nput in place and enforce a policy on coordinated vulnerability disclosure;\n\n(6)\n\ntake measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;\n\n(7)\n\nprovide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;\n\n(8)\n\nensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.\n\nANNEX II\n\nINFORMATION AND INSTRUCTIONS TO THE USER\n\nAt minimum, the product with digital elements shall be accompanied by:\n\n1.\n\nthe name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can 
be contacted;\n\n2.\n\nthe single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;\n\n3.\n\nname and type and any additional information enabling the unique identification of the product with digital elements;\n\n4.\n\nthe intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;\n\n5.\n\nany known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;\n\n6.\n\nwhere applicable, the internet address at which the EU declaration of conformity can be accessed;\n\n7.\n\nthe type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;\n\n8.\n\ndetailed instructions or an internet address referring to such detailed instructions and information on:\n\n(a)\n\nthe necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use;\n\n(b)\n\nhow changes to the product with digital elements can affect the security of data;\n\n(c)\n\nhow security-relevant updates can be installed;\n\n(d)\n\nthe secure decommissioning of the product with digital elements, including information on how user data can be securely removed;\n\n(e)\n\nhow the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;\n\n(f)\n\nwhere the product with digital elements is intended for integration into other products with digital 
elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.\n\n9.\n\nIf the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.\n\nANNEX III\n\nIMPORTANT PRODUCTS WITH DIGITAL ELEMENTS\n\nClass I\n\n1.\n\nIdentity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers\n\n2.\n\nStandalone and embedded browsers\n\n3.\n\nPassword managers\n\n4.\n\nSoftware that searches for, removes, or quarantines malicious software\n\n5.\n\nProducts with digital elements with the function of virtual private network (VPN)\n\n6.\n\nNetwork management systems\n\n7.\n\nSecurity information and event management (SIEM) systems\n\n8.\n\nBoot managers\n\n9.\n\nPublic key infrastructure and digital certificate issuance software\n\n10.\n\nPhysical and virtual network interfaces\n\n11.\n\nOperating systems\n\n12.\n\nRouters, modems intended for the connection to the internet, and switches\n\n13.\n\nMicroprocessors with security-related functionalities\n\n14.\n\nMicrocontrollers with security-related functionalities\n\n15.\n\nApplication specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities\n\n16.\n\nSmart home general purpose virtual assistants\n\n17.\n\nSmart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems\n\n18.\n\nInternet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council (1) that have social interactive features (e.g. 
speaking or filming) or that have location tracking features\n\n19.\n\nPersonal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or (EU) No 2017/746 do not apply, or personal wearable products that are intended for the use by and for children\n\nClass II\n\n1.\n\nHypervisors and container runtime systems that support virtualised execution of operating systems and similar environments\n\n2.\n\nFirewalls, intrusion detection and prevention systems\n\n3.\n\nTamper-resistant microprocessors\n\n4.\n\nTamper-resistant microcontrollers\n\n(1) Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1).\n\nANNEX IV\n\nCRITICAL PRODUCTS WITH DIGITAL ELEMENTS\n\n1.\n\nHardware Devices with Security Boxes\n\n2.\n\nSmart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 of the European Parliament and of the Council (1) and other devices for advanced security purposes, including for secure cryptoprocessing\n\n3.\n\nSmartcards or similar devices, including secure elements\n\n(1) Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (OJ L 158, 14.6.2019, p. 
125).\n\nANNEX V\n\nEU DECLARATION OF CONFORMITY\n\nThe EU declaration of conformity referred to in Article 28, shall contain all of the following information:\n\n1.\n\nName and type and any additional information enabling the unique identification of the product with digital elements\n\n2.\n\nName and address of the manufacturer or its authorised representative\n\n3.\n\nA statement that the EU declaration of conformity is issued under the sole responsibility of the provider\n\n4.\n\nObject of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)\n\n5.\n\nA statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation\n\n6.\n\nReferences to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared\n\n7.\n\nWhere applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued\n\n8.\n\nAdditional information:\n\nSigned for and on behalf of:\n\n(place and date of issue):\n\n(name, function) (signature):\n\nANNEX VI\n\nSIMPLIFIED EU DECLARATION OF CONFORMITY\n\nThe simplified EU declaration of conformity referred to in Article 13(20) shall be provided as follows:\n\nHereby, … [name of manufacturer] declares that the product with digital elements type … [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/2847 (1).\n\nThe full text of the EU declaration of conformity is available at the following internet address: …\n\n(1)\n\nOJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj.\n\nANNEX VII\n\nCONTENT OF THE TECHNICAL DOCUMENTATION\n\nThe technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant 
product with digital elements:\n\n1.\n\na general description of the product with digital elements, including:\n\n(a)\n\nits intended purpose;\n\n(b)\n\nversions of software affecting compliance with essential cybersecurity requirements;\n\n(c)\n\nwhere the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout;\n\n(d)\n\nuser information and instructions as set out in Annex II;\n\n2.\n\na description of the design, development and production of the product with digital elements and vulnerability handling processes, including:\n\n(a)\n\nnecessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;\n\n(b)\n\nnecessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;\n\n(c)\n\nnecessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;\n\n3.\n\nan assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;\n\n4.\n\nrelevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;\n\n5.\n\na list of the harmonised standards applied in full or in part the 
references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;\n\n6.\n\nreports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;\n\n7.\n\na copy of the EU declaration of conformity;\n\n8.\n\nwhere applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.\n\nANNEX VIII\n\nCONFORMITY ASSESSMENT PROCEDURES\n\nPart I Conformity assessment procedure based on internal control (based on module A)\n\n1.\n\nInternal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.\n\n2.\n\nThe manufacturer shall 
draw up the technical documentation described in Annex VII.\n\n3.\n\nDesign, development, production and vulnerability handling of products with digital elements\n\nThe manufacturer shall take all measures necessary so that the design, development, production and vulnerability handling processes and their monitoring ensure compliance of the manufactured or developed products with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Parts I and II of Annex I.\n\n4.\n\nConformity marking and declaration of conformity\n\n4.1.\n\nThe manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements set out in this Regulation.\n\n4.2.\n\nThe manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. 
A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.\n\n5.\n\nAuthorised representatives\n\nThe manufacturer’s obligations set out in point 4 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.\n\nPart II EU-type examination (based on module B)\n\n1.\n\nEU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.\n\n2.\n\nEU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).\n\n3.\n\nThe manufacturer shall lodge an application for EU-type examination with a single notified body of its choice.\n\nThe application shall include:\n\n3.1.\n\nthe name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;\n\n3.2.\n\na written declaration that the same application has not been lodged with any other notified body;\n\n3.3.\n\nthe technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes 
set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;\n\n3.4.\n\nthe supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.\n\n4.\n\nThe notified body shall:\n\n4.1.\n\nexamine the technical documentation and supporting evidence to assess the adequacy of the technical design and development of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the vulnerability handling processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I;\n\n4.2.\n\nverify that specimens have been developed or manufactured in conformity with the technical documentation, and identify the elements which have been designed and developed in accordance with the applicable provisions of the relevant harmonised standards or technical specifications, as well as the elements which have been designed and developed without applying the relevant provisions of those standards;\n\n4.3.\n\ncarry out appropriate examinations and tests, or have them carried out, to check that, where the manufacturer has chosen to apply the solutions in the relevant harmonised standards or 
technical specifications for the requirements set out in Annex I, they have been applied correctly;\n\n4.4.\n\ncarry out appropriate examinations and tests, or have them carried out, to check that, where the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I have not been applied, the solutions adopted by the manufacturer meet the corresponding essential cybersecurity requirements;\n\n4.5.\n\nagree with the manufacturer on a location where the examinations and tests will be carried out.\n\n5.\n\nThe notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.\n\n6.\n\nWhere the type and the vulnerability handling processes meet the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, the conditions (if any) for its validity and the necessary data for identification of the approved type and vulnerability handling processes. 
The certificate may have one or more annexes attached.\n\nThe certificate and its annexes shall contain all relevant information to allow the conformity of manufactured or developed products with digital elements with the examined type and vulnerability handling processes to be evaluated and to allow for in-service control.\n\nWhere the type and the vulnerability handling processes do not satisfy the applicable essential cybersecurity requirements set out in Annex I, the notified body shall refuse to issue an EU-type examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.\n\n7.\n\nThe notified body shall keep itself apprised of any changes in the generally acknowledged state of the art which indicate that the approved type and the vulnerability handling processes may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.\n\nThe manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. 
Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.\n\n8.\n\nThe notified body shall carry out periodic audits to ensure that the vulnerability handling processes as set out in Part II of Annex I are implemented adequately.\n\n9.\n\nEach notified body shall inform its notifying authorities concerning the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.\n\nEach notified body shall inform the other notified bodies concerning the EU-type examination certificates and any additions thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, concerning the certificates and additions thereto which it has issued.\n\nThe Commission, the Member States and the other notified bodies may, on request, obtain a copy of the EU-type examination certificates and any additions thereto. On request, the Commission and the Member States may obtain a copy of the technical documentation and the results of the examinations carried out by the notified body. 
The notified body shall keep a copy of the EU-type examination certificate, its annexes and additions, as well as the technical file including the documentation submitted by the manufacturer, until the expiry of the validity of the certificate.\n\n10.\n\nThe manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.\n\n11.\n\nThe manufacturer’s authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.\n\nPart III Conformity to type based on internal production control (based on module C)\n\n1.\n\nConformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.\n\n2.\n\nProduction\n\nThe manufacturer shall take all measures necessary so that the production and its monitoring ensure conformity of the manufactured products with digital elements with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements as set out in Part I of Annex I and ensures that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.\n\n3.\n\nConformity marking and declaration of conformity\n\n3.1.\n\nThe manufacturer shall affix the CE marking 
to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements set out in this Regulation.\n\n3.2.\n\nThe manufacturer shall draw up a written declaration of conformity for a product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.\n\n4.\n\nAuthorised representative\n\nThe manufacturer’s obligations set out in point 3 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.\n\nPart IV Conformity based on full quality assurance (based on module H)\n\n1.\n\nConformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.\n\n2.\n\nDesign, development, production and vulnerability handling of products with digital elements\n\nThe manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 
4.\n\n3.\n\nQuality system\n\n3.1.\n\nThe manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned.\n\nThe application shall include:\n\n(a)\n\nthe name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;\n\n(b)\n\nthe technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;\n\n(c)\n\nthe documentation concerning the quality system; and\n\n(d)\n\na written declaration that the same application has not been lodged with any other notified body.\n\n3.2.\n\nThe quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I.\n\nAll the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. 
That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records.\n\nIt shall, in particular, contain an adequate description of:\n\n(a)\n\nthe quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;\n\n(b)\n\nthe technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;\n\n(c)\n\nthe procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;\n\n(d)\n\nthe design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;\n\n(e)\n\nthe corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;\n\n(f)\n\nthe examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;\n\n(g)\n\nthe quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;\n\n(h)\n\nthe means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.\n\n3.3.\n\nThe notified body shall 
assess the quality system to determine whether it satisfies the requirements referred to in point 3.2.\n\nIt shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification.\n\nIn addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements set out in this Regulation. The audit shall include an assessment visit to the manufacturer’s premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1 (b), to verify the manufacturer’s ability to identify the applicable requirements set out in this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements.\n\nThe manufacturer or its authorised representative shall be notified of the decision.\n\nThe notification shall contain the conclusions of the audit and the reasoned assessment decision.\n\n3.4.\n\nThe manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient.\n\n3.5.\n\nThe manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.\n\nThe notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.\n\nIt shall notify the manufacturer of its decision. 
The notification shall contain the conclusions of the examination and the reasoned assessment decision.\n\n4.\n\nSurveillance under the responsibility of the notified body\n\n4.1.\n\nThe purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising out of the approved quality system.\n\n4.2.\n\nThe manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:\n\n(a)\n\nthe quality system documentation;\n\n(b)\n\nthe quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;\n\n(c)\n\nthe quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.\n\n4.3.\n\nThe notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report.\n\n5.\n\nConformity marking and declaration of conformity\n\n5.1.\n\nThe manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter’s identification number to each individual product with digital elements that satisfies the requirements set out in Part I of Annex I.\n\n5.2.\n\nThe manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. 
The declaration of conformity shall identify the product model for which it has been drawn up.\n\nA copy of the declaration of conformity shall be made available to the relevant authorities upon request.\n\n6.\n\nThe manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:\n\n(a)\n\nthe technical documentation referred to in point 3.1;\n\n(b)\n\nthe documentation concerning the quality system referred to in point 3.1;\n\n(c)\n\nthe change referred to in point 3.5, as approved;\n\n(d)\n\nthe decisions and reports of the notified body referred to in points 3.5 and 4.3.\n\n7.\n\nEach notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.\n\nEach notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued.\n\n8.\n\nAuthorised representative\n\nThe manufacturer’s obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.\n\nA statement has been made with regard to this act and can be found in OJ C, 2024/6786, 20.11.2024, ELI: http://data.europa.eu/eli/C/2024/6786/oj.\n\nELI: http://data.europa.eu/eli/reg/2024/2847/oj\n\nISSN 1977-0677 (electronic edition)\n\n////////////////////////$(document).ready(function(){generateTOC(true,'', 'Top','false');scrollToCurrentUrlAnchor();});",
|
|
430
|
+
"chapter": "VIII"
|
|
431
|
+
}
|
|
432
|
+
],
|
|
433
|
+
"definitions": [
|
|
434
|
+
{
|
|
435
|
+
"term": "product with digital elements",
|
|
436
|
+
"definition": "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;",
|
|
437
|
+
"article": "3"
|
|
438
|
+
},
|
|
439
|
+
{
|
|
440
|
+
"term": "remote data processing",
|
|
441
|
+
"definition": "data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;",
|
|
442
|
+
"article": "3"
|
|
443
|
+
},
|
|
444
|
+
{
|
|
445
|
+
"term": "cybersecurity",
|
|
446
|
+
"definition": "cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;",
|
|
447
|
+
"article": "3"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"term": "software",
|
|
451
|
+
"definition": "the part of an electronic information system which consists of computer code;",
|
|
452
|
+
"article": "3"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"term": "hardware",
|
|
456
|
+
"definition": "a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;",
|
|
457
|
+
"article": "3"
|
|
458
|
+
},
|
|
459
|
+
{
|
|
460
|
+
"term": "component",
|
|
461
|
+
"definition": "software or hardware intended for integration into an electronic information system;",
|
|
462
|
+
"article": "3"
|
|
463
|
+
},
|
|
464
|
+
{
|
|
465
|
+
"term": "electronic information system",
|
|
466
|
+
"definition": "a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;",
|
|
467
|
+
"article": "3"
|
|
468
|
+
},
|
|
469
|
+
{
|
|
470
|
+
"term": "logical connection",
|
|
471
|
+
"definition": "a virtual representation of a data connection implemented through a software interface;",
|
|
472
|
+
"article": "3"
|
|
473
|
+
},
|
|
474
|
+
{
|
|
475
|
+
"term": "physical connection",
|
|
476
|
+
"definition": "a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;",
|
|
477
|
+
"article": "3"
|
|
478
|
+
},
|
|
479
|
+
{
|
|
480
|
+
"term": "indirect connection",
|
|
481
|
+
"definition": "a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;",
|
|
482
|
+
"article": "3"
|
|
483
|
+
},
|
|
484
|
+
{
|
|
485
|
+
"term": "end-point",
|
|
486
|
+
"definition": "any device that is connected to a network and serves as an entry point to that network;",
|
|
487
|
+
"article": "3"
|
|
488
|
+
},
|
|
489
|
+
{
|
|
490
|
+
"term": "economic operator",
|
|
491
|
+
"definition": "the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;",
|
|
492
|
+
"article": "3"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"term": "manufacturer",
|
|
496
|
+
"definition": "a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;",
|
|
497
|
+
"article": "3"
|
|
498
|
+
},
|
|
499
|
+
{
|
|
500
|
+
"term": "open-source software steward",
|
|
501
|
+
"definition": "a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;",
|
|
502
|
+
"article": "3"
|
|
503
|
+
},
|
|
504
|
+
{
|
|
505
|
+
"term": "authorised representative",
|
|
506
|
+
"definition": "a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;",
|
|
507
|
+
"article": "3"
|
|
508
|
+
},
|
|
509
|
+
{
|
|
510
|
+
"term": "importer",
|
|
511
|
+
"definition": "a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;",
|
|
512
|
+
"article": "3"
|
|
513
|
+
},
|
|
514
|
+
{
|
|
515
|
+
"term": "distributor",
|
|
516
|
+
"definition": "a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;",
|
|
517
|
+
"article": "3"
|
|
518
|
+
},
|
|
519
|
+
{
|
|
520
|
+
"term": "consumer",
|
|
521
|
+
"definition": "a natural person who acts for purposes which are outside that person's trade, business, craft or profession;",
|
|
522
|
+
"article": "3"
|
|
523
|
+
},
|
|
524
|
+
{
|
|
525
|
+
"term": "microenterprises",
|
|
526
|
+
"definition": "respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;",
|
|
527
|
+
"article": "3"
|
|
528
|
+
},
|
|
529
|
+
{
|
|
530
|
+
"term": "support period",
|
|
531
|
+
"definition": "the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;",
|
|
532
|
+
"article": "3"
|
|
533
|
+
},
|
|
534
|
+
{
|
|
535
|
+
"term": "placing on the market",
|
|
536
|
+
"definition": "the first making available of a product with digital elements on the Union market;",
|
|
537
|
+
"article": "3"
|
|
538
|
+
},
|
|
539
|
+
{
|
|
540
|
+
"term": "making available on the market",
|
|
541
|
+
"definition": "the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;",
|
|
542
|
+
"article": "3"
|
|
543
|
+
},
|
|
544
|
+
{
|
|
545
|
+
"term": "intended purpose",
|
|
546
|
+
"definition": "the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;",
|
|
547
|
+
"article": "3"
|
|
548
|
+
},
|
|
549
|
+
{
|
|
550
|
+
"term": "reasonably foreseeable use",
|
|
551
|
+
"definition": "use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;",
|
|
552
|
+
"article": "3"
|
|
553
|
+
},
|
|
554
|
+
{
|
|
555
|
+
"term": "reasonably foreseeable misuse",
|
|
556
|
+
"definition": "the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;",
|
|
557
|
+
"article": "3"
|
|
558
|
+
},
|
|
559
|
+
{
|
|
560
|
+
"term": "notifying authority",
|
|
561
|
+
"definition": "the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;",
|
|
562
|
+
"article": "3"
|
|
563
|
+
},
|
|
564
|
+
{
|
|
565
|
+
"term": "conformity assessment",
|
|
566
|
+
"definition": "the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;",
|
|
567
|
+
"article": "3"
|
|
568
|
+
},
|
|
569
|
+
{
|
|
570
|
+
"term": "conformity assessment body",
|
|
571
|
+
"definition": "a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;",
|
|
572
|
+
"article": "3"
|
|
573
|
+
},
|
|
574
|
+
{
|
|
575
|
+
"term": "notified body",
|
|
576
|
+
"definition": "a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;",
|
|
577
|
+
"article": "3"
|
|
578
|
+
},
|
|
579
|
+
{
|
|
580
|
+
"term": "substantial modification",
|
|
581
|
+
"definition": "a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;",
|
|
582
|
+
"article": "3"
|
|
583
|
+
},
|
|
584
|
+
{
|
|
585
|
+
"term": "ce marking",
|
|
586
|
+
"definition": "a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;",
|
|
587
|
+
"article": "3"
|
|
588
|
+
},
|
|
589
|
+
{
|
|
590
|
+
"term": "union harmonisation legislation",
|
|
591
|
+
"definition": "Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;",
|
|
592
|
+
"article": "3"
|
|
593
|
+
},
|
|
594
|
+
{
|
|
595
|
+
"term": "market surveillance authority",
|
|
596
|
+
"definition": "a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;",
|
|
597
|
+
"article": "3"
|
|
598
|
+
},
|
|
599
|
+
{
|
|
600
|
+
"term": "international standard",
|
|
601
|
+
"definition": "an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;",
|
|
602
|
+
"article": "3"
|
|
603
|
+
},
|
|
604
|
+
{
|
|
605
|
+
"term": "european standard",
|
|
606
|
+
"definition": "a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;",
|
|
607
|
+
"article": "3"
|
|
608
|
+
},
|
|
609
|
+
{
|
|
610
|
+
"term": "harmonised standard",
|
|
611
|
+
"definition": "a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;",
|
|
612
|
+
"article": "3"
|
|
613
|
+
},
|
|
614
|
+
{
|
|
615
|
+
"term": "cybersecurity risk",
|
|
616
|
+
"definition": "the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;",
|
|
617
|
+
"article": "3"
|
|
618
|
+
},
|
|
619
|
+
{
|
|
620
|
+
"term": "significant cybersecurity risk",
|
|
621
|
+
"definition": "a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;",
|
|
622
|
+
"article": "3"
|
|
623
|
+
},
|
|
624
|
+
{
|
|
625
|
+
"term": "software bill of materials",
|
|
626
|
+
"definition": "a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;",
|
|
627
|
+
"article": "3"
|
|
628
|
+
},
|
|
629
|
+
{
|
|
630
|
+
"term": "vulnerability",
|
|
631
|
+
"definition": "a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;",
|
|
632
|
+
"article": "3"
|
|
633
|
+
},
|
|
634
|
+
{
|
|
635
|
+
"term": "exploitable vulnerability",
|
|
636
|
+
"definition": "a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;",
|
|
637
|
+
"article": "3"
|
|
638
|
+
},
|
|
639
|
+
{
|
|
640
|
+
"term": "actively exploited vulnerability",
|
|
641
|
+
"definition": "a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;",
|
|
642
|
+
"article": "3"
|
|
643
|
+
},
|
|
644
|
+
{
|
|
645
|
+
"term": "incident",
|
|
646
|
+
"definition": "an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;",
|
|
647
|
+
"article": "3"
|
|
648
|
+
},
|
|
649
|
+
{
|
|
650
|
+
"term": "incident having an impact on the security of the product with digital elements",
|
|
651
|
+
"definition": "an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;",
|
|
652
|
+
"article": "3"
|
|
653
|
+
},
|
|
654
|
+
{
|
|
655
|
+
"term": "near miss",
|
|
656
|
+
"definition": "a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;",
|
|
657
|
+
"article": "3"
|
|
658
|
+
},
|
|
659
|
+
{
|
|
660
|
+
"term": "cyber threat",
|
|
661
|
+
"definition": "a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;",
|
|
662
|
+
"article": "3"
|
|
663
|
+
},
|
|
664
|
+
{
|
|
665
|
+
"term": "personal data",
|
|
666
|
+
"definition": "personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;",
|
|
667
|
+
"article": "3"
|
|
668
|
+
},
|
|
669
|
+
{
|
|
670
|
+
"term": "free and open-source software",
|
|
671
|
+
"definition": "software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;",
|
|
672
|
+
"article": "3"
|
|
673
|
+
},
|
|
674
|
+
{
|
|
675
|
+
"term": "recall",
|
|
676
|
+
"definition": "recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;",
|
|
677
|
+
"article": "3"
|
|
678
|
+
},
|
|
679
|
+
{
|
|
680
|
+
"term": "withdrawal",
|
|
681
|
+
"definition": "withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;",
|
|
682
|
+
"article": "3"
|
|
683
|
+
},
|
|
684
|
+
{
|
|
685
|
+
"term": "csirt designated as coordinator",
|
|
686
|
+
"definition": "a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.",
|
|
687
|
+
"article": "3"
|
|
688
|
+
}
|
|
689
|
+
]
|
|
690
|
+
}
|