
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)


CHAPTER I GENERAL PROVISIONS

Article 1 Subject matter

This Regulation lays down:

  1. rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;

  2. essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;

  3. essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;

  4. rules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to in this Article.

Article 2 Scope

1. This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

2. This Regulation does not apply to products with digital elements to which the following Union legal acts apply:

  (a) Regulation (EU) 2017/745;

  (b) Regulation (EU) 2017/746;

  (c) Regulation (EU) 2019/2144.

3. This Regulation does not apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139.

4. This Regulation does not apply to equipment that falls within the scope of Directive 2014/90/EU of the European Parliament and of the Council.

5. The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in Annex I may be limited or excluded where:

  (a) such limitation or exclusion is consistent with the overall regulatory framework that applies to those products; and

  (b) the sectoral rules achieve the same or a higher level of protection as that provided for by this Regulation.

The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying whether such limitation or exclusion is necessary, the products and rules concerned, as well as the scope of the limitation, if relevant.

6. This Regulation does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.

7. This Regulation does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information.

8. The obligations laid down in this Regulation shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.

Article 3 Definitions

For the purposes of this Regulation, the following definitions apply:

  1. ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;

  2. ‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;

  3. ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

  4. ‘software’ means the part of an electronic information system which consists of computer code;

  5. ‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;

  6. ‘component’ means software or hardware intended for integration into an electronic information system;

  7. ‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;

  8. ‘logical connection’ means a virtual representation of a data connection implemented through a software interface;

  9. ‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;

  10. ‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;

  11. ‘end-point’ means any device that is connected to a network and serves as an entry point to that network;

  12. ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;

  13. ‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;

  14. ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

  15. ‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;

  16. ‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;

  17. ‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;

  18. ‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;

  19. ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;

  20. ‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;

  21. ‘placing on the market’ means the first making available of a product with digital elements on the Union market;

  22. ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

  23. ‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;

  24. ‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;

  25. ‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;

  26. ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;

  27. ‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;

  28. ‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;

  29. ‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;

  30. ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;

  31. ‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;

  32. ‘Union harmonisation legislation’ means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;

  33. ‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;

  34. ‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;

  35. ‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;

  36. ‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;

  37. ‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

  38. ‘significant cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;

  39. ‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;

  40. ‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;

  41. ‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;

  42. ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;

  43. ‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

  44. ‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;

  45. ‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;

  46. ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

  47. ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

  48. ‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;

  49. ‘recall’ means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;

  50. ‘withdrawal’ means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;

  51. ‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.

Article 4 Free movement

1. Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements which comply with this Regulation.

2. At trade fairs, exhibitions, demonstrations or similar events, Member States shall not prevent the presentation or use of a product with digital elements which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that it does not comply with this Regulation and that it is not to be made available on the market until it does so.

3. Member States shall not prevent the making available on the market of unfinished software which does not comply with this Regulation, provided that the software is made available only for a limited period required for testing purposes with a visible sign clearly indicating that it does not comply with this Regulation and that it will not be available on the market for purposes other than testing.

4. Paragraph 3 does not apply to safety components as referred to in Union harmonisation legislation other than this Regulation.

Article 5 Procurement or use of products with digital elements

Article 6 Requirements for products with digital elements

Article 7 Important products with digital elements

Article 8 Critical products with digital elements

Article 9 Stakeholder consultation

Article 10 Enhancing skills in a cyber resilient digital environment

Article 11 General product safety

Article 12 High-risk AI systems

CHAPTER II OBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWARE

Article 13 Obligations of manufacturers

Article 14 Reporting obligations of manufacturers

Article 15 Voluntary reporting

Article 16 Establishment of a single reporting platform

Article 17 Other provisions related to reporting

Article 18 Authorised representatives

Article 19 Obligations of importers

Article 20 Obligations of distributors

Article 21 Cases in which obligations of manufacturers apply to importers and distributors

Article 22 Other cases in which obligations of manufacturers apply

Article 23 Identification of economic operators

Article 24 Obligations of open-source software stewards

Article 25 Security attestation of free and open-source software

Article 26 Guidance

CHAPTER III CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS

Article 27 Presumption of conformity

Article 28 EU declaration of conformity

Article 29 General principles of the CE marking

Article 30 Rules and conditions for affixing the CE marking

Article 31 Technical documentation

Article 32 Conformity assessment procedures for products with digital elements

Article 33 Support measures for microenterprises and small and medium-sized enterprises, including start-ups

Article 34 Mutual recognition agreements

CHAPTER IV NOTIFICATION OF CONFORMITY ASSESSMENT BODIES

Article 35 Notification

Article 36 Notifying authorities

Article 37 Requirements relating to notifying authorities

Article 38 Information obligation on notifying authorities

Article 39 Requirements relating to notified bodies

Article 40 Presumption of conformity of notified bodies

Article 41 Subsidiaries of and subcontracting by notified bodies

Article 42 Application for notification

Article 43 Notification procedure

Article 44 Identification numbers and lists of notified bodies

Article 45 Changes to notifications

Article 46 Challenge of the competence of notified bodies

Article 47 Operational obligations of notified bodies

Article 48 Appeal against decisions of notified bodies

Article 49 Information obligation on notified bodies

Article 50 Exchange of experience

Article 51 Coordination of notified bodies

CHAPTER V MARKET SURVEILLANCE AND ENFORCEMENT

Article 52 Market surveillance and control of products with digital elements in the Union market

Article 53 Access to data and documentation

Article 54 Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

Article 55 Union safeguard procedure

Article 56 Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk

Article 57 Compliant products with digital elements which present a significant cybersecurity risk

Article 58 Formal non-compliance

Article 59 Joint activities of market surveillance authorities

Article 60 Sweeps

CHAPTER VI DELEGATED POWERS AND COMMITTEE PROCEDURE

Article 61 Exercise of the delegation

Article 62 Committee procedure

CHAPTER VII CONFIDENTIALITY AND PENALTIES

Article 63 Confidentiality

Article 64 Penalties

Article 65 Representative actions

CHAPTER VIII TRANSITIONAL AND FINAL PROVISIONS

Article 66 Amendment to Regulation (EU) 2019/1020

Article 67 Amendment to Directive (EU) 2020/1828

Article 68 Amendment to Regulation (EU) No 168/2013

Article 69 Transitional provisions

Article 70 Evaluation and review

Article 71 Entry into force and application

ANNEX I ESSENTIAL CYBERSECURITY REQUIREMENTS

ANNEX II INFORMATION AND INSTRUCTIONS TO THE USER

ANNEX III IMPORTANT PRODUCTS WITH DIGITAL ELEMENTS

ANNEX IV CRITICAL PRODUCTS WITH DIGITAL ELEMENTS

ANNEX V EU DECLARATION OF CONFORMITY

ANNEX VI SIMPLIFIED EU DECLARATION OF CONFORMITY

ANNEX VII CONTENT OF THE TECHNICAL DOCUMENTATION

ANNEX VIII CONFORMITY ASSESSMENT PROCEDURES