
This document is an excerpt from the EUR-Lex website

Document 32024R2847

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)

PE/100/2023/REV/1

OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force: This act has been changed. Current consolidated version: 20/11/2024

ELI: http://data.europa.eu/eli/reg/2024/2847/oj


Official Journal of the European Union

EN

L series


2024/2847

20.11.2024

REGULATION (EU) 2024/2847 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 23 October 2024

on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1)

Cybersecurity is one of the key challenges for the Union. The number and variety of connected devices will rise exponentially in the coming years. Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy, but also on democracy as well as consumer safety and health. It is therefore necessary to strengthen the Union’s approach to cybersecurity, address cyber resilience at Union level and improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market. Two major problems adding costs for users and society should be addressed: a low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

(2)

This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency with regard to the support period for products with digital elements made available on the market.

(3)

Relevant Union law in force comprises several sets of horizontal rules that address certain aspects linked to cybersecurity from different angles, including measures to improve the security of the digital supply chain. However, existing Union law related to cybersecurity, including Regulation (EU) 2019/881 of the European Parliament and of the Council (3) and Directive (EU) 2022/2555 of the European Parliament and of the Council (4), does not directly cover mandatory requirements for the security of products with digital elements.

(4)

While existing Union law applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. The various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products and adding an unnecessary burden on businesses and organisations to comply with a number of requirements and obligations for similar types of products. The cybersecurity of those products has a particularly strong cross-border dimension, as products with digital elements manufactured in one Member State or third country are often used by organisations and consumers across the entire internal market. This makes it necessary to regulate the field at Union level to ensure a harmonised regulatory framework and legal certainty for users, organisations and businesses, including microenterprises and small and medium-sized enterprises as defined in the Annex to Commission Recommendation 2003/361/EC (5). The Union regulatory landscape should be harmonised by introducing horizontal cybersecurity requirements for products with digital elements. In addition, legal certainty for economic operators and users, as well as a better harmonisation of the internal market and proportionality for microenterprises and small and medium-sized enterprises, creating more viable conditions for economic operators aiming to enter that market, should be ensured across the Union.

(5)

As regards microenterprises and small and medium-sized enterprises, when determining the category an enterprise falls into, the provisions of the Annex to Recommendation 2003/361/EC should be applied in their entirety. Therefore, when calculating the staff headcount and financial ceilings determining the enterprise categories, the provisions of Article 6 of the Annex to Recommendation 2003/361/EC on establishing the data of an enterprise in consideration of specific types of enterprises, such as partner enterprises or linked enterprises, should also be applied.

(6)

The Commission should provide guidance to assist economic operators, in particular microenterprises and small and medium-sized enterprises, in the application of this Regulation. Such guidance should cover, inter alia, the scope of this Regulation, in particular remote data processing and its implications for free and open-source software developers, the application of the criteria used to determine support periods for products with digital elements, the interplay between this Regulation and other Union law and the concept of substantial modification.

(7)

At Union level, various programmatic and political documents, such as the Joint communication of the Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 16 December 2020, entitled ‘The EU’s Cybersecurity Strategy for the Digital Decade’, the Council Conclusions of 2 December 2020 on the cybersecurity of connected devices and of 23 May 2022 on the development of the European Union’s cyber posture and the European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity Strategy for the Digital Decade (6), have called for specific Union cybersecurity requirements for digital or connected products, with several third countries introducing measures to address this issue on their own initiative. In the final report of the Conference on the Future of Europe, citizens called for ‘a stronger role for the EU in countering cybersecurity threats’. In order for the Union to play a leading international role in the field of cybersecurity, it is important to establish an ambitious regulatory framework.

(8)

To increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objective-oriented and technology-neutral essential cybersecurity requirements for those products that apply horizontally.

(9)

Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered to be less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or to move laterally across systems. Manufacturers should therefore ensure that all products with digital elements are designed and developed in accordance with the essential cybersecurity requirements laid down in this Regulation. That obligation relates to both products that can be connected physically via hardware interfaces and products that are connected logically, such as via network sockets, pipes, files, application programming interfaces or any other types of software interface. As cyber threats can propagate through various products with digital elements before reaching a certain target, for example by chaining together multiple vulnerability exploits, manufacturers should also ensure the cybersecurity of products with digital elements that are only indirectly connected to other devices or networks.

(10)

By laying down cybersecurity requirements for placing on the market products with digital elements, it is intended that the cybersecurity of those products for consumers and businesses alike be enhanced. Those requirements will also ensure that cybersecurity is taken into account throughout supply chains, making final products with digital elements and their components more secure. This also includes requirements for placing on the market consumer products with digital elements intended for vulnerable consumers, such as toys and baby monitoring systems. Consumer products with digital elements categorised in this Regulation as important products with digital elements present a higher cybersecurity risk by performing a function which carries a significant risk of adverse effects in terms of its intensity and ability to damage the health, security or safety of users of such products, and should undergo a stricter conformity assessment procedure. This applies to such products as smart home products with security functionalities, including smart door locks, baby monitoring systems and alarm systems, connected toys and personal wearable health technology. Furthermore, the stricter conformity assessment procedures that other products with digital elements categorised in this Regulation as important or critical products with digital elements are required to undergo, will contribute to preventing potential negative impacts on consumers of the exploitation of vulnerabilities.

(11)

The purpose of this Regulation is to ensure a high level of cybersecurity of products with digital elements and their integrated remote data processing solutions. Such remote data processing solutions should be defined as data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product with digital elements concerned, the absence of which would prevent the product with digital elements from performing one of its functions. That approach ensures that such products are adequately secured in their entirety by their manufacturers, irrespective of whether data is processed or stored locally on the user’s device or remotely by the manufacturer. At the same time, processing or storage at a distance falls within the scope of this Regulation only in so far as it is necessary for a product with digital elements to perform its functions. Such processing or storage at a distance includes the situation where a mobile application requires access to an application programming interface or to a database provided by means of a service developed by the manufacturer. In such a case, the service falls within the scope of this Regulation as a remote data processing solution. The requirements concerning the remote data processing solutions falling within the scope of this Regulation do therefore not entail technical, operational or organisational measures aiming to manage the risks posed to the security of a manufacturer’s network and information systems as a whole.

(12)

Cloud solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet the definition laid down in this Regulation. For example, cloud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at a distance fall within the scope of this Regulation. On the other hand, websites that do not support the functionality of a product with digital elements, or cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements do not fall within the scope of this Regulation. Directive (EU) 2022/2555 applies to cloud computing services and cloud service models, such as Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). Entities providing cloud computing services in the Union which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, fall within the scope of that Directive.

(13)

In line with the objective of this Regulation to remove obstacles to the free movement of products with digital elements, Member States should not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements which comply with this Regulation. Therefore, for matters harmonised by this Regulation, Member States cannot impose additional cybersecurity requirements for the making available on the market of products with digital elements. Any entity, public or private, can however establish additional requirements to those laid down in this Regulation for the procurement or use of products with digital elements for its specific purposes, and can therefore choose to use products with digital elements that meet stricter or more specific cybersecurity requirements than those applicable for the making available on the market under this Regulation. Without prejudice to Directives 2014/24/EU (7) and 2014/25/EU (8) of the European Parliament and of the Council, when procuring products with digital elements, which must comply with the essential cybersecurity requirements laid down in this Regulation, including those relating to vulnerability handling, Member States should ensure that such requirements are taken into consideration in the procurement process and that the manufacturers’ ability to effectively apply cybersecurity measures and manage cyber threats are also taken into consideration. Furthermore, Directive (EU) 2022/2555 sets out cybersecurity risk-management measures for essential and important entities as referred to in Article 3 of that Directive that could entail supply chain security measures that require the use by such entities of products with digital elements meeting stricter cybersecurity requirements than those laid down in this Regulation. In accordance with Directive (EU) 2022/2555 and in line with its minimum harmonisation principle, Member States can therefore impose additional cybersecurity requirements for the use of information and communications technology (ICT) products by essential or important entities pursuant to that Directive in order to ensure a higher level of cybersecurity, provided that such requirements are consistent with Member States’ obligations laid down in Union law. Matters not covered by this Regulation can include non-technical factors relating to products with digital elements and the manufacturers thereof. Member States can therefore lay down national measures, including restrictions on products with digital elements or suppliers of such products that take account of non-technical factors. National measures relating to such factors are required to comply with Union law.

(14)

This Regulation should be without prejudice to the Member States’ responsibility for safeguarding national security, in compliance with Union law. Member States should be able to subject products with digital elements that are procured or used for national security or defence purposes to additional measures, provided that such measures are consistent with Member States’ obligations laid down in Union law.

(15)

This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity. Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services, by requiring as a condition for use the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements. Accepting donations without the intention of making a profit should not be considered to be a commercial activity.

(16)

Products with digital elements provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly related to the operation of that service, such as may be the case with certain products with digital elements provided by public administration entities, should not be considered on those grounds alone to be a commercial activity for the purposes of this Regulation. Furthermore, products with digital elements which are developed or modified by a public administration entity exclusively for its own use should not be considered to be made available on the market within the meaning of this Regulation.

(17)

Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. To foster the development and deployment of free and open-source software, in particular by microenterprises and small and medium-sized enterprises, including start-ups, individuals, not-for-profit organisations, and academic research organisations, the application of this Regulation to products with digital elements qualifying as free and open-source software supplied for distribution or use in the course of a commercial activity should take into account the nature of the different development models of software distributed and developed under free and open-source software licences.

(18)

Free and open-source software is understood as software the source code of which is openly shared and the licensing of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software is developed, maintained and distributed openly, including via online platforms. In relation to economic operators that fall within the scope of this Regulation, only free and open-source software made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, should fall within the scope of this Regulation. The mere circumstances under which the product with digital elements has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity. More specifically, for the purposes of this Regulation and in relation to the economic operators that fall within its scope, to ensure that there is a clear distinction between the development and supply phases, the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered to be a commercial activity. Furthermore, the supply of products with digital elements qualifying as free and open-source software components intended for integration by other manufacturers into their own products with digital elements should be considered to be making available on the market only if the component is monetised by its original manufacturer. For instance, the mere fact that an open-source software product with digital elements receives financial support from manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature. In addition, the mere presence of regular releases should not in itself lead to the conclusion that a product with digital elements is supplied in the course of a commercial activity. Finally, for the purposes of this Regulation, the development of products with digital elements qualifying as free and open-source software by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives. This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility.

(19)

Taking into account the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are published, but not made available on the market within the meaning of this Regulation, legal persons who provide support on a sustained basis for the development of such products which are intended for commercial activities, and who play a main role in ensuring the viability of those products (open-source software stewards), should be subject to a light-touch and tailor-made regulatory regime. Open-source software stewards include certain foundations as well as entities that develop and publish free and open-source software in a business context, including not-for-profit entities. The regulatory regime should take account of their specific nature and compatibility with the type of obligations imposed. It should only cover products with digital elements qualifying as free and open-source software that are ultimately intended for commercial activities, such as for integration into commercial services or into monetised products with digital elements. For the purposes of that regulatory regime, an intention for integration into monetised products with digital elements includes cases where manufacturers that integrate a component into their own products with digital elements either contribute to the development of that component in a regular manner or provide regular financial assistance to ensure the continuity of a software product. The provision of sustained support to the development of a product with digital elements includes but is not limited to the hosting and managing of software development collaboration platforms, the hosting of source code or software, the governing or managing of products with digital elements qualifying as free and open-source software as well as the steering of the development of such products. Given that the light-touch and tailor-made regulatory regime does not subject those acting as open-source software stewards to the same obligations as those acting as manufacturers under this Regulation, they should not be permitted to affix the CE marking to the products with digital elements whose development they support.

(20)

The sole act of hosting products with digital elements on open repositories, including through package managers or on collaboration platforms, does not in itself constitute the making available on the market of a product with digital elements. Providers of such services should be considered to be distributors only if they make such software available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity.

(21)

In order to support and facilitate the due diligence of manufacturers that integrate free and open-source software components that are not subject to the essential cybersecurity requirements set out in this Regulation into their products with digital elements, the Commission should be able to establish voluntary security attestation programmes, either by a delegated act supplementing this Regulation or by requesting a European cybersecurity certification scheme pursuant to Article 48 of Regulation (EU) 2019/881 that takes into account the specificities of the free and open-source software development models. The security attestation programmes should be conceived in such a way that not only natural or legal persons developing or contributing to the development of a product with digital elements qualifying as free and open-source software can initiate or finance a security attestation but also third parties, such as manufacturers that integrate such products into their own products with digital elements, users, or Union and national public administrations.

(22)

In view of the public cybersecurity objectives of this Regulation and in order to improve the situational awareness of Member States as regards the Union’s dependency on software components and in particular on potentially free and open-source software components, a dedicated administrative cooperation group (ADCO) established by this Regulation should be able to decide to jointly undertake a Union dependency assessment. Market surveillance authorities should be able to request manufacturers of categories of products with digital elements established by ADCO to submit the software bills of materials (SBOMs) that they have generated pursuant to this Regulation. In order to protect the confidentiality of SBOMs, market surveillance authorities should submit relevant information about dependencies to ADCO in an anonymised and aggregated manner.

(23)

The effectiveness of the implementation of this Regulation will also depend on the availability of adequate cybersecurity skills. At Union level, various programmatic and political documents, including the Commission communication of 18 April 2023 on Closing the cybersecurity talent gap to boost the EU’s competitiveness, growth and resilience and the Council Conclusions of 22 May 2023 on the EU Policy on Cyber Defence acknowledged the cybersecurity skills gap in the Union and the need to address such challenges as a matter of priority, in both the public and private sectors. With a view to ensuring an effective implementation of this Regulation, Member States should ensure that adequate resources are available for the appropriate staffing of the market surveillance authorities and conformity assessment bodies to perform their tasks as laid down in this Regulation. Those measures should enhance workforce mobility in the cybersecurity field and their associated career pathways. They should also contribute to making the cybersecurity workforce more resilient and inclusive, also in terms of gender. Member States should therefore take measures to ensure that those tasks are carried out by adequately trained professionals, with the necessary cybersecurity skills. Similarly, manufacturers should ensure that their staff has the necessary skills to comply with their obligations as laid down in this Regulation. Member States and the Commission, in line with their prerogatives and competences and the specific tasks conferred upon them by this Regulation, should take measures to support manufacturers and in particular microenterprises and small and medium-sized enterprises, including start-ups, also in areas such as skill development, for the purposes of compliance with their obligations as laid down in this Regulation. 
Furthermore, as Directive (EU) 2022/2555 requires Member States to adopt policies promoting and developing training on cybersecurity and cybersecurity skills as part of their national cybersecurity strategies, Member States may also consider, when adopting such strategies, addressing the cybersecurity skills needs resulting from this Regulation, including those relating to re-skilling and up-skilling.

(24)

A secure internet is indispensable for the functioning of critical infrastructures and for society as a whole. Directive (EU) 2022/2555 aims at ensuring a high level of cybersecurity of services provided by essential and important entities as referred to in Article 3 of that Directive, including digital infrastructure providers that support core functions of the open internet, ensure internet access and provide internet services. It is therefore important that the products with digital elements necessary for digital infrastructure providers to ensure the functioning of the internet are developed in a secure manner and that they comply with well-established internet security standards. This Regulation, which applies to all connectable hardware and software products, also aims at facilitating the compliance of digital infrastructure providers with the supply chain requirements under Directive (EU) 2022/2555 by ensuring that the products with digital elements that they use for the provision of their services are developed in a secure manner and that they have access to timely security updates for such products.

(25)

Regulation (EU) 2017/745 of the European Parliament and of the Council (9) lays down rules on medical devices and Regulation (EU) 2017/746 of the European Parliament and of the Council (10) lays down rules on in vitro diagnostic medical devices. Those Regulations address cybersecurity risks and follow particular approaches that are also addressed in this Regulation. More specifically, Regulations (EU) 2017/745 and (EU) No 2017/746 lay down essential requirements for medical devices that function through an electronic system or that are software themselves. Certain non-embedded software and the whole lifecycle approach are also covered by those Regulations. Those requirements mandate manufacturers to develop and build their products by applying risk management principles and by setting out requirements concerning IT security measures, as well as corresponding conformity assessment procedures. Furthermore, specific guidance on cybersecurity for medical devices is in place since December 2019, providing manufacturers of medical devices, including in vitro diagnostic devices, with guidance on how to fulfil all the relevant essential requirements set out in Annex I to those Regulations with regard to cybersecurity. Products with digital elements to which either of those Regulations apply should not therefore be subject to this Regulation.

(26)

Products with digital elements that are developed or modified exclusively for national security or defence purposes or products that are specifically designed to process classified information fall outside the scope of this Regulation. Member States are encouraged to ensure the same or a higher level of protection for those products as for those falling within the scope of this Regulation.

(27)

Regulation (EU) 2019/2144 of the European Parliament and of the Council (11) establishes requirements for the type-approval of vehicles, and of their systems and components, introducing certain cybersecurity requirements, including on the operation of a certified cybersecurity management system, on software updates, covering organisations’ policies and processes for cybersecurity risks related to the entire lifecycle of vehicles, equipment and services in compliance with the applicable United Nations regulations on technical specifications and cybersecurity, in particular UN Regulation No 155 – Uniform provisions concerning the approval of vehicles with regards to cybersecurity and cybersecurity management system (12) and providing for specific conformity assessment procedures. In the area of aviation, the principal objective of Regulation (EU) 2018/1139 of the European Parliament and of the Council (13) is to establish and maintain a high uniform level of civil aviation safety in the Union. It creates a framework for essential requirements for airworthiness for aeronautical products, parts and equipment, including software, that includes obligations to protect against information security threats. The certification process under Regulation (EU) 2018/1139 ensures the level of assurance aimed for by this Regulation. Products with digital elements to which Regulation (EU) 2019/2144 applies and products certified in accordance with Regulation (EU) 2018/1139 should not therefore be subject to the essential cybersecurity requirements and conformity assessment procedures set out in this Regulation.

(28)

This Regulation lays down horizontal cybersecurity rules which are not specific to sectors or to certain products with digital elements. Nevertheless, sectoral or product-specific Union rules could be introduced, laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in this Regulation. In such cases, the application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in this Regulation may be limited or excluded where such limitation or exclusion is consistent with the overall regulatory framework applying to those products and where the sectoral rules achieve at least the same level of protection as the one provided for by this Regulation. The Commission should be empowered to adopt delegated acts to supplement this Regulation by identifying such products and rules. For existing Union law where such limitation or exclusion should apply, this Regulation contains specific provisions to clarify its relation with that Union law.

(29)

In order to ensure that products with digital elements made available on the market can be repaired effectively and their durability extended, an exemption should be provided for spare parts. That exemption should cover both spare parts that have the purpose of repairing legacy products made available before the date of application of this Regulation and spare parts that have already undergone a conformity assessment procedure pursuant to this Regulation.

(30)

Commission Delegated Regulation (EU) 2022/30 (14) specifies that a number of essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU of the European Parliament and of the Council (15), relating to network harm and misuse of network resources, personal data and privacy, and fraud, apply to certain radio equipment. Commission Implementing Decision C(2022) 5637 of 5 August 2022 on a standardisation request to the European Committee for Standardisation and the European Committee for Electrotechnical Standardisation lays down requirements for the development of specific standards further specifying how those essential requirements should be addressed. The essential cybersecurity requirements set out in this Regulation include all the elements of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU. Furthermore, the essential cybersecurity requirements set out in this Regulation are aligned with the objectives of the requirements for specific standards included in that standardisation request. Therefore, when the Commission repeals or amends Delegated Regulation (EU) 2022/30 with the consequence that it ceases to apply to certain products subject to this Regulation, the Commission and the European standardisation organisations should take into account the standardisation work carried out in the context of Implementing Decision C(2022) 5637 in the preparation and development of harmonised standards to facilitate the implementation of this Regulation. During the transitional period for the application of this Regulation, the Commission should provide guidance to manufacturers subject to this Regulation that are also subject to Delegated Regulation (EU) 2022/30 to facilitate the demonstration of compliance with the two Regulations.

(31)

Directive (EU) 2024/2853 of the European Parliament and of the Council (16) is complementary to this Regulation. That Directive sets out liability rules for defective products so that injured persons can claim compensation when a damage has been caused by defective products. It establishes the principle that the manufacturer of a product is liable for damages caused by a lack of safety in their product irrespective of fault (strict liability). Where such a lack of safety consists in a lack of security updates after the placing on the market of the product, and this causes damage, the liability of the manufacturer could be triggered. Obligations for manufacturers that concern the provision of such security updates should be laid down in this Regulation.

(32)

This Regulation should be without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (17), including to provisions relating to the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with that Regulation. Such operations could be embedded in a product with digital elements. Data protection by design and by default, and cybersecurity in general, are key elements of Regulation (EU) 2016/679. By protecting consumers and organisations from cybersecurity risks, the essential cybersecurity requirements laid down in this Regulation are also to contribute to enhancing the protection of personal data and privacy of individuals. Synergies on both standardisation and certification of cybersecurity aspects should be considered through the cooperation between the Commission, the European standardisation organisations, the European Union Agency for Cybersecurity (ENISA), the European Data Protection Board established by Regulation (EU) 2016/679, and the national data protection supervisory authorities. Synergies between this Regulation and Union data protection law should also be created in the area of market surveillance and enforcement. To that end, national market surveillance authorities designated under this Regulation should cooperate with authorities supervising the application of Union data protection law. The latter should also have access to information relevant for accomplishing their tasks.

(33)

To the extent that their products fall within the scope of this Regulation, providers of European Digital Identity Wallets as referred to in Article 5a(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council (18), should comply with both the horizontal essential cybersecurity requirements set out in this Regulation and the specific security requirements set out in Article 5a of Regulation (EU) No 910/2014. In order to facilitate compliance, wallet providers should be able to demonstrate the compliance of European Digital Identity Wallets with the requirements set out in this Regulation and in Regulation (EU) No 910/2014, respectively, by certifying their products under a European cybersecurity certification scheme established under Regulation (EU) 2019/881 and for which the Commission has specified, by means of delegated acts, a presumption of conformity with this Regulation, in so far as the certificate, or parts thereof, covers those requirements.

(34)

When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in this Regulation, exercise due diligence with regard to those components, including free and open-source software components that have not been made available on the market. The appropriate level of due diligence depends on the nature and the level of cybersecurity risk associated with a given component, and should, for that purpose, take into account one or more of the following actions: verifying, as applicable, that the manufacturer of a component has demonstrated conformity with this Regulation, including by checking if the component already bears the CE marking; verifying that a component receives regular security updates, such as by checking its security updates history; verifying that a component is free from vulnerabilities registered in the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible vulnerability databases; or carrying out additional security tests. The vulnerability handling obligations set out in this Regulation, which manufacturers have to comply with when placing a product with digital elements on the market and for the support period, apply to products with digital elements in their entirety, including to all integrated components. Where, in the exercise of due diligence, the manufacturer of the product with digital elements identifies a vulnerability in a component, including in a free and open-source component, it should inform the person or entity manufacturing or maintaining the component, address and remediate the vulnerability, and, where applicable, provide the person or entity with the applied security fix.
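The due-diligence actions listed in recital (34), checking a component against publicly accessible vulnerability databases and checking its security-update history, are naturally driven by the SBOM that recital (22) requires manufacturers to generate. The following is an added example written for this page, not code from the Regulation or from any EU body: it walks a constructed CycloneDX SBOM, matches each component's version against a constructed advisory list (a stand-in for the European vulnerability database or another public feed; the advisory identifiers are invented), and flags components whose last security release is older than a year. The package names, versions, dates and the one-year staleness threshold are all assumptions for illustration.

```python
"""SBOM-driven component due diligence (added example, not part of the Regulation).

Assumptions (not from the page): SBOM is CycloneDX 1.5 JSON, the advisory feed and
the security-update history are constructed local data standing in for a public
vulnerability database and for the component's release history.
"""
import json
from datetime import date, timedelta

# Constructed CycloneDX SBOM for a hypothetical product; names and versions are invented.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "2.4.1",
     "purl": "pkg:generic/libexample-tls@2.4.1"},
    {"type": "library", "name": "jsonparse", "version": "0.9.0",
     "purl": "pkg:generic/jsonparse@0.9.0"},
    {"type": "library", "name": "widgetkit", "version": "5.0.2",
     "purl": "pkg:generic/widgetkit@5.0.2"}
  ]
}
"""

# Constructed advisory feed: (package, first affected version inclusive,
# first fixed version exclusive, advisory id). The ids are invented for this example.
ADVISORIES = [
    ("libexample-tls", "2.0.0", "2.4.0", "EXAMPLE-ADV-0001"),
    ("jsonparse", "0.0.0", "1.0.0", "EXAMPLE-ADV-0002"),
]

# Constructed security-update history: package -> date of its most recent security release.
LAST_SECURITY_RELEASE = {
    "libexample-tls": date(2024, 9, 1),
    "jsonparse": date(2021, 3, 15),
    "widgetkit": date(2024, 10, 20),
}

STALE_AFTER = timedelta(days=365)  # assumed threshold for "no regular security updates"


def vtuple(version):
    """Parse a dotted numeric version into a tuple so 2.10 compares greater than 2.9."""
    return tuple(int(part) for part in version.split("."))


def affected(name, version):
    """Advisory ids whose affected range [first, fixed) contains this version."""
    v = vtuple(version)
    return [adv for pkg, first, fixed, adv in ADVISORIES
            if pkg == name and vtuple(first) <= v < vtuple(fixed)]


def check_sbom(sbom_json, today):
    """Run both checks over every SBOM component.

    Returns {name: {"version": str, "vulnerabilities": [ids], "stale": bool}}.
    """
    sbom = json.loads(sbom_json)
    report = {}
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        last = LAST_SECURITY_RELEASE.get(name)
        report[name] = {
            "version": version,
            "vulnerabilities": affected(name, version),
            # No update history at all is itself a finding, so it is treated as stale.
            "stale": last is None or today - last > STALE_AFTER,
        }
    return report


def findings(report):
    """Sorted names of components that need action before integration."""
    return sorted(n for n, r in report.items() if r["vulnerabilities"] or r["stale"])


def demo_report():
    """Run the checks against the constructed SBOM as of an assumed assessment date."""
    return check_sbom(SBOM_JSON, date(2025, 7, 3))


if __name__ == "__main__":
    rep = demo_report()
    for name, r in rep.items():
        print(f"{name} {r['version']}: vulns={r['vulnerabilities']} stale={r['stale']}")
    print("needs action:", findings(rep))
```

Running the block reports `jsonparse` as both affected by an open advisory and without a security release for over a year, while `libexample-tls` 2.4.1 sits above the fixed version and is not flagged. In practice the advisory list would be replaced by a query to the vulnerability databases the recital names, and a component with no discoverable update history should be treated as a finding rather than silently passed, which is why `stale` defaults to true when the history is absent.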

(35)

Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates one or several components sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers of those components have demonstrated conformity with this Regulation by checking, for instance, if the components already bear the CE marking. This may be the case where the components have been integrated before this Regulation becomes applicable to the manufacturers of those components. In such a case, a manufacturer integrating such components should exercise due diligence through other means.

(36)

Products with digital elements should bear the CE marking to visibly, legibly and indelibly indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing on the market of products with digital elements that comply with the requirements laid down in this Regulation and bear the CE marking. Furthermore, at trade fairs, exhibitions and demonstrations or similar events, Member States should not prevent the presentation or use of a product with digital elements which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that the product does not comply with this Regulation and that it is not to be made available on the market until it does so.

(37)

In order to ensure that manufacturers can release software for testing purposes before subjecting their products with digital elements to conformity assessment, Member States should not prevent the making available of unfinished software, such as alpha versions, beta versions or release candidates, provided that the unfinished software is made available only for the time necessary to test it and gather feedback. Manufacturers should ensure that software made available under those conditions is released only following a risk assessment and that it complies to the extent possible with the security requirements relating to the properties of products with digital elements laid down in this Regulation. Manufacturers should also implement the vulnerability handling requirements to the extent possible. Manufacturers should not force users to upgrade to versions only released for testing purposes.

(38)

In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential cybersecurity requirements should be set out for such products. Those essential cybersecurity requirements, including vulnerability management handling requirements, apply to each individual product with digital elements when placed on the market, irrespective of whether the product with digital elements is manufactured as an individual unit or in series. For example, for a product type, each individual product with digital elements should have received all security patches or updates available to address relevant security issues when it is placed on the market. Where products with digital elements are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer in the initial risk assessment and that may imply that they no longer meet the relevant essential cybersecurity requirements, the modification should be considered to be substantial. For example, repairs could be assimilated to maintenance operations provided that they do not modify a product with digital elements already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended purpose for which the product has been assessed may be changed.

(39)

As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software change where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update, and the updated version of the product is made available on the market. Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification. This usually includes situations where a security update entails only minor adjustments of the source code. For example, this could be the case where a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification. Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation. 
In assessing whether a feature update is considered to be a substantial modification it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification.

(40)

Taking into account the iterative nature of software development, manufacturers that have placed subsequent versions of a software product on the market as a result of a subsequent substantial modification of that product should be able to provide security updates for the support period only for the version of the software product that they have last placed on the market. They should be able to do so only if the users of the relevant previous product versions have access to the product version last placed on the market free of charge and do not incur additional costs to adjust the hardware or software environment in which they operate the product. This could, for instance, be the case where a desktop operating system upgrade does not require new hardware, such as a faster central processing unit or more memory. Nonetheless, the manufacturer should continue to comply, for the support period, with other vulnerability-handling requirements, such as having a policy on coordinated vulnerability disclosure or measures in place to facilitate the sharing of information about potential vulnerabilities for all subsequent substantially modified versions of the software product placed on the market. Manufacturers should be able to provide minor security or functionality updates that do not constitute a substantial modification only for the latest version or sub-version of a software product that has not been substantially modified. At the same time, where a hardware product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version of the operating system for the support period.

(41)

In line with the commonly established concept of substantial modification for products regulated by Union harmonisation legislation, where a substantial modification occurs that may affect the compliance of a product with digital elements with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, it undergoes a new conformity assessment. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, a change that might lead to a substantial modification should be notified to the third party.

(42)

Where a product with digital elements is subject to ‘refurbishment’, ‘maintenance’ and ‘repair’ as defined in Article 2, points (18), (19) and (20), of Regulation (EU) 2024/1781 of the European Parliament and of the Council (19), this does not necessarily lead to a substantial modification of the product, for instance if the intended purpose and functionalities are not changed and the level of risk remains unaffected. However, an upgrade of a product with digital elements by the manufacturer might lead to changes in the design and development of that product and might therefore affect its intended purpose and compliance with the requirements set out in this Regulation.

(43)

Products with digital elements should be considered to be important if the negative impact of the exploitation of potential vulnerabilities in the product can be severe due to, inter alia, the cybersecurity-related functionality or a function carrying a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data. In particular, vulnerabilities in products with digital elements that have a cybersecurity-related functionality, such as boot managers, can lead to a propagation of security issues throughout the supply chain. The severity of the impact of an incident may also increase where the product primarily performs a central system function, including network management, configuration control, virtualisation or processing of personal data.

(44)

Certain categories of products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For that purpose, important products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to those categories of products. An incident involving important products with digital elements that fall under class II might lead to greater negative impacts than an incident involving important products with digital elements that fall under class I, for instance due to the nature of their cybersecurity-related function or the performance of another function which carries a significant risk of adverse effects. As an indication of such greater negative impacts, products with digital elements that fall under class II could either perform a cybersecurity-related functionality or another function which carries a significant risk of adverse effects that is higher than for those listed in class I, or meet both of the aforementioned criteria. Important products with digital elements that fall under class II should therefore be subject to a stricter conformity assessment procedure.

(45)

Important products with digital elements as referred to in this Regulation should be understood as products which have the core functionality of a category of important products with digital elements that is set out in this Regulation. For example, this Regulation sets out categories of important products with digital elements which are defined by their core functionality as firewalls or intrusion detection or prevention systems in class II. As a result, firewalls and intrusion detection or prevention systems are subject to mandatory third-party conformity assessment. This is not the case for other products with digital elements not categorised as important products with digital elements which may integrate firewalls or intrusion detection or prevention systems. The Commission should adopt an implementing act to specify the technical description of the categories of important products with digital elements that fall under classes I and II as set out in this Regulation.

(46)

The categories of critical products with digital elements set out in this Regulation have a cybersecurity-related functionality and perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements through direct manipulation. Furthermore, those categories of products with digital elements are considered to be critical dependencies for essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555. The categories of critical products with digital elements set out in an annex to this Regulation, due to their criticality, already widely use various forms of certification, and are also covered by the European Common Criteria-based cybersecurity certification scheme (EUCC) set out in Commission Implementing Regulation (EU) 2024/482 (20). Therefore, in order to ensure a common adequate cybersecurity protection of critical products with digital elements in the Union, it could be adequate and proportionate to subject such categories of product, by means of a delegated act, to mandatory European cybersecurity certification where a relevant European cybersecurity certification scheme covering those products is already in place and an assessment of the potential market impact of the envisaged mandatory certification has been carried out by the Commission. That assessment should consider both the supply and demand side, including whether there is sufficient demand for the products with digital elements concerned from both Member States and users for European cybersecurity certification to be required, as well as the purposes for which the products with digital elements are intended to be used, including the critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555. The assessment should also analyse the potential effects of the mandatory certification on the availability of those products on the internal market and the capabilities and the readiness of the Member States for the implementation of the relevant European cybersecurity certification schemes.

(47)

Delegated acts requiring mandatory European cybersecurity certification should determine the products with digital elements that have the core functionality of a category of critical products with digital elements set out in this Regulation that are to be subject to mandatory certification, as well as the required assurance level, which should be at least ‘substantial’. The required assurance level should be proportionate to the level of cybersecurity risk associated with the product with digital elements. For instance, where the product with digital elements has the core functionality of a category of critical products with digital elements set out in this Regulation and is intended for the use in a sensitive or critical environment, such as products intended for the use of essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555, it may require the highest assurance level.

(48)

In order to ensure a common adequate cybersecurity protection in the Union of products with digital elements that have the core functionality of a category of critical products with digital elements set out in this Regulation, the Commission should also be empowered to adopt delegated acts to amend this Regulation by adding or withdrawing categories of critical products with digital elements for which manufacturers could be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 to demonstrate conformity with this Regulation. A new category of critical products with digital elements can be added to those categories if there is a critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 or, if affected by incidents or when containing exploited vulnerabilities, this could lead to disruptions of critical supply chains. When assessing the need for adding or withdrawing categories of critical products with digital elements by means of a delegated act, the Commission should be able to take into account whether the Member States have identified at national level products with digital elements that have a critical role for the resilience of essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 and which increasingly face supply chain cyberattacks, with potential serious disruptive effects. Furthermore, the Commission should be able to take into account the outcome of the Union level coordinated security risk assessment of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555.

(49)

The Commission should ensure that a wide range of relevant stakeholders are consulted in a structured and regular manner when preparing measures for the implementation of this Regulation. This should particularly be the case where the Commission assesses the need for potential updates to the lists of categories of important or critical products with digital elements, where relevant manufacturers should be consulted and their views taken into account in order to analyse the cybersecurity risks as well as the balance of costs and benefits of designating such categories of products as important or critical.

(50)

This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are not always related to cybersecurity but can be a consequence of a security breach. Those risks should continue to be regulated by relevant Union harmonisation legislation other than this Regulation. If no Union harmonisation legislation other than this Regulation is applicable, they should be subject to Regulation (EU) 2023/988 of the European Parliament and of the Council (21). Therefore, in light of the targeted nature of this Regulation, as a derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of Regulation (EU) 2023/988 should apply to products with digital elements with respect to safety risks not covered by this Regulation, if those products are not subject to specific requirements laid down in Union harmonisation legislation other than this Regulation within the meaning of Article 3, point (27), of Regulation (EU) 2023/988.

(51)

Products with digital elements classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689 of the European Parliament and of the Council (22) which fall within the scope of this Regulation should comply with the essential cybersecurity requirements set out in this Regulation. Where those high-risk AI systems fulfil the essential cybersecurity requirements set out in this Regulation, they should be deemed to comply with the cybersecurity requirements set out in Article 15 of Regulation (EU) 2024/1689 in so far as those requirements are covered by the EU declaration of conformity or parts thereof issued under this Regulation. For that purpose, the assessment of the cybersecurity risks associated with a product with digital elements classified as a high-risk AI system pursuant to Regulation (EU) 2024/1689 that is to be taken into account during the planning, design, development, production, delivery and maintenance phases of such product, as required under this Regulation, should take into account risks to the cyber resilience of an AI system as regards attempts by unauthorised third parties to alter its use, behaviour or performance, including AI specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights, in accordance with Regulation (EU) 2024/1689. As regards the conformity assessment procedures relating to the essential cybersecurity requirements for a product with digital elements that falls within the scope of this Regulation and that is classified as a high-risk AI system, Article 43 of Regulation (EU) 2024/1689 should apply as a rule instead of the relevant provisions of this Regulation. However, that rule should not result in a reduction of the necessary level of assurance for important or critical products with digital elements as referred to in this Regulation. Therefore, by way of derogation from that rule, high-risk AI systems that fall within the scope of Regulation (EU) 2024/1689 which are also important or critical products with digital elements as referred to in this Regulation and to which the conformity assessment procedure based on internal control referred to in Annex VI to Regulation (EU) 2024/1689 applies, should be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned. In such a case, for all the other aspects covered by Regulation (EU) 2024/1689 the relevant provisions on conformity assessment based on internal control set out in Annex VI to that Regulation should apply.

(52)

In order to improve the security of products with digital elements placed on the internal market it is necessary to lay down essential cybersecurity requirements applicable to such products. Those essential cybersecurity requirements should be without prejudice to the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, which take into account both technical and, where relevant, non-technical risk factors, such as undue influence by a third country on suppliers. Furthermore, they should be without prejudice to the Member States’ prerogative to lay down additional requirements that take account of non-technical factors for the purpose of ensuring a high level of resilience, including those defined in Commission Recommendation (EU) 2019/534 (23), in the EU coordinated risk assessment of the cybersecurity of 5G networks and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

(53)

Manufacturers of products falling within the scope of Regulation (EU) 2023/1230 of the European Parliament and of the Council (24) which are also products with digital elements as defined in this Regulation should comply with both the essential cybersecurity requirements set out in this Regulation and the essential health and safety requirements set out in Regulation (EU) 2023/1230. The essential cybersecurity requirements set out in this Regulation and certain essential requirements set out in Regulation (EU) 2023/1230 might address similar cybersecurity risks. Therefore, the compliance with the essential cybersecurity requirements set out in this Regulation could facilitate the compliance with the essential requirements that also cover certain cybersecurity risks as set out in Regulation (EU) 2023/1230, and in particular those regarding the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation. Such synergies have to be demonstrated by the manufacturer, for instance by applying, where available, harmonised standards or other technical specifications covering relevant essential cybersecurity requirements following a risk assessment covering those cybersecurity risks. The manufacturer should also follow the applicable conformity assessment procedures set out in this Regulation and in Regulation (EU) 2023/1230. The Commission and the European standardisation organisations, in the preparatory work supporting the implementation of this Regulation and of Regulation (EU) 2023/1230 and the related standardisation processes, should promote consistency in how the cybersecurity risks are to be assessed and in how those risks are to be covered by harmonised standards with regard to the relevant essential requirements. In particular, the Commission and the European standardisation organisations should take into account this Regulation in the preparation and development of harmonised standards to facilitate the implementation of Regulation (EU) 2023/1230 as regards in particular the cybersecurity aspects related to the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation. The Commission should provide guidance to support manufacturers subject to this Regulation that are also subject to Regulation (EU) 2023/1230, in particular to facilitate the demonstration of compliance with relevant essential requirements set out in this Regulation and in Regulation (EU) 2023/1230.

(54)

In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as during the time the product with digital elements is expected to be in use, it is necessary to lay down essential cybersecurity requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements. While manufacturers should comply with all essential cybersecurity requirements related to vulnerability handling throughout the support period, they should determine which other essential cybersecurity requirements related to the product properties are relevant for the type of product with digital elements concerned. For that purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential cybersecurity requirements in order to make available their products with digital elements without known exploitable vulnerabilities that might have an impact on the security of those products and to appropriately apply suitable harmonised standards, common specifications or European or international standards.

(55)

Where certain essential cybersecurity requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment included in the technical documentation. This could be the case where an essential cybersecurity requirement is incompatible with the nature of a product with digital elements. For example, the intended purpose of a product with digital elements may require the manufacturer to follow widely recognised interoperability standards even if its security features are no longer considered to be state of the art. Similarly, other Union law requires manufacturers to apply specific interoperability requirements. Where an essential cybersecurity requirement is not applicable to a product with digital elements, but the manufacturer has identified cybersecurity risks in relation to that essential cybersecurity requirement, it should take measures to address those risks by other means, for instance by limiting the intended purpose of the product to trusted environments or by informing the users about those risks.

(56)

One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the latest available security updates as soon as possible. Manufacturers should therefore design their products and put in place processes to ensure that products with digital elements include functions that enable the notification, distribution, download and installation of security updates automatically, in particular in the case of consumer products. They should also provide the possibility to approve the download and installation of the security updates as a final step. Users should retain the ability to deactivate automatic updates, with a clear and easy-to-use mechanism, supported by clear instructions on how users can opt out. The requirements relating to automatic updates as set out in an annex to this Regulation are not applicable to products with digital elements primarily intended to be integrated as components into other products. They also do not apply to products with digital elements for which users would not reasonably expect automatic updates, including products with digital elements intended to be used in professional ICT networks, and especially in critical and industrial environments where an automatic update could cause interference with operations. Irrespective of whether a product with digital elements is designed to receive automatic updates or not, its manufacturer should inform users about vulnerabilities and make security updates available without delay. Where a product with digital elements has a user interface or similar technical means allowing direct interaction with its users, the manufacturer should make use of such features to inform users that their product with digital elements has reached the end of the support period. Notifications should be limited to what is necessary in order to ensure the effective reception of this information and should not have a negative impact on the user experience of the product with digital elements.

(57)

To improve the transparency of vulnerability handling processes and to ensure that users are not required to install new functionality updates for the sole purpose of receiving the latest security updates, manufacturers should ensure, where technically feasible, that new security updates are provided separately from functionality updates.
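The update behaviour described in recitals (56) and (57) is easier to reason about as a small state machine than as prose: security updates are applied automatically by default, the user can deactivate that or insist on approving the final step, security updates travel on their own track so nobody has to accept a functionality release to get a fix, and the product's own user interface carries the vulnerability notice and the end-of-support notice. The following model is an added example, not text or code from the Regulation or from any manufacturer; the class and function names, the update feed, the version numbers and the advisory identifiers (`ADV-…`) are all constructed for illustration, and the Regulation itself prescribes none of them.

```python
"""Illustrative model of a product updater shaped by recitals (56) and (57) of the
Cyber Resilience Act. Added example: names, feed and advisory IDs are constructed."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Tuple


class Kind(Enum):
    SECURITY = "security"
    FUNCTIONALITY = "functionality"


@dataclass(frozen=True)
class Update:
    version: str
    kind: Kind
    fixes: Tuple[str, ...] = ()  # advisory identifiers resolved by this update (constructed)


@dataclass
class UpdatePolicy:
    # Recital (56): automatic security updates are the default; both switches are the
    # user's, reachable through a clear opt-out mechanism in the product.
    automatic: bool = True          # False = user has deactivated automatic updates
    require_approval: bool = False  # True = user approves download/installation as the final step


@dataclass
class Device:
    installed: str
    support_end: date
    policy: UpdatePolicy = field(default_factory=UpdatePolicy)
    ui_messages: List[str] = field(default_factory=list)  # what the user interface shows
    pending: List[Update] = field(default_factory=list)   # staged, awaiting approval


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric comparison of dotted versions, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in v.split("."))


def split_feed(feed: List[Update], installed: str):
    """Recital (57): security and functionality updates are kept on separate tracks.
    In practice the security track is a backport series; here each update is treated
    as applicable on its own to whatever is installed."""
    newer = [u for u in feed if version_key(u.version) > version_key(installed)]
    by_version = lambda u: version_key(u.version)
    security = sorted((u for u in newer if u.kind is Kind.SECURITY), key=by_version)
    features = sorted((u for u in newer if u.kind is Kind.FUNCTIONALITY), key=by_version)
    return security, features


def sync(device: Device, feed: List[Update], today: date) -> List[str]:
    """One update-check cycle. Returns the actions taken, for inspection."""
    log: List[str] = []
    if today > device.support_end:
        # Recital (56): the product's own UI tells the user the support period has ended.
        device.ui_messages.append(
            f"Support period ended {device.support_end.isoformat()}; "
            "no further security updates will be provided.")
        log.append("end-of-support notice shown")
    security, features = split_feed(feed, device.installed)
    for u in security:
        # Users are told about the vulnerability whether or not updates are automatic.
        device.ui_messages.append(f"Security update {u.version} fixes {', '.join(u.fixes)}")
        if not device.policy.automatic:
            log.append(f"security {u.version}: offered (automatic updates deactivated)")
        elif device.policy.require_approval:
            device.pending.append(u)
            log.append(f"security {u.version}: downloaded, awaiting user approval")
        else:
            device.installed = u.version
            log.append(f"security {u.version}: installed automatically")
    for u in features:
        # Functionality releases are offered on their own and never bundled with fixes.
        log.append(f"functionality {u.version}: offered separately, not installed")
    return log


def approve_pending(device: Device) -> List[str]:
    """The final approval step: the user accepts the staged security updates."""
    installed = [u.version for u in device.pending]
    if installed:
        device.installed = installed[-1]
    device.pending.clear()
    return installed


# Constructed sample feed: one functionality release and two security fixes.
FEED = [
    Update("2.0.0", Kind.FUNCTIONALITY),
    Update("1.4.1", Kind.SECURITY, fixes=("ADV-0001",)),
    Update("1.4.2", Kind.SECURITY, fixes=("ADV-0002", "ADV-0003")),
]

if __name__ == "__main__":
    dev = Device(installed="1.4.0", support_end=date(2030, 1, 1))
    for line in sync(dev, FEED, date(2026, 6, 1)):
        print(line)
    print("installed:", dev.installed)
```

The three policy branches in `sync` are the point: with the defaults both fixes land without the user touching the 2.0.0 feature release; with `automatic=False` the device still surfaces the advisories but installs nothing; with `require_approval=True` the fixes are staged until `approve_pending` runs. The end-of-support notice is emitted once per cycle and only when the date has passed, which keeps it within the "limited to what is necessary" bound the recital sets.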

(58)

The joint communication of the Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 20 June 2023 entitled ‘European Economic Security Strategy’ stated that the Union needs to maximise the benefits of its economic openness while minimising the risks from economic dependencies on high-risk vendors, through a common strategic framework for Union economic security. Dependencies on high-risk suppliers of products with digital elements may pose a strategic risk that needs to be addressed at Union level, especially where the products with digital elements are intended for the use by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555. Such risks may be linked, but not limited, to the jurisdiction applicable to the manufacturer, the characteristics of its corporate ownership and the links of control to a third-country government where it is established, in particular where a third country engages in economic espionage or irresponsible state behaviour in cyberspace and its legislation allows arbitrary access to any kind of company operations or data, including commercially sensitive data, and can impose obligations for intelligence purposes without democratic checks and balances, oversight mechanisms, due process or the right to appeal to an independent court or tribunal. When determining the significance of a cybersecurity risk within the meaning of this Regulation, the Commission and the market surveillance authorities, as per their responsibilities as set out in this Regulation, should also consider non-technical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555.

(59)

For the purpose of ensuring the security of products with digital elements after their placing on the market, manufacturers should determine the support period, which should reflect the time the product with digital elements is expected to be in use. In determining a support period, a manufacturer should take into account in particular reasonable user expectations, the nature of the product, as well as relevant Union law determining the lifetime of products with digital elements. Manufacturers should also be able to take into account other relevant factors. Criteria should be applied in a manner that ensures proportionality in the determination of the support period. Upon request, a manufacturer should provide market surveillance authorities with the information that was taken into account to determine the support period of a product with digital elements.

(60)

The support period for which the manufacturer ensures the effective handling of vulnerabilities should be no less than five years, unless the lifetime of the product with digital elements is less than five years, in which case the manufacturer should ensure the vulnerability handling for that lifetime. Where the time the product with digital elements is reasonably expected to be in use is longer than five years, as is often the case for hardware components such as motherboards or microprocessors, network devices such as routers, modems or switches, as well as software, such as operating systems or video-editing tools, manufacturers should accordingly ensure longer support periods. In particular, products with digital elements intended for use in industrial settings, such as industrial control systems, are often in use for significantly longer periods of time. A manufacturer should be able to define a support period of less than five years only where this is justified by the nature of the product with digital elements concerned and where that product is expected to be in use for less than five years, in which case the support period should correspond to the expected use time. For instance, the lifetime of a contact tracing application intended for use during a pandemic could be limited to the duration of the pandemic. Moreover, some software applications can by nature only be made available on the basis of a subscription model, in particular where the application becomes unavailable to the user and is consequently not in use anymore once the subscription expires.

(61)

When products with digital elements reach the end of their support periods, in order to ensure that vulnerabilities can be handled after the end of the support period, manufacturers should consider releasing the source code of such products with digital elements either to other undertakings which commit to extending the provision of vulnerability handling services or to the public. Where manufacturers release the source code to other undertakings, they should be able to protect the ownership of the product with digital elements and prevent the dissemination of the source code to the public, for example through contractual arrangements.

(62)

In order to ensure that manufacturers across the Union determine similar support periods for comparable products with digital elements, ADCO should publish statistics on the average support periods determined by manufacturers for categories of products with digital elements and issue guidance indicating appropriate support periods for such categories. In addition, with a view to ensuring a harmonised approach across the internal market, the Commission should be able to adopt delegated acts to specify minimum support periods for specific product categories where the data provided by market surveillance authorities suggests that the support periods determined by manufacturers are either systematically not in line with the criteria for determining the support periods as laid down in this Regulation or that manufacturers in different Member States unjustifiably determine different support periods.

(63)

Manufacturers should set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on and receiving information about the vulnerabilities of the product with digital elements. They should make the single point of contact easily accessible for users and clearly indicate its availability, keeping this information up to date. Where manufacturers choose to offer automated tools, e.g. chat boxes, they should also offer a phone number or other digital means of contact, such as an email address or a contact form. The single point of contact should not rely exclusively on automated tools.

(64)

Manufacturers should make their products with digital elements available on the market with a secure by default configuration and provide security updates to users free of charge. Manufacturers should only be able to deviate from the essential cybersecurity requirements in relation to tailor-made products that are fitted to a particular purpose for a particular business user and where both the manufacturer and the user have explicitly agreed to a different set of contractual terms.

(65)

Manufacturers should notify simultaneously via the single reporting platform both the computer security incident response team (CSIRT) designated as coordinator as well as ENISA of actively exploited vulnerabilities contained in products with digital elements, as well as severe incidents having an impact on the security of those products. The notifications should be submitted using the electronic notification end-point of a CSIRT designated as coordinator and should be simultaneously accessible to ENISA.

(66)

Manufacturers should notify actively exploited vulnerabilities to ensure that the CSIRTs designated as coordinators, and ENISA, have an adequate overview of such vulnerabilities and are provided with the information necessary to fulfil their tasks as set out in Directive (EU) 2022/2555 and raise the overall level of cybersecurity of essential and important entities as referred to in Article 3 of that Directive, as well as to ensure the effective functioning of market surveillance authorities. As most products with digital elements are marketed across the entire internal market, any exploited vulnerability in a product with digital elements should be considered to be a threat to the functioning of the internal market. ENISA should, in agreement with the manufacturer, disclose fixed vulnerabilities to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555. The European vulnerability database will assist manufacturers in detecting known exploitable vulnerabilities in their products, in order to ensure that secure products are made available on the market.

(67)

Manufacturers should also notify any severe incident having an impact on the security of the product with digital elements to the CSIRT designated as coordinator and ENISA. In order to ensure that users can react quickly to severe incidents having an impact on the security of their products with digital elements, manufacturers should also inform their users about any such incident and, where applicable, about any corrective measures that the users can deploy to mitigate the impact of the incident, for example by publishing relevant information on their websites or, where the manufacturer is able to contact the users and where justified by the cybersecurity risks, by reaching out to the users directly.

(68)

Actively exploited vulnerabilities concern instances where a manufacturer establishes that a security breach affecting its users or any other natural or legal persons has resulted from a malicious actor making use of a flaw in one of the products with digital elements made available on the market by the manufacturer. Examples of such vulnerabilities could be weaknesses in a product’s identification and authentication functions. Vulnerabilities that are discovered with no malicious intent for purposes of good faith testing, investigation, correction or disclosure to promote the security or safety of the system owner and its users should not be subject to mandatory notification. Severe incidents having an impact on the security of the product with digital elements, on the other hand, refer to situations where a cybersecurity incident affects the development, production or maintenance processes of the manufacturer in such a way that it could result in an increased cybersecurity risk for users or other persons. Such a severe incident could include a situation where an attacker has successfully introduced malicious code into the release channel via which the manufacturer releases security updates to users.

(69)

To ensure that notifications can be disseminated quickly to all relevant CSIRTs designated as coordinators and to enable manufacturers to submit a single notification at each stage of the notification process, a single reporting platform with national electronic notification end-points should be established by ENISA. The day-to-day operations of the single reporting platform should be managed and maintained by ENISA. The CSIRTs designated as coordinators should inform their respective market surveillance authorities about notified vulnerabilities or incidents. The single reporting platform should be designed in such a way that it ensures the confidentiality of notifications, in particular as regards vulnerabilities for which a security update is not yet available. In addition, ENISA should put in place procedures to handle information in a secure and confidential manner. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

(70)

In exceptional circumstances and in particular upon request by the manufacturer, the CSIRT designated as coordinator initially receiving a notification should be able to decide to delay its dissemination to the other relevant CSIRTs designated as coordinators via the single reporting platform where this can be justified on cybersecurity-related grounds and for a period of time that is strictly necessary. The CSIRT designated as coordinator should immediately inform ENISA about the decision to delay and on which grounds, as well as when it intends to disseminate further. The Commission should develop, through a delegated act, specifications on the terms and conditions for when cybersecurity-related grounds could be applied and should cooperate with the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555, and ENISA in preparing the draft delegated act. Examples of cybersecurity-related grounds include an ongoing coordinated vulnerability disclosure procedure or situations in which a manufacturer is expected to provide a mitigating measure shortly and the cybersecurity risks of an immediate dissemination via the single reporting platform outweigh its benefits. If requested by the CSIRT designated as coordinator, ENISA should be able to support that CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification based on the information ENISA has received from that CSIRT on the decision to withhold a notification on those cybersecurity-related grounds. Furthermore, in particularly exceptional circumstances, ENISA should not receive all the details of a notification of an actively exploited vulnerability in a simultaneous manner. This would be the case when the manufacturer marks in its notification that the notified vulnerability has been actively exploited by a malicious actor and that, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator to which the manufacturer has notified the vulnerability, when any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State, or when the notified vulnerability poses an imminent high cybersecurity risk stemming from the further dissemination. In such cases, ENISA will only receive simultaneous access to the information that a notification was made by the manufacturer, general information about the product with digital elements concerned, the information about the general nature of the exploit and information about the fact that those security grounds were raised by the manufacturer and that the full content of the notification is therefore withheld. The full notification should then be made available to ENISA and other relevant CSIRTs designated as coordinators when the CSIRT designated as coordinator initially receiving the notification finds that those security grounds, reflecting particularly exceptional circumstances as established in this Regulation, cease to exist. Where, based on the information available, ENISA considers that there is a systemic risk affecting the security of the internal market, ENISA should recommend to the recipient CSIRT to disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.

(71)

When manufacturers notify an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, they should indicate how sensitive they consider the notified information to be. The CSIRT designated as coordinator initially receiving the notification should take this information into account when assessing whether the notification gives rise to exceptional circumstances that justify a delay in the dissemination of the notification to the other relevant CSIRTs designated as coordinators based on justified cybersecurity-related grounds. It should also take that information into account when assessing whether the notification of an actively exploited vulnerability gives rise to particularly exceptional circumstances that justify that the full notification is not made available simultaneously to ENISA. Finally, CSIRTs designated as coordinators should be able to take that information into account when determining appropriate measures to mitigate the risks stemming from such vulnerabilities and incidents.

(72)

In order to simplify the reporting of information required under this Regulation, in consideration of other complementary reporting requirements laid down in Union law, such as Regulation (EU) 2016/679, Regulation (EU) 2022/2554 of the European Parliament and of the Council (25), Directive 2002/58/EC of the European Parliament and of the Council (26) and Directive (EU) 2022/2555, as well as to decrease the administrative burden for entities, Member States are encouraged to consider providing at national level single entry points for such reporting requirements. The use of such national single entry points for the reporting of security incidents under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. When establishing the single reporting platform referred to in this Regulation, ENISA should take into account the possibility for the national electronic notification end-points referred to in this Regulation to be integrated into national single entry points that may also integrate other notifications required under Union law.

(73)

When establishing the single reporting platform referred to in this Regulation and in order to benefit from past experience, ENISA should consult other Union institutions or agencies that are managing platforms or databases subject to stringent security requirements, such as the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). ENISA should also analyse potential complementarities with the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

(74)

Manufacturers and other natural and legal persons should be able to notify to a CSIRT designated as coordinator or ENISA, on a voluntary basis, any vulnerability contained in a product with digital elements, cyber threats that could affect the risk profile of a product with digital elements, any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident.

(75)

Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.

(76)

Manufacturers of products with digital elements should put in place coordinated vulnerability disclosure policies to facilitate the reporting of vulnerabilities by individuals or entities either directly to the manufacturer or indirectly, and where requested anonymously, via CSIRTs designated as coordinators for the purposes of coordinated vulnerability disclosure in accordance with Article 12(1) of Directive (EU) 2022/2555. Manufacturers’ coordinated vulnerability disclosure policy should specify a structured process through which vulnerabilities are reported to a manufacturer in a manner allowing the manufacturer to diagnose and remedy such vulnerabilities before detailed vulnerability information is disclosed to third parties or to the public. Moreover, manufacturers should also consider publishing their security policies in machine-readable format. Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts. This refers to so-called ‘bug bounty programmes’.

(77)

In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up an SBOM. An SBOM can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, in particular it helps manufacturers and users to track known newly emerged vulnerabilities and cybersecurity risks. It is of particular importance that manufacturers ensure that their products with digital elements do not contain vulnerable components developed by third parties. Manufacturers should not be obliged to make the SBOM public.
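The recital above describes what an SBOM is for: letting manufacturers and users track newly published vulnerabilities against the components actually shipped in a product. The following Python script is an added example, not part of the Regulation or of any vendor's tooling, of the matching step in practice. It assumes a CycloneDX-style JSON SBOM with `purl` identifiers (the Regulation prescribes no format; this is one common choice) and an advisory feed giving, per package, an introduced version and a fixed version. Both the SBOM and the advisories are constructed for illustration. It also flags components whose SBOM entry lacks a name, version or identifier, since such entries cannot be matched and are a gap in the inventory rather than evidence of absence of vulnerabilities.

```python
"""Match SBOM components against known-vulnerable version ranges.

Added example. The SBOM and advisory data below are constructed for
illustration and do not describe any real product or vulnerability.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed SBOM in a CycloneDX-like JSON shape (assumption: the
# Regulation does not mandate a format; CycloneDX "components" with
# package-URL identifiers is one widely used option).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libfoo",     "version": "1.2.3",  "purl": "pkg:generic/libfoo@1.2.3"},
    {"name": "zlibby",     "version": "1.2.11", "purl": "pkg:generic/zlibby@1.2.11"},
    {"name": "netlib",     "version": "2.0.0",  "purl": "pkg:generic/netlib@2.0.0"},
    {"name": "vendorblob", "purl": "pkg:generic/vendorblob"}
  ]
}
"""

# Constructed advisory feed. A component is affected when its version lies
# in [introduced, fixed); fixed=None means no fixed version is known yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "zlibby", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-2024-0002", "package": "netlib", "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-2024-0003", "package": "libfoo", "introduced": "1.0.0", "fixed": None},
]


@dataclass(frozen=True)
class Match:
    purl: str
    advisory_id: str
    fixed: Optional[str]  # None when no fixed version has been published


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. '1.2.11' -> (1, 2, 11).
    Pre-release and build suffixes are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version is in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    # The fixed version itself is not affected, so the upper bound is exclusive.
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> List[dict]:
    return json.loads(sbom_json).get("components", [])


def _is_complete(component: dict) -> bool:
    return bool(component.get("name") and component.get("version") and component.get("purl"))


def incomplete_components(sbom_json: str) -> List[str]:
    """Names of components that cannot be matched because name, version or purl is missing."""
    return [c.get("name", "<unnamed>") for c in load_components(sbom_json) if not _is_complete(c)]


def match_sbom(sbom_json: str, advisories: List[dict]) -> List[Match]:
    """Return every (component, advisory) pair whose version range matches."""
    matches = []
    for comp in load_components(sbom_json):
        if not _is_complete(comp):
            continue  # reported separately by incomplete_components()
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                matches.append(Match(comp["purl"], adv["id"], adv["fixed"]))
    return sorted(matches, key=lambda m: (m.purl, m.advisory_id))


if __name__ == "__main__":
    for m in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{m.purl}: {m.advisory_id} (fixed in {m.fixed or 'no fix yet'})")
    for name in incomplete_components(SBOM_JSON):
        print(f"WARNING: component {name!r} lacks name/version/purl and was not checked")
```

Two details matter in practice: the fixed version is excluded from the affected range (so `netlib 2.0.0` is not flagged for an advisory fixed in 2.0.0), and an advisory without a fixed version still matches, which is exactly the case where the manufacturer's own vulnerability handling obligation kicks in rather than a simple component upgrade.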

(78)

Under the new complex business models linked to online sales, a business operating online can provide a variety of services. Depending on the nature of the services provided in relation to a given product with digital elements, the same entity may fall within different categories of business models or economic operators. Where an entity provides only online intermediation services for a given product with digital elements and is merely a provider of an online marketplace as defined in Article 3, point (14), of Regulation (EU) 2023/988, it does not qualify as one of the types of economic operator defined in this Regulation. Where the same entity is a provider of an online marketplace and also acts as an economic operator as defined in this Regulation for the sale of particular products with digital elements, it should be subject to the obligations set out in this Regulation for that type of economic operator. For instance, if the provider of an online marketplace also distributes a product with digital elements, then, with respect to the sale of that product, it would be considered to be a distributor. Similarly, if the entity in question sells its own branded products with digital elements, it would qualify as a manufacturer and would thus have to comply with the applicable requirements for manufacturers. Also, some entities can qualify as fulfilment service providers as defined in Article 3, point (11), of Regulation (EU) 2019/1020 of the European Parliament and of the Council (27) if they offer such services. Such cases would need to be assessed on a case-by-case basis. Given the prominent role that online marketplaces have in enabling electronic commerce, they should strive to cooperate with the market surveillance authorities of the Member States in order to help ensure that products with digital elements purchased through online marketplaces comply with the cybersecurity requirements laid down in this Regulation.

(79)

In order to facilitate assessment of conformity with the requirements laid down in this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised standards, which translate the essential cybersecurity requirements set out in this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (28). That Regulation provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements set out in this Regulation. The standardisation process should ensure a balanced representation of interests and effective participation of civil society stakeholders, including consumer organisations. International standards that are in line with the level of cybersecurity protection aimed for by the essential cybersecurity requirements set out in this Regulation should also be taken into account, in order to facilitate the development of harmonised standards and the implementation of this Regulation, as well as to facilitate compliance for companies, in particular microenterprises and small and medium-sized enterprises and those operating globally.

(80)

The timely development of harmonised standards during the transitional period for the application of this Regulation and their availability before the date of application of this Regulation will be particularly important for its effective implementation. This is, in particular, the case for important products with digital elements that fall under class I. The availability of harmonised standards will enable manufacturers of such products to perform the conformity assessments via the internal control procedure and can therefore avoid bottlenecks and delays in the activities of conformity assessment bodies.

(81)

Regulation (EU) 2019/881 establishes a voluntary European cybersecurity certification framework for ICT products, ICT processes and ICT services. European cybersecurity certification schemes provide a common framework of trust for users to use products with digital elements that fall within the scope of this Regulation. This Regulation should consequently create synergies with Regulation (EU) 2019/881. In order to facilitate the assessment of conformity with the requirements laid down in this Regulation, products with digital elements that are certified or for which a statement of conformity has been issued under a European cybersecurity scheme pursuant to Regulation (EU) 2019/881 that has been identified by the Commission in an implementing act, shall be presumed to be in compliance with the essential cybersecurity requirements set out in this Regulation in so far as the European cybersecurity certificate or statement of conformity or parts thereof cover those requirements. The need for new European cybersecurity certification schemes for products with digital elements should be assessed in the light of this Regulation, including when preparing the Union rolling work programme in accordance with Regulation (EU) 2019/881. Where there is a need for a new scheme covering products with digital elements, including in order to facilitate compliance with this Regulation, the Commission can request ENISA to prepare candidate schemes in accordance with Article 48 of Regulation (EU) 2019/881. Such future European cybersecurity certification schemes covering products with digital elements should take into account the essential cybersecurity requirements and conformity assessment procedures as set out in this Regulation and facilitate compliance with this Regulation. For European cybersecurity certification schemes that enter into force before the entry into force of this Regulation, further specifications may be needed on detailed aspects of how a presumption of conformity can apply. The Commission, by means of delegated acts, should be empowered to specify under which conditions the European cybersecurity certification schemes can be used to demonstrate conformity with the essential cybersecurity requirements set out in this Regulation. Furthermore, to avoid undue administrative burdens, there should be no obligation for manufacturers to carry out a third-party conformity assessment as provided for in this Regulation for corresponding requirements where a European cybersecurity certificate has been issued under such European cybersecurity certification schemes at least at level ‘substantial’.

(82)

Upon entry into force of Implementing Regulation (EU) 2024/482 which concerns products that fall within the scope of this Regulation, such as hardware security modules and microprocessors, the Commission should be able to specify, by means of a delegated act, how the EUCC provides a presumption of conformity with the essential cybersecurity requirements as set out in this Regulation or parts thereof. Furthermore, such a delegated act may specify how a certificate issued under the EUCC eliminates the obligation for manufacturers to carry out a third-party assessment as required pursuant to this Regulation for corresponding requirements.

(83)

The current European standardisation framework, which is based on the New Approach principles set out in Council Resolution of 7 May 1985 on a new approach to technical harmonization and standards and on Regulation (EU) No 1025/2012, represents the framework by default to elaborate standards that provide for a presumption of conformity with the relevant essential cybersecurity requirements set out in this Regulation. European standards should be market-driven, take into account the public interest, as well as the policy objectives clearly stated in the Commission’s request to one or more European standardisation organisations to draft harmonised standards, within a set deadline, and be based on consensus. However, in the absence of relevant references to harmonised standards, the Commission should be able to adopt implementing acts establishing common specifications for the essential cybersecurity requirements set out in this Regulation, provided that in doing so it duly respects the role and functions of European standardisation organisations, as an exceptional fall back solution to facilitate the manufacturer’s obligation to comply with those essential cybersecurity requirements, where the standardisation process is blocked or where there are delays in the establishment of appropriate harmonised standards. If such delay is due to the technical complexity of the standard in question, this should be considered by the Commission before considering whether to establish common specifications.

(84)

With a view to establishing, in the most efficient way, common specifications that cover the essential cybersecurity requirements set out in this Regulation, the Commission should involve relevant stakeholders in the process.

(85)

‘Reasonable period’ has the meaning, in relation to the publication of a reference to harmonised standards in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012, of a period during which the publication in the Official Journal of the European Union of the reference to the standard, its corrigendum or its amendment is expected and which should not exceed one year after the deadline for drafting a European standard set in accordance with Regulation (EU) No 1025/2012.

(86)

In order to facilitate the assessment of conformity with the essential cybersecurity requirements set out in this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission pursuant to this Regulation for the purpose of expressing detailed technical specifications of those requirements.

(87)

The application of harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity in relation to the essential cybersecurity requirements applicable to products with digital elements will facilitate the assessment of conformity by the manufacturers. If the manufacturer chooses not to apply such means for certain requirements, it has to indicate in its technical documentation how the compliance is reached otherwise. Furthermore, the application of harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity by manufacturers would facilitate the check of compliance of products with digital elements by market surveillance authorities. Therefore, manufacturers of products with digital elements are encouraged to apply such harmonised standards, common specifications or European cybersecurity certification schemes.

(88)

Manufacturers should draw up an EU declaration of conformity to provide information required under this Regulation on the conformity of products with digital elements with the essential cybersecurity requirements set out in this Regulation and, where applicable, of the other relevant Union harmonisation legislation by which the product with digital elements is covered. Manufacturers may also be required to draw up an EU declaration of conformity by other Union legal acts. To ensure effective access to information for market surveillance purposes, a single EU declaration of conformity should be drawn up in respect of compliance with all relevant Union legal acts. In order to reduce the administrative burden on economic operators, it should be possible for that single EU declaration of conformity to be a dossier made up of relevant individual declarations of conformity.

(89)

The CE marking, indicating the conformity of a product, is the visible consequence of a whole process comprising conformity assessment in a broad sense. The general principles governing the CE marking are set out in Regulation (EC) No 765/2008 of the European Parliament and of the Council (29). Rules governing the affixing of the CE marking on products with digital elements should be laid down in this Regulation. The CE marking should be the only marking which guarantees that products with digital elements comply with the requirements set out in this Regulation.

(90)

In order to allow economic operators to demonstrate conformity with the essential cybersecurity requirements set out in this Regulation and to allow market surveillance authorities to ensure that products with digital elements made available on the market comply with those requirements, it is necessary to provide for conformity assessment procedures. Decision No 768/2008/EC of the European Parliament and of the Council (30) establishes modules for conformity assessment procedures in proportion to the level of risk involved and the level of security required. In order to ensure inter-sectoral coherence and to avoid ad-hoc variants, conformity assessment procedures adequate for verifying the conformity of products with digital elements with the essential cybersecurity requirements set out in this Regulation should be based on those modules. The conformity assessment procedures should examine and verify both product and process-related requirements covering the whole lifecycle of products with digital elements, including planning, design, development or production, testing and maintenance of the product with digital elements.

(91)

Conformity assessment of products with digital elements that are not listed as important or critical products with digital elements in this Regulation can be carried out by the manufacturer under its own responsibility following the internal control procedure based on module A of Decision No 768/2008/EC in accordance with this Regulation. This also applies to cases where a manufacturer chooses not to apply in whole or in part an applicable harmonised standard, common specification or European cybersecurity certification scheme. The manufacturer retains the flexibility to choose a stricter conformity assessment procedure involving a third party. Under the internal control conformity assessment procedure, the manufacturer ensures and declares on its sole responsibility that the product with digital elements and the processes of the manufacturer meet the applicable essential cybersecurity requirements set out in this Regulation. If an important product with digital elements falls under class I, additional assurance is required to demonstrate conformity with the essential cybersecurity requirements set out in this Regulation. The manufacturer should apply harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 which have been identified by the Commission in an implementing act if it wants to carry out the conformity assessment under its own responsibility (module A). If the manufacturer does not apply such harmonised standards, common specifications or European cybersecurity certification schemes, the manufacturer should undergo conformity assessment involving a third party (based on modules B and C or module H). Taking into account the administrative burden on manufacturers and the fact that cybersecurity plays an important role in the design and development phase of tangible and intangible products with digital elements, conformity assessment procedures based on modules B and C or module H of Decision No 768/2008/EC have been chosen as most appropriate for assessing the compliance of important products with digital elements in a proportionate and effective manner. The manufacturer that carries out the third-party conformity assessment can choose the procedure that best suits its design and production process. Given the even greater cybersecurity risk linked with the use of important products with digital elements that fall under class II, the conformity assessment should always involve a third party, even where the product complies fully or partly with harmonised standards, common specifications or European cybersecurity certification schemes. Manufacturers of important products with digital elements qualifying as free and open-source software should be able to follow the internal control procedure based on module A, provided that they make the technical documentation available to the public.

(92)

While the creation of tangible products with digital elements usually requires manufacturers to make substantial efforts throughout the design, development and production phases, the creation of products with digital elements in the form of software almost exclusively focuses on design and development, while the production phase plays a minor role. Nonetheless, in many cases software products still need to be compiled, built, packaged, made available for download or copied onto physical media before being placed on the market. Those activities should be considered to be activities amounting to production when applying the relevant conformity assessment modules to verify the compliance of the product with the essential cybersecurity requirements set out in this Regulation across the design, development and production phases.

(93)

In relation to microenterprises and small enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without affecting the level of cybersecurity protection of products with digital elements that fall within the scope of this Regulation or the level playing field among manufacturers. It is therefore appropriate for the Commission to establish a simplified technical documentation form targeted at the needs of microenterprises and small enterprises. The simplified technical documentation form adopted by the Commission should cover all the applicable elements related to technical documentation set out in this Regulation and specify how a microenterprise or a small enterprise can provide the requested elements in a concise way, such as the description of the design, development and production of the product with digital elements. In doing so, the form would contribute to alleviating the administrative compliance burden by providing the enterprises concerned with legal certainty about the extent and detail of information to be provided. Microenterprises and small enterprises should be able to choose to provide the applicable elements related to technical documentation in extensive form and not take advantage of the simplified technical form available to them.

(94)

In order to promote and protect innovation, it is important that the interests of manufacturers that are microenterprises or small or medium-sized enterprises, in particular microenterprises and small enterprises, including start-ups, are taken into particular account. To that end, Member States could develop initiatives which are targeted at manufacturers that are microenterprises or small enterprises, including on training, awareness raising, information communication, testing and third-party conformity assessment activities, as well as the establishment of sandboxes. Translation costs related to mandatory documentation, such as the technical documentation and the information and instructions to the user required pursuant to this Regulation, and communication with authorities, may constitute a significant cost for manufacturers, in particular those of a smaller size. Therefore, Member States should be able to consider that one of the languages determined and accepted by them for relevant manufacturers’ documentation and for communication with manufacturers is one which is broadly understood by the largest possible number of users.

(95)

In order to ensure a smooth application of this Regulation, Member States should strive to ensure, before the date of application of this Regulation, that a sufficient number of notified bodies is available to carry out third-party conformity assessments. The Commission should seek to assist Member States and other relevant parties in this endeavour, in order to avoid bottlenecks and hindrances to market entry for manufacturers. Targeted training activities led by Member States, including where appropriate with the support of the Commission, can contribute to the availability of skilled professionals including to support the activities of notified bodies under this Regulation. Furthermore, in light of the costs that third-party conformity assessment may entail, funding initiatives at Union and national level that seek to alleviate such costs for microenterprises and small enterprises should be considered.

(96)

In order to ensure proportionality, conformity assessment bodies, when setting the fees for conformity assessment procedures, should take into account the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups. In particular, conformity assessment bodies should apply the relevant examination procedure and tests provided for in this Regulation only where appropriate and following a risk-based approach.

(97)

The objectives of regulatory sandboxes should be to foster innovation and competitiveness for businesses by establishing controlled testing environments before the placing on the market of products with digital elements. Regulatory sandboxes should contribute to improve legal certainty for all actors that fall within the scope of this Regulation and facilitate and accelerate access to the Union market for products with digital elements, in particular when provided by microenterprises and small enterprises, including start-ups.

(98)

In order to carry out third-party conformity assessment for products with digital elements, conformity assessment bodies should be notified by the national notifying authorities to the Commission and the other Member States, provided they comply with a set of requirements, in particular on independence, competence and absence of conflicts of interest.

(99)

In order to ensure a consistent level of quality in the performance of conformity assessment of products with digital elements, it is also necessary to lay down requirements for notifying authorities and other bodies involved in the assessment, notification and monitoring of notified bodies. The system set out in this Regulation should be complemented by the accreditation system provided for in Regulation (EC) No 765/2008. Since accreditation is an essential means of verifying the competence of conformity assessment bodies, it should also be used for the purposes of notification.

(100)

Conformity assessment bodies that have been accredited and notified under Union law laying down requirements similar to those laid down in this Regulation, such as a conformity assessment body that has been notified for a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 or notified under Delegated Regulation (EU) 2022/30, should be newly assessed and notified under this Regulation. However, synergies can be defined by relevant authorities regarding any overlapping requirements in order to prevent an unnecessary financial and administrative burden and to ensure a smooth and timely notification process.

(101)

Transparent accreditation as provided for in Regulation (EC) No 765/2008, ensuring the necessary level of confidence in certificates of conformity, should be considered by the national public authorities throughout the Union to be the preferred means of demonstrating the technical competence of conformity assessment bodies. However, national authorities may consider that they possess the appropriate means of carrying out that evaluation themselves. In such cases, in order to ensure the appropriate level of credibility of evaluations carried out by other national authorities, they should provide the Commission and the other Member States with the necessary documentary evidence demonstrating the compliance of the conformity assessment bodies evaluated with the relevant regulatory requirements.

(102)

Conformity assessment bodies frequently subcontract parts of their activities linked to the assessment of conformity or have recourse to a subsidiary. In order to safeguard the level of protection required for a product with digital elements to be placed on the market, it is essential that conformity assessment subcontractors and subsidiaries fulfil the same requirements as notified bodies in relation to the performance of conformity assessment tasks.

(103)

The notification of a conformity assessment body should be sent by the notifying authority to the Commission and the other Member States via the New Approach Notified and Designated Organisations (NANDO) information system. The NANDO information system is the electronic notification tool developed and managed by the Commission where a list of all notified bodies can be found.

(104)

Since notified bodies may offer their services throughout the Union, it is appropriate to give the other Member States and the Commission the opportunity to raise objections concerning a notified body. It is therefore important to provide for a period during which any doubts or concerns as to the competence of conformity assessment bodies can be clarified before they start operating as notified bodies.

(105)

In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden for economic operators. For the same reason, and to ensure equal treatment of economic operators, consistency in the technical application of the conformity assessment procedures needs to be ensured. That should be best achieved through appropriate coordination and cooperation between notified bodies.

(106)

Market surveillance is an essential instrument in ensuring the proper and uniform application of Union law. It is therefore appropriate to put in place a legal framework within which market surveillance can be carried out in an appropriate manner. The rules on Union market surveillance and control of products entering the Union market provided for in Regulation (EU) 2019/1020 apply to products with digital elements that fall within the scope of this Regulation.

(107)

In accordance with Regulation (EU) 2019/1020, a market surveillance authority carries out market surveillance in the territory of the Member State that designates it. This Regulation should not prevent Member States from choosing the competent authorities to carry out market surveillance tasks. Each Member State should designate one or more market surveillance authorities in its territory. Member States should be able to choose to designate any existing or new authority to act as market surveillance authority, including competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555, national cybersecurity certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 or market surveillance authorities designated for the purposes of Directive 2014/53/EU. Economic operators should fully cooperate with market surveillance authorities and other competent authorities. Each Member State should inform the Commission and the other Member States of its market surveillance authorities and the areas of competence of each of those authorities and should ensure the necessary resources and skills to carry out the market surveillance tasks relating to this Regulation. Pursuant to Article 10(2) and (3) of Regulation (EU) 2019/1020, each Member State should appoint a single liaison office that should be responsible, inter alia, for representing the coordinated position of the market surveillance authorities and assisting in the cooperation between market surveillance authorities in different Member States.

(108)

A dedicated ADCO for the cyber resilience of products with digital elements should be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO should be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of the single liaison offices. The Commission should support and encourage cooperation between market surveillance authorities through the Union Product Compliance Network established pursuant to Article 29 of Regulation (EU) 2019/1020 and comprising representatives from each Member State, including a representative of each single liaison office as referred to in Article 10 of that Regulation and an optional national expert, the chairs of ADCOs, and representatives from the Commission. The Commission should participate in the meetings of the Union Product Compliance Network, its sub-groups and ADCO. It should also assist ADCO by means of an executive secretariat that provides technical and logistic support. ADCO may also invite independent experts to participate, and liaise with other ADCOs, such as that established under Directive 2014/53/EU.

(109)

Market surveillance authorities, through ADCO established under this Regulation, should cooperate closely and should be able to develop guidance documents to facilitate market surveillance activities at national level, such as by developing best practices and indicators to effectively check the compliance of products with digital elements with this Regulation.

(110)

In order to ensure timely, proportionate and effective measures in relation to products with digital elements presenting a significant cybersecurity risk, a Union safeguard procedure under which interested parties are informed of measures intended to be taken with regard to such products should be provided for. This should also allow market surveillance authorities, in cooperation with the relevant economic operators, to act at an earlier stage where necessary. Where the Member States and the Commission agree as to the justification of a measure taken by a Member State, no further involvement of the Commission should be required, except where non-compliance can be attributed to shortcomings of a harmonised standard.

(111)

In certain cases, a product with digital elements which complies with this Regulation can nonetheless present a significant cybersecurity risk or pose a risk to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights, to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555 or to other aspects of public interest protection. Therefore it is necessary to establish rules which ensure mitigation of those risks. As a result, market surveillance authorities should take measures to require the economic operator to ensure that the product no longer presents that risk, or to recall or withdraw it, depending on the risk. As soon as a market surveillance authority restricts or forbids the free movement of a product with digital elements in such way, the Member State should notify without delay the Commission and the other Member States of the provisional measures, indicating the reasons and justification for the decision. Where a market surveillance authority adopts such measures against products with digital elements presenting a risk, the Commission should enter into consultation with the Member States and the relevant economic operator or operators without delay and should evaluate the national measure. On the basis of the results of this evaluation, the Commission should decide whether the national measure is justified or not. The Commission should address its decision to all Member States and immediately communicate it to them and the relevant economic operator or operators. If the measure is considered to be justified, the Commission should also consider whether to adopt proposals to revise the relevant Union law.

(112)

For products with digital elements presenting a significant cybersecurity risk, and where there is reason to believe that they do not comply with this Regulation, or for products that comply with this Regulation, but that present other important risks, such as risks to the health or safety of persons, to compliance with obligations under Union or national law intended to protect fundamental rights or to the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555, the Commission should be able to request ENISA to carry out an evaluation. Based on that evaluation, the Commission should be able to adopt, by means of implementing acts, corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. The Commission should be able to have recourse to such intervention only in exceptional circumstances that justify an immediate intervention to preserve the proper functioning of the internal market, and only where no effective measures have been taken by market surveillance authorities to remedy the situation. Such exceptional circumstances may be emergency situations where, for example, a non-compliant product with digital elements is widely made available by the manufacturer throughout several Member States, used also in key sectors by entities that fall within the scope of Directive (EU) 2022/2555 while containing known vulnerabilities that are being exploited by malicious actors and for which the manufacturer does not provide available patches. The Commission should be able to intervene in such emergency situations only for the duration of the exceptional circumstances and if non-compliance with this Regulation or the important risks presented persist.

(113)

Where there are indications of non-compliance with this Regulation in several Member States, market surveillance authorities should be able to carry out joint activities with other authorities, with a view to verifying compliance and identifying cybersecurity risks of products with digital elements.

(114)

Simultaneous coordinated control actions (sweeps) are specific enforcement actions by market surveillance authorities that can further enhance product security. Sweeps should, in particular, be conducted where market trends, consumer complaints or other indications suggest that certain categories of products with digital elements are often found to present cybersecurity risks. Furthermore, when determining the product categories to be subjected to sweeps, market surveillance authorities should also take into account circumstances relating to non-technical risk factors. To that end, market surveillance authorities should be able to take into account the results of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555, including circumstances relating to non-technical risk factors. ENISA should submit proposals for categories of products with digital elements for which sweeps could be organised to the market surveillance authorities, based, inter alia, on the notifications of vulnerabilities and incidents it receives.

(115)

In light of its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, ENISA should be able to propose joint activities to be conducted by market surveillance authorities based on indications or information regarding potential non-compliance with this Regulation of products with digital elements across several Member States or identify categories of products for which sweeps should be organised. In exceptional circumstances, ENISA should be able, at the request of the Commission, to conduct evaluations in respect of specific products with digital elements that present a significant cybersecurity risk, where an immediate intervention is required to preserve the proper functioning of the internal market.

(116)

This Regulation confers certain tasks upon ENISA which require appropriate resources in terms of both expertise and human resources in order to enable ENISA to carry out those tasks effectively. The Commission will propose the necessary budgetary resources for ENISA’s establishment plan, in accordance with the procedure set out in Article 29 of Regulation (EU) 2019/881, when preparing the draft general budget of the Union. During that process, the Commission will consider ENISA’s overall resources to enable it to fulfil its tasks, including those conferred on ENISA pursuant to this Regulation.

(117)

In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of updating an annex to this Regulation listing the important products with digital elements. Power to adopt acts in accordance with that Article should be delegated to the Commission to identify products with digital elements covered by other Union rules which achieve the same level of protection as this Regulation, specifying whether a limitation or exclusion from the scope of this Regulation would be necessary as well as the scope of that limitation, if applicable. Power to adopt acts in accordance with that Article should also be delegated to the Commission in respect of the potential mandating of certification under a European cybersecurity certification scheme of the critical products with digital elements set out in an annex to this Regulation, as well as for updating the list of critical products with digital elements based on criticality criteria set out in this Regulation, and for specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity with the essential cybersecurity requirements or parts thereof as set out in an annex to this Regulation. Power to adopt acts should also be delegated to the Commission to specify the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods, as well as to specify the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications of actively exploited vulnerabilities. Furthermore, power to adopt acts should be delegated to the Commission to establish voluntary security attestation programmes for assessing the conformity of products with digital elements qualifying as free and open-source software with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation, as well as to specify the minimum content of the EU declaration of conformity and to supplement the elements to be included in the technical documentation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (31). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. The power to adopt delegated acts pursuant to this Regulation should be conferred on the Commission for a period of five years from 10 December 2024. The Commission should draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power should be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

(118)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify the technical description of the categories of important products with digital elements set out in an annex to this Regulation, specify the format and elements of the SBOM, specify further the format and procedure of the notifications of actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements submitted by manufacturers, establish common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in an annex to this Regulation, lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support period and mechanisms to promote their use and to increase public awareness about the security of products with digital elements, specify the simplified documentation form targeted at the needs of microenterprises and small enterprises, and decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention to preserve the proper functioning of the internal market. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (32).

(119)

In order to ensure trusting and constructive cooperation of market surveillance authorities at Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.

(120)

In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines. Maximum levels for administrative fines to be provided for in national law for non-compliance with the obligations laid down in this Regulation should therefore be established. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account and, as a minimum, those explicitly established in this Regulation, including whether the manufacturer is a microenterprise or a small or medium-sized enterprise, including a start-up, and whether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement. Such circumstances could be either aggravating, in situations where the infringement by the same economic operator persists on the territory of Member States other than that where an administrative fine has already been applied, or mitigating, in ensuring that any other administrative fine considered by another market surveillance authority for the same economic operator or the same type of infringement should already take account, along with other relevant specific circumstances, of a penalty and the quantum thereof imposed in other Member States. In all such cases, the cumulative administrative fine that could be applied by market surveillance authorities of several Member States to the same economic operator for the same type of infringement should ensure the respect of the principle of proportionality. Given that administrative fines do not apply to microenterprises or small enterprises for a failure to meet the 24-hour deadline for the early warning notification of actively exploited vulnerabilities or severe incidents having an impact on the security of the product with digital elements, nor to open-source software stewards for any infringement of this Regulation, and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on those entities.

(121)

Where administrative fines are imposed on a person that is not an undertaking, the competent authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines.

(122)

Member States should examine, taking into account national circumstances, the possibility of using the revenues from the penalties as provided for in this Regulation or their financial equivalent to support cybersecurity policies and increase the level of cybersecurity in the Union by, inter alia, increasing the number of qualified cybersecurity professionals, strengthening capacity building for microenterprises and small and medium-sized enterprises and improving public awareness of cyber threats.

(123)

In its relationships with third countries, the Union endeavours to promote international trade in regulated products. A broad variety of measures can be applied in order to facilitate trade, including several legal instruments such as bilateral (inter-governmental) Mutual Recognition Agreements (MRAs) for conformity assessment and marking of regulated products. MRAs are established between the Union and third countries which are on a comparable level of technical development and have a compatible approach concerning conformity assessment. Those agreements are based on the mutual acceptance of certificates, marks of conformity and test reports issued by the conformity assessment bodies of either party in conformity with the legislation of the other party. Currently, MRAs are in place with several third countries. Those MRAs are concluded in a number of specific sectors, which might vary from one third country to another. In order to further facilitate trade, and recognising that supply chains of products with digital elements are global, MRAs concerning conformity assessment can be concluded for products regulated under this Regulation by the Union in accordance with Article 218 TFEU. Cooperation with partner third countries is also important, in order to strengthen cyber resilience globally, as in the long term this will contribute to a strengthened cybersecurity framework both within and outside of the Union.

(124)

Consumers should be entitled to enforce their rights in relation to the obligations imposed on economic operators under this Regulation through representative actions pursuant to Directive (EU) 2020/1828 of the European Parliament and of the Council (33). For that purpose, this Regulation should provide that Directive (EU) 2020/1828 is applicable to the representative actions concerning infringements of this Regulation that harm or can harm the collective interests of consumers. Annex I to that Directive should therefore be amended accordingly. It is for the Member States to ensure that those amendments are reflected in the transposition measures adopted pursuant to that Directive, although the adoption of national transposition measures in that regard is not a condition for the applicability of that Directive to those representative actions. The applicability of that Directive to the representative actions brought with regard to infringements of provisions of this Regulation by economic operators that harm or could harm the collective interests of consumers should start from 11 December 2027.

(125)

The Commission should periodically evaluate and review this Regulation, in consultation with relevant stakeholders, in particular with a view to determining the need for modification in the light of changes to societal, political, technological or market conditions. This Regulation will facilitate the compliance with supply chain security obligations of entities that fall within the scope of Regulation (EU) 2022/2554 and Directive (EU) 2022/2555 that use products with digital elements. The Commission should evaluate, as part of that periodic review, the combined effects of the Union cybersecurity framework.

(126)

Economic operators should be provided with sufficient time to adapt to the requirements set out in this Regulation. This Regulation should apply from 11 December 2027, with exception of the reporting obligations concerning actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements, which should apply from 11 September 2026 and of the provisions on notification of conformity assessment bodies, which should apply from 11 June 2026.

(127)

It is important to provide support to microenterprises and small and medium-sized enterprises, including start-ups, in the implementation of this Regulation and to minimise the risks to the implementation resulting from lack of knowledge and expertise in the market, as well as in order to facilitate compliance of manufacturers with their obligations laid down in this Regulation. The Digital Europe Programme and other relevant Union programmes provide financial and technical support that enable those enterprises to contribute to the growth of the Union economy and to the strengthening of the common level of cybersecurity in the Union. The European Cybersecurity Competence Centre and National Coordination Centres as well as European Digital Innovation Hubs established by the Commission and the Member States at Union or national level could also support companies and public sector organisations and could contribute to the implementation of this Regulation. Within their respective missions and fields of competence, they could provide technical and scientific support to microenterprises and small and medium sized enterprises, such as for testing activities and third-party conformity assessments. They could also foster the deployment of tools to facilitate the implementation of this Regulation.

(128)

Furthermore, Member States should consider taking complementary action aiming to provide guidance and support for microenterprises and small and medium-sized enterprises, such as the establishment of regulatory sandboxes and dedicated channels for communication. In order to strengthen the level of cybersecurity in the Union, Member States may also consider providing support to develop capacity and skills related to cybersecurity of products with digital elements, improving the cyber resilience of economic operators, in particular of microenterprises and small and medium-sized enterprises, and fostering public awareness about the cybersecurity of products with digital elements.

(129)

Since the objective of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(130)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (34) and delivered an opinion on 9 November 2022 (35),

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation lays down:

(a)

rules for the making available on the market of products with digital elements to ensure the cybersecurity of such products;

(b)

essential cybersecurity requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products with respect to cybersecurity;

(c)

essential cybersecurity requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the time the products are expected to be in use, and obligations for economic operators in relation to those processes;

(d)

rules on market surveillance, including monitoring, and enforcement of the rules and requirements referred to in this Article.

Article 2

Scope

1.   This Regulation applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.

2.   This Regulation does not apply to products with digital elements to which the following Union legal acts apply:

(a)

Regulation (EU) 2017/745;

(b)

Regulation (EU) 2017/746;

(c)

Regulation (EU) 2019/2144.

3.   This Regulation does not apply to products with digital elements that have been certified in accordance with Regulation (EU) 2018/1139.

4.   This Regulation does not apply to equipment that falls within the scope of Directive 2014/90/EU of the European Parliament and of the Council (36).

5.   The application of this Regulation to products with digital elements covered by other Union rules laying down requirements that address all or some of the risks covered by the essential cybersecurity requirements set out in Annex I may be limited or excluded where:

(a)

such limitation or exclusion is consistent with the overall regulatory framework that applies to those products; and

(b)

the sectoral rules achieve the same or a higher level of protection as that provided for by this Regulation.

The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying whether such limitation or exclusion is necessary, the products and rules concerned, as well as the scope of the limitation, if relevant.

6.   This Regulation does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components that they are intended to replace.

7.   This Regulation does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information.

8.   The obligations laid down in this Regulation shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;

(2)

‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;

(3)

‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

(4)

‘software’ means the part of an electronic information system which consists of computer code;

(5)

‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;

(6)

‘component’ means software or hardware intended for integration into an electronic information system;

(7)

‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;

(8)

‘logical connection’ means a virtual representation of a data connection implemented through a software interface;

(9)

‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;

(10)

‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;

(11)

‘end-point’ means any device that is connected to a network and serves as an entry point to that network;

(12)

‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;

(13)

‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;

(14)

‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

(15)

‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;

(16)

‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;

(17)

‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;

(18)

‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;

(19)

‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;

(20)

‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;

(21)

‘placing on the market’ means the first making available of a product with digital elements on the Union market;

(22)

‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

(23)

‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;

(24)

‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;

(25)

‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;

(26)

‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;

(27)

‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;

(28)

‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;

(29)

‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;

(30)

‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;

(31)

‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;

(32)

‘Union harmonisation legislation’ means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;

(33)

‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;

(34)

‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;

(35)

‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;

(36)

‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;

(37)

‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

(38)

‘significant cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;

(39)

‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;

(40)

‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;

(41)

‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;

(42)

‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;

(43)

‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;

(44)

‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;

(45)

‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;

(46)

‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

(47)

‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(48)

‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;

(49)

‘recall’ means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;

(50)

‘withdrawal’ means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;

(51)

‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.

Article 4

Free movement

1.   Member States shall not impede, for the matters covered by this Regulation, the making available on the market of products with digital elements which comply with this Regulation.

2.   At trade fairs, exhibitions, demonstrations or similar events, Member States shall not prevent the presentation or use of a product with digital elements which does not comply with this Regulation, including its prototypes, provided that the product is presented with a visible sign clearly indicating that it does not comply with this Regulation and that it is not to be made available on the market until it does so.

3.   Member States shall not prevent the making available on the market of unfinished software which does not comply with this Regulation, provided that the software is made available only for a limited period required for testing purposes with a visible sign clearly indicating that it does not comply with this Regulation and that it will not be available on the market for purposes other than testing.

4.   Paragraph 3 does not apply to safety components as referred to in Union harmonisation legislation other than this Regulation.

Article 5

Procurement or use of products with digital elements

1.   This Regulation shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes.

2.   Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential cybersecurity requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.

Article 6

Requirements for products with digital elements

Products with digital elements shall be made available on the market only where:

(a)

they meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed; and

(b)

the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

Article 7

Important products with digital elements

1.   Products with digital elements which have the core functionality of a product category set out in Annex III shall be considered to be important products with digital elements and shall be subject to the conformity assessment procedures referred to in Article 32(2) and (3). The integration of a product with digital elements which has the core functionality of a product category set out in Annex III shall not in itself render the product in which it is integrated subject to the conformity assessment procedures referred to in Article 32(2) and (3).

2.   The categories of products with digital elements referred to in paragraph 1 of this Article, divided into classes I and II as set out in Annex III, meet at least one of the following criteria:

(a)

the product with digital elements primarily performs functions critical to the cybersecurity of other products, networks or services, including securing authentication and access, intrusion prevention and detection, end-point security or network protection;

(b)

the product with digital elements performs a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products or to the health, security or safety of its users through direct manipulation, such as a central system function, including network management, configuration control, virtualisation or processing of personal data.

3.   The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex III by including in the list a new category within each class of the categories of products with digital elements and specifying its definition, moving a category of products from one class to the other or withdrawing an existing category from that list. When assessing the need to amend the list set out in Annex III, the Commission shall take into account the cybersecurity-related functionalities or the function and the level of cybersecurity risk posed by the products with digital elements as set out by the criteria referred to in paragraph 2 of this Article.

The delegated acts referred to in the first subparagraph of this paragraph shall, where appropriate, provide for a minimum transitional period of 12 months, in particular where a new category of important products with digital elements is added to class I or II or is moved from class I to II as set out in Annex III, before the relevant conformity assessment procedures as referred to in Article 32(2) and (3) start applying, unless a shorter transitional period is justified on imperative grounds of urgency.

4.   By 11 December 2025, the Commission shall adopt an implementing act specifying the technical description of the categories of products with digital elements under classes I and II as set out in Annex III and the technical description of the categories of products with digital elements as set out in Annex IV. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 8

Critical products with digital elements

1.   The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation to determine which products with digital elements that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity certificate at assurance level at least ‘substantial’ under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity certification scheme covering those categories of products with digital elements has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers. Those delegated acts shall specify the required assurance level that shall be proportionate to the level of cybersecurity risk associated with the products with digital elements and shall take account of their intended purpose, including the critical dependency on them by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555.

Before adopting such delegated acts, the Commission shall carry out an assessment of the potential market impact of the envisaged measures and shall carry out consultations with relevant stakeholders, including the European Cybersecurity Certification Group established under Regulation (EU) 2019/881. The assessment shall take into account the readiness and the capacity level of the Member States for the implementation of the relevant European cybersecurity certification scheme. Where no delegated acts as referred to in the first subparagraph of this paragraph have been adopted, products with digital elements which have the core functionality of a product category as set out in Annex IV shall be subject to the conformity assessment procedures referred to in Article 32(3).

The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.

2.   The Commission is empowered to adopt delegated acts in accordance with Article 61 to amend Annex IV by adding or withdrawing categories of critical products with digital elements. When determining such categories of critical products with digital elements and the required assurance level, in accordance with paragraph 1 of this Article, the Commission shall take into account the criteria referred to in Article 7(2) and ensure that the categories of products with digital elements meet at least one of the following criteria:

(a)

there is a critical dependency of essential entities as referred to in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements;

(b)

incidents and exploited vulnerabilities concerning the category of products with digital elements could lead to serious disruptions of critical supply chains across the internal market.

Before adopting such delegated acts, the Commission shall carry out an assessment of the type referred to in paragraph 1.

The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.

Article 9

Stakeholder consultation

1.   When preparing measures for the implementation of this Regulation, the Commission shall consult and take into account the views of relevant stakeholders, such as relevant Member State authorities, private sector undertakings, including microenterprises and small and medium-sized enterprises, the open-source software community, consumer associations, academia, and relevant Union agencies and bodies as well as expert groups established at Union level. In particular, the Commission shall, in a structured manner, where appropriate, consult and seek the views of those stakeholders when:

(a)

preparing the guidance referred to in Article 26;

(b)

preparing the technical descriptions of the product categories set out in Annex III in accordance with Article 7(4), assessing the need for potential updates of the list of product categories in accordance with Article 7(3) and Article 8(2), or carrying out the assessment of the potential market impact referred to in Article 8(1), without prejudice to Article 61;

(c)

undertaking preparatory work for the evaluation and review of this Regulation.

2.   The Commission shall organise regular consultation and information sessions, at least once a year, to gather the views of the stakeholders referred to in paragraph 1 on the implementation of this Regulation.

Article 10

Enhancing skills in a cyber resilient digital environment

For the purposes of this Regulation and in order to respond to the needs of professionals in support of the implementation of this Regulation, Member States with, where appropriate, the support of the Commission, the European Cybersecurity Competence Centre and ENISA, while fully respecting the responsibility of the Member States in the education field, shall promote measures and strategies aiming to:

(a)

develop cybersecurity skills and create organisational and technological tools to ensure sufficient availability of skilled professionals in order to support the activities of the market surveillance authorities and conformity assessment bodies;

(b)

increase collaboration between the private sector, economic operators, including via re-skilling or up-skilling for manufacturers’ employees, consumers, training providers as well as public administrations, thereby expanding the options for young people to access jobs in the cybersecurity sector.

Article 11

General product safety

By way of derogation from Article 2(1), third subparagraph, point (b), of Regulation (EU) 2023/988, Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of that Regulation shall apply to products with digital elements with respect to aspects and risks or categories of risks that are not covered by this Regulation where those products are not subject to specific safety requirements laid down in other ‘Union harmonisation legislation’ as defined in Article 3, point (27), of Regulation (EU) 2023/988.

Article 12

High-risk AI systems

1.   Without prejudice to the requirements relating to accuracy and robustness set out in Article 15 of Regulation (EU) 2024/1689, products with digital elements which fall within the scope of this Regulation and which are classified as high-risk AI systems pursuant to Article 6 of that Regulation shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where:

(a)

those products fulfil the essential cybersecurity requirements set out in Part I of Annex I;

(b)

the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I; and

(c)

the achievement of the level of cybersecurity protection required under Article 15 of Regulation (EU) 2024/1689 is demonstrated in the EU declaration of conformity issued under this Regulation.

2.   For the products with digital elements and cybersecurity requirements referred to in paragraph 1 of this Article, the relevant conformity assessment procedure provided for in Article 43 of Regulation (EU) 2024/1689 shall apply. For the purposes of that assessment, notified bodies which are competent to control the conformity of the high-risk AI systems under Regulation (EU) 2024/1689 shall also be competent to control the conformity of high-risk AI systems which fall within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 39 of this Regulation has been assessed in the context of the notification procedure under Regulation (EU) 2024/1689.

3.   By way of derogation from paragraph 2 of this Article, important products with digital elements as listed in Annex III to this Regulation, which are subject to the conformity assessment procedures referred to in Article 32(2), points (a) and (b), and Article 32(3) of this Regulation and critical products with digital elements as listed in Annex IV to this Regulation which are required to obtain a European cybersecurity certificate pursuant to Article 8(1) of this Regulation or, absent that, which are subject to the conformity assessment procedures referred to in Article 32(3) of this Regulation, and which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, and to which the conformity assessment procedure based on internal control as referred to in Annex VI to Regulation (EU) 2024/1689 applies, shall be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned.

4.   Manufacturers of products with digital elements as referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in Article 57 of Regulation (EU) 2024/1689.

CHAPTER II

OBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWARE

Article 13

Obligations of manufacturers

1.   When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Part I of Annex I.

2.   For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.

3.   The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.

4.   When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecurity requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.

5.   For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity.

6.   Manufacturers shall, upon identifying a vulnerability in a component, including in an open-source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.

7.   The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.

8.   Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I.

Manufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and the Commission. The matters to be taken into account in order to determine the support period shall be considered in a manner that ensures proportionality.

Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time.

Taking into account ADCO recommendations as referred to in Article 52(16), the Commission may adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods.

Manufacturers shall include the information that was taken into account to determine the support period of a product with digital elements in the technical documentation as set out in Annex VII.

Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Part II, point (5), of Annex I to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.

9.   Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer.

10.   Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, that manufacturer may ensure compliance with the essential cybersecurity requirement set out in Part II, point (2), of Annex I only for the version that it has last placed on the market, provided that the users of the versions that were previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product.

11.   Manufacturers may maintain public software archives enhancing user access to historical versions. In those cases, users shall be clearly informed in an easily accessible manner about risks associated with using unsupported software.

12.   Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31.

They shall carry out the chosen conformity assessment procedures as referred to in Article 32 or have them carried out.

Where compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE marking in accordance with Article 30.

13.   Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

14.   Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity with this Regulation. Manufacturers shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or common specifications as referred to in Article 27 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.

15.   Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.

16.   Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

17.   For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities of the product with digital elements.

Manufacturers shall ensure that the single point of contact is easily identifiable by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II.

The single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools.

18.   Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

19.   Manufacturers shall ensure that the end date of the support period referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elements, its packaging or by digital means.

Where technically feasible in light of the nature of the product with digital elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period.

20.   Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.

21.   From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, or to withdraw or recall the product, as appropriate.

22.   Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements which they have placed on the market.

23.   A manufacturer that ceases its operations and, as a result, is not able to comply with this Regulation shall inform, before the cessation of operations takes effect, the relevant market surveillance authorities as well as, by any means available and to the extent possible, the users of the relevant products with digital elements placed on the market, of the impending cessation of operations.

24.   The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

25.   In order to assess the dependence of Member States and of the Union as a whole on software components and in particular on components qualifying as free and open-source software, ADCO may decide to conduct a Union-wide dependency assessment for specific categories of products with digital elements. For that purpose, market surveillance authorities may request manufacturers of such categories of products with digital elements to provide the relevant software bills of materials as referred to in Part II, point (1), of Annex I. On the basis of such information, the market surveillance authorities may provide ADCO with anonymised and aggregated information about software dependencies. ADCO shall submit a report on the results of the dependency assessment to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

Article 14

Reporting obligations of manufacturers

1.   A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.

2.   For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:

(a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

(c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:

(i) a description of the vulnerability, including its severity and impact;

(ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability;

(iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

3.   A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.

4.   For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

(i) a detailed description of the incident, including its severity and impact;

(ii) the type of threat or root cause that is likely to have triggered the incident;

(iii) applied and ongoing mitigation measures.

5.   For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where:

(a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

(b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.

6.   Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements.

7.   The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located.

In relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

8.   After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

9.   By 11 December 2025, the Commission shall adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications as referred to in Article 16(2) of this Regulation. The Commission shall cooperate with the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555 and ENISA in preparing the draft delegated acts.

10.   The Commission may, by means of implementing acts, specify further the format and procedures of the notifications referred to in this Article as well as in Articles 15 and 16. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2). The Commission shall cooperate with the CSIRTs network and ENISA in preparing those draft implementing acts.

Article 15

Voluntary reporting

1.   Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.

2.   Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.

3.   The CSIRT designated as coordinator or ENISA shall process the notifications referred to in paragraphs 1 and 2 of this Article in accordance with the procedure laid down in Article 16.

The CSIRT designated as coordinator may prioritise the processing of mandatory notifications over voluntary notifications.

4.   Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraph 1 or 2, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.

5.   The CSIRTs designated as coordinators as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by a notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon a notifying natural or legal person to which it would not have been subject had it not submitted the notification.

Article 16

Establishment of a single reporting platform

1.   For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) and in order to simplify the reporting obligations of manufacturers, a single reporting platform shall be established by ENISA. The day-to-day operations of that single reporting platform shall be managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points.

2.   After receiving a notification, the CSIRT designated as coordinator initially receiving the notification shall, without delay, disseminate the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer has indicated that the product with digital elements has been made available.

In exceptional circumstances and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity-related grounds for a period of time that is strictly necessary, including where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. ENISA may support the CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification.

In particularly exceptional circumstances, where the manufacturer indicates in the notification referred to in Article 14(2), point (b):

(a) that the notified vulnerability has been actively exploited by a malicious actor and, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator to which the manufacturer has notified the vulnerability;

(b) that any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State; or

(c) that the notified vulnerability poses an imminent high cybersecurity risk stemming from the further dissemination;

only the information that a notification was made by the manufacturer, the general information about the product, the information on the general nature of the exploit and the information that security related grounds were raised are to be made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.

3.   After receiving a notification of an actively exploited vulnerability in a product with digital elements or of a severe incident having an impact on the security of a product with digital elements, the CSIRTs designated as coordinators shall provide the market surveillance authorities of their respective Member States with the notified information necessary for the market surveillance authorities to fulfil their obligations under this Regulation.

4.   ENISA shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the single reporting platform and the information submitted or disseminated via the single reporting platform. It shall notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network as well as to the Commission.

5.   ENISA, in cooperation with the CSIRTs network, shall provide and implement specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the electronic notification end-points set up by the CSIRTs designated as coordinators at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerability has no corrective or mitigating measures available, information about that vulnerability is shared in line with strict security protocols and on a need-to-know basis.

6.   Where a CSIRT designated as coordinator has been made aware of an actively exploited vulnerability as part of a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinator initially receiving the notification may delay the dissemination of the relevant notification via the single reporting platform based on justified cybersecurity-related grounds for a period that is no longer than is strictly necessary and until consent for disclosure by the involved coordinated vulnerability disclosure parties is given. That requirement shall not prevent manufacturers from notifying such a vulnerability on a voluntary basis in accordance with the procedure laid down in this Article.

Article 17

Other provisions related to reporting

1.   ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.

2.   Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.

3.   ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.

4.   The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.

5.   After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

6.   The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.

Article 18

Authorised representatives

1.   A manufacturer may, by a written mandate, appoint an authorised representative.

2.   The obligations laid down in Article 13(1) to (11), Article 13(12), first subparagraph, and Article 13(14) shall not form part of the authorised representative’s mandate.

3.   An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The authorised representative shall provide a copy of the mandate to the market surveillance authorities upon request. The mandate shall allow the authorised representative to do at least the following:

(a) keep the EU declaration of conformity referred to in Article 28 and the technical documentation referred to in Article 31 at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer;

(b) further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the product with digital elements;

(c) cooperate with the market surveillance authorities, at their request, on any action taken to eliminate the risks posed by a product with digital elements covered by the authorised representative’s mandate.

Article 19

Obligations of importers

1.   Importers shall place on the market only products with digital elements that comply with the essential cybersecurity requirements set out in Part I of Annex I and where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

2.   Before placing a product with digital elements on the market, importers shall ensure that:

(a) the appropriate conformity assessment procedures as referred to in Article 32 have been carried out by the manufacturer;

(b) the manufacturer has drawn up the technical documentation;

(c) the product with digital elements bears the CE marking referred to in Article 30 and is accompanied by the EU declaration of conformity referred to in Article 13(20) and the information and instructions to the user as set out in Annex II in a language which can be easily understood by users and market surveillance authorities;

(d) the manufacturer has complied with the requirements set out in Article 13(15), (16) and (19).

For the purposes of this paragraph, importers shall be able to provide the necessary documents proving the fulfilment of the requirements set out in this Article.

3.   Where an importer considers or has reason to believe that a product with digital elements or the processes put in place by the manufacturer are not in conformity with this Regulation, the importer shall not place the product on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect.

Where an importer has reason to believe that a product with digital elements may present a significant cybersecurity risk in light of non-technical risk factors, the importer shall inform the market surveillance authorities to that effect. Upon receipt of such information, the market surveillance authorities shall follow the procedures referred to in Article 54(2).

4.   Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities.

5.   Importers who know or have reason to believe that a product with digital elements which they have placed on the market is not in conformity with this Regulation shall immediately take the corrective measures necessary to ensure that the product with digital elements is brought into conformity with this Regulation, or to withdraw or recall the product, if appropriate.

Upon becoming aware of a vulnerability in the product with digital elements, importers shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, importers shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of non-compliance and of any corrective measures taken.

6.   Importers shall, for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep a copy of the EU declaration of conformity at the disposal of the market surveillance authorities and ensure that the technical documentation can be made available to those authorities, upon request.

7.   Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I as well as of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements, which they have placed on the market.

8.   Where the importer of a product with digital elements becomes aware that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the importer shall inform the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

Article 20

Obligations of distributors

1.   When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation.

2.   Before making a product with digital elements available on the market, distributors shall verify that:

(a) the product with digital elements bears the CE marking;

(b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor.

3.   Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect.

4.   Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken.

Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken.

5.   Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market.

6.   Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market.

Article 21

Cases in which obligations of manufacturers apply to importers and distributors

An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market.

Article 22

Other cases in which obligations of manufacturers apply

1.   A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of a product with digital elements and makes that product available on the market, shall be considered to be a manufacturer for the purposes of this Regulation.

2.   The person referred to in paragraph 1 of this Article shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product.

Article 23

Identification of economic operators

1.   Economic operators shall, on request, provide the market surveillance authorities with the following information:

(a) the name and address of any economic operator who has supplied them with a product with digital elements;

(b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements.

2.   Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.

Article 24

Obligations of open-source software stewards

1.   Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.

2.   Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.

Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form.

3.   The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.

Article 25

Security attestation of free and open-source software

In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.

Article 26

Guidance

1.   In order to facilitate implementation and ensure the consistency of such implementation, the Commission shall publish guidance to assist economic operators in applying this Regulation, with a particular focus on facilitating compliance by microenterprises and small and medium-sized enterprises.

2.   Where it intends to provide guidance as referred to in paragraph 1, the Commission shall address at least the following aspects:

(a) the scope of this Regulation, with a particular focus on remote data processing solutions and free and open-source software;

(b) the application of support periods in relation to particular categories of products with digital elements;

(c) guidance targeted at manufacturers subject to this Regulation that are also subject to Union harmonisation legislation other than this Regulation or to other related Union legal acts;

(d) the concept of substantial modification.

The Commission shall also maintain an easy-to-access list of the delegated and implementing acts adopted pursuant to this Regulation.

3.   When preparing the guidance pursuant to this Article, the Commission shall consult relevant stakeholders.

CHAPTER III

CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS

Article 27

Presumption of conformity

1.   Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.

The Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.

2.   The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation.

Those implementing acts shall be adopted only where the following conditions are fulfilled:

(a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and:

(i) the request has not been accepted;

(ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or

(iii) the harmonised standards do not comply with the request; and

(b) no reference to harmonised standards covering the relevant essential cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

3.   Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.

4.   When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.

5.   Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.

6.   Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.

7.   Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

8.   Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.

9.   The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, the issuance of a European cybersecurity certificate issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), points (a) and (b), and Article 32(3), points (a) and (b), of this Regulation.

Article 28

EU declaration of conformity

1.   The EU declaration of conformity shall be drawn up by manufacturers in accordance with Article 13(12) and state that the fulfilment of the applicable essential cybersecurity requirements set out in Annex I has been demonstrated.

2.   The EU declaration of conformity shall have the model structure set out in Annex V and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VIII. Such a declaration shall be updated as appropriate. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

The simplified EU declaration of conformity referred to in Article 13(20) shall have the model structure set out in Annex VI. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

3.   Where a product with digital elements is subject to more than one Union legal act requiring an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all such Union legal acts. That declaration shall contain the identification of the Union legal acts concerned, including their publication references.

4.   By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the product with digital elements.

5.   The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to the minimum content of the EU declaration of conformity set out in Annex V to take account of technological developments.

Article 29

General principles of the CE marking

The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.

Article 30

Rules and conditions for affixing the CE marking

1.   The CE marking shall be affixed visibly, legibly and indelibly to the product with digital elements. Where that is not possible or not warranted on account of the nature of the product with digital elements, it shall be affixed to the packaging and to the EU declaration of conformity referred to in Article 28 accompanying the product with digital elements. For products with digital elements which are in the form of software, the CE marking shall be affixed either to the EU declaration of conformity referred to in Article 28 or on the website accompanying the software product. In the latter case, the relevant section of the website shall be easily and directly accessible to consumers.

2.   On account of the nature of the product with digital elements, the height of the CE marking affixed to the product with digital elements may be lower than 5 mm, provided that it remains visible and legible.

3.   The CE marking shall be affixed before the product with digital elements is placed on the market. It may be followed by a pictogram or any other mark indicating a special cybersecurity risk or use set out in the implementing acts referred to in paragraph 6.

4.   The CE marking shall be followed by the identification number of the notified body, where that body is involved in the conformity assessment procedure based on full quality assurance (based on module H) referred to in Article 32.

The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the manufacturer or the manufacturer’s authorised representative.

5.   Member States shall build upon existing mechanisms to ensure correct application of the regime governing the CE marking and shall take appropriate action in the event of improper use of that marking. Where the product with digital elements is subject to Union harmonisation legislation, other than this Regulation, which also provides for the affixing of the CE marking, the CE marking shall indicate that the product also fulfils the requirements set out in such other Union harmonisation legislation.

6.   The Commission may, by means of implementing acts, lay down technical specifications for labels, pictograms or any other marks related to the security of the products with digital elements, their support periods and mechanisms to promote their use and to increase public awareness about the security of products with digital elements. When preparing the draft implementing acts, the Commission shall consult relevant stakeholders, and, if it has already been established pursuant to Article 52(15), ADCO. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 31

Technical documentation

1.   The technical documentation shall contain all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Annex I. It shall at least contain the elements set out in Annex VII.

2.   The technical documentation shall be drawn up before the product with digital elements is placed on the market and shall be continuously updated, where appropriate, at least during the support period.

3.   For products with digital elements as referred to in Article 12, which are also subject to other Union legal acts which provide for technical documentation, a single set of technical documentation shall be drawn up containing the information referred to in Annex VII and the information required by those Union legal acts.

4.   The technical documentation and correspondence relating to any conformity assessment procedure shall be drawn up in an official language of the Member State in which the notified body is established or in a language acceptable to that body.

5.   The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to be included in the technical documentation set out in Annex VII to take account of technological developments, as well as developments encountered in the implementation process of this Regulation. To that end, the Commission shall strive to ensure that the administrative burden on microenterprises and small and medium-sized enterprises is proportionate.

Article 32

Conformity assessment procedures for products with digital elements

1.   The manufacturer shall perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements set out in Annex I are met. The manufacturer shall demonstrate conformity with the essential cybersecurity requirements by using any of the following procedures:

(a) the internal control procedure (based on module A) set out in Annex VIII;

(b) the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;

(c) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or

(d) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9).

2.   Where, in assessing the compliance of an important product with digital elements that falls under class I as set out in Annex III and the processes put in place by its manufacturer with the essential cybersecurity requirements set out in Annex I, the manufacturer has not applied or has applied only in part harmonised standards, common specifications or European cybersecurity certification schemes at assurance level at least ‘substantial’ as referred to in Article 27, or where such harmonised standards, common specifications or European cybersecurity certification schemes do not exist, the product with digital elements concerned and the processes put in place by the manufacturer shall be submitted with regard to those essential cybersecurity requirements to either of the following procedures:

(a) the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; or

(b) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII.

3.   Where the product is an important product with digital elements that falls under class II as set out in Annex III, the manufacturer shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using any of the following procedures:

(a) EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;

(b) a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII; or

(c) where available and applicable, a European cybersecurity certification scheme pursuant to Article 27(9) of this Regulation at assurance level at least ‘substantial’ pursuant to Regulation (EU) 2019/881.

4.   Critical products with digital elements listed in Annex IV shall demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the following procedures:

(a) a European cybersecurity certification scheme in accordance with Article 8(1); or

(b) where the conditions in Article 8(1) are not met, any of the procedures referred to in paragraph 3 of this Article.

5.   Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.

6.   The specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups, shall be taken into account when setting the fees for conformity assessment procedures and those fees shall be reduced proportionately to their specific interests and needs.

Article 33

Support measures for microenterprises and small and medium-sized enterprises, including start-ups

1.   Member States shall, where appropriate, undertake the following actions, tailored to the needs of microenterprises and small enterprises:

(a) organise specific awareness-raising and training activities about the application of this Regulation;

(b) establish a dedicated channel for communication with microenterprises and small enterprises and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation;

(c) support testing and conformity assessment activities, including where relevant with the support of the European Cybersecurity Competence Centre.

2.   Member States may, where appropriate, establish cyber resilience regulatory sandboxes. Such regulatory sandboxes shall provide for controlled testing environments for innovative products with digital elements to facilitate their development, design, validation and testing for the purpose of complying with this Regulation for a limited period of time before the placing on the market. The Commission and, where appropriate, ENISA, may provide technical support, advice and tools for the establishment and operation of regulatory sandboxes. The regulatory sandboxes shall be set up under the direct supervision, guidance and support by the market surveillance authorities. Member States shall inform the Commission and the other market surveillance authorities of the establishment of a regulatory sandbox through ADCO. The regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Member States shall ensure open, fair, and transparent access to regulatory sandboxes, and in particular facilitate access by microenterprises and small enterprises, including start-ups.

3.   In accordance with Article 26, the Commission shall provide guidance for microenterprises and small and medium-sized enterprises in relation to the implementation of this Regulation.

4.   The Commission shall advertise available financial support in the regulatory framework of existing Union programmes, in particular in order to ease the financial burden on microenterprises and small enterprises.

5.   Microenterprises and small enterprises may provide all elements of the technical documentation specified in Annex VII by using a simplified format. For that purpose, the Commission shall, by means of implementing acts, specify the simplified technical documentation form targeted at the needs of microenterprises and small enterprises, including how the elements set out in Annex VII are to be provided. Where a microenterprise or small enterprise opts to provide the information set out in Annex VII in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept that form for the purposes of conformity assessment.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

Article 34

Mutual recognition agreements

Taking into account the level of technical development and the approach on conformity assessment of a third country, the Union may conclude Mutual Recognition Agreements with third countries, in accordance with Article 218 TFEU, in order to promote and facilitate international trade.

CHAPTER IV

NOTIFICATION OF CONFORMITY ASSESSMENT BODIES

Article 35

Notification

1.   Member States shall notify the Commission and the other Member States of bodies authorised to carry out conformity assessments in accordance with this Regulation.

2.   Member States shall strive to ensure, by 11 December 2026, that there is a sufficient number of notified bodies in the Union to carry out conformity assessments, in order to avoid bottlenecks and hindrances to market entry.

Article 36

Notifying authorities

1.   Each Member State shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and their monitoring, including compliance with Article 41.

2.   Member States may decide that the assessment and monitoring referred to in paragraph 1 shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.

3.   Where the notifying authority delegates or otherwise entrusts the assessment, notification or monitoring referred to in paragraph 1 of this Article to a body which is not a governmental entity, that body shall be a legal entity and shall comply mutatis mutandis with Article 37. In addition, it shall have arrangements in place to cover liabilities arising from its activities.

4.   The notifying authority shall take full responsibility for the tasks performed by the body referred to in paragraph 3.

Article 37

Requirements relating to notifying authorities

1.   A notifying authority shall be established in such a way that no conflict of interest with conformity assessment bodies occurs.

2.   A notifying authority shall be organised and shall function so as to safeguard the objectivity and impartiality of its activities.

3.   A notifying authority shall be organised in such a way that each decision relating to notification of a conformity assessment body is taken by competent persons different from those who carried out the assessment.

4.   A notifying authority shall not offer or provide any activities that conformity assessment bodies perform or consultancy services on a commercial or competitive basis.

5.   A notifying authority shall safeguard the confidentiality of the information it obtains.

6.   A notifying authority shall have a sufficient number of competent personnel at its disposal for the proper performance of its tasks.

Article 38

Information obligation on notifying authorities

1.   Member States shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of any changes thereto.

2.   The Commission shall make the information referred to in paragraph 1 publicly available.

Article 39

Requirements relating to notified bodies

1.   For the purposes of notification, a conformity assessment body shall meet the requirements laid down in paragraphs 2 to 12.

2.   A conformity assessment body shall be established under national law and have legal personality.

3.   A conformity assessment body shall be a third-party body independent of the organisation or the product with digital elements it assesses.

A body belonging to a business association or professional federation representing undertakings involved in the design, development, production, provision, assembly, use or maintenance of products with digital elements which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered to be such a third-party body.

4.   A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be the designer, developer, manufacturer, supplier, importer, distributor, installer, purchaser, owner, user or maintainer of the products with digital elements which they assess, nor the authorised representative of any of those parties. This shall not preclude the use of assessed products that are necessary for the operations of the conformity assessment body or the use of such products for personal purposes.

A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, development, production, import, distribution, the marketing, installation, use or maintenance of the products with digital elements which they assess, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall in particular apply to consultancy services.

Conformity assessment bodies shall ensure that the activities of their subsidiaries or subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.

5.   Conformity assessment bodies and their personnel shall carry out the conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field and shall be free from all pressures and inducements, particularly financial, which might influence their judgement or the results of their conformity assessment activities, especially as regards persons or groups of persons with an interest in the results of those activities.

6.   A conformity assessment body shall be capable of carrying out all the conformity assessment tasks referred to in Annex VIII and in relation to which it has been notified, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility.

At all times and for each conformity assessment procedure and each kind or category of products with digital elements in relation to which it has been notified, a conformity assessment body shall have at its disposal the necessary:

(a) personnel with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;

(b) descriptions of procedures in accordance with which conformity assessment is to be carried out, ensuring the transparency of and ability to reproduce those procedures. It shall have appropriate policies and procedures in place that distinguish between tasks it carries out as a notified body and other activities;

(c) procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the product technology in question and the mass or serial nature of the production process.

A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner and shall have access to all necessary equipment or facilities.

7.   The personnel responsible for carrying out conformity assessment activities shall have the following:

(a) sound technical and vocational training covering all the conformity assessment activities in relation to which the conformity assessment body has been notified;

(b) satisfactory knowledge of the requirements of the assessments they carry out and adequate authority to carry out those assessments;

(c) appropriate knowledge and understanding of the essential cybersecurity requirements set out in Annex I, of the applicable harmonised standards and common specifications, and of the relevant provisions of Union harmonisation legislation and implementing acts;

(d) the ability to draw up certificates, records and reports demonstrating that assessments have been carried out.

8.   The impartiality of the conformity assessment bodies, their top level management and of the assessment personnel shall be guaranteed.

The remuneration of the top level management and assessment personnel of a conformity assessment body shall not depend on the number of assessments carried out or on the results of those assessments.

9.   Conformity assessment bodies shall take out liability insurance unless liability is assumed by their Member State in accordance with national law, or the Member State itself is directly responsible for the conformity assessment.

10.   The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out their tasks under Annex VIII or any provision of national law giving effect to it, except in relation to the market surveillance authorities of the Member State in which its activities are carried out. Proprietary rights shall be protected. The conformity assessment body shall have documented procedures ensuring compliance with this paragraph.

11.   Conformity assessment bodies shall participate in, or ensure that their assessment personnel are informed of, the relevant standardisation activities and the activities of the notified body coordination group established under Article 51 and apply as general guidance the administrative decisions and documents produced as a result of the work of that group.

12.   Conformity assessment bodies shall operate in accordance with a set of consistent, fair, proportionate and reasonable terms and conditions, while avoiding unnecessary burden for economic operators, in particular taking into account the interests of microenterprises and small and medium-sized enterprises in relation to fees.

Article 40

Presumption of conformity of notified bodies

Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union it shall be presumed to comply with the requirements set out in Article 39 in so far as the applicable harmonised standards cover those requirements.

Article 41

Subsidiaries of and subcontracting by notified bodies

1.   Where a notified body subcontracts specific tasks connected with conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements set out in Article 39 and shall inform the notifying authority accordingly.

2.   Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever they are established.

3.   Activities may be subcontracted or carried out by a subsidiary only with the agreement of the manufacturer.

4.   Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.

Article 42

Application for notification

1.   A conformity assessment body shall submit an application for notification to the notifying authority of the Member State in which it is established.

2.   That application shall be accompanied by a description of the conformity assessment activities, the conformity assessment procedure or procedures and the product or products with digital elements for which that body claims to be competent, as well as, where applicable, by an accreditation certificate issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 39.

3.   Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 39.

Article 43

Notification procedure

1.   Notifying authorities shall notify only conformity assessment bodies which have satisfied the requirements laid down in Article 39.

2.   The notifying authority shall notify the Commission and the other Member States using the New Approach Notified and Designated Organisations information system developed and managed by the Commission.

3.   The notification shall include full details of the conformity assessment activities, the conformity assessment module or modules and product or products with digital elements concerned and the relevant attestation of competence.

4.   Where a notification is not based on an accreditation certificate as referred to in Article 42(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 39.

5.   The body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification where an accreditation certificate is used or within two months of a notification where accreditation is not used.

Only such a body shall be considered to be a notified body for the purposes of this Regulation.

6.   The Commission and the other Member States shall be notified of any subsequent relevant changes to the notification.

Article 44

Identification numbers and lists of notified bodies

1.   The Commission shall assign an identification number to a notified body.

It shall assign a single such number even where the body is notified under several Union legal acts.

2.   The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been allocated to them and the activities for which they have been notified.

The Commission shall ensure that that list is kept up to date.

Article 45

Changes to notifications

1.   Where a notifying authority has ascertained or has been informed that a notified body no longer meets the requirements laid down in Article 39, or that it is failing to fulfil its obligations, the notifying authority shall restrict, suspend or withdraw notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.

2.   In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying Member State shall take appropriate steps to ensure that the files of that body are either processed by another notified body or kept available for the responsible notifying and market surveillance authorities at their request.

Article 46

Challenge of the competence of notified bodies

1.   The Commission shall investigate all cases where it doubts, or where doubt is brought to its attention regarding, the competence of a notified body to meet, or the continued fulfilment by a notified body of, the requirements and responsibilities to which it is subject.

2.   The notifying Member State shall provide the Commission, on request, with all information relating to the basis for the notification or the maintenance of the competence of the body concerned.

3.   The Commission shall ensure that all sensitive information obtained in the course of its investigations is treated confidentially.

4.   Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall inform the notifying Member State accordingly and request it to take the necessary corrective measures, including de-notification if necessary.

Article 47

Operational obligations of notified bodies

1.   Notified bodies shall carry out conformity assessments in accordance with the conformity assessment procedures provided for in Article 32 and Annex VIII.

2.   Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. Conformity assessment bodies shall perform their activities taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises, the sector in which they operate, their structure, their degree of complexity and the cybersecurity risk level of the products with digital elements and technology in question and the mass or serial nature of the production process.

3.   Notified bodies shall however respect the degree of rigour and the level of protection required for the compliance of products with digital elements with this Regulation.

4.   Where a notified body finds that the requirements set out in Annex I or in corresponding harmonised standards or common specifications as referred to in Article 27 have not been met by a manufacturer, it shall require that manufacturer to take appropriate corrective measures and shall not issue a certificate of conformity.

5.   Where, in the course of the monitoring of conformity following the issuance of a certificate, a notified body finds that a product with digital elements no longer complies with the requirements laid down in this Regulation, it shall require the manufacturer to take appropriate corrective measures and shall suspend or withdraw the certificate if necessary.

6.   Where corrective measures are not taken or do not have the required effect, the notified body shall restrict, suspend or withdraw any certificates, as appropriate.

Article 48

Appeal against decisions of notified bodies

Member States shall ensure that an appeal procedure against decisions of the notified bodies is available.

Article 49

Information obligation on notified bodies

1.   Notified bodies shall inform the notifying authority of the following:

(a) any refusal, restriction, suspension or withdrawal of a certificate;

(b) any circumstances affecting the scope of and conditions for notification;

(c) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(d) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.

2.   Notified bodies shall provide the other bodies notified under this Regulation carrying out similar conformity assessment activities covering the same products with digital elements with relevant information on issues relating to negative and, upon request, positive conformity assessment results.

Article 50

Exchange of experience

The Commission shall provide for the organisation of the exchange of experience between the Member States’ national authorities responsible for notification policy.

Article 51

Coordination of notified bodies

1.   The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place and properly operated in the form of a cross-sectoral group of notified bodies.

2.   Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.

CHAPTER V

MARKET SURVEILLANCE AND ENFORCEMENT

Article 52

Market surveillance and control of products with digital elements in the Union market

1.   Regulation (EU) 2019/1020 shall apply to products with digital elements that fall within the scope of this Regulation.

2.   Each Member State shall designate one or more market surveillance authorities for the purpose of ensuring the effective implementation of this Regulation. Member States may designate an existing or new authority to act as market surveillance authority for this Regulation.

3.   The market surveillance authorities designated under paragraph 2 of this Article shall also be responsible for carrying out market surveillance activities in relation to the obligations for open-source software stewards laid down in Article 24. Where a market surveillance authority finds that an open-source software steward does not comply with the obligations set out in that Article, it shall require the open-source software steward to ensure that all appropriate corrective actions are taken. Open-source software stewards shall ensure that all appropriate corrective action is taken in respect of their obligations under this Regulation.

4.   Where relevant, the market surveillance authorities shall cooperate with the national cybersecurity certification authorities designated pursuant to Article 58 of Regulation (EU) 2019/881 and exchange information on a regular basis. With respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, the designated market surveillance authorities shall cooperate and exchange information on a regular basis with the CSIRTs designated as coordinators and ENISA.

5.   The market surveillance authorities may request a CSIRT designated as coordinator or ENISA to provide technical advice on matters related to the implementation and enforcement of this Regulation. When conducting an investigation under Article 54, market surveillance authorities may request the CSIRT designated as coordinator or ENISA to provide an analysis to support evaluations of compliance of products with digital elements.

6.   Where relevant, the market surveillance authorities shall cooperate with other market surveillance authorities designated on the basis of Union harmonisation legislation other than this Regulation, and exchange information on a regular basis.

7.   Market surveillance authorities shall cooperate, as appropriate, with the authorities supervising Union data protection law. Such cooperation includes informing those authorities of any finding relevant for the fulfilment of their competences, including when issuing guidance and advice pursuant to paragraph 10 if such guidance and advice concerns the processing of personal data.

Authorities supervising Union data protection law shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of their tasks. They shall inform the designated market surveillance authorities of the Member State concerned of any such request.

8.   Member States shall ensure that the designated market surveillance authorities are provided with adequate financial and technical resources, including, where appropriate, processing automation tools, as well as with human resources with the necessary cybersecurity skills to fulfil their tasks under this Regulation.

9.   The Commission shall encourage and facilitate the exchange of experience between designated market surveillance authorities.

10.   Market surveillance authorities may provide guidance and advice to economic operators on the implementation of this Regulation, with the support of the Commission and, where appropriate, CSIRTs and ENISA.

11.   Market surveillance authorities shall inform consumers of where to submit complaints that could indicate non-compliance with this Regulation, in accordance with Article 11 of Regulation (EU) 2019/1020, and shall provide information to consumers on where and how to access mechanisms to facilitate reporting of vulnerabilities, incidents and cyber threats that may affect products with digital elements.

12.   Market surveillance authorities shall facilitate, where relevant, the cooperation with relevant stakeholders, including scientific, research and consumer organisations.

13.   The market surveillance authorities shall report to the Commission on an annual basis the outcomes of relevant market surveillance activities. The designated market surveillance authorities shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union competition law.

14.   For products with digital elements that fall within the scope of this Regulation which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, the market surveillance authorities designated for the purposes of that Regulation shall be the authorities responsible for market surveillance activities required under this Regulation. The market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall cooperate, as appropriate, with the market surveillance authorities designated pursuant to this Regulation and, with respect to the supervision of the implementation of the reporting obligations pursuant to Article 14 of this Regulation, with the CSIRTs designated as coordinators and ENISA. Market surveillance authorities designated pursuant to Regulation (EU) 2024/1689 shall in particular inform market surveillance authorities designated pursuant to this Regulation of any finding relevant for the fulfilment of their tasks in relation to the implementation of this Regulation.

15.   ADCO shall be established for the uniform application of this Regulation, pursuant to Article 30(2) of Regulation (EU) 2019/1020. ADCO shall be composed of representatives of the designated market surveillance authorities and, if appropriate, representatives of single liaison offices. ADCO shall also address specific matters related to the market surveillance activities in relation to the obligations placed on open-source software stewards.

16.   Market surveillance authorities shall monitor how manufacturers have applied the criteria referred to in Article 13(8) when determining the support period of their products with digital elements.

ADCO shall publish in a publicly accessible and user-friendly form relevant statistics on categories of products with digital elements, including average support periods, as determined by the manufacturer pursuant to Article 13(8), as well as provide guidance that includes indicative support periods for categories of products with digital elements.

Where the data suggests inadequate support periods for specific categories of products with digital elements, ADCO may issue recommendations to market surveillance authorities to focus their activities on such categories of products with digital elements.

Article 53

Access to data and documentation

Where necessary to assess the conformity of products with digital elements and the processes put in place by their manufacturers with the essential cybersecurity requirements set out in Annex I, the market surveillance authorities shall, upon a reasoned request, be granted access to the data, in a language easily understood by them, required to assess the design, development, production and vulnerability handling of such products, including related internal documentation of the relevant economic operator.

Article 54

Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk

1.   Where the market surveillance authority of a Member State has sufficient reason to consider that a product with digital elements, including its vulnerability handling, presents a significant cybersecurity risk, it shall, without undue delay and, where appropriate, in cooperation with the relevant CSIRT, carry out an evaluation of the product with digital elements concerned in respect of its compliance with all the requirements laid down in this Regulation. The relevant economic operators shall cooperate with the market surveillance authority as necessary.

Where, in the course of that evaluation, the market surveillance authority finds that the product with digital elements does not comply with the requirements laid down in this Regulation, it shall without delay require the relevant economic operator to take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall it within a reasonable period, commensurate with the nature of the cybersecurity risk, as the market surveillance authority may prescribe.

The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the corrective actions.

2.   When determining the significance of a cybersecurity risk referred to in paragraph 1 of this Article, the market surveillance authorities shall also consider non-technical risk factors, in particular those established as a result of Union level coordinated security risk assessments of critical supply chains carried out in accordance with Article 22 of Directive (EU) 2022/2555. Where a market surveillance authority has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary.

3.   Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the economic operator to take.

4.   The economic operator shall ensure that all appropriate corrective action is taken in respect of all the products with digital elements concerned that it has made available on the market throughout the Union.

5.   Where the economic operator does not take adequate corrective action within the period referred to in paragraph 1, second subparagraph, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product with digital elements from being made available on its national market, to withdraw it from that market or to recall it.

That authority shall notify the Commission and the other Member States, without delay, of those measures.

6.   The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant product with digital elements, the origin of that product with digital elements, the nature of the alleged non-compliance and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authority shall indicate whether the non-compliance is due to one or more of the following:

(a) a failure of the product with digital elements or of the processes put in place by the manufacturer to meet the essential cybersecurity requirements set out in Annex I;

(b) shortcomings in the harmonised standards, European cybersecurity certification schemes or common specifications, as referred to in Article 27.

7.   The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the product with digital elements concerned, and, in the event of disagreement with the notified national measure, of their objections.

8.   Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed to be justified. This is without prejudice to the procedural rights of the economic operator concerned in accordance with Article 18 of Regulation (EU) 2019/1020.

9.   The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product with digital elements concerned, such as withdrawal of that product from their market, without delay.

Article 55

Union safeguard procedure

1.   Where, within three months of receipt of the notification referred to in Article 54(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and the economic operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within nine months from the notification referred to in Article 54(5) and notify that decision to the Member State concerned.

2.   If the national measure is considered to be justified, all Member States shall take the measures necessary to ensure that the non-compliant product with digital elements is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is not considered to be justified, the Member State concerned shall withdraw the measure.

3.   Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in the harmonised standards, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.

4.   Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in a European cybersecurity certification scheme as referred to in Article 27, the Commission shall consider whether to amend or repeal any delegated act adopted pursuant to Article 27(9) that specifies the presumption of conformity concerning that certification scheme.

5.   Where the national measure is considered to be justified and the non-compliance of the product with digital elements is attributed to shortcomings in common specifications as referred to in Article 27, the Commission shall consider whether to amend or repeal any implementing act adopted pursuant to Article 27(2) setting out those common specifications.

Article 56

Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk

1.   Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements that presents a significant cybersecurity risk does not comply with the requirements laid down in this Regulation, it shall inform the relevant market surveillance authorities. Where the market surveillance authorities carry out an evaluation of that product with digital elements that may present a significant cybersecurity risk in respect of its compliance with the requirements laid down in this Regulation, the procedures referred to in Articles 54 and 55 shall apply.

2.   Where the Commission has sufficient reason to consider that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, it shall inform the relevant market surveillance authorities and, where appropriate, the competent authorities designated or established pursuant to Article 8 of Directive (EU) 2022/2555 and cooperate with those authorities as necessary. The Commission shall also consider the relevance of the identified risks for that product with digital elements in view of its tasks regarding the Union level coordinated security risk assessments of critical supply chains provided for in Article 22 of Directive (EU) 2022/2555, and consult, as necessary, the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555 and ENISA.

3.   In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 1 remains non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the relevant market surveillance authorities, the Commission shall carry out an evaluation of compliance and may request ENISA to provide an analysis to support it. The Commission shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.

4.   Based on the evaluation referred to in paragraph 3, the Commission may decide that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

5.   On the basis of the consultation referred to in paragraph 4 of this Article, the Commission may adopt implementing acts to provide for corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

6.   The Commission shall immediately communicate the implementing acts referred to in paragraph 5 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

7.   Paragraphs 3 to 6 shall be applicable for the duration of the exceptional situation that justified the Commission’s intervention, provided that the product with digital elements concerned is not brought in compliance with this Regulation.

Article 57

Compliant products with digital elements which present a significant cybersecurity risk

1.   The market surveillance authority of a Member State shall require an economic operator to take all appropriate measures where, having performed an evaluation under Article 54, it finds that although a product with digital elements and the processes put in place by the manufacturer are in compliance with this Regulation, they present a significant cybersecurity risk as well as a risk to:

(a)

the health or safety of persons;

(b)

the compliance with obligations under Union or national law intended to protect fundamental rights;

(c)

the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555; or

(d)

other aspects of public interest protection.

The measures referred to in the first subparagraph may include measures to ensure that the product with digital elements concerned and the processes put in place by the manufacturer no longer present the relevant risks when made available on the market, withdrawal from the market of the product with digital elements concerned, or recalling of it, and shall be commensurate with the nature of those risks.

2.   The manufacturer or other relevant economic operators shall ensure that corrective action is taken in respect of the products with digital elements concerned that they have made available on the market throughout the Union within the timeline established by the market surveillance authority of the Member State referred to in paragraph 1.

3.   The Member State shall immediately inform the Commission and the other Member States about the measures taken pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the products with digital elements concerned, the origin and the supply chain of those products with digital elements, the nature of the risk involved and the nature and duration of the national measures taken.

4.   The Commission shall without delay enter into consultation with the Member States and the relevant economic operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.

5.   The Commission shall address the decision referred to in paragraph 4 to the Member States.

6.   Where the Commission has sufficient reason to consider, including based on information provided by ENISA, that a product with digital elements, although compliant with this Regulation, presents the risks referred to in paragraph 1 of this Article, it shall inform and may request the relevant market surveillance authority or authorities to carry out an evaluation and follow the procedures referred to in Article 54 and in paragraphs 1, 2 and 3 of this Article.

7.   In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the product with digital elements referred to in paragraph 6 continues to present the risks referred to in paragraph 1, and no effective measures have been taken by the relevant national market surveillance authorities, the Commission shall carry out an evaluation of the risks presented by that product with digital elements and may request ENISA to provide an analysis to support that evaluation and shall inform the relevant market surveillance authorities accordingly. The relevant economic operators shall cooperate with ENISA as necessary.

8.   Based on the evaluation referred to in paragraph 7, the Commission may establish that a corrective or restrictive measure is necessary at Union level. To that end, it shall without delay consult the Member States concerned and the relevant economic operator or operators.

9.   On the basis of the consultation referred to in paragraph 8 of this Article, the Commission may adopt implementing acts to decide on corrective or restrictive measures at Union level, including requiring the products with digital elements concerned to be withdrawn from the market, or recalled, within a reasonable period, commensurate with the nature of the risk. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

10.   The Commission shall immediately communicate the implementing acts referred to in paragraph 9 to the relevant economic operator or operators. Member States shall implement those implementing acts without delay and shall inform the Commission accordingly.

11.   Paragraphs 6 to 10 shall apply for the duration of the exceptional situation that justified the Commission’s intervention and for as long as the product with digital elements concerned continues to present the risks referred to in paragraph 1.

Article 58

Formal non-compliance

1.   Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant manufacturer to put an end to the non-compliance concerned:

(a)

the CE marking has been affixed in violation of Articles 29 and 30;

(b)

the CE marking has not been affixed;

(c)

the EU declaration of conformity has not been drawn up;

(d)

the EU declaration of conformity has not been drawn up correctly;

(e)

the identification number of the notified body which is involved in the conformity assessment procedure, where applicable, has not been affixed;

(f)

the technical documentation is either not available or not complete.

2.   Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the product with digital elements from being made available on the market or ensure that it is recalled or withdrawn from the market.

Article 59

Joint activities of market surveillance authorities

1.   Market surveillance authorities may agree with other relevant authorities to carry out joint activities aimed at ensuring cybersecurity and the protection of consumers with respect to specific products with digital elements placed on the market or made available on the market, in particular products with digital elements that are often found to present cybersecurity risks.

2.   The Commission or ENISA shall propose joint activities for checking compliance with this Regulation to be conducted by market surveillance authorities based on indications or information of potential non-compliance across several Member States of products with digital elements that fall within the scope of this Regulation with the requirements laid down in this Regulation.

3.   The market surveillance authorities and, where applicable, the Commission, shall ensure that the agreement to carry out joint activities does not lead to unfair competition between economic operators and does not negatively affect the objectivity, independence and impartiality of the parties to the agreement.

4.   A market surveillance authority may use any information obtained as a result of the joint activities carried out as part of any investigation that it undertakes.

5.   The market surveillance authority concerned and, where applicable, the Commission, shall make the agreement on joint activities, including the names of the parties involved, available to the public.

Article 60

Sweeps

1.   Market surveillance authorities shall conduct simultaneous coordinated control actions (sweeps) of particular products with digital elements or categories thereof to check compliance with or to detect infringements to this Regulation. Those sweeps may include inspections of products with digital elements acquired under a cover identity.

2.   Unless otherwise agreed upon by the market surveillance authorities involved, sweeps shall be coordinated by the Commission. The coordinator of the sweep shall, where appropriate, make the aggregated results publicly available.

3.   Where, in the performance of its tasks, including based on the notifications received pursuant to Article 14(1) and (3), ENISA identifies categories of products with digital elements for which sweeps may be organised, it shall submit a proposal for a sweep to the coordinator referred to in paragraph 2 of this Article for the consideration of the market surveillance authorities.

4.   When conducting sweeps, the market surveillance authorities involved may use the investigation powers set out in Articles 52 to 58 and any other powers conferred upon them by national law.

5.   Market surveillance authorities may invite Commission officials, and other accompanying persons authorised by the Commission, to participate in sweeps.

CHAPTER VI

DELEGATED POWERS AND COMMITTEE PROCEDURE

Article 61

Exercise of the delegation

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The power to adopt delegated acts referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) shall be conferred on the Commission for a period of five years from 10 December 2024. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3.   The delegation of power referred to in Article 2(5), second subparagraph, Article 7(3), Article 8(1) and (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) and Article 31(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.   A delegated act adopted pursuant to Article 2(5), second subparagraph, Article 7(3), Article 8(1) or (2), Article 13(8), fourth subparagraph, Article 14(9), Article 25, Article 27(9), Article 28(5) or Article 31(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 62

Committee procedure

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3.   Where the opinion of the committee is to be obtained by written procedure, that procedure shall be terminated without result when, within the time-limit for delivery of the opinion, the chair of the committee so decides or a committee member so requests.

CHAPTER VII

CONFIDENTIALITY AND PENALTIES

Article 63

Confidentiality

1.   All parties involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:

(a)

intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council (37);

(b)

the effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits;

(c)

public and national security interests;

(d)

integrity of criminal or administrative proceedings.

2.   Without prejudice to paragraph 1, information exchanged on a confidential basis between the market surveillance authorities and between market surveillance authorities and the Commission shall not be disclosed without the prior agreement of the originating market surveillance authority.

3.   Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the persons concerned to provide information under criminal law of the Member States.

4.   The Commission and Member States may exchange, where necessary, sensitive information with relevant authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of protection.

Article 64

Penalties

1.   Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and measures and shall notify it, without delay, of any subsequent amendment affecting them.

2.   Non-compliance with the essential cybersecurity requirements set out in Annex I and the obligations set out in Articles 13 and 14 shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

3.   Non-compliance with the obligations set out in Articles 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is an undertaking, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

4.   The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to EUR 5 000 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

5.   When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:

(a)

the nature, gravity and duration of the infringement and of its consequences;

(b)

whether administrative fines have been already applied by the same or other market surveillance authorities to the same economic operator for a similar infringement;

(c)

the size, in particular with regard to microenterprises and small and medium-sized enterprises, including start-ups, and the market share of the economic operator committing the infringement.

6.   Market surveillance authorities that apply administrative fines shall communicate that application to the market surveillance authorities of other Member States through the information and communication system referred to in Article 34 of Regulation (EU) 2019/1020.

7.   Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State.

8.   Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies according to the competences established at national level in those Member States. The application of such rules in those Member States shall have an equivalent effect.

9.   Administrative fines may be imposed, depending on the circumstances of each individual case, in addition to any other corrective or restrictive measures applied by the market surveillance authorities for the same infringement.

10.   By way of derogation from paragraphs 3 to 9, the administrative fines referred to in those paragraphs shall not apply to the following:

(a)

manufacturers that qualify as microenterprises or small enterprises with regard to any failure to meet the deadline referred to in Article 14(2), point (a), or Article 14(4), point (a);

(b)

any infringement of this Regulation by open-source software stewards.

Article 65

Representative actions

Directive (EU) 2020/1828 shall apply to the representative actions brought against infringements by economic operators of provisions of this Regulation that harm, or may harm, the collective interests of consumers.

CHAPTER VIII

TRANSITIONAL AND FINAL PROVISIONS

Article 66

Amendment to Regulation (EU) 2019/1020

In Annex I to Regulation (EU) 2019/1020, the following point is added:

‘72.

Regulation (EU) 2024/2847 of the European Parliament and of the Council (*1).

Article 67

Amendment to Directive (EU) 2020/1828

In Annex I to Directive (EU) 2020/1828, the following point is added:

‘69.

Regulation (EU) 2024/2847 of the European Parliament and of the Council (*2).

Article 68

Amendment to Regulation (EU) No 168/2013

In Part C1, in the table, of Annex II to Regulation (EU) No 168/2013 of the European Parliament and of the Council (38), the following entry is added:

16 | 18 | protection of vehicle against cyberattacks | | x | x | x | x | x | x | x | x | x | x | x | x | x | x ’.

Article 69

Transitional provisions

1.   EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until 11 June 2028, unless they expire before that date, or unless otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.

2.   Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

3.   By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before 11 December 2027.

Article 70

Evaluation and review

1.   By 11 December 2030 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.

2.   By 11 September 2028, the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to in Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.

Article 71

Entry into force and application

1.   This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.   This Regulation shall apply from 11 December 2027.

However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Strasbourg, 23 October 2024.

For the European Parliament

The President

R. METSOLA

For the Council

The President

ZSIGMOND B. P.


(1)  OJ C 100, 16.3.2023, p. 101.

(2)  Position of the European Parliament of 12 March 2024 (not yet published in the Official Journal) and decision of the Council of 10 October 2024.

(3)  Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

(4)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).

(5)  Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

(6)  OJ C 67, 8.2.2022, p. 81.

(7)  Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).

(8)  Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243).

(9)  Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

(10)  Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).

(11)  Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).

(12)  OJ L 82, 9.3.2021, p. 30.

(13)  Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).

(14)  Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive (OJ L 7, 12.1.2022, p. 6).

(15)  Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).

(16)  Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC (OJ L, 2024/2853, 18.11.2024, ELI: http://data.europa.eu/eli/dir/2024/2853/oj).

(17)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(18)  Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).

(19)  Regulation (EU) 2024/1781 of the European Parliament and of the Council of 13 June 2024 establishing a framework for the setting of ecodesign requirements for sustainable products, amending Directive (EU) 2020/1828 and Regulation (EU) 2023/1542 and repealing Directive 2009/125/EC (OJ L, 2024/1781, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1781/oj).

(20)  Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).

(21)  Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (OJ L 135, 23.5.2023, p. 1).

(22)  Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj).

(23)  Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).

(24)  Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (OJ L 165, 29.6.2023, p. 1).

(25)  Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).

(26)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).

(27)  Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1).

(28)  Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).

(29)  Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

(30)  Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

(31)  OJ L 123, 12.5.2016, p. 1.

(32)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13, ELI: http://data.europa.eu/eli/reg/2011/182/oj).

(33)  Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).

(34)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(35)  OJ C 452, 29.11.2022, p. 23.

(36)  Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146).

(37)  Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).

(38)  Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52).


ANNEX I

ESSENTIAL CYBERSECURITY REQUIREMENTS

Part I Cybersecurity requirements relating to the properties of products with digital elements

(1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.

(2) On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

(a) be made available on the market without known exploitable vulnerabilities;

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

(d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;

(e) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

(f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;

(g) process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

(h) protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

(i) minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;

(j) be designed, developed and produced to limit attack surfaces, including external interfaces;

(k) be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;

(l) provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;

(m) provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

Part II Vulnerability handling requirements

Manufacturers of products with digital elements shall:

(1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;

(2) in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;

(3) apply effective and regular tests and reviews of the security of the product with digital elements;

(4) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;

(5) put in place and enforce a policy on coordinated vulnerability disclosure;

(6) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

(7) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

(8) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.


ANNEX II

INFORMATION AND INSTRUCTIONS TO THE USER

At minimum, the product with digital elements shall be accompanied by:

1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted;

2. the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found;

3. name and type and any additional information enabling the unique identification of the product with digital elements;

4. the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;

5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;

6. where applicable, the internet address at which the EU declaration of conformity can be accessed;

7. the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates;

8. detailed instructions or an internet address referring to such detailed instructions and information on:

(a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use;

(b) how changes to the product with digital elements can affect the security of data;

(c) how security-relevant updates can be installed;

(d) the secure decommissioning of the product with digital elements, including information on how user data can be securely removed;

(e) how the default setting enabling the automatic installation of security updates, as required by Part I, point (2)(c), of Annex I, can be turned off;

(f) where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential cybersecurity requirements set out in Annex I and the documentation requirements set out in Annex VII.

9. If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed.


ANNEX III

IMPORTANT PRODUCTS WITH DIGITAL ELEMENTS

Class I

1. Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

2. Standalone and embedded browsers

3. Password managers

4. Software that searches for, removes, or quarantines malicious software

5. Products with digital elements with the function of virtual private network (VPN)

6. Network management systems

7. Security information and event management (SIEM) systems

8. Boot managers

9. Public key infrastructure and digital certificate issuance software

10. Physical and virtual network interfaces

11. Operating systems

12. Routers, modems intended for the connection to the internet, and switches

13. Microprocessors with security-related functionalities

14. Microcontrollers with security-related functionalities

15. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities

16. Smart home general purpose virtual assistants

17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

18. Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council (1) that have social interactive features (e.g. speaking or filming) or that have location tracking features

19. Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or (EU) No 2017/746 do not apply, or personal wearable products that are intended for the use by and for children

Class II

1. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments

2. Firewalls, intrusion detection and prevention systems

3. Tamper-resistant microprocessors

4. Tamper-resistant microcontrollers

(1)  Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1).


ANNEX IV

CRITICAL PRODUCTS WITH DIGITAL ELEMENTS

1. Hardware Devices with Security Boxes

2. Smart meter gateways within smart metering systems as defined in Article 2, point (23) of Directive (EU) 2019/944 of the European Parliament and of the Council (1) and other devices for advanced security purposes, including for secure cryptoprocessing

3. Smartcards or similar devices, including secure elements


(1)  Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (OJ L 158, 14.6.2019, p. 125).


ANNEX V

EU DECLARATION OF CONFORMITY

The EU declaration of conformity referred to in Article 28, shall contain all of the following information:

1. Name and type and any additional information enabling the unique identification of the product with digital elements

2. Name and address of the manufacturer or its authorised representative

3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider

4. Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate)

5. A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation

6. References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared

7. Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued

8. Additional information:

Signed for and on behalf of:

(place and date of issue):

(name, function) (signature):


ANNEX VI

SIMPLIFIED EU DECLARATION OF CONFORMITY

The simplified EU declaration of conformity referred to in Article 13(20) shall be provided as follows:

Hereby, … [name of manufacturer] declares that the product with digital elements type … [designation of type of product with digital element] is in compliance with Regulation (EU) 2024/2847 (1).

The full text of the EU declaration of conformity is available at the following internet address: …


(1)  OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj.


ANNEX VII

CONTENT OF THE TECHNICAL DOCUMENTATION

The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements:

1. a general description of the product with digital elements, including:

(a) its intended purpose;

(b) versions of software affecting compliance with essential cybersecurity requirements;

(c) where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout;

(d) user information and instructions as set out in Annex II;

2. a description of the design, development and production of the product with digital elements and vulnerability handling processes, including:

(a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;

(b) necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

(c) necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;

3. an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;

4. relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;

5. a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;

6. reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;

7. a copy of the EU declaration of conformity;

8. where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.


ANNEX VIII

CONFORMITY ASSESSMENT PROCEDURES

Part I Conformity assessment procedure based on internal control (based on module A)

1. Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. The manufacturer shall draw up the technical documentation described in Annex VII.

3. Design, development, production and vulnerability handling of products with digital elements

The manufacturer shall take all measures necessary so that the design, development, production and vulnerability handling processes and their monitoring ensure compliance of the manufactured or developed products with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Parts I and II of Annex I.

4. Conformity marking and declaration of conformity

4.1. The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements set out in this Regulation.

4.2. The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.

5. Authorised representatives

The manufacturer’s obligations set out in point 4 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.

Part II EU-type examination (based on module B)

1. EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).

3. The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice.

The application shall include:

3.1. the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

3.2. a written declaration that the same application has not been lodged with any other notified body;

3.3. the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;

3.4. the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.

4. The notified body shall:

4.1. examine the technical documentation and supporting evidence to assess the adequacy of the technical design and development of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the vulnerability handling processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I;

4.2. verify that specimens have been developed or manufactured in conformity with the technical documentation, and identify the elements which have been designed and developed in accordance with the applicable provisions of the relevant harmonised standards or technical specifications, as well as the elements which have been designed and developed without applying the relevant provisions of those standards;

4.3. carry out appropriate examinations and tests, or have them carried out, to check that, where the manufacturer has chosen to apply the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I, they have been applied correctly;

4.4. carry out appropriate examinations and tests, or have them carried out, to check that, where the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I have not been applied, the solutions adopted by the manufacturer meet the corresponding essential cybersecurity requirements;

4.5. agree with the manufacturer on a location where the examinations and tests will be carried out.

5. The notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.

6. Where the type and the vulnerability handling processes meet the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, the conditions (if any) for its validity and the necessary data for identification of the approved type and vulnerability handling processes. The certificate may have one or more annexes attached.

The certificate and its annexes shall contain all relevant information to allow the conformity of manufactured or developed products with digital elements with the examined type and vulnerability handling processes to be evaluated and to allow for in-service control.

Where the type and the vulnerability handling processes do not satisfy the applicable essential cybersecurity requirements set out in Annex I, the notified body shall refuse to issue an EU-type examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.

7. The notified body shall keep itself apprised of any changes in the generally acknowledged state of the art which indicate that the approved type and the vulnerability handling processes may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.

The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.

8. The notified body shall carry out periodic audits to ensure that the vulnerability handling processes as set out in Part II of Annex I are implemented adequately.

9. Each notified body shall inform its notifying authorities concerning the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.

Each notified body shall inform the other notified bodies concerning the EU-type examination certificates and any additions thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, concerning the certificates and additions thereto which it has issued.

The Commission, the Member States and the other notified bodies may, on request, obtain a copy of the EU-type examination certificates and any additions thereto. On request, the Commission and the Member States may obtain a copy of the technical documentation and the results of the examinations carried out by the notified body. The notified body shall keep a copy of the EU-type examination certificate, its annexes and additions, as well as the technical file including the documentation submitted by the manufacturer, until the expiry of the validity of the certificate.

10. The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

11. The manufacturer’s authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.

Part III Conformity to type based on internal production control (based on module C)

1. Conformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

2. Production

The manufacturer shall take all measures necessary so that the production and its monitoring ensure conformity of the manufactured products with digital elements with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements as set out in Part I of Annex I and ensures that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.

3. Conformity marking and declaration of conformity

3.1. The manufacturer shall affix the CE marking to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements set out in this Regulation.

3.2. The manufacturer shall draw up a written declaration of conformity for a product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.

4. Authorised representative

The manufacturer’s obligations set out in point 3 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.

Part IV Conformity based on full quality assurance (based on module H)

1.

Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.

2.

Design, development, production and vulnerability handling of products with digital elements

The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4.

3.

Quality system

3.1.

The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned.

The application shall include:

(a)

the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;

(b)

the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;

(c)

the documentation concerning the quality system; and

(d)

a written declaration that the same application has not been lodged with any other notified body.

3.2.

The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I.

All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records.

It shall, in particular, contain an adequate description of:

(a)

the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;

(b)

the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;

(c)

the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;

(d)

the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;

(e)

the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;

(f) the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;

(g) the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;

(h) the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.

3.3.

The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2.

It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification.

In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements set out in this Regulation. The audit shall include an assessment visit to the manufacturer’s premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1 (b), to verify the manufacturer’s ability to identify the applicable requirements set out in this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements.

The manufacturer or its authorised representative shall be notified of the decision.

The notification shall contain the conclusions of the audit and the reasoned assessment decision.

3.4.

The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient.

3.5.

The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.

The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.

It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision.

4.

Surveillance under the responsibility of the notified body

4.1.

The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising out of the approved quality system.

4.2.

The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:

(a) the quality system documentation;

(b) the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;

(c) the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.

4.3.

The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report.

5.

Conformity marking and declaration of conformity

5.1.

The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter’s identification number to each individual product with digital elements that satisfies the requirements set out in Part I of Annex I.

5.2.

The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up.

A copy of the declaration of conformity shall be made available to the relevant authorities upon request.

6.

The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:

(a) the technical documentation referred to in point 3.1;

(b) the documentation concerning the quality system referred to in point 3.1;

(c) the change referred to in point 3.5, as approved;

(d) the decisions and reports of the notified body referred to in points 3.5 and 4.3.

7.

Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.

Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued.

8.

Authorised representative

The manufacturer’s obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.

A statement has been made with regard to this act and can be found in OJ C, 2024/6786, 20.11.2024, ELI: http://data.europa.eu/eli/C/2024/6786/oj.


ELI: http://data.europa.eu/eli/reg/2024/2847/oj

ISSN 1977-0677 (electronic edition)