Source: OJ L, 2025/2392, 1.12.2025

Annex I IMPORTANT PRODUCTS WITH DIGITAL ELEMENTS


  1. Class I

    1. Category of product

      Technical description

      • Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

      Identity management systems are products with digital elements that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials of natural persons, legal persons, devices or systems, such as identity registration, provisioning, maintenance, deregistration. These systems include access management systems that control access of natural persons, legal persons, devices or systems to digital resources or physical locations.

      Privileged access management software is an access management system that controls and monitors access rights to IT or OT systems and sensitive information within an organisation, including systems enforcing differentiated access control policies for privileged users.

      This category includes but is not limited to authentication and access control readers, biometric readers, single sign-on software, federated identity management software, one-time password software, hardware authentication devices such as transaction authentication number (TAN) generators, authentication software and multi-factor authentication software.

      • Standalone and embedded browsers

      Software products with digital elements that enable end users to access, render, and interact with web content and services hosted on servers that are connected to networks such as the Internet. They typically include a browser engine for interpreting and displaying content written in markup language (e.g. HTML), support for web protocols (e.g. HTTP, HTTPS), the ability to execute scripts and manage user inputs as well as storage of temporary or persistent data from websites (cookies).

      This category includes but is not limited to standalone applications that fulfil the functions of browsers, embedded browsers intended for integration into another system or application as well as browsers with AI agent integration.

      • Password managers

      Products with digital elements that store passwords, locally on a device or on a remote server, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.

      This category includes but is not limited to local password managers, password managers provided as browser extensions, enterprise password managers as well as hardware-based password managers.

      • Software that searches for, removes, or quarantines malicious software

      Software products with digital elements, typically referred to as antivirus or antimalware, that detect or search for malicious software or code on devices, or remove or quarantine such software or code, in order to maintain the integrity, confidentiality, or availability of such devices.

      In the context of this category of products, malicious software means software containing malicious features or capabilities that can cause harm directly or indirectly to the user and/or the computer system, such as viruses, worms, ransomware, spyware and trojans.

      This category includes but is not limited to software that detects or searches for malicious software in real-time or manually, rootkit detection and rescue disks with the core functionality of searching, removing or quarantining malicious software.

      • Products with digital elements with the function of virtual private network (VPN)

      Products with digital elements that establish an encrypted logical tunnel that is constructed from the system resources of a physical or virtual network.

      This category includes but is not limited to virtual private network clients, virtual private network servers and virtual private network gateways.

      • Network management systems

      Products with digital elements that manage connected network elements, such as servers, routers, switches, workstations, printers or mobile devices, by monitoring them and controlling their network operations and configuration.

      This category includes but is not limited to end-to-end management systems and dedicated configuration management systems, such as controllers for software-defined networking.

      • Security information and event management (SIEM) systems

      Products with digital elements that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes, such as threat and incident detection, forensic analysis or compliance purposes.

      • Boot managers

      Software products with digital elements that manage the process of initial system startup after power on/restart by initialising hardware, loading or transferring control to the operating system environment or system resources, and selecting boot options.

      This category includes but is not limited to UEFI firmware, single-stage and multi-stage boot loaders.

      • Public key infrastructure and digital certificate issuance software

      Products with digital elements used as part of a public key infrastructure (PKI) that manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates, or the generation, storage, escrow, exchange, destruction or rotation of cryptographic keys associated with such digital certificates.

      This category includes but is not limited to key management systems, digital certificate management systems, online certificate status protocol responders and all-in-one PKI solutions.

      • Physical and virtual network interfaces

      Physical network interfaces are products with digital elements that directly connect a device to a network via an application programming interface (API) provided by the interface drivers, typically operating at the data link layer, and that feature hardware adapters to transmission media with corresponding firmware, typically operating at the physical and data link layer.

      Virtual network interfaces are products with digital elements that directly or indirectly connect a device to a network via an API that emulates that of drivers of physical network interfaces, typically operating at the data link layer.

      This category includes but is not limited to wired and wireless network interface cards, controllers and adapters, such as for Wi-Fi, Ethernet, IrDA, USB, Bluetooth, NearLink, Zigbee, or Fieldbus, as well as purely virtual standalone products, such as virtual network interface cards, container network interfaces and VPN interfaces.

      • Operating systems

      Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals.

      This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.

      • Routers, modems intended for the connection to the internet, and switches

      Routers are products with digital elements that establish and control the flow of data between different networks by selecting paths or routes using routing protocol mechanisms and algorithms, typically operating at the network layer.

      This category includes but is not limited to wired and wireless routers, virtual routers and routers with or without modems.

      Modems intended for the connection to the Internet are hardware products with digital elements that use digital modulation and demodulation techniques to convert analogue signals from and to digital signals for IP-based communication.

      This category includes but is not limited to fibre modems, Digital Subscriber Line (DSL) modems, cable (DOCSIS) modems, satellite modems and cellular modems.

      Switches are products with digital elements that provide connectivity between networked devices through packet forwarding mechanisms and that have a management plane, typically implemented at the data link or network layer.

      This category includes but is not limited to managed switches, smart switches, multilayer switches, virtual security switches, programmable switches for software-defined networking and bridges such as wireless access points.

      • Microprocessors with security-related functionalities

      Products with digital elements that are integrated circuits that carry out central processing functions relying on external memory and peripherals, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the microprocessor itself, such as secure boot chain, virtualization or secure communication interfaces.

      • Microcontrollers with security-related functionalities

      Products with digital elements that are integrated circuits that carry out central processing functions integrating memory allowing the microcontroller to be programmable and typically also other peripherals, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the microcontroller itself, such as secure boot chain, virtualization or secure communication interfaces.

      • Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities

      Application specific integrated circuits (ASIC) with security-related functionalities are products with digital elements that are integrated circuits, fully or partially custom-designed to perform a specific function or implement a specific application, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the ASIC itself, such as secure boot chain, virtualization or secure communication interfaces.

      Field-programmable gate arrays (FPGA) with security-related functionalities are products with digital elements that are integrated circuits characterized by a matrix of configurable logic blocks designed to be reprogrammable after manufacturing to perform a specific function or implement a specific application, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the FPGA itself, such as secure boot chain, virtualization or secure communication interfaces.

      • Smart home general purpose virtual assistants

      Products with digital elements that communicate on the public Internet, whether directly or via other equipment, that process demands, tasks or questions based on natural language prompts, such as through audio or written input, and that, based on those demands, tasks or questions, provide access to other services or control the functions of connected devices in residential settings.

      This category includes but is not limited to smart speakers with an integrated virtual assistant, and standalone virtual assistants that meet this description.

      • Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems

      Products with digital elements that protect the physical security of consumers in a residential setting and which can be controlled or managed remotely from other systems, as well as hardware and software that centrally control such products.

      This category includes but is not limited to smart door locking devices, baby monitoring systems, alarm systems and home security cameras.

      • Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council (1) that have social interactive features (e.g. speaking or filming) or that have location tracking features

      (1) Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1, ELI: http://data.europa.eu/eli/dir/2009/48/oj).

      Internet connected toys that have social interactive features are products with digital elements that are covered by Directive 2009/48/EC, that communicate on the public Internet, whether directly or via any other equipment, and that have embedded technologies that enable inbound and outbound communication, such as keyboard, microphone, speaker or camera.

      Internet connected toys that have location tracking features are products with digital elements that are covered by Directive 2009/48/EC, that communicate on the public Internet, whether directly or via any other equipment, and that have technologies that enable tracking or inferring of the geographical location of the toy or its user. Where the toy merely detects the proximity of the user or of other toys by using sensing technologies, the toy is not to be considered to have location tracking features.

      • Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 (2) or (EU) 2017/746 of the European Parliament and of the Council (3) do not apply, or personal wearable products that are intended for the use by and for children

      (2) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1, ELI: http://data.europa.eu/eli/reg/2017/745/oj).

      (3) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176, ELI: http://data.europa.eu/eli/reg/2017/746/oj).

      Personal wearable products to be worn or placed on a human body that have a health monitoring purpose are products with digital elements that are worn on the body directly or via clothing or accessories and that can, regularly or continuously, sense and further process information, including body metrics, relevant to the user’s health, excluding products that fall within the scope of Regulation (EU) 2017/745 or of Regulation (EU) 2017/746.

      This category includes but is not limited to fitness trackers, smartwatches, smart jewellery, smart clothing and sports apparel that meet this description.

      Personal wearable products that are intended for the use by and for children are products with digital elements which can be worn or placed on the body, directly or via clothing or accessories, of individuals under the age of 14.

      This category includes but is not limited to child safety wearables.

  2. Class II

    1. Category of product

      Technical description

      • Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments

      Hypervisors are software products with digital elements that abstract and/or allocate computing resources and enable the execution, management and orchestration of virtual machines that are logically separated from each other and/or from the physical hardware. Hypervisors may run directly on hardware (bare metal), on top of an operating system, or within another virtual machine (nested virtualisation).

      In the context of this category of products, a virtual machine is a software-defined logical separation of a computing environment, which includes a virtualised set of hardware resources (e.g. CPU, memory, storage, network interfaces) and typically hosts its own operating system.

      This category includes but is not limited to type 1 hypervisors (bare metal), type 2 hypervisors (hosted on an operating system) and hybrid hypervisors.

      Container runtime systems are software products with digital elements that manage the execution and lifecycle of containers running on a single host operating system as isolated processes, allocating resources and allowing the management and orchestration of individual containers.

      In the context of this category of products, a container is a software-based execution environment that encapsulates one or more software components and their dependencies in a single package, enabling it to run independently and consistently.

      • Firewalls, intrusion detection and prevention systems

      Firewalls are products with digital elements that protect a connected network or system from unauthorized access by monitoring and restricting data communication traffic to and from that network.

      This category includes but is not limited to network firewalls and application firewalls such as web application firewalls or filters and anti-spam gateways.

      Intrusion detection systems are products with digital elements that monitor traffic once it has entered the network environment for suspicious activity and detect or identify that an intrusion has been attempted, is occurring, or has occurred on a connected network or system.

      This category includes but is not limited to network-based intrusion detection systems and host-based intrusion detection systems.

      Intrusion prevention systems are products with digital elements composed of an intrusion detection system that actively responds to an intrusion to a connected network or system.

      This category includes but is not limited to network-based intrusion prevention systems and host-based intrusion prevention systems.

      • Tamper-resistant microprocessors

      Products with digital elements that are microprocessors with security-related functionalities referred to in Table ‘Class I’, point 13, of this Annex, including tamper evidence, resistance or response, and which additionally are designed to provide protection of AVA_VAN level 2 or 3, as set out in the Common Criteria and the Common Evaluation Methodology.

      • Tamper-resistant microcontrollers

      Products with digital elements that are microcontrollers with security-related functionalities referred to in Table ‘Class I’, point 14, of this Annex, including tamper evidence, resistance or response, and which additionally are designed to provide protection of AVA_VAN level 2 or 3, as set out in the Common Criteria and the Common Evaluation Methodology.
