Source: OJ L, 2025/2392, 1.12.2025


Preamble Recitals


Recital 1

Regulation (EU) 2024/2847 lays down rules on the cybersecurity of products with digital elements. In particular, Annex III to that Regulation sets out categories of important products with digital elements that, when placed on the market, are subject to conformity assessment procedures that are stricter than those applicable to other products with digital elements.
Annex IV to Regulation (EU) 2024/2847 sets out categories of critical products with digital elements for which manufacturers could be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council (2) or which would be subject to mandatory third-party conformity assessment, when placed on the market.

(2) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15, ELI: http://data.europa.eu/eli/reg/2019/881/oj).

Recital 2

Pursuant to Article 7(1) and Article 8(1) of Regulation (EU) 2024/2847, the core functionality of a product with digital elements determines whether that product with digital elements meets the technical description of a category of important or critical products with digital elements and therefore the applicable conformity assessment procedures.

Recital 3

When developing a product with digital elements, and in order to achieve their desired set of functionalities, manufacturers typically integrate into their own products with digital elements other components which are also products with digital elements and that can meet the technical description of a category of important or critical products. Pursuant to Regulation (EU) 2024/2847, a product with digital elements is subject to the conformity assessment procedures applicable to important or critical products with digital elements, if that product as a whole is an important or critical product as set out in Annexes III and IV to that Regulation.
For example, integrating an embedded browser as a component of a news app for use in smartphones does not in itself render the news app subject to the conformity assessment procedure applicable to products with digital elements that have the core functionality of ‘standalone and embedded browsers’. Nonetheless, in accordance with Regulation (EU) 2024/2847, the manufacturer needs to ensure that the product with digital elements as a whole meets the essential cybersecurity requirements. Therefore, the manufacturer needs to evaluate the security of the whole product, considering, as appropriate, the security of the components or functionalities that are integrated into it.
For example, in order for the manufacturer of a news app to demonstrate that its product with digital elements is in conformity with Regulation (EU) 2024/2847, that manufacturer is to demonstrate that the news app as a whole satisfies the applicable requirements, considering, as appropriate, the security of the embedded browser that is integrated into its app.

Recital 4

The fact that a product with digital elements performs functions other than or additional to those detailed in the technical descriptions set out in this Regulation does not in itself mean that the product with digital elements does not have the core functionality of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847. For example, products with digital elements that have the core functionality of ‘operating systems’ often include software that performs ancillary functions not included in the technical description of that product category, such as calculators or simple graphics editors. Products with digital elements often also incorporate components that have the functionality of another important or critical product with digital elements, such as an operating system integrating browser functionality, or a router integrating firewall functionality.
This, however, does not in itself mean that such products with digital elements do not have the core functionality of ‘operating systems’ or ‘routers, modems intended for the connection to the internet, and switches’, respectively.

Recital 5

On the other hand, a product with digital elements that has the ability to perform the functions of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847 but whose core functionality itself is different from that of such product category is not to be considered to meet the technical description of that product category. For example, security orchestration, automation and response (SOAR) software often has the ability to perform the functions of products with digital elements in the category of ‘security information and event management (SIEM) systems’, i.e. gather data, analyse it and present it as actionable information for security purposes. However, as its core functionality is not that of a SIEM, SOAR software is generally not to be considered to meet the technical description of ‘security information and event management (SIEM) systems’. Similarly, a smartphone typically integrates components that perform the functions of several product categories set out in Annexes III and IV to Regulation (EU) 2024/2847, such as an operating system or an integrated password manager. However, as a smartphone’s core functionality is not that of an operating system or of a password manager, it is generally not to be considered to meet the technical description of such product categories.

Recital 6

Pursuant to Article 13(2) and (3) of Regulation (EU) 2024/2847, manufacturers of products with digital elements are to implement the essential cybersecurity requirements set out in Part I of Annex I to Regulation (EU) 2024/2847 in a way that is proportionate to the risks of the product with digital elements, based on the intended purpose and reasonably foreseeable use as well as the conditions of use of the product with digital elements, taking into account the length of time the product is expected to be in use.
In accordance with Article 13(2) and (3) of that Regulation, and irrespective of whether the product with digital elements is considered to be an important or critical product with digital elements, manufacturers are to carry out a comprehensive cybersecurity risk assessment and indicate how the essential cybersecurity requirements are implemented as informed by the risk assessment, including their testing and assurance.
Where the core functionality of their product with digital elements meets the technical description of an important or critical product with digital elements, manufacturers are to demonstrate conformity following the specific conformity assessment procedures established by Article 32(2), (3), (4) and (5) of Regulation (EU) 2024/2847.

Recital 7

This Regulation includes examples of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.

Recital 8

In order to provide legal certainty to manufacturers, the categories of products with digital elements that are tamper-resistant microprocessors, tamper-resistant microcontrollers, and smartcards and similar devices, including secure elements, should be distinguished on the basis of the level of resistance against potential exploitability of flaws or weaknesses for which they have been designed. AVA_VAN level is an extensively used and standardised way to express such a level of resistance. AVA_VAN levels are set out in the publicly available Common Criteria and Common Evaluation Methodology standards, which underlie existing certification frameworks widely adopted on the market, such as Commission Implementing Regulation (EU) 2024/482 (3). Implementing Regulation (EU) 2024/482 establishes a European cybersecurity certification scheme that can be used to certify a product at a specific assurance level. Drawing on global practices, Implementing Regulation (EU) 2024/482 foresees the possibility to issue certificates based on older versions of the standards until the end of 2027. Hence, in the context of Regulation (EU) 2024/2847, it is appropriate to allow for AVA_VAN levels to be expressed by referring to either the latest version or older versions of those standards.

(3) Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).

Recital 9

The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 62(1) of Regulation (EU) 2024/2847,