Source: OJ L 2024/2847, 20.11.2024
Annex I ESSENTIAL CYBERSECURITY REQUIREMENTS
Part I Cybersecurity requirements relating to the properties of products with digital elements
Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.
On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:
be made available on the market without known exploitable vulnerabilities;
be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;
ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;
ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;
protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;
protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;
process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);
protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;
minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;
be designed, developed and produced to limit attack surfaces, including external interfaces;
be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;
provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.
Part II Vulnerability handling requirements
Manufacturers of products with digital elements shall:
identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;
in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;
apply effective and regular tests and reviews of the security of the product with digital elements;
once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;
put in place and enforce a policy on coordinated vulnerability disclosure;
take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;
provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;
ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
Relevant recitals
Recital 40 Support period and security updates
Taking into account the iterative nature of software development, manufacturers that have placed subsequent versions of a software product on the market as a result of a subsequent substantial modification of that product should be able to provide security updates for the support period only for the version of the software product that they have last placed on the market. They should be able to do so only if the users of the relevant previous product versions have access to the product version last placed on the market free of charge and do not incur additional costs to adjust the hardware or software environment in which they operate the product.
This could, for instance, be the case where a desktop operating system upgrade does not require new hardware, such as a faster central processing unit or more memory. Nonetheless, the manufacturer should continue to comply, for the support period, with other vulnerability-handling requirements, such as having a policy on coordinated vulnerability disclosure or measures in place to facilitate the sharing of information about potential vulnerabilities for all subsequent substantially modified versions of the software product placed on the market.
Manufacturers should be able to provide minor security or functionality updates that do not constitute a substantial modification only for the latest version or sub-version of a software product that has not been substantially modified. At the same time, where a hardware product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturer should continue to provide security updates at least for the latest compatible version of the operating system for the support period.
Recital 53 Overlap with the machinery regulation
Manufacturers of products falling within the scope of Regulation (EU) 2023/1230 of the European Parliament and of the Council [footnote 24: Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (OJ L 165, 29.6.2023, p. 1).] which are also products with digital elements as defined in this Regulation should comply with both the essential cybersecurity requirements set out in this Regulation and the essential health and safety requirements set out in Regulation (EU) 2023/1230. The essential cybersecurity requirements set out in this Regulation and certain essential requirements set out in Regulation (EU) 2023/1230 might address similar cybersecurity risks.
Therefore, the compliance with the essential cybersecurity requirements set out in this Regulation could facilitate the compliance with the essential requirements that also cover certain cybersecurity risks as set out in Regulation (EU) 2023/1230, and in particular those regarding the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation. Such synergies have to be demonstrated by the manufacturer, for instance by applying, where available, harmonised standards or other technical specifications covering relevant essential cybersecurity requirements following a risk assessment covering those cybersecurity risks.
The manufacturer should also follow the applicable conformity assessment procedures set out in this Regulation and in Regulation (EU) 2023/1230. The Commission and the European standardisation organisations, in the preparatory work supporting the implementation of this Regulation and of Regulation (EU) 2023/1230 and the related standardisation processes, should promote consistency in how the cybersecurity risks are to be assessed and in how those risks are to be covered by harmonised standards with regard to the relevant essential requirements. In particular, the Commission and the European standardisation organisations should take into account this Regulation in the preparation and development of harmonised standards to facilitate the implementation of Regulation (EU) 2023/1230 as regards in particular the cybersecurity aspects related to the protection against corruption and safety and reliability of control systems set out in sections 1.1.9 and 1.2.1 of Annex III to that Regulation.
The Commission should provide guidance to support manufacturers subject to this Regulation that are also subject to Regulation (EU) 2023/1230, in particular to facilitate the demonstration of compliance with relevant essential requirements set out in this Regulation and in Regulation (EU) 2023/1230.
Recital 54 Assessment of cybersecurity risks
In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as during the time the product with digital elements is expected to be in use, it is necessary to lay down essential cybersecurity requirements for vulnerability handling and essential cybersecurity requirements relating to the properties of products with digital elements.
While manufacturers should comply with all essential cybersecurity requirements related to vulnerability handling throughout the support period, they should determine which other essential cybersecurity requirements related to the product properties are relevant for the type of product with digital elements concerned.
For that purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential cybersecurity requirements in order to make available their products with digital elements without known exploitable vulnerabilities that might have an impact on the security of those products and to appropriately apply suitable harmonised standards, common specifications or European or international standards.
Recital 56 Automatic security updates
One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the latest available security updates as soon as possible. Manufacturers should therefore design their products and put in place processes to ensure that products with digital elements include functions that enable the notification, distribution, download and installation of security updates automatically, in particular in the case of consumer products. They should also provide the possibility to approve the download and installation of the security updates as a final step. Users should retain the ability to deactivate automatic updates, with a clear and easy-to-use mechanism, supported by clear instructions on how users can opt out. The requirements relating to automatic updates as set out in an annex to this Regulation are not applicable to products with digital elements primarily intended to be integrated as components into other products.
They also do not apply to products with digital elements for which users would not reasonably expect automatic updates, including products with digital elements intended to be used in professional ICT networks, and especially in critical and industrial environments where an automatic update could cause interference with operations. Irrespective of whether a product with digital elements is designed to receive automatic updates or not, its manufacturer should inform users about vulnerabilities and make security updates available without delay.
Where a product with digital elements has a user interface or similar technical means allowing direct interaction with its users, the manufacturer should make use of such features to inform users that their product with digital elements has reached the end of the support period. Notifications should be limited to what is necessary in order to ensure the effective reception of this information and should not have a negative impact on the user experience of the product with digital elements.
Recital 57 Separation of security and functionality updates
To improve the transparency of vulnerability handling processes and to ensure that users are not required to install new functionality updates for the sole purpose of receiving the latest security updates, manufacturers should ensure, where technically feasible, that new security updates are provided separately from functionality updates.
Recital 64 Secure by default and free security updates
Manufacturers should make their products with digital elements available on the market with a secure by default configuration and provide security updates to users free of charge. Manufacturers should only be able to deviate from the essential cybersecurity requirements in relation to tailor-made products that are fitted to a particular purpose for a particular business user and where both the manufacturer and the user have explicitly agreed to a different set of contractual terms.
Recital 77 Software bill of materials
In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up an SBOM. An SBOM can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, in particular it helps manufacturers and users to track known newly emerged vulnerabilities and cybersecurity risks.
It is of particular importance that manufacturers ensure that their products with digital elements do not contain vulnerable components developed by third parties. Manufacturers should not be obliged to make the SBOM public.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.