Beta

Source: OJ L 2024/2847, 20.11.2024

EN

Article 13 Obligations of manufacturers

    1. When placing a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on the market, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that it has been designed, developed and produced in accordance with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Part I of Annex I.

    1. For the purpose of complying with paragraph 1, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall undertake an assessment of the cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with a view to minimising cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, preventing incidentsmeans an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and minimising their impact, including in relation to the health and safety of users.

    1. The cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment shall be documented and updated as appropriate during a support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; to be determined in accordance with paragraph 8 of this Article. That cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment shall comprise at least an analysis of cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; based on the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; and reasonably foreseeable usemeans use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;, as well as the conditions of use, of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and how those requirements are implemented as informed by the cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment. It shall also indicate how the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; is to apply Part I, point (1), of Annex I and the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling requirements set out in Part II of Annex I.

    1. When placing a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on the market, the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall include the cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as referred to in Article 12, which are also subject to other Union legal acts, the cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment may be part of the risk assessment required by those Union legal acts. Where certain essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements are not applicable to the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall include a clear justification to that effect in that technical documentation.

    1. For the purpose of complying with paragraph 1, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall exercise due diligence when integrating componentsmeans software or hardware intended for integration into an electronic information system; sourced from third parties so that those componentsmeans software or hardware intended for integration into an electronic information system; do not compromise the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including when integrating componentsmeans software or hardware intended for integration into an electronic information system; of free and open-source softwaremeans software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; that have not been made available on the market in the course of a commercial activity.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall, upon identifying a vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in a componentmeans software or hardware intended for integration into an electronic information system;, including in an open source-component, which is integrated in the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; report the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; to the person or entity manufacturing or maintaining the componentmeans software or hardware intended for integration into an electronic information system;, and address and remediate the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in accordance with the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling requirements set out in Part II of Annex I. Where manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; have developed a softwaremeans the part of an electronic information system which consists of computer code; or hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; modification to address the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in that componentmeans software or hardware intended for integration into an electronic information system;, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the componentmeans software or hardware intended for integration into an electronic information system;, where appropriate in a machine-readable format.

    1. The manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, relevant cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; aspects concerning the products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, including vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of which they become aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment of the products.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure, when placing a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on the market, and for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, that vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of that product, including its componentsmeans software or hardware intended for integration into an electronic information system;, are handled effectively and in accordance with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Part II of Annex I.

    2. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall determine the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;, as well as relevant Union law determining the lifetime of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. When determining the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; may also take into account the support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; offering a similar functionality placed on the market by other manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, the availability of the operating environment, the support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of integrated componentsmeans software or hardware intended for integration into an electronic information system; that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and the Commission. The matters to be taken into account in order to determine the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; shall be considered in a manner that ensures proportionality.

    3. Without prejudice to the second subparagraph, the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; shall be at least five years. Where the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is expected to be in use for less than five years, the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; shall correspond to the expected use time.

    4. Taking into account ADCO recommendations as referred to in Article 52(16), the Commission may adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the minimum support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for specific product categories where the market surveillance data suggests inadequate support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.

    5. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall include the information that was taken into account to determine the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; in the technical documentation as set out in Annex VII.

    6. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall have appropriate policies and procedures, including coordinated vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure policies, referred to in Part II, point (5), of Annex I to process and remediate potential vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; in the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; reported from internal or external sources.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, remains available after it has been issued for a minimum of 10 years or for the remainder of the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, whichever is longer.

    1. Where a manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has placed subsequent substantially modified versions of a softwaremeans the part of an electronic information system which consists of computer code; product on the market, that manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; may ensure compliance with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirement set out in Part II, point (2), of Annex I only for the version that it has last placed on the market, provided that the users of the versions that were previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; and softwaremeans the part of an electronic information system which consists of computer code; environment in which they use the original version of that product.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; may maintain public softwaremeans the part of an electronic information system which consists of computer code; archives enhancing user access to historical versions. In those cases, users shall be clearly informed in an easily accessible manner about risks associated with using unsupported softwaremeans the part of an electronic information system which consists of computer code;.

    1. Before placing a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; on the market, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall draw up the technical documentation referred to in Article 31.

    2. They shall carry out the chosen conformity assessmentmeans the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures as referred to in Article 32 or have them carried out.

    3. Where compliance of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Part I of Annex I and of the processes put in place by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Part II of Annex I has been demonstrated by that conformity assessmentmeans the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedure, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE markingmeans a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing; in accordance with Article 30.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; for at least 10 years after the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been placed on the market or for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, whichever is longer.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that procedures are in place for products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that are part of a series of production to remain in conformity with this Regulation. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall adequately take into account changes in the development and production process or in the design or characteristics of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and changes in the harmonised standardsmeans a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, European cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes or common specifications as referred to in Article 27 by reference to which the conformity of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is declared or by application of which its conformity is verified.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that their products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall indicate the name, registered trade name or registered trademark of the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; can be contacted, on the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, on its packaging or in a document accompanying the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. That information shall also be included in the information and instructions to the user set out in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;.

    1. For the purposes of this Regulation, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

    2. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that the single point of contact is easily identifiable by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II.

    3. The single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; for at least 10 years after the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been placed on the market or for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, whichever is longer. Where such information and instructions are provided online, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been placed on the market or for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, whichever is longer.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall ensure that the end date of the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, its packaging or by digital means.

    2. Where technically feasible in light of the nature of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall display a notification to users informing them that their product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has reached the end of its support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.

    1. From the placing on the marketmeans the first making available of a product with digital elements on the Union market; and for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; who know or have reason to believe that the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or the processes put in place by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; are not in conformity with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;’s processes into conformity, or to withdraw or recallmeans recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020; the product, as appropriate.

    1. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall, upon a reasoned request from a market surveillance authoritymeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and of the processes put in place by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; with the essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed by the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which they have placed on the market.

    1. A manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that ceases its operations and, as a result, is not able to comply with this Regulation shall inform, before the cessation of operations takes effect, the relevant market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; as well as, by any means available and to the extent possible, the users of the relevant products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; placed on the market, of the impending cessation of operations.

    1. The Commission may, by means of implementing acts taking into account European or international standardsmeans an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012; and best practices, specify the format and elements of the software bill of materialsmeans a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements; referred to in Part II, point (1), of Annex I. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

    1. In order to assess the dependence of Member States and of the Union as a whole on softwaremeans the part of an electronic information system which consists of computer code; componentsmeans software or hardware intended for integration into an electronic information system; and in particular on componentsmeans software or hardware intended for integration into an electronic information system; qualifying as free and open-source softwaremeans software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;, ADCO may decide to conduct a Union wide dependency assessment for specific categories of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. For that purpose, market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; may request manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of such categories of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; to provide the relevant software bills of materialsmeans a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements; as referred to in Part II, point (1), of Annex I. On the basis of such information, the market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; may provide ADCO with anonymised and aggregated information about softwaremeans the part of an electronic information system which consists of computer code; dependencies. ADCO shall submit a report on the results of the dependency assessment to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod