Source: OJ L 2024/2847, 20.11.2024
CRA regulation (cyber resilience for products with digital elements)
Article 21 Cases in which obligations of manufacturers apply to importers and distributors
An importer or distributor shall be considered to be a manufacturer for the purposes of this Regulation and shall be subject to Articles 13 and 14, where that importer or distributor places a product with digital elements on the market under its name or trademark or carries out a substantial modification of a product with digital elements already placed on the market.

Defined terms used in this Article and in the recitals below (the definitions glossed on this page):
- 'importer' means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;
- 'distributor' means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;
- 'manufacturer' means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
- 'product with digital elements' means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
- 'substantial modification' means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;
- 'intended purpose' means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;
- 'cybersecurity' means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
- 'cybersecurity risk' means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;
- 'vulnerability' means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
- 'software' means the part of an electronic information system which consists of computer code;
- 'conformity assessment' means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;
- 'Union harmonisation legislation' means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies.
Relevant recitals
Recital 38 Serial manufacturing, subsequent modifications and repairs
In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essential cybersecurity requirements should be set out for such products. Those essential cybersecurity requirements, including vulnerability management handling requirements, apply to each individual product with digital elements when placed on the market, irrespective of whether the product with digital elements is manufactured as an individual unit or in series. For example, for a product type, each individual product with digital elements should have received all security patches or updates available to address relevant security issues when it is placed on the market.
Where products with digital elements are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturer in the initial risk assessment and that may imply that they no longer meet the relevant essential cybersecurity requirements, the modification should be considered to be substantial. For example, repairs could be assimilated to maintenance operations provided that they do not modify a product with digital elements already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended purpose for which the product has been assessed may be changed.
Recital 39 Guidance on substantial modifications
As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software change where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update, and the updated version of the product is made available on the market.
Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification. This usually includes situations where a security update entails only minor adjustments of the source code.
For example, this could be the case where a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification.
Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation.
In assessing whether a feature update is considered to be a substantial modification, it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification.
Recital 41 Verification of compliance after substantial modification
In line with the commonly established concept of substantial modification for products regulated by Union harmonisation legislation, where a substantial modification occurs that may affect the compliance of a product with digital elements with this Regulation or when the intended purpose of that product changes, it is appropriate that the compliance of the product with digital elements is verified and that, where applicable, it undergoes a new conformity assessment. Where applicable, if the manufacturer undertakes a conformity assessment involving a third party, a change that might lead to a substantial modification should be notified to the third party.
Recital 42 Substantial modification via refurbishment, maintenance and repair
Where a product with digital elements is subject to ‘refurbishment’, ‘maintenance’ and ‘repair’ as defined in Article 2, points (18), (19) and (20), of Regulation (EU) 2024/1781 of the European Parliament and of the Council (19), this does not necessarily lead to a substantial modification of the product, for instance if the intended purpose and functionalities are not changed and the level of risk remains unaffected.
However, an upgrade of a product with digital elements by the manufacturer might lead to changes in the design and development of that product and might therefore affect its intended purpose and compliance with the requirements set out in this Regulation.
(19) Regulation (EU) 2024/1781 of the European Parliament and of the Council of 13 June 2024 establishing a framework for the setting of ecodesign requirements for sustainable products, amending Directive (EU) 2020/1828 and Regulation (EU) 2023/1542 and repealing Directive 2009/125/EC (OJ L, 2024/1781, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1781/oj).
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.