Source: OJ L 2024/2847, 20.11.2024
Article 25 Security attestation of free and open-source software
In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.
Relevant recitals
Recital 17 Application considering free and open-source software
Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. To foster the development and deployment of free and open-source software, in particular by microenterprises and small and medium-sized enterprises, including start-ups, individuals, not-for-profit organisations, and academic research organisations, the application of this Regulation to products with digital elements qualifying as free and open-source software supplied for distribution or use in the course of a commercial activity should take into account the nature of the different development models of software distributed and developed under free and open-source software licences.
Recital 18 Definition of free and open-source software
Free and open-source software is understood as software the source code of which is openly shared and the licensing of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software is developed, maintained and distributed openly, including via online platforms. In relation to economic operators that fall within the scope of this Regulation, only free and open-source software made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, should fall within the scope of this Regulation.
The mere circumstances under which the product with digital elements has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity. More specifically, for the purposes of this Regulation and in relation to the economic operators that fall within its scope, to ensure that there is a clear distinction between the development and supply phases, the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered to be a commercial activity.
Furthermore, the supply of products with digital elements qualifying as free and open-source software components intended for integration by other manufacturers into their own products with digital elements should be considered to be making available on the market only if the component is monetised by its original manufacturer.
For instance, the mere fact that an open-source software product with digital elements receives financial support from manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature. In addition, the mere presence of regular releases should not in itself lead to the conclusion that a product with digital elements is supplied in the course of a commercial activity.
Finally, for the purposes of this Regulation, the development of products with digital elements qualifying as free and open-source software by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives. This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility.
Recital 19 Regulatory regime for open-source software stewards
Taking into account the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are published, but not made available on the market within the meaning of this Regulation, legal persons who provide support on a sustained basis for the development of such products which are intended for commercial activities, and who play a main role in ensuring the viability of those products (open-source software stewards), should be subject to a light-touch and tailor-made regulatory regime.
Open-source software stewards include certain foundations as well as entities that develop and publish free and open-source software in a business context, including not-for-profit entities. The regulatory regime should take account of their specific nature and compatibility with the type of obligations imposed. It should only cover products with digital elements qualifying as free and open-source software that are ultimately intended for commercial activities, such as for integration into commercial services or into monetised products with digital elements.
For the purposes of that regulatory regime, an intention for integration into monetised products with digital elements includes cases where manufacturers that integrate a component into their own products with digital elements either contribute to the development of that component in a regular manner or provide regular financial assistance to ensure the continuity of a software product.
The provision of sustained support to the development of a product with digital elements includes but is not limited to the hosting and managing of software development collaboration platforms, the hosting of source code or software, the governing or managing of products with digital elements qualifying as free and open-source software as well as the steering of the development of such products.
Given that the light-touch and tailor-made regulatory regime does not subject those acting as open-source software stewards to the same obligations as those acting as manufacturers under this Regulation, they should not be permitted to affix the CE marking to the products with digital elements whose development they support.
Recital 21 Facilitation of due diligence of free and open-source software
In order to support and facilitate the due diligence of manufacturers that integrate free and open-source software components that are not subject to the essential cybersecurity requirements set out in this Regulation into their products with digital elements, the Commission should be able to establish voluntary security attestation programmes, either by a delegated act supplementing this Regulation or by requesting a European cybersecurity certification scheme pursuant to Article 48 of Regulation (EU) 2019/881 that takes into account the specificities of the free and open-source software development models.
The security attestation programmes should be conceived in such a way that not only natural or legal persons developing or contributing to the development of a product with digital elements qualifying as free and open-source software can initiate or finance a security attestation but also third parties, such as manufacturers that integrate such products into their own products with digital elements, users, or Union and national public administrations.
Recital 23 Adequate cybersecurity skills
The effectiveness of the implementation of this Regulation will also depend on the availability of adequate cybersecurity skills. At Union level, various programmatic and political documents, including the Commission communication of 18 April 2023 on Closing the cybersecurity talent gap to boost the EU’s competitiveness, growth and resilience and the Council Conclusions of 22 May 2023 on the EU Policy on Cyber Defence acknowledged the cybersecurity skills gap in the Union and the need to address such challenges as a matter of priority, in both the public and private sectors. With a view to ensuring an effective implementation of this Regulation, Member States should ensure that adequate resources are available for the appropriate staffing of the market surveillance authorities and conformity assessment bodies to perform their tasks as laid down in this Regulation. Those measures should enhance workforce mobility in the cybersecurity field and their associated career pathways. They should also contribute to making the cybersecurity workforce more resilient and inclusive, also in terms of gender. Member States should therefore take measures to ensure that those tasks are carried out by adequately trained professionals, with the necessary cybersecurity skills.
Similarly, manufacturers should ensure that their staff has the necessary skills to comply with their obligations as laid down in this Regulation. Member States and the Commission, in line with their prerogatives and competences and the specific tasks conferred upon them by this Regulation, should take measures to support manufacturers and in particular microenterprises and small and medium-sized enterprises, including start-ups, also in areas such as skill development, for the purposes of compliance with their obligations as laid down in this Regulation.
Furthermore, as Directive (EU) 2022/2555 requires Member States to adopt policies promoting and developing training on cybersecurity and cybersecurity skills as part of their national cybersecurity strategies, Member States may also consider, when adopting such strategies, addressing the cybersecurity skills needs resulting from this Regulation, including those relating to re-skilling and up-skilling.
Recital 34 Manufacturers' responsibility for the supply chain
When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in this Regulation, exercise due diligence with regard to those components, including free and open-source software components that have not been made available on the market.
The appropriate level of due diligence depends on the nature and the level of cybersecurity risk associated with a given component, and should, for that purpose, take into account one or more of the following actions: verifying, as applicable, that the manufacturer of a component has demonstrated conformity with this Regulation, including by checking if the component already bears the CE marking; verifying that a component receives regular security updates, such as by checking its security updates history; verifying that a component is free from vulnerabilities registered in the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555 or other publicly accessible vulnerability databases; or carrying out additional security tests. The vulnerability handling obligations set out in this Regulation, which manufacturers have to comply with when placing a product with digital elements on the market and for the support period, apply to products with digital elements in their entirety, including to all integrated components.
Where, in the exercise of due diligence, the manufacturer of the product with digital elements identifies a vulnerability in a component, including in a free and open-source component, it should inform the person or entity manufacturing or maintaining the component, address and remediate the vulnerability, and, where applicable, provide the person or entity with the applied security fix.
Recital 35 Manufacturers' due diligence immediately after transitional period
Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates one or several components sourced from third parties which are also subject to this Regulation may not be able to verify, as part of its due diligence obligation, that the manufacturers of those components have demonstrated conformity with this Regulation by checking, for instance, if the components already bear the CE marking.
This may be the case where the components have been integrated before this Regulation becomes applicable to the manufacturers of those components. In such a case, a manufacturer integrating such components should exercise due diligence through other means.