Article 26 Guidance

The Commission should provide guidance to assist economic operatorsmeans the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;, in particular microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises, in the application of this Regulation. Such guidance should cover, inter alia, the scope of this Regulation, in particular remote data processingmeans data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions; and its implications for free and open-source softwaremeans software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable; developers, the application of the criteria used to determine support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the interplay between this Regulation and other Union law and the concept of substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;.

In order to ensure that products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, when placed on the market, do not pose cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to persons and organisations, essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements should be set out for such products. Those essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, including vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; management handling requirements, apply to each individual product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; when placed on the market, irrespective of whether the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is manufactured as an individual unit or in series. For example, for a product type, each individual product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should have received all security patches or updates available to address relevant security issues when it is placed on the market. Where products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; are subsequently modified, by physical or digital means, in a way that is not foreseen by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in the initial risk assessment and that may imply that they no longer meet the relevant essential cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements, the modification should be considered to be substantial. For example, repairs could be assimilated to maintenance operations provided that they do not modify a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; already placed on the market in such a way that compliance with the applicable requirements may be affected, or that the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; for which the product has been assessed may be changed.

As is the case for physical repairs or modifications, a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; should be considered to be substantially modified by a softwaremeans the part of an electronic information system which consists of computer code; change where the softwaremeans the part of an electronic information system which consists of computer code; update modifies the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of that product and those changes were not foreseen by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; has increased because of the softwaremeans the part of an electronic information system which consists of computer code; update, and the updated version of the product is made available on the market. Where a security update which is designed to decrease the level of cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; does not modify the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, it is not considered to be a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;. This usually includes situations where a security update entails only minor adjustments of the source code. For example, this could be the case where a security update addresses a known vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, including by modifying functions or the performance of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; for the sole purpose of decreasing the level of cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;. Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and meets the above criteria, it should be considered to be a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. For example, this could be the case where a new input element is added to an application, requiring the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to ensure adequate input validation. In assessing whether a feature update is considered to be a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;.

Taking into account the iterative nature of softwaremeans the part of an electronic information system which consists of computer code; development, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; that have placed subsequent versions of a softwaremeans the part of an electronic information system which consists of computer code; product on the market as a result of a subsequent substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; of that product should be able to provide security updates for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; only for the version of the softwaremeans the part of an electronic information system which consists of computer code; product that they have last placed on the market. They should be able to do so only if the users of the relevant previous product versions have access to the product version last placed on the market free of charge and do not incur additional costs to adjust the hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; or softwaremeans the part of an electronic information system which consists of computer code; environment in which they operate the product. This could, for instance, be the case where a desktop operating system upgrade does not require new hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;, such as a faster central processing unit or more memory. Nonetheless, the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should continue to comply, for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, with other vulnerability-handling requirements, such as having a policy on coordinated vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure or measures in place to facilitate the sharing of information about potential vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; for all subsequent substantially modified versions of the softwaremeans the part of an electronic information system which consists of computer code; product placed on the market. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should be able to provide minor security or functionality updates that do not constitute a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; only for the latest version or sub-version of a softwaremeans the part of an electronic information system which consists of computer code; product that has not been substantially modified. At the same time, where a hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; product, such as a smartphone, is not compatible with the latest version of the operating system it was originally delivered with, the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should continue to provide security updates at least for the latest compatible version of the operating system for the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.

In line with the commonly established concept of substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; for products regulated by Union harmonisation legislationmeans Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;, where a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; occurs that may affect the compliance of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; with this Regulation or when the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; of that product changes, it is appropriate that the compliance of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is verified and that, where applicable, it undergoes a new conformity assessmentmeans the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. Where applicable, if the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; undertakes a conformity assessmentmeans the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; involving a third party, a change that might lead to a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; should be notified to the third party.

Where a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is subject to ‘refurbishment’, ‘maintenance’ and ‘repair’ as defined in Article 2, points (18), (19) and (20), of Regulation (EU) 2024/1781 of the European Parliament and of the Council(¹⁹)Regulation (EU) 2024/1781 of the European Parliament and of the Council of 13 June 2024 establishing a framework for the setting of ecodesign requirements for sustainable products, amending Directive (EU) 2020/1828 and Regulation (EU) 2023/1542 and repealing Directive 2009/125/EC (OJ L, 2024/1781, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1781/oj)., this does not necessarily lead to a substantial modificationmeans a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed; of the product, for instance if the intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; and functionalities are not changed and the level of risk remains unaffected. However, an upgrade of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; might lead to changes in the design and development of that product and might therefore affect its intended purposemeans the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; and compliance with the requirements set out in this Regulation.

Important products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; as referred to in this Regulation should be understood as products which have the core functionality of a category of important products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that is set out in this Regulation. For example, this Regulation sets out categories of important products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which are defined by their core functionality as firewalls or intrusion detection or prevention systems in class II. As a result, firewalls and intrusion detection or prevention systems are subject to mandatory third-party conformity assessmentmeans the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;. This is not the case for other products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; not categorised as important products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which may integrate firewalls or intrusion detection or prevention systems. The Commission should adopt an implementing act to specify the technical description of the categories of important products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that fall under classes I and II as set out in this Regulation.

For the purpose of ensuring the security of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; after their placing on the marketmeans the first making available of a product with digital elements on the Union market;, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should determine the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, which should reflect the time the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is expected to be in use. In determining a support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, a manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should take into account in particular reasonable user expectations, the nature of the product, as well as relevant Union law determining the lifetime of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;. Manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should also be able to take into account other relevant factors. Criteria should be applied in a manner that ensures proportionality in the determination of the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;. Upon request, a manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should provide market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; with the information that was taken into account to determine the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;.

The support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for which the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; ensures the effective handling of vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; should be no less than five years, unless the lifetime of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is less than five years, in which case the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should ensure the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling for that lifetime. Where the time the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; is reasonably expected to be in use is longer than five years, as is often the case for hardwaremeans a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data; componentsmeans software or hardware intended for integration into an electronic information system; such as motherboards or microprocessors, network devices such as routers, modems or switches, as well as softwaremeans the part of an electronic information system which consists of computer code;, such as operating systems or video-editing tools, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should accordingly ensure longer support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;. In particular, products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; intended for use in industrial settings, such as industrial control systems, are often in use for significantly longer periods of time. A manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should be able to define a support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; of less than five years only where this is justified by the nature of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned and where that product is expected to be in use for less than five years, in which case the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; should correspond to the expected use time. For instance, the lifetime of a contact tracing application intended for use during a pandemic could be limited to the duration of the pandemic. Moreover, some softwaremeans the part of an electronic information system which consists of computer code; applications can by nature only be made available on the basis of a subscription model, in particular where the application becomes unavailable to the user and is consequently not in use anymore once the subscription expires.

When products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; reach the end of their support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, in order to ensure that vulnerabilitiesmeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; can be handled after the end of the support periodmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;, manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; should consider releasing the source code of such products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; either to other undertakings which commit to extending the provision of vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; handling services or to the public. Where manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; release the source code to other undertakings, they should be able to protect the ownership of the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and prevent the dissemination of the source code to the public, for example through contractual arrangements.

In order to ensure that manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; across the Union determine similar support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for comparable products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, ADCO should publish statistics on the average support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; determined by manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; for categories of products with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and issue guidance indicating appropriate support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for such categories. In addition, with a view to ensuring a harmonised approach across the internal market, the Commission should be able to adopt delegated acts to specify minimum support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; for specific product categories where the data provided by market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; suggests that the support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; determined by manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; are either systematically not in line with the criteria for determining the support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I; as laid down in this Regulation or that manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; in different Member States unjustifiably determine different support periodsmeans the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;.