Source: OJ L, 2024/2847, 20.11.2024 (Regulation (EU) 2024/2847, the Cyber Resilience Act)
Article 27 Presumption of conformity
Terms used in this Article and in the recitals below carry the definitions given in Article 3 of the Regulation:
- ‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
- ‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
- ‘harmonised standard’, ‘European standard’ and ‘international standard’ mean, respectively, a harmonised standard, a European standard and an international standard as defined in Article 2, points (1)(c), (1)(b) and (1)(a), of Regulation (EU) No 1025/2012;
- ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
- ‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;
- ‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;
- ‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;
- ‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;
- ‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;
- ‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC.

Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.
The Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.
The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation.
Those implementing acts shall be adopted only where the following conditions are fulfilled:
(a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and:
(i) the request has not been accepted;
(ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or
(iii) the harmonised standards do not comply with the request; and
(b) no reference to harmonised standards covering the relevant essential cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).
Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.
When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.
Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.
Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.
Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.
The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, a European cybersecurity certificate issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), points (a) and (b), and Article 32(3), points (a) and (b), of this Regulation.
Relevant recitals
Recital 79 Presumption of conformity based on harmonised standards
In order to facilitate assessment of conformity with the requirements laid down in this Regulation, there should be a presumption of conformity for products with digital elements which are in conformity with harmonised standards, which translate the essential cybersecurity requirements set out in this Regulation into detailed technical specifications, and which are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (28). That Regulation provides for a procedure for objections to harmonised standards where those standards do not entirely satisfy the requirements set out in this Regulation. The standardisation process should ensure a balanced representation of interests and effective participation of civil society stakeholders, including consumer organisations.
International standards that are in line with the level of cybersecurity protection aimed for by the essential cybersecurity requirements set out in this Regulation should also be taken into account, in order to facilitate the development of harmonised standards and the implementation of this Regulation, as well as to facilitate compliance for companies, in particular microenterprises and small and medium-sized enterprises and those operating globally.
(28) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
Recital 80 Timely development of harmonised standards
The timely development of harmonised standards during the transitional period for the application of this Regulation and their availability before the date of application of this Regulation will be particularly important for its effective implementation. This is, in particular, the case for important products with digital elements that fall under class I. The availability of harmonised standards will enable manufacturers of such products to perform the conformity assessments via the internal control procedure and can therefore avoid bottlenecks and delays in the activities of conformity assessment bodies.
Recital 81 Voluntary European cybersecurity certification framework
Regulation (EU) 2019/881 establishes a voluntary European cybersecurity certification framework for ICT products, ICT processes and ICT services. European cybersecurity certification schemes provide a common framework of trust for users to use products with digital elements that fall within the scope of this Regulation. This Regulation should consequently create synergies with Regulation (EU) 2019/881. In order to facilitate the assessment of conformity with the requirements laid down in this Regulation, products with digital elements that are certified or for which a statement of conformity has been issued under a European cybersecurity scheme pursuant to Regulation (EU) 2019/881 that has been identified by the Commission in an implementing act, shall be presumed to be in compliance with the essential cybersecurity requirements set out in this Regulation in so far as the European cybersecurity certificate or statement of conformity or parts thereof cover those requirements.
The need for new European cybersecurity certification schemes for products with digital elements should be assessed in the light of this Regulation, including when preparing the Union rolling work programme in accordance with Regulation (EU) 2019/881. Where there is a need for a new scheme covering products with digital elements, including in order to facilitate compliance with this Regulation, the Commission can request ENISA to prepare candidate schemes in accordance with Article 48 of Regulation (EU) 2019/881. Such future European cybersecurity certification schemes covering products with digital elements should take into account the essential cybersecurity requirements and conformity assessment procedures as set out in this Regulation and facilitate compliance with this Regulation. For European cybersecurity certification schemes that enter into force before the entry into force of this Regulation, further specifications may be needed on detailed aspects of how a presumption of conformity can apply.
The Commission, by means of delegated acts, should be empowered to specify under which conditions the European cybersecurity certification schemes can be used to demonstrate conformity with the essential cybersecurity requirements set out in this Regulation. Furthermore, to avoid undue administrative burdens, there should be no obligation for manufacturers to carry out a third-party conformity assessment as provided for in this Regulation for corresponding requirements where a European cybersecurity certificate has been issued under such European cybersecurity certification schemes at least at level ‘substantial’.
Recital 82 Presumption of conformity based on European cybersecurity certification schemes
Upon entry into force of Implementing Regulation (EU) 2024/482, which concerns products that fall within the scope of this Regulation, such as hardware security modules and microprocessors, the Commission should be able to specify, by means of a delegated act, how the EUCC provides a presumption of conformity with the essential cybersecurity requirements as set out in this Regulation or parts thereof. Furthermore, such a delegated act may specify how a certificate issued under the EUCC eliminates the obligation for manufacturers to carry out a third-party assessment as required pursuant to this Regulation for corresponding requirements.
Recital 83 Common specifications via implementing acts
The current European standardisation framework, which is based on the New Approach principles set out in Council Resolution of 7 May 1985 on a new approach to technical harmonization and standards and on Regulation (EU) No 1025/2012, represents the framework by default to elaborate standards that provide for a presumption of conformity with the relevant essential cybersecurity requirements set out in this Regulation. European standards should be market-driven, take into account the public interest, as well as the policy objectives clearly stated in the Commission’s request to one or more European standardisation organisations to draft harmonised standards, within a set deadline, and be based on consensus. However, in the absence of relevant references to harmonised standards, the Commission should be able to adopt implementing acts establishing common specifications for the essential cybersecurity requirements set out in this Regulation, provided that in doing so it duly respects the role and functions of European standardisation organisations, as an exceptional fall-back solution to facilitate the manufacturer’s obligation to comply with those essential cybersecurity requirements, where the standardisation process is blocked or where there are delays in the establishment of appropriate harmonised standards. If such delay is due to the technical complexity of the standard in question, this should be considered by the Commission before considering whether to establish common specifications.
Recital 84 Relevant stakeholders when establishing common specifications
With a view to establishing, in the most efficient way, common specifications that cover the essential cybersecurity requirements set out in this Regulation, the Commission should involve relevant stakeholders in the process.
Recital 85 Definition of 'reasonable period'
‘Reasonable period’ means, in relation to the publication of a reference to harmonised standards in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012, a period during which the publication in the Official Journal of the European Union of the reference to the standard, its corrigendum or its amendment is expected, and which should not exceed one year after the deadline for drafting a European standard set in accordance with Regulation (EU) No 1025/2012.
Recital 86 Presumption of conformity based on common specifications
In order to facilitate the assessment of conformity with the essential cybersecurity requirements set out in this Regulation, there should be a presumption of conformity for products with digital elements that are in conformity with the common specifications adopted by the Commission pursuant to this Regulation for the purpose of expressing detailed technical specifications of those requirements.
Recital 87 Alternatives to presumption of conformity
The application of harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity in relation to the essential cybersecurity requirements applicable to products with digital elements will facilitate the assessment of conformity by the manufacturers. If the manufacturer chooses not to apply such means for certain requirements, it has to indicate in its technical documentation how compliance is reached otherwise.
Furthermore, the application by manufacturers of harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 providing presumption of conformity would facilitate the check of compliance of products with digital elements by market surveillance authorities. Therefore, manufacturers of products with digital elements are encouraged to apply such harmonised standards, common specifications or European cybersecurity certification schemes.
This text is provided by Springlex purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.