Source: OJ L 2024/2847, 20.11.2024

Current language: EN

Article 5 Procurement or use of products with digital elements


Summary What does Article 5 of the Cyber Resilience Act say?

This article addresses the relationship between the Regulation and the powers of Member States, making clear that the Regulation does not act as a ceiling on cybersecurity requirements.

Member States retain the freedom to impose additional cybersecurity conditions on products with digital elements when procuring or using them for specific purposes, such as national security or defence, as long as those additional requirements are consistent with Union law and are necessary and proportionate.

The article also touches on public procurement, directing Member States to factor in compliance with the essential cybersecurity requirements of the Regulation — including a manufacturer's ability to handle vulnerabilities — when procuring products with digital elements covered by the Regulation.

Important points:

  • Member States may impose additional cybersecurity requirements beyond this Regulation for specific procurement or use purposes, including national security and defence, provided those requirements are consistent with Union law and are necessary and proportionate.
  • Member States are required to ensure that compliance with the essential cybersecurity requirements of Annex I is taken into consideration during public procurement processes.
  • The procurement obligation explicitly includes assessing manufacturers' ability to handle vulnerabilities effectively.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. This Regulation shall not prevent Member States from subjecting products with digital elements to additional cybersecurity requirements for the procurement or use of those products for specific purposes, including where those products are procured or used for national security or defence purposes, provided that such requirements are consistent with Member States’ obligations laid down in Union law and that they are necessary and proportionate for the achievement of those purposes.

    1. Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential cybersecurity requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod