Technical description of product categories

The fact that a product with digital elements performs functions other than or additional to those detailed in the technical descriptions set out in this Regulation does not in itself mean that the product with digital elements does not have the core functionality of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847. For example, products with digital elements that have the core functionality of ‘operating systems’ often include software that performs ancillary functions not included in the technical description of that product category, such as calculators or simple graphics editors. Products with digital elements often also incorporate components that have the functionality of another important or critical product with digital elements, such as an operating system integrating browser functionality, or a router integrating firewall functionality. This, however, does not in itself mean that such products with digital elements do not have the core functionality of ‘operating systems’ or ‘routers, modems intended for the connection to the internet, and switches’, respectively.

On the other hand, a product with digital elements that has the ability to perform the functions of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847 but whose core functionality itself is different from that of such product category is not to be considered to meet the technical description of that product category. For example, a security orchestration, automation and response (SOAR) software often has the ability to perform the functions of products with digital elements in the category of ‘security information and event management (SIEM) systems’, i.e. gather data, analyse it and present it as actionable information for security purposes. However, as its core functionality is not that of a SIEM, SOAR software are generally not to be considered to meet the technical description of ‘security information and event management (SIEM) systems’. Similarly, a smartphone typically integrates components that perform the functions of several product categories set out in Annexes III and IV to Regulation (EU) 2024/2847, such as an operating system or an integrated password manager. However, as a smartphone’s core functionality is not that of an operating system or of a password manager, it is generally not to be considered to meet the technical description of such product categories.

Pursuant to Article 13(2) and (3) of Regulation (EU) 2024/2847, manufacturers of products with digital elements are to implement the essential cybersecurity requirements set out in Part I of Annex I to Regulation (EU) 2024/2847 in a way that is proportionate to the risks of the product with digital elements, based on the intended purpose and reasonably foreseeable use as well as the conditions of use of the product with digital elements, taking into account the length of time the product is expected to be in use. In accordance with Article 13(2) and (3) of that Regulation, and irrespective of whether the product with digital elements is considered to be an important or critical product with digital elements, manufacturers are to carry out a comprehensive cybersecurity risk assessment and indicate how the essential cybersecurity requirements are implemented as informed by the risk assessment, including their testing and assurance. Where the core functionality of their product with digital elements meets the technical description of an important or critical product with digital elements, manufacturers are to demonstrate conformity following the specific conformity assessment procedures established by Article 32(2), (3), (4) and (5) of Regulation (EU) 2024/2847.

This Regulation includes examples of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.

In order to provide legal certainty to manufacturers, the categories of products with digital elements that are tamper-resistant microprocessors, tamper-resistant microcontrollers, and smartcards and similar devices, including secure elements, should be distinguished on the basis of the level of resistance against potential exploitability of flaws or weaknesses for which they have been designed. AVA_VAN level is an extensively used and standardised way to express such a level of resistance. AVA_VAN levels are set out in the publicly available Common Criteria and Common Evaluation Methodology standards, which underlie existing certification frameworks widely adopted on the market, such as Commission Implementing Regulation (EU) 2024/482(³)Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).. Implementing Regulation (EU) 2024/482 establishes a European cybersecurity certification scheme that can be used to certify a product at a specific assurance level. Drawing on global practices, Implementing Regulation (EU) 2024/482 foresees the possibility to issue certificates based on older versions of the standards until end of 2027. Hence, in the context of Regulation (EU) 2024/2847, it is appropriate to allow for AVA_VAN levels to be expressed by referring to either the latest version or older versions of those standards.

The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 62(1) of Regulation (EU) 2024/2847,