Source: OJ L, 2025/2392, 1.12.2025. Current language: EN
Cyber resilience for products with digital elements > Implementing acts > Technical description of product categories
Annex I IMPORTANT PRODUCTS WITH DIGITAL ELEMENTS
Class I
Category of product / Technical description
1. Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers
Identity management systems are products with digital elements that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials of natural persons, legal persons, devices or systems, such as identity registration, provisioning, maintenance, deregistration. These systems include access management systems that control access of natural persons, legal persons, devices or systems to digital resources or physical locations.
Privileged access management software is an access management system that controls and monitors access rights to IT or OT systems and sensitive information within an organisation, including systems enforcing differentiated access control policies for privileged users.
This category includes but is not limited to authentication and access control readers, biometric readers, single sign-on software, federated identity management software, one-time password software, hardware authentication devices such as transaction authentication number (TAN) generators, authentication software and multi-factor authentication software.
2. Standalone and embedded browsers
Software products with digital elements that enable end users to access, render, and interact with web content and services hosted on servers that are connected to networks such as the Internet. They typically include a browser engine for interpreting and displaying content written in markup language (e.g. HTML), support for web protocols (e.g. HTTP, HTTPS), the ability to execute scripts and manage user inputs as well as storage of temporary or persistent data from websites (cookies).
This category includes but is not limited to standalone applications that fulfil the functions of browsers, embedded browsers intended for integration into another system or application as well as browsers with AI agent integration.
3. Password managers
Products with digital elements that store passwords, locally on a device or on a remote server, including activities such as generation of passwords as well as password sharing and integration with local or third-party applications for usage of passwords.
This category includes but is not limited to local password managers, password managers provided as browser extensions, enterprise password managers as well as hardware-based password managers.
4. Software that searches for, removes, or quarantines malicious software
Software products with digital elements, typically referred to as antivirus or antimalware, that detect or search for malicious software or code on devices, or remove or quarantine such software or code, in order to maintain the integrity, confidentiality, or availability of such devices.
In the context of this category of products, malicious software means software containing malicious features or capabilities that can cause harm directly or indirectly to the user and/or the computer system, such as viruses, worms, ransomware, spyware and trojans.
This category includes but is not limited to software that detects or searches for malicious software in real-time or manually, rootkit detection and rescue disks with the core functionality of searching, removing or quarantining malicious software.
5. Products with digital elements with the function of virtual private network (VPN)
Products with digital elements that establish an encrypted logical tunnel that is constructed from the system resources of a physical or virtual network.
This category includes but is not limited to virtual private network clients, virtual private network servers and virtual private network gateways.
6. Network management systems
Products with digital elements that manage connected network elements, such as servers, routers, switches, workstations, printers or mobile devices, by monitoring them and controlling their network operations and configuration.
This category includes but is not limited to end-to-end management systems and dedicated configuration management systems, such as controllers for software-defined networking.
7. Security information and event management (SIEM) systems
Products with digital elements that collect data from multiple sources, analyse and correlate that data and present it as actionable information for security-related purposes, such as threat and incident detection, forensic analysis or compliance purposes.
8. Boot managers
Software products with digital elements that manage the process of initial system startup after power on/restart by initialising hardware, loading or transferring control to the operating system environment or system resources, and selecting boot options.
This category includes but is not limited to UEFI firmware, single-stage and multi-stage boot loaders.
9. Public key infrastructure and digital certificate issuance software
Products with digital elements used as part of a public key infrastructure (PKI) that manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates, or the generation, storage, escrow, exchange, destruction or rotation of cryptographic keys associated with such digital certificates.
This category includes but is not limited to key management systems, digital certificate management systems, online certificate status protocol responders and all-in-one PKI solutions.
10. Physical and virtual network interfaces
Physical network interfaces are products with digital elements that directly connect a device to a network via an application programming interface (API) provided by the interface drivers, typically operating at the data link layer, and that feature hardware adapters to transmission media with corresponding firmware, typically operating at the physical and data link layer.
Virtual network interfaces are products with digital elements that directly or indirectly connect a device to a network via an API that emulates that of drivers of physical network interfaces, typically operating at the data link layer.
This category includes but is not limited to wired and wireless network interface cards, controllers and adapters, such as for Wi-Fi, Ethernet, IrDA, USB, Bluetooth, NearLink, Zigbee, or Fieldbus, as well as purely virtual standalone products, such as virtual network interface cards, container network interfaces and VPN interfaces.
11. Operating systems
Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals.
This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.
12. Routers, modems intended for the connection to the internet, and switches
Routers are products with digital elements that establish and control the flow of data between different networks by selecting paths or routes using routing protocol mechanisms and algorithms, typically operating at the network layer.
This category includes but is not limited to wired and wireless routers, virtual routers and routers with or without modems.
Modems intended for the connection to the Internet are hardware products with digital elements that use digital modulation and demodulation techniques to convert analogue signals from and to digital signals for IP-based communication.
This category includes but is not limited to fibre modems, Digital Subscriber Line (DSL) modems, cable (DOCSIS) modems, satellite modems and cellular modems.
Switches are products with digital elements that provide connectivity between networked devices through packet forwarding mechanisms and that have a management plane, typically implemented at the data link or network layer.
This category includes but is not limited to managed switches, smart switches, multilayer switches, virtual security switches, programmable switches for software-defined networking and bridges such as wireless access points.
13. Microprocessors with security-related functionalities
Products with digital elements that are integrated circuits that carry out central processing functions relying on external memory and peripherals, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the microprocessor itself, such as secure boot chain, virtualization or secure communication interfaces.
14. Microcontrollers with security-related functionalities
Products with digital elements that are integrated circuits that carry out central processing functions integrating memory allowing the microcontroller to be programmable and typically also other peripherals, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the microcontroller itself, such as secure boot chain, virtualization or secure communication interfaces.
15. Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
Application specific integrated circuits (ASIC) with security-related functionalities are products with digital elements that are integrated circuits, fully or partially custom-designed to perform a specific function or implement a specific application, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the ASIC itself, such as secure boot chain, virtualization or secure communication interfaces.
Field-programmable gate arrays (FPGA) with security-related functionalities are products with digital elements that are integrated circuits characterized by a matrix of configurable logic blocks designed to be reprogrammable after manufacturing to perform a specific function or implement a specific application, including microcode and other low-level firmware. They additionally provide security-related functionalities, such as encryption, authentication, secure key storage, random number generation, trusted execution environment, or other hardware-based protection mechanisms, that aim to secure other products, networks or services beyond the FPGA itself, such as secure boot chain, virtualization or secure communication interfaces.
16. Smart home general purpose virtual assistants
Products with digital elements that communicate on the public Internet, whether directly or via other equipment, that process demands, tasks or questions based on natural language prompts, such as through audio or written input, and that, based on those demands, tasks or questions, provide access to other services or control the functions of connected devices in residential settings.
This category includes but is not limited to smart speakers with an integrated virtual assistant, and standalone virtual assistants that meet this description.
17. Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
Products with digital elements that protect the physical security of consumers in a residential setting and which can be controlled or managed remotely from other systems, as well as hardware and software that centrally control such products.
This category includes but is not limited to smart door locking devices, baby monitoring systems, alarm systems and home security cameras.
18. Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council (1) that have social interactive features (e.g. speaking or filming) or that have location tracking features
(1) Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1, ELI: http://data.europa.eu/eli/dir/2009/48/oj).
Internet connected toys that have social interactive features are products with digital elements that are covered by Directive 2009/48/EC, that communicate on the public Internet, whether directly or via any other equipment, and that have embedded technologies that enable inbound and outbound communication, such as keyboard, microphone, speaker or camera.
Internet connected toys that have location tracking features are products with digital elements that are covered by Directive 2009/48/EC, that communicate on the public Internet, whether directly or via any other equipment, and that have technologies that enable tracking or inferring of the geographical location of the toy or its user. Where the toy merely detects the proximity of the user or of other toys by using sensing technologies, the toy is not to be considered to have location tracking features.
19. Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 (2) or (EU) 2017/746 of the European Parliament and of the Council (3) do not apply, or personal wearable products that are intended for the use by and for children
(2) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1, ELI: http://data.europa.eu/eli/reg/2017/745/oj).
(3) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176, ELI: http://data.europa.eu/eli/reg/2017/746/oj).
Personal wearable products to be worn or placed on a human body that have a health monitoring purpose are products with digital elements that are worn on the body directly or via clothing or accessories and that can, regularly or continuously, sense and further process information, including body metrics, relevant to the user’s health, excluding products that fall within the scope of Regulation (EU) 2017/745 or of Regulation (EU) 2017/746.
This category includes but is not limited to fitness trackers, smartwatches, smart jewellery, smart clothing and sports apparel that meet this description.
Personal wearable products that are intended for the use by and for children are products with digital elements which can be worn or placed on the body, directly or via clothing or accessories, of individuals under the age of 14.
This category includes but is not limited to child safety wearables.
Class II
Category of product / Technical description
1. Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments
Hypervisors are software products with digital elements that abstract and/or allocate computing resources and enable the execution, management and orchestration of virtual machines that are logically separated from each other and/or from the physical hardware. Hypervisors may run directly on hardware (bare metal), on top of an operating system, or within another virtual machine (nested virtualisation).
In the context of this category of products, a virtual machine is a software-defined logical separation of a computing environment, which includes a virtualised set of hardware resources (e.g. CPU, memory, storage, network interfaces) and typically hosts its own operating system.
This category includes but is not limited to type 1 hypervisors (bare metal), type 2 hypervisors (hosted on an operating system) and hybrid hypervisors.
Container runtime systems are software products with digital elements that manage the execution and lifecycle of containers running on a single host operating system as isolated processes, allocating resources and allowing the management and orchestration of individual containers.
In the context of this category of products, a container is a software-based execution environment that encapsulates one or more software components and their dependencies in a single package, enabling it to run independently and consistently.
2. Firewalls, intrusion detection and prevention systems
Firewalls are products with digital elements that protect a connected network or system from unauthorized access by monitoring and restricting data communication traffic to and from that network.
This category includes but is not limited to network firewalls and application firewalls such as web application firewalls or filters and anti-spam gateways.
Intrusion detection systems are products with digital elements that monitor traffic once it has entered the network environment for suspicious activity and detect or identify that an intrusion has been attempted, is occurring, or has occurred on a connected network or system.
This category includes but is not limited to network-based intrusion detection systems and host-based intrusion detection systems.
Intrusion prevention systems are products with digital elements composed of an intrusion detection system that actively responds to an intrusion to a connected network or system.
This category includes but is not limited to network-based intrusion prevention systems and host-based intrusion prevention systems.
3. Tamper-resistant microprocessors
Products with digital elements that are microprocessors with security-related functionalities referred to in Table ‘Class I’, point 13, of this Annex, including tamper evidence, resistance or response, and which additionally are designed to provide protection of AVA_VAN level 2 or 3, as set out in the Common Criteria and the Common Evaluation Methodology.
4. Tamper-resistant microcontrollers
Products with digital elements that are microcontrollers with security-related functionalities referred to in Table ‘Class I’, point 14, of this Annex, including tamper evidence, resistance or response, and which additionally are designed to provide protection of AVA_VAN level 2 or 3, as set out in the Common Criteria and the Common Evaluation Methodology.
Relevant recitals
Recital 2: Core functionality determines product category
Pursuant to Article 7(1) and Article 8(1) of Regulation (EU) 2024/2847, the core functionality of a product with digital elements determines whether that product with digital elements meets the technical description of a category of important or critical products with digital elements and therefore the applicable conformity assessment procedures.
Recital 7: Examples are illustrative and non-exhaustive
This Regulation includes examples of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.
Recital 8: AVA_VAN levels distinguish tamper-resistant hardware categories
In order to provide legal certainty to manufacturers, the categories of products with digital elements that are tamper-resistant microprocessors, tamper-resistant microcontrollers, and smartcards and similar devices, including secure elements, should be distinguished on the basis of the level of resistance against potential exploitability of flaws or weaknesses for which they have been designed. AVA_VAN level is an extensively used and standardised way to express such a level of resistance. AVA_VAN levels are set out in the publicly available Common Criteria and Common Evaluation Methodology standards, which underlie existing certification frameworks widely adopted on the market, such as Commission Implementing Regulation (EU) 2024/482 (3). Implementing Regulation (EU) 2024/482 establishes a European cybersecurity certification scheme that can be used to certify a product at a specific assurance level. Drawing on global practices, Implementing Regulation (EU) 2024/482 foresees the possibility to issue certificates based on older versions of the standards until end of 2027. Hence, in the context of Regulation (EU) 2024/2847, it is appropriate to allow for AVA_VAN levels to be expressed by referring to either the latest version or older versions of those standards.
(3) Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.