Source: OJ L, 2025/2392, 1.12.2025
- Cyber resilience for products with digital elements
Implementing acts
- Technical description of product categories
Annex II CRITICAL PRODUCTS WITH DIGITAL ELEMENTS
| Category of product | Technical description |
|---|---|
| | Hardware products with digital elements that securely store, process, or manage sensitive data or perform cryptographic operations, and that consist of multiple discrete components, incorporating a hardware physical envelope providing tamper evidence, resistance or response as countermeasures against physical attacks. This category includes but is not limited to physical payment terminals, hardware security modules that generate and manage cryptographic elements, and tachographs that meet the above description. |
| | Smart meter gateways are products with digital elements that control communication between components in or connected to smart metering systems as defined in Article 2(23) of Directive (EU) 2019/944, and authorised third parties, such as utility providers. Smart meter gateways collect, process and store meter or personal data, protect data and information flows by supporting specific cryptographic needs, such as encryption and decryption of data, incorporate firewalling functionalities and provide the means to control other devices. This category includes but is not limited to smart meter gateways related to smart metering systems measuring electricity as defined in Article 2(23) of Directive (EU) 2019/944. It may also include smart meter gateways used in other smart metering systems measuring consumption of other sources of energy such as gas or heat, provided that the gateway meets this description. |
| | Secure elements are microcontrollers or microprocessors with security-related functionalities, including tamper evidence, resistance or response. They typically store, process, or manage cryptographic operations or sensitive data, such as identity credentials or payment credentials. Secure elements are designed to provide protection of at least AVA_VAN.4, as set out in the Common Criteria or the Common Evaluation Methodology. They can be discrete silicon or can be integrated into systems on chip (SoC). Secure elements can incorporate an application environment or an operating system, and can include one or more applications. This category includes but is not limited to Trusted Platform Modules (TPMs) and embedded Universal Integrated Circuit Card (UICC). |
| | Smartcards or similar devices are secure elements integrated into a carrier material, such as plastic or wood, in the shape of a card, or secure elements integrated into carrier materials taking other shapes. This category includes but is not limited to identity and travel documents, qualified signature cards, replaceable UICCs, physical payment cards, physical access cards, digital tachograph cards or wrist bands with integrated payment secure elements. |
Relevant recitals
Recital 2 Core functionality determines product category
Pursuant to Article 7(1) and Article 8(1) of Regulation (EU) 2024/2847, the core functionality of a product with digital elements determines whether that product with digital elements meets the technical description of a category of important or critical products with digital elements and therefore the applicable conformity assessment procedures.
Recital 7 Examples are illustrative and non-exhaustive
This Regulation includes examples of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.
Recital 8 AVA_VAN levels distinguish tamper-resistant hardware categories
In order to provide legal certainty to manufacturers, the categories of products with digital elements that are tamper-resistant microprocessors, tamper-resistant microcontrollers, and smartcards and similar devices, including secure elements, should be distinguished on the basis of the level of resistance against potential exploitability of flaws or weaknesses for which they have been designed. AVA_VAN level is an extensively used and standardised way to express such a level of resistance. AVA_VAN levels are set out in the publicly available Common Criteria and Common Evaluation Methodology standards, which underlie existing certification frameworks widely adopted on the market, such as Commission Implementing Regulation (EU) 2024/482 (3). Implementing Regulation (EU) 2024/482 establishes a European cybersecurity certification scheme that can be used to certify a product at a specific assurance level. Drawing on global practices, Implementing Regulation (EU) 2024/482 foresees the possibility to issue certificates based on older versions of the standards until end of 2027. Hence, in the context of Regulation (EU) 2024/2847, it is appropriate to allow for AVA_VAN levels to be expressed by referring to either the latest version or older versions of those standards.
(3) Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.