Annex I Essential cybersecurity requirements


  1. Part I cybersecurity requirements relating to the properties of products with digital elements

    1. Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.

    2. On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

      1. be made available on the market without known exploitable vulnerabilities;

      2. be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

      3. ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

      4. ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;

      5. protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;

      6. protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;

      7. process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);

      8. protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;

      9. minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;

      10. be designed, developed and produced to limit attack surfaces, including external interfaces;

      11. be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;

      12. provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;

      13. provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.

  2. Part II vulnerability handling requirements

    1. Manufacturers of products with digital elements shall:

      1. identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;

      2. in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;

      3. apply effective and regular tests and reviews of the security of the product with digital elements;

      4. once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;

      5. put in place and enforce a policy on coordinated vulnerability disclosure;

      6. take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;

      7. provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;

      8. ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
