Source: OJ L 2024/2847, 20.11.2024
Cyber resilience for products with digital elements
Annex VII Content of the technical documentation
The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements:
a general description of the product with digital elements, including:
its intended purpose;
versions of software affecting compliance with essential cybersecurity requirements;
where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout;
user information and instructions as set out in Annex II;
a description of the design, development and production of the product with digital elements and vulnerability handling processes, including:
necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;
necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;
necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes;
an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained pursuant to Article 13, including how the essential cybersecurity requirements set out in Part I of Annex I are applicable;
relevant information that was taken into account to determine the support period pursuant to Article 13(8) of the product with digital elements;
a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential cybersecurity requirements set out in Parts I and II of Annex I, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied;
reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential cybersecurity requirements as set out in Parts I and II of Annex I;
a copy of the EU declaration of conformity;
where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for that authority to be able to check compliance with the essential cybersecurity requirements set out in Annex I.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.