Source: OJ L 2024/2847, 20.11.2024
EN- Cyber resilience for products with digital elements
Article 27 Presumption of conformity
Products with digital elements and processes put in place by the manufacturer which are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those standards or parts thereof.
The Commission shall, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards for the essential cybersecurity requirements set out in Annex I to this Regulation. When preparing standardisation requests for this Regulation, the Commission shall strive to take into account existing European and international standards for cybersecurity that are in place or under development in order to simplify the development of harmonised standards, in accordance with Regulation (EU) No 1025/2012.
The Commission may adopt implementing acts establishing common specifications covering technical requirements that provide a means to comply with the essential cybersecurity requirements set out in Annex I for products with digital elements that fall within the scope of this Regulation.
Those implementing acts shall be adopted only where the following conditions are fulfilled:
the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the essential cybersecurity requirements set out in Annex I and:
the request has not been accepted;
the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or
the harmonised standards do not comply with the request; and
no reference to harmonised standards covering the relevant essential cybersecurity requirements set out in Annex I to this Regulation has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).
Before preparing the draft implementing act referred to in paragraph 2 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 2 of this Article have been fulfilled.
When preparing the draft implementing act referred to in paragraph 2, the Commission shall take into account the views of relevant bodies and shall duly consult all relevant stakeholders.
Products with digital elements and processes put in place by the manufacturer which are in conformity with the common specifications established by implementing acts referred to in paragraph 2 of this Article, or parts thereof, shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I covered by those common specifications or parts thereof.
Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When a reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 2 of this Article, or parts thereof which cover the same essential cybersecurity requirements as those covered by that harmonised standard.
Where a Member State considers that a common specification does not entirely satisfy the essential cybersecurity requirements set out in Annex I, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
Products with digital elements and processes put in place by the manufacturer for which an EU statement of conformity or certificate has been issued under a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881 shall be presumed to be in conformity with the essential cybersecurity requirements set out in Annex I in so far as the EU statement of conformity or European cybersecurity certificate, or parts thereof, cover those requirements.
The Commission is empowered to adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 that can be used to demonstrate conformity of products with digital elements with the essential cybersecurity requirements or parts thereof as set out in Annex I to this Regulation. Furthermore, the issuance of a European cybersecurity certificate issued under such schemes, at least at assurance level ‘substantial’, eliminates the obligation of a manufacturer to carry out a third-party conformity assessment for the corresponding requirements, as set out in Article 32(2), points (a) and (b), and Article 32(3), points (a) and (b), of this Regulation.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.