Source: OJ L 2024/2847, 20.11.2024
EN- Cyber resilience for products with digital elements
Article 3 Definitions
For the purposes of this Regulation, the following definitions apply:
‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
‘remote data processing’ means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;
‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
‘software’ means the part of an electronic information system which consists of computer code;
‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data;
‘component’ means software or hardware intended for integration into an electronic information system;
‘electronic information system’ means a system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;
‘logical connection’ means a virtual representation of a data connection implemented through a software interface;
‘physical connection’ means a connection between electronic information systems or components implemented using physical means, including through electrical, optical or mechanical interfaces, wires or radio waves;
‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;
‘end-point’ means any device that is connected to a network and serves as an entry point to that network;
‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation;
‘manufacturer’ means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;
‘authorised representative’ means a natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks;
‘importer’ means a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;
‘distributor’ means a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;
‘consumer’ means a natural person who acts for purposes which are outside that person’s trade, business, craft or profession;
‘microenterprises’, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC;
‘support period’ means the period during which a manufacturer is required to ensure that vulnerabilities of a product with digital elements are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I;
‘placing on the market’ means the first making available of a product with digital elements on the Union market;
‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;
‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;
‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;
‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;
‘conformity assessment’ means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled;
‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point (13), of Regulation (EC) No 765/2008;
‘notified body’ means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation;
‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I or which results in a modification to the intended purpose for which the product with digital elements has been assessed;
‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential cybersecurity requirements set out in Annex I and other applicable Union harmonisation legislation providing for its affixing;
‘Union harmonisation legislation’ means Union legislation listed in Annex I to Regulation (EU) 2019/1020 and any other Union legislation harmonising the conditions for the marketing of products to which that Regulation applies;
‘market surveillance authority’ means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020;
‘international standard’ means an international standard as defined in Article 2, point (1)(a), of Regulation (EU) No 1025/2012;
‘European standard’ means a European standard as defined in Article 2, point (1)(b), of Regulation (EU) No 1025/2012;
‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;
‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;
‘significant cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;
‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;
‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
‘exploitable vulnerability’ means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;
‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner;
‘incident’ means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;
‘incident having an impact on the security of the product with digital elements’ means an incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions;
‘near miss’ means a near miss as defined in Article 6, point (5), of Directive (EU) 2022/2555;
‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;
‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
‘free and open-source software’ means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;
‘recall’ means recall as defined in Article 3, point (22), of Regulation (EU) 2019/1020;
‘withdrawal’ means withdrawal as defined in Article 3, point (23), of Regulation (EU) 2019/1020;
‘CSIRT designated as coordinator’ means a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.