Beta

Source: OJ L 2024/2847, 20.11.2024

EN

Article 32 Conformity assessment procedures for products with digital elements

    1. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall perform a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; of the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and the processes put in place by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; to determine whether the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I are met. The manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements by using any of the following procedures:

      1. the internal control procedure (based on module A) set out in Annex VIII;

      2. the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;

      3. a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; based on full quality assurance (based on module H) set out in Annex VIII; or

      4. where available and applicable, a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme pursuant to Article 27(9).

    1. Where, in assessing the compliance of an important product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that falls under class I as set out in Annex III and the processes put in place by its manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has not applied or has applied only in part harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes at assurance level at least ‘substantial’ as referred to in Article 27, or where such harmonised standards means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;, common specifications or European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification schemes do not exist, the product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; concerned and the processes put in place by the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall be submitted with regard to those essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements to either of the following procedures:

      1. the EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII; or

      2. a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; based on full quality assurance (based on module H) set out in Annex VIII.

    1. Where the product is an important product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that falls under class II as set out in Annex III, the manufacturer means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; shall demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I by using any of the following procedures:

      1. EU-type examination procedure (based on module B) set out in Annex VIII followed by conformity to EU-type based on internal production control (based on module C) set out in Annex VIII;

      2. a conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; based on full quality assurance (based on module H) set out in Annex VIII; or

      3. where available and applicable, a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme pursuant to Article 27(9) of this Regulation at assurance level at least ‘substantial’ pursuant to Regulation (EU) 2019/881.

    1. Critical products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; listed in Annex IV shall demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I by using one of the following procedures:

      1. a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme in accordance with Article 8(1); or

      2. where the conditions in Article 8(1) are not met, any of the procedures referred to in paragraph 3 of this Article.

    1. Manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; qualifying as free and open-source software means software the source code of which is openly shared and which is made available under a free and open-source licence which provides for all rights to make it freely accessible, usable, modifiable and redistributable;, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market means the first making available of a product with digital elements on the Union market; of those products.

    1. The specific interests and needs of microenterprises, ‘small enterprises’ and ‘medium-sized enterprises’ mean, respectively, microenterprises, small enterprises and medium-sized enterprises as defined in the Annex to Recommendation 2003/361/EC; and small and medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million;, including start-ups, shall be taken into account when setting the fees for conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures and those fees shall be reduced proportionately to their specific interests and needs.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod