Article 8 Critical products with digital elements

The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation to determine which products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; that have the core functionality of a product category that is set out in Annex IV to this Regulation are to be required to obtain a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certificate at assurance level at least ‘substantial’ under a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme adopted pursuant to Regulation (EU) 2019/881, to demonstrate conformity with the essential cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; requirements set out in Annex I to this Regulation or parts thereof, provided that a European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme covering those categories of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been adopted pursuant to Regulation (EU) 2019/881 and is available to manufacturers means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;. Those delegated acts shall specify the required assurance level that shall be proportionate to the level of cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; associated with the products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; and shall take account of their intended purpose means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;, including the critical dependency on them by essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3(1) of Directive (EU) 2022/2555.

Before adopting such delegated acts, the Commission shall carry out an assessment of the potential market impact of the envisaged measures and shall carry out consultations with relevant stakeholders, including the European Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; Certification Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established under Regulation (EU) 2019/881. The assessment shall take into account the readiness and the capacity level of the Member States for the implementation of the relevant European cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; certification scheme. Where no delegated acts as referred to in the first subparagraph of this paragraph have been adopted, products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; which have the core functionality of a product category as set out in Annex IV shall be subject to the conformity assessment means the process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled; procedures referred to in Article 32(3).

The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.

1. there is a critical dependency of essential entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; as referred to in Article 3 of Directive (EU) 2022/2555 on the category of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;;

2. incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and exploited vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; concerning the category of products with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; could lead to serious disruptions of critical supply chains across the internal market.

Before adopting such delegated acts, the Commission shall carry out an assessment of the type referred to in paragraph 1.

The delegated acts referred to in the first subparagraph shall provide for a minimum transitional period of six months, unless a shorter transitional period is justified for imperative reasons of urgency.