Recital 39 Guidance on substantial modifications


As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software change where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update, and the updated version of the product is made available on the market.
Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification. This usually includes situations where a security update entails only minor adjustments of the source code.
For example, this could be the case where a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification.
Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation.
In assessing whether a feature update is considered to be a substantial modification it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification.
