Recitals
All 130 recitals of Regulation (EU) 2024/2847
1 Cybersecurity is one of the key challenges for the Union. The number and variety of connected devices will rise exponentially in the coming years. Cyb...
2 This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and softwar...
3 Relevant Union law in force comprises several sets of horizontal rules that address certain aspects linked to cybersecurity from different angles, inc...
4 While existing Union law applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensi...
5 As regards microenterprises and small and medium-sized enterprises, when determining the category an enterprise falls into, the provisions of the Anne...
6 The Commission should provide guidance to assist economic operators, in particular microenterprises and small and medium-sized enterprises, in the app...
7 At Union level, various programmatic and political documents, such as the Joint communication of the Commission and the High Representative of the Uni...
8 To increase the overall level of cybersecurity of all products with digital elements placed on the internal market, it is necessary to introduce objec...
9 Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an atta...
10 By laying down cybersecurity requirements for placing on the market products with digital elements, it is intended that the cybersecurity of those pro...
11 The purpose of this Regulation is to ensure a high level of cybersecurity of products with digital elements and their integrated remote data processin...
12 Cloud solutions constitute remote data processing solutions within the meaning of this Regulation only if they meet the definition laid down in this R...
13 In line with the objective of this Regulation to remove obstacles to the free movement of products with digital elements, Member States should not imp...
14 This Regulation should be without prejudice to the Member States’ responsibility for safeguarding national security, in compliance with Union law. Mem...
15 This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for dist...
16 Products with digital elements provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly re...
17 Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contri...
18 Free and open-source software is understood as software the source code of which is openly shared and the licensing of which provides for all rights t...
19 Taking into account the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are publi...
20 The sole act of hosting products with digital elements on open repositories, including through package managers or on collaboration platforms, does no...
21 In order to support and facilitate the due diligence of manufacturers that integrate free and open-source software components that are not subject to
22 In view of the public cybersecurity objectives of this Regulation and in order to improve the situational awareness of Member States as regards the Un...
23 The effectiveness of the implementation of this Regulation will also depend on the availability of adequate cybersecurity skills. At Union level, vari...
24 A secure internet is indispensable for the functioning of critical infrastructures and for society as a whole. Directive (EU) 2022/2555 aims at ensuri...
25 Regulation (EU) 2017/745 of the European Parliament and of the Council lays down rules on medical devices and Regulation (EU) 2017/746 of the European...
26 Products with digital elements that are developed or modified exclusively for national security or defence purposes or products that are specifically
27 Regulation (EU) 2019/2144 of the European Parliament and of the Council establishes requirements for the type-approval of vehicles, and of their syste...
28 This Regulation lays down horizontal cybersecurity rules which are not specific to sectors or to certain products with digital elements. Nevertheless,...
29 In order to ensure that products with digital elements made available on the market can be repaired effectively and their durability extended, an exem...
30 Commission Delegated Regulation (EU) 2022/30 specifies that a number of essential requirements set out in Article 3(3), points (d), (e) and (f), of Di...
31 Directive (EU) 2024/2853 of the European Parliament and of the Council is complementary to this Regulation. That Directive sets out liability rules fo...
32 This Regulation should be without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council, including to provisions relatin...
33 To the extent that their products fall within the scope of this Regulation, providers of European Digital Identity Wallets as referred to in Article 5...
34 When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should...
35 Immediately after the transitional period for the application of this Regulation, a manufacturer of a product with digital elements that integrates on...
36 Products with digital elements should bear the CE marking to visibly, legibly and indelibly indicate their conformity with this Regulation so that the...
37 In order to ensure that manufacturers can release software for testing purposes before subjecting their products with digital elements to conformity a...
38 In order to ensure that products with digital elements, when placed on the market, do not pose cybersecurity risks to persons and organisations, essen...
39 As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software
40 Taking into account the iterative nature of software development, manufacturers that have placed subsequent versions of a software product on the mark...
41 In line with the commonly established concept of substantial modification for products regulated by Union harmonisation legislation, where a substanti...
42 Where a product with digital elements is subject to ‘refurbishment’, ‘maintenance’ and ‘repair’ as defined in Article 2, points (18), (19) and (20), o...
43 Products with digital elements should be considered to be important if the negative impact of the exploitation of potential vulnerabilities in the pro...
44 Certain categories of products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate app...
45 Important products with digital elements as referred to in this Regulation should be understood as products which have the core functionality of a cat...
46 The categories of critical products with digital elements set out in this Regulation have a cybersecurity-related functionality and perform a function...
47 Delegated acts requiring mandatory European cybersecurity certification should determine the products with digital elements that have the core functio...
48 In order to ensure a common adequate cybersecurity protection in the Union of products with digital elements that have the core functionality of a cat...
49 The Commission should ensure that a wide range of relevant stakeholders are consulted in a structured and regular manner when preparing measures for t...
50 This Regulation addresses cybersecurity risks in a targeted manner. Products with digital elements might, however, pose other safety risks, that are n...
51 Products with digital elements classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689 of the European Parliament and of...
52 In order to improve the security of products with digital elements placed on the internal market it is necessary to lay down essential cybersecurity r...
53 Manufacturers of products falling within the scope of Regulation (EU) 2023/1230 of the European Parliament and of the Council which are also products
54 In order to ensure that products with digital elements are secure both at the time of their placing on the market as well as during the time the produ...
55 Where certain essential cybersecurity requirements are not applicable to a product with digital elements, the manufacturer should include a clear just...
56 One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the late...
57 To improve the transparency of vulnerability handling processes and to ensure that users are not required to install new functionality updates for the...
58 The joint communication of the Commission and the High Representative of the Union for Foreign Affairs and Security Policy of 20 June 2023 entitled ‘E...
59 For the purpose of ensuring the security of products with digital elements after their placing on the market, manufacturers should determine the suppo...
60 The support period for which the manufacturer ensures the effective handling of vulnerabilities should be no less than five years, unless the lifetime...
61 When products with digital elements reach the end of their support periods, in order to ensure that vulnerabilities can be handled after the end of th...
62 In order to ensure that manufacturers across the Union determine similar support periods for comparable products with digital elements, ADCO should pu...
63 Manufacturers should set up a single point of contact that enables users to communicate easily with them, including for the purpose of reporting on an...
64 Manufacturers should make their products with digital elements available on the market with a secure by default configuration and provide security upd...
65 Manufacturers should notify simultaneously via the single reporting platform both the computer security incident response team (CSIRT) designated as c...
66 Manufacturers should notify actively exploited vulnerabilities to ensure that the CSIRTs designated as coordinators, and ENISA, have an adequate overv...
67 Manufacturers should also notify any severe incident having an impact on the security of the product with digital elements to the CSIRT designated as
68 Actively exploited vulnerabilities concern instances where a manufacturer establishes that a security breach affecting its users or any other natural
69 To ensure that notifications can be disseminated quickly to all relevant CSIRTs designated as coordinators and to enable manufacturers to submit a sin...
70 In exceptional circumstances and in particular upon request by the manufacturer, the CSIRT designated as coordinator initially receiving a notificatio...
71 When manufacturers notify an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elemen...
72 In order to simplify the reporting of information required under this Regulation, in consideration of other complementary reporting requirements laid
73 When establishing the single reporting platform referred to in this Regulation and in order to benefit from past experience, ENISA should consult othe...
74 Manufacturers and other natural and legal persons should be able to notify to a CSIRT designated as coordinator or ENISA, on a voluntary basis, any vu...
75 Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to
76 Manufacturers of products with digital elements should put in place coordinated vulnerability disclosure policies to facilitate the reporting of vulne...
77 In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements,
78 Under the new complex business models linked to online sales, a business operating online can provide a variety of services. Depending on the nature o...
79 In order to facilitate assessment of conformity with the requirements laid down in this Regulation, there should be a presumption of conformity for pr...
80 The timely development of harmonised standards during the transitional period for the application of this Regulation and their availability before the...
81 Regulation (EU) 2019/881 establishes a voluntary European cybersecurity certification framework for ICT products, ICT processes and ICT services. Euro...
82 Upon entry into force of Implementing Regulation (EU) 2024/482 which concerns products that fall within the scope of this Regulation, such as hardware...
83 The current European standardisation framework, which is based on the New Approach principles set out in Council Resolution of 7 May 1985 on a new app...
84 With a view to establishing, in the most efficient way, common specifications that cover the essential cybersecurity requirements set out in this Regu...
85 ‘Reasonable period’ has the meaning, in relation to the publication of a reference to harmonised standards in the Official Journal of the European Uni...
86 In order to facilitate the assessment of conformity with the essential cybersecurity requirements set out in this Regulation, there should be a presum...
87 The application of harmonised standards, common specifications or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 201...
88 Manufacturers should draw up an EU declaration of conformity to provide information required under this Regulation on the conformity of products with
89 The CE marking, indicating the conformity of a product, is the visible consequence of a whole process comprising conformity assessment in a broad sens...
90 In order to allow economic operators to demonstrate conformity with the essential cybersecurity requirements set out in this Regulation and to allow m...
91 Conformity assessment of products with digital elements that are not listed as important or critical products with digital elements in this Regulation...
92 While the creation of tangible products with digital elements usually requires manufacturers to make substantial efforts throughout the design, develo...
93 In relation to microenterprises and small enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without...
94 In order to promote and protect innovation, it is important that the interests of manufacturers that are microenterprises or small or medium-sized ent...
95 In order to ensure a smooth application of this Regulation, Member States should strive to ensure, before the date of application of this Regulation,
96 In order to ensure proportionality, conformity assessment bodies, when setting the fees for conformity assessment procedures, should take into account...
97 The objectives of regulatory sandboxes should be to foster innovation and competitiveness for businesses by establishing controlled testing environmen...
98 In order to carry out third-party conformity assessment for products with digital elements, conformity assessment bodies should be notified by the nat...
99 In order to ensure a consistent level of quality in the performance of conformity assessment of products with digital elements, it is also necessary t...
100 Conformity assessment bodies that have been accredited and notified under Union law laying down requirements similar to those laid down in this Regula...
101 Transparent accreditation as provided for in Regulation (EC) No 765/2008, ensuring the necessary level of confidence in certificates of conformity, sh...
102 Conformity assessment bodies frequently subcontract parts of their activities linked to the assessment of conformity or have recourse to a subsidiary....
103 The notification of a conformity assessment body should be sent by the notifying authority to the Commission and the other Member States via the New A...
104 Since notified bodies may offer their services throughout the Union, it is appropriate to give the other Member States and the Commission the opportun...
105 In the interests of competitiveness, it is crucial that notified bodies apply the conformity assessment procedures without creating unnecessary burden...
106 Market surveillance is an essential instrument in ensuring the proper and uniform application of Union law. It is therefore appropriate to put in plac...
107 In accordance with Regulation (EU) 2019/1020, a market surveillance authority carries out market surveillance in the territory of the Member State tha...
108 A dedicated ADCO for the cyber resilience of products with digital elements should be established for the uniform application of this Regulation, purs...
109 Market surveillance authorities, through ADCO established under this Regulation, should cooperate closely and should be able to develop guidance docum...
110 In order to ensure timely, proportionate and effective measures in relation to products with digital elements presenting a significant cybersecurity r...
111 In certain cases, a product with digital elements which complies with this Regulation can nonetheless present a significant cybersecurity risk or pose...
112 For products with digital elements presenting a significant cybersecurity risk, and where there is reason to believe that they do not comply with this...
113 Where there are indications of non-compliance with this Regulation in several Member States, market surveillance authorities should be able to carry o...
114 Simultaneous coordinated control actions (sweeps) are specific enforcement actions by market surveillance authorities that can further enhance product...
115 In light of its expertise and mandate, ENISA should be able to support the process for implementation of this Regulation. In particular, ENISA should
116 This Regulation confers certain tasks upon ENISA which require appropriate resources in terms of both expertise and human resources in order to enable...
117 In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 of the Treaty
118 In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to specify
119 In order to ensure trusting and constructive cooperation of market surveillance authorities at Union and national level, all parties involved in the a...
120 In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to
121 Where administrative fines are imposed on a person that is not an undertaking, the competent authority should take account of the general level of inc...
122 Member States should examine, taking into account national circumstances, the possibility of using the revenues from the penalties as provided for in
123 In its relationships with third countries, the Union endeavours to promote international trade in regulated products. A broad variety of measures can
124 Consumers should be entitled to enforce their rights in relation to the obligations imposed on economic operators under this Regulation through repres...
125 The Commission should periodically evaluate and review this Regulation, in consultation with relevant stakeholders, in particular with a view to deter...
126 Economic operators should be provided with sufficient time to adapt to the requirements set out in this Regulation. This Regulation should apply from
127 It is important to provide support to microenterprises and small and medium-sized enterprises, including start-ups, in the implementation of this Regu...
128 Furthermore, Member States should consider taking complementary action aiming to provide guidance and support for microenterprises and small and mediu...
129 Since the objective of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the effects of the action, be...
130 The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of