Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on a technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council
Framework for the resilience of digital products and services: technical description of the categories important and critical
Commission Regulation published in the Official Journal of the EU on 1 December 2025
Previously
- Draft regulation presented by the Commission on 13 March 2025, with a feedback deadline of 10 April 2025
Background
(from the Commission Regulation)
(1) Regulation (EU) 2024/2847 lays down rules on the cybersecurity of products with digital elements. In particular, Annex III to that Regulation sets out categories of important products with digital elements that, when placed on the market, are subject to conformity assessment procedures that are stricter than those applicable to other products with digital elements. Annex IV to Regulation (EU) 2024/2847 sets out categories of critical products with digital elements for which manufacturers could be required to obtain a European cybersecurity certificate under a European cybersecurity certification scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council (2) or which would be subject to mandatory third-party conformity assessment, when placed on the market.
(2) Pursuant to Article 7(1) and Article 8(1) of Regulation (EU) 2024/2847, the core functionality of a product with digital elements determines whether that product with digital elements meets the technical description of a category of important or critical products with digital elements and therefore the applicable conformity assessment procedures.
(3) When developing a product with digital elements, and in order to achieve their desired set of functionalities, manufacturers typically integrate into their own products with digital elements other components which are also products with digital elements and that can meet the technical description of a category of important or critical products. Pursuant to Regulation (EU) 2024/2847, a product with digital elements is subject to the conformity assessment procedures applicable to important or critical products with digital elements, if that product as a whole is an important or critical product as set out in Annexes III and IV to that Regulation. For example, integrating an embedded browser as a component of a news app for use in smartphones does not in itself render the news app subject to the conformity assessment procedure applicable to products with digital elements that have the core functionality of ‘standalone and embedded browsers’. Nonetheless, in accordance with Regulation (EU) 2024/2847, the manufacturer needs to ensure that the product with digital elements as a whole meets the essential cybersecurity requirements. Therefore, the manufacturer needs to evaluate the security of the whole product, considering, as appropriate, the security of the components or functionalities that are integrated into it. For example, in order for the manufacturer of a news app to demonstrate that its product with digital elements is in conformity with Regulation (EU) 2024/2847, that manufacturer is to demonstrate that the news app as a whole satisfies the applicable requirements, considering, as appropriate, the security of the embedded browser that is integrated into its app.
(4) The fact that a product with digital elements performs functions other than or additional to those detailed in the technical descriptions set out in this Regulation does not in itself mean that the product with digital elements does not have the core functionality of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847. For example, products with digital elements that have the core functionality of ‘operating systems’ often include software that performs ancillary functions not included in the technical description of that product category, such as calculators or simple graphics editors. Products with digital elements often also incorporate components that have the functionality of another important or critical product with digital elements, such as an operating system integrating browser functionality, or a router integrating firewall functionality. This, however, does not in itself mean that such products with digital elements do not have the core functionality of ‘operating systems’ or ‘routers, modems intended for the connection to the internet, and switches’, respectively.
(5) On the other hand, a product with digital elements that has the ability to perform the functions of a product category set out in Annexes III and IV to Regulation (EU) 2024/2847 but whose core functionality itself is different from that of such product category is not to be considered to meet the technical description of that product category. For example, a security orchestration, automation and response (SOAR) software often has the ability to perform the functions of products with digital elements in the category of ‘security information and event management (SIEM) systems’, i.e. gather data, analyse it and present it as actionable information for security purposes. However, as its core functionality is not that of a SIEM, SOAR software are generally not to be considered to meet the technical description of ‘security information and event management (SIEM) systems’. Similarly, a smartphone typically integrates components that perform the functions of several product categories set out in Annexes III and IV to Regulation (EU) 2024/2847, such as an operating system or an integrated password manager. However, as a smartphone’s core functionality is not that of an operating system or of a password manager, it is generally not to be considered to meet the technical description of such product categories.
(6) Pursuant to Article 13(2) and (3) of Regulation (EU) 2024/2847, manufacturers of products with digital elements are to implement the essential cybersecurity requirements set out in Part I of Annex I to Regulation (EU) 2024/2847 in a way that is proportionate to the risks of the product with digital elements, based on the intended purpose and reasonably foreseeable use as well as the conditions of use of the product with digital elements, taking into account the length of time the product is expected to be in use. In accordance with Article 13(2) and (3) of that Regulation, and irrespective of whether the product with digital elements is considered to be an important or critical product with digital elements, manufacturers are to carry out a comprehensive cybersecurity risk assessment and indicate how the essential cybersecurity requirements are implemented as informed by the risk assessment, including their testing and assurance. Where the core functionality of their product with digital elements meets the technical description of an important or critical product with digital elements, manufacturers are to demonstrate conformity following the specific conformity assessment procedures established by Article 32(2), (3), (4) and (5) of Regulation (EU) 2024/2847.
(7) This Regulation includes examples of products with digital elements whose core functionality meets the technical description of certain important or critical products with digital elements. Such examples are provided for illustrative purposes only and are not an exhaustive list.
(8) In order to provide legal certainty to manufacturers, the categories of products with digital elements that are tamper-resistant microprocessors, tamper-resistant microcontrollers, and smartcards and similar devices, including secure elements, should be distinguished on the basis of the level of resistance against potential exploitability of flaws or weaknesses for which they have been designed. AVA_VAN level is an extensively used and standardised way to express such a level of resistance. AVA_VAN levels are set out in the publicly available Common Criteria and Common Evaluation Methodology standards, which underlie existing certification frameworks widely adopted on the market, such as Commission Implementing Regulation (EU) 2024/482 (3). Implementing Regulation (EU) 2024/482 establishes a European cybersecurity certification scheme that can be used to certify a product at a specific assurance level. Drawing on global practices, Implementing Regulation (EU) 2024/482 foresees the possibility to issue certificates based on older versions of the standards until end of 2027. Hence, in the context of Regulation (EU) 2024/2847, it is appropriate to allow for AVA_VAN levels to be expressed by referring to either the latest version or older versions of those standards.
(9) The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 62(1) of Regulation (EU) 2024/2847,