CHAPTER I
GENERAL PROVISIONS (Articles 1 — 12)
CHAPTER II
OBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWARE (Articles 13 — 26)
CHAPTER III
CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTS (Articles 27 — 34)
CHAPTER IV
NOTIFICATION OF CONFORMITY ASSESSMENT BODIES (Articles 35 — 51)
CHAPTER V
MARKET SURVEILLANCE AND ENFORCEMENT (Articles 52 — 60)
CHAPTER VI
DELEGATED POWERS AND COMMITTEE PROCEDURE (Articles 61 — 62)
CHAPTER VII
CONFIDENTIALITY AND PENALTIES (Articles 63 — 65)
CHAPTER VIII
TRANSITIONAL AND FINAL PROVISIONS (Articles 66 — 71)
ANNEXES
Class I
Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers
Standalone and embedded browsers
Password managers
Software that searches for, removes, or quarantines malicious software
Products with digital elements with the function of virtual private network (VPN)
Network management systems
Security information and event management (SIEM) systems
Boot managers
Public key infrastructure and digital certificate issuance software
Physical and virtual network interfaces
Operating systems
Routers, modems intended for the connection to the internet, and switches
Microprocessors with security-related functionalities
Microcontrollers with security-related functionalities
Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) with security-related functionalities
Smart home general purpose virtual assistants
Smart home products with security functionalities, including smart door locks, security cameras, baby monitoring systems and alarm systems
Internet connected toys covered by Directive 2009/48/EC of the European Parliament and of the Council that have social interactive features (e.g. speaking or filming) or that have location tracking features
Personal wearable products to be worn or placed on a human body that have a health monitoring (such as tracking) purpose and to which Regulation (EU) 2017/745 or (EU) No 2017/746 do not apply, or personal wearable products that are intended for the use by and for children
Class II
Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments
Firewalls, intrusion detection and prevention systems
Tamper-resistant microprocessors
Tamper-resistant microcontrollers
Certain categories of products with digital elements should be subject to stricter conformity assessment procedures, while keeping a proportionate approach. For that purpose, important products with digital elements should be divided into two classes, reflecting the level of cybersecurity risk linked to those categories of products. An incident involving important products with digital elements that fall under class II might lead to greater negative impacts than an incident involving important products with digital elements that fall under class I, for instance due to the nature of their cybersecurity-related function or the performance of another function which carries a significant risk of adverse effects. As an indication of such greater negative impacts, products with digital elements that fall under class II could either perform a cybersecurity-related functionality or another function which carries a significant risk of adverse effects that is higher than for those listed in class I, or meet both of the aforementioned criteria. Important products with digital elements that fall under class II should therefore be subject to a stricter conformity assessment procedure.
Important products with digital elements as referred to in this Regulation should be understood as products which have the core functionality of a category of important products with digital elements that is set out in this Regulation. For example, this Regulation sets out categories of important products with digital elements which are defined by their core functionality as firewalls or intrusion detection or prevention systems in class II. As a result, firewalls and intrusion detection or prevention systems are subject to mandatory third-party conformity assessment. This is not the case for other products with digital elements not categorised as important products with digital elements which may integrate firewalls or intrusion detection or prevention systems. The Commission should adopt an implementing act to specify the technical description of the categories of important products with digital elements that fall under classes I and II as set out in this Regulation.