icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)RecitalsChapter I General ProvisionsArticle 1 Subject matterArticle 2 ScopeArticle 3 DefinitionsArticle 4 Free movementArticle 5 Procurement or use of products with digital elementsArticle 6 Requirements for products with digital elementsArticle 7 Important products with digital elementsArticle 8 Critical products with digital elementsArticle 9 Stakeholder consultationArticle 10 Enhancing skills in a cyber resilient digital environmentArticle 11 General product safetyArticle 12 High-risk AI systemsChapter II Obligations of economic operators and provisions in relation to free and open-source softwareArticle 13 Obligations of manufacturersArticle 14 Reporting obligations of manufacturersArticle 15 Voluntary reportingArticle 16 Establishment of a single reporting platformArticle 17 Other provisions related to reportingArticle 18 Authorised representativesArticle 19 Obligations of importersArticle 20 Obligations of distributorsArticle 21 Cases in which obligations of manufacturers apply to importers and distributorsArticle 22 Other cases in which obligations of manufacturers applyArticle 23 Identification of economic operatorsArticle 24 Obligations of open-source software stewardsArticle 25 Security attestation of free and open-source softwareArticle 26 GuidanceChapter III Conformity of the product with digital elementsArticle 27 Presumption of conformityArticle 28 EU declaration of conformityArticle 29 General principles of the CE markingArticle 30 Rules and conditions for affixing the CE markingArticle 31 Technical documentationArticle 32 Conformity assessment procedures for products with digital elementsArticle 33 Support measures for microenterprises and small and medium-sized enterprises, including start-upsArticle 34 Mutual recognition agreementsChapter IV Notification of conformity assessment bodiesArticle 35 NotificationArticle 36 Notifying authoritiesArticle 37 Requirements relating to notifying authoritiesArticle 38 Information obligation on notifying authoritiesArticle 39 Requirements relating to notified bodiesArticle 40 Presumption of conformity of notified bodiesArticle 41 Subsidiaries of and subcontracting by notified bodiesArticle 42 Application for notificationArticle 43 Notification procedureArticle 44 Identification numbers and lists of notified bodiesArticle 45 Changes to notificationsArticle 46 Challenge of the competence of notified bodiesArticle 47 Operational obligations of notified bodiesArticle 48 Appeal against decisions of notified bodiesArticle 49 Information obligation on notified bodiesArticle 50 Exchange of experienceArticle 51 Coordination of notified bodiesChapter V Market surveillance and enforcementArticle 52 Market surveillance and control of products with digital elements in the Union marketArticle 53 Access to data and documentationArticle 54 Procedure at national level concerning products with digital elements presenting a significant cybersecurity riskArticle 55 Union safeguard procedureArticle 56 Procedure at Union level concerning products with digital elements presenting a significant cybersecurity riskArticle 57 Compliant products with digital elements which present a significant cybersecurity riskArticle 58 Formal non-complianceArticle 59 Joint activities of market surveillance authoritiesArticle 60 SweepsChapter VI Delegated powers and committee procedureArticle 61 Exercise of the delegationArticle 62 Committee procedureChapter VII Confidentiality and penaltiesArticle 63 ConfidentialityArticle 64 PenaltiesArticle 65 Representative actionsChapter VIII Transitional and final provisionsArticle 66 Amendment to Regulation (EU) 2019/1020Article 67 Amendment to Directive (EU) 2020/1828Article 68 Amendment to Regulation (EU) No 168/2013Article 69 Transitional provisionsArticle 70 Evaluation and reviewArticle 71 Entry into force and applicationAnnex I Essential cybersecurity requirementsAnnex II Information and instructions to the userAnnex III Important products with digital elementsAnnex IV Critical products with digital elementsAnnex V EU Declaration of conformityAnnex VI Simplified EU declaration of conformityAnnex VII Content of the technical documentationAnnex VIII Conformity assessment proceduresDone at
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 23rd December 2024
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application
PreviousNext
Version status: Published | Document consolidation status: No known changes
Version date: 20 November 2024 - onwards

Annex I Essential cybersecurity requirements

Part I Cybersecurity requirements relating to the properties of products with digital elements

(1) Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.

(2) On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

(a) be made available on the market without known exploitable vulnerabilities;

(b) be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;

(c) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;

(d) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;

PreviousNext