Cyber Resilience Act
Regulation 2024/2847 on horizontal cybersecurity requirements for products with digital elements
Category
Status
EU: Date of application in the EU is 11 December 2027.
EEA: Pending. The Commission has marked the Regulation as EEA-relevant.
Norway: Pending.
Scope
The Regulation aims to improve the functioning of the internal market by introducing EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products.
The Regulation applies to manufacturers, authorised representatives, importers and distributors of products with digital elements. A product with digital elements is, in principle, any software or hardware product (including its remote data processing solutions and any software or hardware components placed on the market separately) whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or to a network. Examples include laptops, sensors and cameras, industrial control systems, mobile applications, CPUs, and software libraries.
There are exceptions for products whose cybersecurity requirements are already set out in sector-specific rules, such as medical devices, civil aviation products and motor vehicles. Products developed or modified exclusively for national security or defence purposes are also excluded.
In addition to the essential cybersecurity requirements, the Regulation imposes obligations on economic operators and introduces provisions on conformity assessment, the notification of conformity assessment bodies (notified bodies), and market surveillance. Economic operators are also required to be able to provide market surveillance authorities, on request, with the name and address of any economic operator that has supplied them with a product with digital elements, or to which they have supplied one, for 10 years after the supply.
Relevance
The objective of the Regulation is to address gaps in, clarify the links between, and improve the overall coherence of existing cybersecurity legislation. Most hardware and software products have so far not been subject to any cybersecurity requirements, even though vulnerabilities in embedded software are frequently exploited in cyberattacks.
The Regulation aims to ensure the security of products with digital elements, such as Internet of Things (IoT) products, across the entire supply chain and throughout their lifecycle. This affects the businesses of manufacturers, importers and distributors alike.
The Regulation entered into force on 10 December 2024. While most of its provisions do not apply before 11 December 2027, the provisions on the notification of conformity assessment bodies apply from 11 June 2026, and the vulnerability and incident reporting obligations for manufacturers apply from 11 September 2026.
Key obligations
Products with digital elements may only be made available on the EU market where they meet the essential cybersecurity requirements, such as a level of cybersecurity appropriate to the risks, no known exploitable vulnerabilities at the time they are made available, and a secure-by-default configuration. Products must, for instance, allow vulnerabilities to be addressed through security updates (where applicable installed automatically by default, with a clear and easy-to-use opt-out), protect against unauthorised access, and ensure the confidentiality and integrity of data as well as data minimisation. Further, products must be resilient so that essential functions are maintained after an incident, minimise their attack surfaces, limit the impact of exploitation, record security-relevant internal activity (logging), and allow users to securely and permanently delete all data and settings. Manufacturers must also identify and document the vulnerabilities and components in their products, including by drawing up a software bill of materials (SBOM) covering at least the top-level dependencies, and must exercise due diligence when integrating third-party components, including open-source components.
Products must undergo a conformity assessment before being placed on the market, after which the CE marking is affixed. In addition, businesses must draw up and maintain specified technical documentation for the product. For most products the manufacturer may carry out the assessment itself (internal control), but products classified as important (such as identity management and privileged access management software) or critical (such as smart cards and secure elements) are subject to stricter requirements and conformity assessment procedures, which may involve a notified body or, for critical products, a European cybersecurity certificate.
The Regulation also introduces new notification and reporting obligations for manufacturers. An actively exploited vulnerability must be reported by an early warning within 24 hours of the manufacturer becoming aware of it, followed by a vulnerability notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available. Severe incidents having an impact on the security of the product follow the same 24-hour and 72-hour steps, with a final report due within one month of the incident notification. Reports are submitted via a single reporting platform simultaneously to the national CSIRT designated as coordinator and to the European Union Agency for Cybersecurity (ENISA), and the manufacturer must also inform impacted users of the vulnerability or incident and of any corrective measures they can take.