Essential Cybersecurity Requirements for Products with Digital Elements

Annex I is divided into two parts:

Part I — Product Properties: Security requirements that must be built into the product before it is placed on the market. These are engineering and design requirements.

Part II — Vulnerability Handling: Post-market obligations for how manufacturers manage vulnerabilities discovered after the product is sold. These are operational and process requirements.

Both parts are mandatory for all in-scope products. Part I determines whether a product can receive CE marking. Part II governs ongoing obligations throughout the product's supported life.

Part I requires that products be designed and developed to:

1. No known exploitable vulnerabilities — Products must be placed on the market without known vulnerabilities that could be exploited.
2. Secure default configurations — Default settings must be secure; insecure defaults must be opt-in, not opt-out.
3. Protection against unauthorised access — Authentication, access controls, and least-privilege principles must be implemented.
4. Data protection — Personal and sensitive data must be protected at rest and in transit using appropriate cryptography.
5. Attack surface minimisation — Unnecessary interfaces, ports, and services must be disabled or removed.
6. Availability protection — Products must be resilient against denial-of-service attacks.
7. Limited data collection — Products must collect only the minimum data necessary for their function (data minimisation).
8. Auditability — Security-relevant events must be logged in a way that supports incident investigation.
9. Secure update capability — Products must support a mechanism for receiving and verifying security updates.

Part II sets out what manufacturers must do after a product is on the market:

1. CVD policy — Maintain a publicly accessible coordinated vulnerability disclosure policy (implements Article 13).
2. Vulnerability remediation — Address discovered vulnerabilities without undue delay, including distributing security updates.
3. Disclosure of vulnerability information — Publish information about fixed vulnerabilities, including CVE identifiers where applicable.
4. No-charge security updates — Security updates must be provided free of charge to users for the product's supported life.
5. CSAF advisories — Publish machine-readable security advisories in CSAF 2.0 format for significant vulnerabilities.
6. Support period — Products must have a defined security support period appropriate to their expected use life (minimum 5 years for most product classes).

One of the most operationally significant Part I requirements is that products must be placed on the market without known exploitable vulnerabilities.

• Known vulnerabilities in third-party components (checked against CVE databases, vendor advisories, and SBOMs) must be addressed before release.
• Security testing must be conducted before placing products on the market.
• A Software Bill of Materials (SBOM) should be maintained to track component vulnerabilities.

This requirement places a practical obligation on manufacturers to perform pre-release vulnerability scanning and to maintain SBOM data for all components.

Annex I Part I(9) requires that products support a secure update mechanism. This means:

• Updates must be digitally signed or otherwise verifiable by the device.
• The update mechanism itself must be resistant to attack (e.g., update-in-transit attacks, rollback attacks).
• Users must be notified when security updates are available.
• For products that cannot receive over-the-air updates, there must be a documented alternative update process.

This requirement has major implications for embedded systems, industrial IoT, and medical devices where over-the-air updates are not standard practice.

Annex I Part II(4) requires that security updates be provided free of charge throughout the product's supported life. Combined with the support period requirement, this means:

• You must define and publicly disclose the security support period for each product.
• Security patches cannot be paywalled or tied to a paid support contract.
• The support period should be commensurate with the expected use life of the product — which for many IoT and industrial products can be 10–20 years.

This requirement has significant commercial implications for manufacturers who currently monetise ongoing security support.

To obtain CE marking for a product with digital elements, manufacturers must demonstrate conformity with Annex I requirements through one of three conformity assessment routes:

1. Self-assessment — Available for most products (Default Class). The manufacturer conducts and documents their own conformity assessment.
2. Third-party audit — Required for Important Class products (listed in Annex III). A notified body reviews the technical documentation.
3. EU type-examination — Required for Critical Class products. Full third-party examination of the product.

For all routes, the manufacturer must maintain a technical file documenting how each Annex I requirement is met.