OBL-ART6-02 (Binding)

Ensure vulnerability handling processes meet essential requirements (Annex I Part II)

Applies to: Manufacturer
Source citations: Art. 6(b); Annex I Part II
Last reviewed:

Plain language

It is not enough for the product itself to meet the security requirements: your internal processes for handling vulnerabilities must also meet specific requirements. In practice this means having processes to identify vulnerabilities and components, draw up a machine-readable SBOM, fix vulnerabilities promptly, operate a coordinated vulnerability disclosure (CVD) policy, publish information about patched vulnerabilities, and securely distribute security updates free of charge. These processes must exist before you place the product on the market and must keep running for the whole support period after you ship.

Legal text

Article 6(b) of Regulation (EU) 2024/2847 provides that products with digital elements shall be made available on the market only where:

the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I.

Annex I Part II — Vulnerability handling requirements

Manufacturers of products with digital elements must put in place processes to:

  1. SBOM — Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM) in a commonly used, machine-readable format covering at the very least the product's top-level dependencies
  2. Patch promptly — In relation to the risks the product poses, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, security updates must be provided separately from functionality updates
  3. Regular testing — Apply effective and regular tests and reviews of the security of the product
  4. Disclose fixed vulnerabilities — Once a security update is available, share and publicly disclose information about fixed vulnerabilities, including a description, information allowing users to identify the affected product, the impacts, the severity, and clear, accessible remediation guidance; in duly justified cases, where the security risk of publication outweighs the benefit, publication may be delayed until users have had the opportunity to apply the patch
  5. CVD policy — Put in place and enforce a policy on coordinated vulnerability disclosure
  6. Facilitate sharing — Take measures to facilitate sharing of information about potential vulnerabilities in the product and in the third-party components it contains, including by providing a contact address for reporting vulnerabilities discovered in the product
  7. Secure update distribution — Provide mechanisms to securely distribute updates so that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, automatically
  8. Free security updates — Ensure that security updates, once available, are disseminated without delay and, unless otherwise agreed between the manufacturer and a business user for a tailor-made product, free of charge, accompanied by advisory messages giving users the relevant information, including any action they need to take

Relationship to other obligations

  • The SBOM obligation in detail → OBL-ART13-06 (also covered in Art. 13(6))
  • CVD policy requirement → OBL-ART13-07
  • Security update provision → OBL-ART13-08
  • Vulnerability disclosure → OBL-ART13-09
  • Reporting actively exploited vulnerabilities → OBL-ART14-01

Evidence you may need

  • Software bill of materials (SBOM) in CycloneDX or SPDX format
  • Vulnerability management process documentation
  • CVD policy (published)
  • Records of security updates issued during support period
  • Penetration test or security review reports
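As an added illustration of what "machine-readable, covering at least the top-level dependencies" means in one of the evidence formats listed above, the following Python builds a minimal CycloneDX 1.5 JSON document and checks that every declared direct dependency appears both as a component and as a direct dependency of the root component. This is example code written for this page, not code from the CRA Compliance Hub or from the CycloneDX project; the product name, version and dependency list are constructed sample data, and real SBOMs would normally be produced by a build-system plugin rather than by hand.

```python
"""Minimal CycloneDX 1.5 SBOM builder plus a top-level-coverage check.
Added example for the CRA Compliance Hub page; all product and dependency
data below is constructed sample input."""
import json
from datetime import datetime, timezone

# Constructed sample: the product's direct (top-level) dependencies, as they
# might be read from a lock file. Tuples are (name, version, purl type).
TOP_LEVEL_DEPS = [
    ("openssl", "3.0.13", "generic"),
    ("zlib", "1.3.1", "generic"),
    ("requests", "2.32.3", "pypi"),
]


def purl(ptype, name, version):
    """Package URL, the component identifier CycloneDX uses in 'purl' and 'bom-ref'."""
    return f"pkg:{ptype}/{name}@{version}"


def build_sbom(product_name, product_version, deps,
               serial="urn:uuid:00000000-0000-4000-8000-000000000001"):
    """Return a CycloneDX 1.5 document (as a dict) for the product.

    Each top-level dependency becomes a 'library' component, and the
    'dependencies' graph records them as direct dependencies of the root
    component (metadata.component). The serial number is a placeholder."""
    root_ref = purl("generic", product_name, product_version)
    components = []
    for name, version, ptype in deps:
        ref = purl(ptype, name, version)
        components.append({"type": "library", "bom-ref": ref,
                           "name": name, "version": version, "purl": ref})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": product_name, "version": product_version},
        },
        "components": components,
        "dependencies": [{"ref": root_ref,
                          "dependsOn": [c["bom-ref"] for c in components]}],
    }


def missing_top_level(sbom, deps):
    """Return purls of declared top-level dependencies the SBOM fails to cover.

    A dependency counts as covered only if it is listed as a component AND
    appears in the root component's 'dependsOn' list; a generator that emits
    the component but drops the edge still produces a gap. Empty == covered."""
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    direct = set()
    for entry in sbom.get("dependencies", []):
        if entry.get("ref") == root_ref:
            direct.update(entry.get("dependsOn", []))
    listed = {c.get("bom-ref") for c in sbom.get("components", [])}
    return [purl(ptype, name, version)
            for name, version, ptype in deps
            if purl(ptype, name, version) not in direct
            or purl(ptype, name, version) not in listed]


if __name__ == "__main__":
    doc = build_sbom("widget-firmware", "2.4.0", TOP_LEVEL_DEPS)
    print(json.dumps(doc, indent=2))
    print("uncovered top-level deps:", missing_top_level(doc, TOP_LEVEL_DEPS))
```

The coverage check is the useful part for an audit: run it against the SBOM your build actually produces, with the dependency list taken from the lock file, so that a tooling regression (a dependency present as a component but missing from the dependency graph, or absent entirely) is caught before the SBOM is filed as technical documentation.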
Ensure vulnerability handling processes meet essential requirements (Annex I Part II) — CRA Compliance Hub