OBL-ART6-01
Binding

Ensure the product meets essential cybersecurity requirements (Annex I Part I)

Applies to
Manufacturer
Source citations
Art. 6(a); Annex I Part I
Last reviewed

Plain language

Before you can sell your product in the EU, it must meet the security properties listed in Annex I Part I. These cover things like: no known exploitable vulnerabilities at launch, secure default configuration, protection of data, ability to receive updates, limited attack surface, and incident detection capabilities. Think of Annex I Part I as the technical pass/fail checklist your product must clear.

Legal text

Article 6(a) of Regulation (EU) 2024/2847 provides that products with digital elements shall be made available on the market only where:

they meet the essential cybersecurity requirements set out in Part I of Annex I, provided that they are properly installed, maintained, used for their intended purpose or under conditions which can reasonably be foreseen, and, where applicable, the necessary security updates have been installed.

Annex I Part I — Essential cybersecurity requirements for products

The product itself (not the manufacturer's processes) must satisfy all of the following, where applicable:

  1. No known exploitable vulnerabilities — the product shall be placed on the market without any known exploitable vulnerabilities
  2. Security by default — the product shall be placed on the market with a secure by default configuration, including the possibility to reset to original state
  3. Protection of data — the product shall ensure protection of stored, transmitted or otherwise processed data against unauthorised access or disclosure
  4. Data integrity — the product shall protect the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against manipulation or corruption by unauthorised parties
  5. Data minimisation — the product shall process only data that are adequate, relevant and limited to what is necessary
  6. Availability — the product shall protect the availability of essential functions and services, including resilience against and mitigation of denial-of-service attacks
  7. Limited attack surface — the product shall minimise its own attack surface, including external interfaces
  8. Reduced impact of incidents — the product shall be designed to minimise the impact of incidents using appropriate exploitation mitigation mechanisms and techniques
  9. Security logging — the product shall provide security-related information by recording and/or monitoring relevant internal activity, including access to data
  10. Update capability — the product shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users

Applicability per product type

Not all Annex I Part I requirements apply to every product. The manufacturer's cybersecurity risk assessment (required under Art. 13(2)) determines which requirements are applicable. Where a requirement is not applicable, the manufacturer must include a clear justification in the technical documentation (Art. 13(4)).

Relationship to other obligations

  • This obligation sets the product-level standard; the corresponding process-level standard is in Art. 6(b) → OBL-ART6-02
  • Manufacturers demonstrate conformity via the conformity assessment procedures in Art. 32 → OBL-ART13-04
  • Technical documentation must record how each requirement is met → OBL-ART31-01

Evidence you may need

  • Cybersecurity risk assessment (Annex VII §3)
  • Test reports demonstrating compliance with each applicable Annex I Part I requirement
  • Justification for any Annex I Part I requirements deemed not applicable
  • Security update delivery mechanism documentation

CRA Compliance Hub