2024/2847 - Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)
Frequently Asked Questions
An EU Regulation is a binding legislative act that must be applied in its entirety across the European Union. Unlike directives, regulations do not need to be transposed into national law and are directly applicable in all member states. Regulations are used when uniform application across all EU countries is essential.
Regulation 2024/2847 covers "Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)". There are 12 standards associated with this regulation.
Harmonized standards under 2024/2847 are European standards (ENs) developed by CEN, CENELEC, or ETSI in response to a mandate from the European Commission. When these standards are cited in the Official Journal of the European Union, products manufactured in conformity with them benefit from a presumption of conformity with the essential requirements of 2024/2847, facilitating CE marking and free movement within the European Economic Area.
This document specifies general cybersecurity principles and general risk management activities for all products with digital elements, hereafter also referred to as 'products'. This document covers every stage of the product lifecycle to ensure and maintain an appropriate level of cybersecurity based on the risks.
This document also provides generic elements to support the development of coherent product-category-specific standards (vertical standards).
This document:
— establishes generic cybersecurity principles applicable to all stages of the product lifecycle;
— specifies requirements for risk assessment and treatment of cybersecurity risks;
— specifies requirements on activities that can be applied to ensure an appropriate level of cybersecurity at every phase of the product lifecycle;
— provides elements and considerations for product category specific standards in order to facilitate a harmonized approach.
This document does not provide vertical product category specific activities and elements.
- Draft, 57 pages, English
This document specifies the technical requirements for general-purpose tamper-resistant microprocessors and microcontrollers intended for integration into products that rely on them as a foundational security component. The microprocessors and microcontrollers in scope are designed for deployment in environments where the security features of the product integrating the platform are of importance, and where the threat landscape includes attackers with low but non-negligible attack potential, corresponding to AVA_VAN.2 to AVA_VAN.3 as defined in [13].
- Draft, 102 pages, English
This document specifies the security assessment requirements for platforms that include microprocessors and microcontrollers with security-related functionalities. These platforms aim to secure other products, networks or services beyond the microprocessors and microcontrollers themselves, and are intended to provide assurance at level AVA_VAN.1 as defined in [2], or without an AVA_VAN claim.
- Draft, 95 pages, English
This document provides the terms and definitions commonly used in the cybersecurity requirements for products with digital elements family of standards.
- Draft, 8 pages, English
The products with digital elements in the scope of this document are the platforms of smartcards and similar devices including secure elements, which consist of a tamper-resistant MCU/MPU and optionally an application environment or operating system. Platforms are designed to store and process sensitive data, and to protect it against physical and logical attacks by attackers with significant resources and skills, at AVA_VAN.4 (moderate attack potential) or AVA_VAN.5 (high attack potential) levels. Although platforms do not delegate data processing to remote entities, these can be involved in operations such as software update, configuration or key provisioning. The platform ensures the authentication of the remote entities before receiving/sending sensitive information and ensures this information is protected during the exchange.
Platforms are intended for final products including, but not limited to, electronic identity cards, removable UICCs, eUICC, payment cards, physical access cards, digital tachograph cards or wrist bands with integrated payment secure elements, trust anchors in connected digital products and critical IT systems.
This document defines technical requirements for platforms, which meet the essential requirements defined in Regulation (EU) 2024/2847 to the extent described in Annex ZZ. It also defines the methods for assessing the technical requirements.
The expression of the technical requirements and the assessment methods use the Common Criteria (CC) formalism defined in the EN ISO/IEC 15408 series and EN ISO/IEC 18045:2023 supplemented by the EUCC state-of-the-art documents for the technical domain smart cards and similar devices.
This document covers platforms conformant with the Protection Profiles (PPs) PP0084, PP0117, PP0104 and PP TPM, and identifies the gaps of these specifications against the CRA essential requirements. In this document, PP0104 also refers to the PP0104-based PP-Configuration 0107. Evaluating a platform against PP0084, PP0117, PP0104 or PP TPM, together with the applicable additional technical requirements that cover their gaps, allows conformance with the CRA essential requirements to be demonstrated. The technical requirements and the mappings against PP0084, PP0117, PP0104 and PP TPM are defined in Clause 7 and Annex B, respectively.
This document also covers platforms consisting of a hardware layer and either an application environment, e.g. Java Card platform, or firmware/software. Annex C contains an informative mapping of Java Card platforms towards PP0099.
Platforms can have discrete, integrated or embedded form factors, and employ technologies such as integrated circuits, programmable macros or system-in-package or system-on-chip. These do not affect the requirements or the assessment methods. Unless specified, clauses apply to all platforms, from pure hardware to platforms consisting of hardware, firmware and/or software.
Platforms are accompanied by guidance which contains all the requirements and recommendations for the secure integration of the platform into further intermediate or final products and the secure usage of the platform by the external entities. The guidance covers all the non-platform aspects which can impact the security of the platform assets.
The applications stored and/or running on the platforms, which are an integral part of the final products, are outside the scope of this document. prEN 18330:2026 applies to products composed of a platform and a set of applications.
- Draft, 144 pages, English
This standard shall provide specifications applicable to vulnerability handling processes, covering all relevant product categories, to be put in place by manufacturers of products with digital elements. Those processes shall at least enable the manufacturer to:
(a) identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;
(b) in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;
(c) apply effective and regular tests and reviews of the security of the product with digital elements;
(d) once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;
(e) put in place and enforce a policy on coordinated vulnerability disclosure;
(f) take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a standardised contact address for the reporting of vulnerabilities discovered in the product with digital elements;
(g) provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner, and, where applicable for security updates, in an automatic manner;
(h) ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
- Draft, 37 pages, English