Proposal 15.9.2022, Cyber Resilience Act

The Articles of the Cyber Resilience Act

Annex 2


As a minimum, the product with digital elements shall be accompanied by:

1. the name, registered trade name or registered trade mark of the manufacturer, and the postal address and the email address at which the manufacturer can be contacted, on the product or, where that is not possible, on its packaging or in a document accompanying the product;

2. the point of contact where information about cybersecurity vulnerabilities of the product can be reported and received;

3. the correct identification of the type, batch, version or serial number or other element allowing the identification of the product and the corresponding instructions and user information;

4. the intended use, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;

5. any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks;

6. if and, where applicable, where the software bill of materials can be accessed;

7. where applicable, the internet address at which the EU declaration of conformity can be accessed;

8. the type of technical security support offered by the manufacturer and until when it will be provided, at the very least until when users can expect to receive security updates;

9. detailed instructions or an internet address referring to such detailed instructions and information on:

(a) the necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use;

(b) how changes to the product can affect the security of data;

(c) how security-relevant updates can be installed;

(d) the secure decommissioning of the product, including information on how user data can be securely removed.

Cyber Resilience Act Text 15.9.2022

You may also visit:

NIS 2 Directive

Digital Operational Resilience Act (DORA)

European Chips Act