Proposal 15.9.2022, Cyber Resilience Act

The Articles of the Cyber Resilience Act


Article 3, Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;


(2) ‘remote data processing’ means any data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions;


(3) ‘critical product with digital elements’ means a product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(2) and whose core functionality is set out in Annex III;


(4) ‘highly critical product with digital elements’ means a product with digital elements that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(5);


(5) ‘operational technology’ means programmable digital systems or devices that interact with the physical environment or manage devices that interact with the physical environment;


(6) ‘software’ means the part of an electronic information system which consists of computer code;


(7) ‘hardware’ means a physical electronic information system, or parts thereof capable of processing, storing or transmitting of digital data;


(8) ‘component’ means software or hardware intended for integration into an electronic information system;


(9) ‘electronic information system’ means any system, including electrical or electronic equipment, capable of processing, storing or transmitting digital data;


(10) ‘logical connection’ means a virtual representation of a data connection implemented through a software interface;


(11) ‘physical connection’ means any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces, wires or radio waves;


(12) ‘indirect connection’ means a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network;


(13) ‘privilege’ means an access right granted to particular users or programmes to perform security-relevant operations within an electronic information system;


(14) ‘elevated privilege’ means an access right granted to particular users or programmes to perform an extended set of security-relevant operations within an electronic information system that, if misused or compromised, could allow a malicious actor to gain wider access to the resources of a system or organisation;


(15) ‘endpoint’ means any device that is connected to a network and serves as an entry point to that network;


(16) ‘networking or computing resources’ means data or hardware or software functionality that is accessible either locally or through a network or another connected device;


(17) ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations laid down by this Regulation;


(18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;


(19) ‘authorised representative’ means any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on his or her behalf in relation to specified tasks;


(20) ‘importer’ means any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;


(21) ‘distributor’ means any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;


(22) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;


(23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;


(24) ‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;


(25) ‘reasonably foreseeable use’ means use that is not necessarily the intended purpose supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation, but which is likely to result from reasonably foreseeable human behaviour or technical operations or interactions;


(26) ‘reasonably foreseeable misuse’ means the use of a product with digital elements in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;


(27) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;


(28) ‘conformity assessment’ means the process of verifying whether the essential requirements set out in Annex I have been fulfilled;


(29) ‘conformity assessment body’ means a body defined in Article 2(13) of Regulation (EU) No 765/2008;


(30) ‘notified body’ means a conformity assessment body designated in accordance with Article 33 of this Regulation and other relevant Union harmonisation legislation;


(31) ‘substantial modification’ means a change to the product with digital elements following its placing on the market, which affects the compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I or results in a modification to the intended use for which the product with digital elements has been assessed;


(32) ‘CE marking’ means a marking by which a manufacturer indicates that a product with digital elements and the processes put in place by the manufacturer are in conformity with the essential requirements set out in Annex I and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;


(33) ‘market surveillance authority’ means the authority as defined in Article 3, point (4) of Regulation (EU) 2019/1020;


(34) ‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012;


(35) ‘cybersecurity risk’ means risk as defined in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)];


(36) ‘significant cybersecurity risk’ means a cybersecurity risk which, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could lead to a severe negative impact, including by causing considerable material or non-material loss or disruption;


(37) ‘software bill of materials’ means a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements;


(38) ‘vulnerability’ means a vulnerability as defined in Article [Article X] of Directive [Directive XXX/XXXX (NIS2)];


(39) ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner;


(40) ‘personal data’ means data as defined in Article 4(1) of Regulation (EU) 2016/679.

