ANNEX I
ESSENTIAL CYBER SECURITY REQUIREMENTS
Part I Cybersecurity requirements relating to the properties of products with digital elements
1) Products with digital elements shall be designed, developed, and manufactured in such a way as to ensure an appropriate level of cybersecurity based on the risks.
2) Based on the cybersecurity risk assessment referred to in Article 13(2) and, where applicable, products with digital elements shall:
be offered on the market without known exploitable vulnerabilities;
be offered on the market with a standard secure configuration, unless otherwise agreed between the manufacturer and the business user with regard to a product with customized digital elements, including the possibility to restore the product to its original state;
ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within a reasonable timeframe and enabled by default, with a clear and user-friendly opt-out mechanism, by notifying users of available updates, and by allowing them to temporarily defer updates;
ensure protection against unauthorized access through appropriate control mechanisms, including but not limited to authentication, identity, or access management systems, and report any unauthorized access;
protect the confidentiality of stored, transmitted, or otherwise processed personal data or other data, for example by encrypting relevant data at rest or in transit using state-of-the-art mechanisms, and by using other technical means;
protect the integrity of stored, transmitted, or otherwise processed data, personal data, or other data, commands, programs, and configurations against manipulation or modification not authorized by the user, and report any damage;
process only personal or other data that is adequate and relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimal data processing);
protect the availability of essential and basic functions, even after an incident, including through resilience and mitigation measures against denial of service attacks;
minimize the negative impact of the products themselves or of connected devices on the availability of services provided by other devices or networks;
be designed, developed, and manufactured to minimize their attack surface, including external interfaces;
be designed, developed, and manufactured to limit the consequences of an incident using appropriate exploitation mitigation mechanisms and techniques;
provide security-related information by recording and monitoring relevant internal activities, including access to or modification of data, services, or functions, with an opt-out mechanism for the user;
provide users with the ability to securely and easily permanently delete all data and settings and, if that data can be transferred to other products or systems, ensure that this is done in a secure manner.
Part II Requirements regarding the response to vulnerabilities
Manufacturers of products with digital elements must:
identify and document vulnerabilities and components in products with digital elements, including by creating a software bill of materials in a commonly used and machine-readable format that covers at least the top-level dependencies of the products;
in relation to the risks posed by products with digital elements, address and remedy vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates should be provided separately from functionality updates;
test and evaluate the security of the product with digital elements in an effective and regular manner;
once a security update has been made available, share and disclose information about the vulnerabilities that have been addressed, including a description of the vulnerabilities, information that allows users to identify the product with digital elements, the impact of the vulnerabilities, their severity, and clear and accessible information that helps users address the vulnerabilities; in duly justified cases, where manufacturers consider that the security risks of disclosure outweigh the security benefits, they may delay the disclosure of information about a fixed vulnerability until users have had the opportunity to apply the relevant patch;
implement and enforce a policy of coordinated disclosure of vulnerabilities;
take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements and in third-party components in that product, including by providing a contact address for reporting vulnerabilities discovered in the product with digital elements;
provide mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are addressed or mitigated in a timely manner and, where applicable for security updates, automatically;
ensure that, when security updates are available to address identified security issues, they are distributed promptly and, unless otherwise agreed between a manufacturer and a business user in relation to a product with customized digital elements, free of charge, accompanied by advice containing relevant information for users, including on any measures to be taken.