Skip to content

Chapter VIII — Transitional and final provisions

Article 66 — Amendment to Regulation (EU) 2019/1020

In Annex I to Regulation (EU) 2019/1020, the following point is added:

(‘72) Regulation (EU) 2024/2847 of the European Parliament and of the Council ( *1 ) .

Article 67 — Amendment to Directive (EU) 2020/1828

In Annex I to Directive (EU) 2020/1828, the following point is added:

(‘69) Regulation (EU) 2024/2847 of the European Parliament and of the Council ( *2 ) .

Article 68 — Amendment to Regulation (EU) No 168/2013

In Part C1, in the table, of Annex II to Regulation (EU) No 168/2013 of the European Parliament and of the Council (38), the following entry is added:

(16) 18

’.

Article 69 — Transitional provisions

  1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until 11 June 2028, unless they expire before that date, or unless otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.

  2. Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

  3. By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before 11 December 2027.

Article 70 — Evaluation and review

  1. By 11 December 2030 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.

  2. By 11 September 2028, the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.

Article 71 — Entry into force and application

  1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

  2. This Regulation shall apply from 11 December 2027.

    However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.