Product-related Essential Requirements
- Products to be delivered without known exploitable vulnerabilities
- Free security patches for 5 years or the lifetime of the product (whichever is shorter)
- Security patches must be installed automatically over the air by default
- Users must be able to decline, postpone, or disable the updates
- Protect the device – Security by default
- Reduce the impact of security incidents
- Availability of essential functions
- Log certain events
- Personal data and sensitive information must be encrypted at rest
- Software integrity protection measures must be in place to prevent unauthorized modification of software or firmware
Vulnerability Handling Requirements
- Document the software used: provide a Software Bill of Materials (SBOM)
- Must notify the relevant authorities upon discovering any severe incident: early warning within 24 h, full notification within 72 h
- Address vulnerabilities and patch with no delay
- Allow customers to report vulnerabilities
- Provide a secure update mechanism
Information & Instruction
- Communicate the expected lifetime and support period of the product
- Communicate the intended use of the product
- Explain how to remove data from the device
- Describe the security features of the product