OBL-ART13-06 (Binding)

Ensure no known exploitable vulnerabilities when placing on the market

Applies to
Manufacturer
Source citation
Art. 13(6), Annex I Part I §3
Product class
default, important-class-i, important-class-ii, critical
Last reviewed

Plain-language explanation

You must not knowingly ship a product with security bugs that can be exploited. Before each release — including software updates — check your own code and all third-party components against known vulnerability databases (such as the NVD and EUVD). Fix what you find before you ship.

Legal text

Article 13(6) of Regulation (EU) 2024/2847 and Annex I Part I §3 require that, when placing a product with digital elements on the market, manufacturers ensure the product does not contain any known exploitable vulnerabilities.

This obligation applies:

  • at first placement on the market
  • for each subsequent software update made available to users

Key requirements

  1. Pre-release vulnerability scan — run SCA and SAST checks before every release
  2. CVE/EUVD check — verify all components (first-party and third-party) against the National Vulnerability Database (NVD), the EU Vulnerability Database (EUVD), and relevant advisory feeds
  3. No CVSS-critical shipment — do not ship with known critical or high-severity exploitable vulnerabilities unless a documented, time-limited risk-acceptance decision is in place
  4. Update pipeline check — the same no-known-vuln gate applies to every security update and feature release pushed to users
  5. Documented at release — retain the vulnerability-status assessment for each shipped version as evidence

Scope clarification

"Known exploitable" means vulnerabilities for which a CVE or equivalent advisory has been published and for which a practical exploitation path exists in the context of the product as deployed. Theoretical or highly conditional risks that cannot be exercised in normal use are assessed under the risk-proportionality principle.
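The key requirements above (CVE/EUVD lookup, a severity gate that only a documented, time-limited risk acceptance can override, and a retained per-release record) and the "known exploitable" definition can be expressed as one release gate. The following is an added illustration, not code from the CRA Compliance Hub: the vulnerability feed, advisory ids (ADV-EXAMPLE-*), component names and the "exploitable in deployed context" flag are all constructed placeholders standing in for real NVD/EUVD query results and a product-specific exploitability assessment.

```python
from dataclasses import dataclass
from datetime import date

HIGH_OR_CRITICAL = 7.0  # CVSS v3.x: High >= 7.0, Critical >= 9.0

@dataclass(frozen=True)
class Finding:
    component: str    # "name@version" as listed in the SBOM
    advisory: str     # CVE/EUVD id; placeholders here, not real identifiers
    cvss: float
    exploitable: bool  # practical exploitation path in the product as deployed?

@dataclass(frozen=True)
class RiskAcceptance:
    advisory: str
    rationale: str
    expires: str      # ISO date; the decision is documented and time-limited

# Constructed sample feed standing in for NVD/EUVD query results (hypothetical data).
VULN_FEED = {
    "libparse@2.1.0":    [Finding("libparse@2.1.0", "ADV-EXAMPLE-1", 9.8, True)],
    "libcompress@1.0.4": [Finding("libcompress@1.0.4", "ADV-EXAMPLE-2", 5.3, True)],
    "libnet@3.0.0":      [Finding("libnet@3.0.0", "ADV-EXAMPLE-3", 8.1, False)],
    "libcrypto@1.1.1":   [Finding("libcrypto@1.1.1", "ADV-EXAMPLE-4", 7.5, True)],
}

def scan(sbom, feed=VULN_FEED):
    """Look every SBOM entry up in the feed (the CVE/EUVD check)."""
    return [f for entry in sbom for f in feed.get(entry, [])]

def release_gate(sbom, acceptances, today, feed=VULN_FEED):
    """Return (allowed, evidence). Blocks on exploitable High/Critical findings
    unless a documented risk acceptance is still in force on `today` (ISO date)."""
    findings = scan(sbom, feed)
    cutoff = date.fromisoformat(today)
    in_force = {a.advisory for a in acceptances if date.fromisoformat(a.expires) >= cutoff}
    blocking = [f.advisory for f in findings
                if f.exploitable and f.cvss >= HIGH_OR_CRITICAL
                and f.advisory not in in_force]
    evidence = {  # retained per shipped version as the release-time record
        "date": today,
        "checked": list(sbom),
        "findings": [(f.advisory, f.cvss, f.exploitable) for f in findings],
        "accepted": sorted(in_force & {f.advisory for f in findings}),
        "blocking": blocking,
    }
    return not blocking, evidence

if __name__ == "__main__":
    sbom = ["libparse@2.1.0", "libcompress@1.0.4", "libnet@3.0.0", "libcrypto@1.1.1"]
    acc = [RiskAcceptance("ADV-EXAMPLE-4", "code path not reachable in shipped config", "2025-12-31")]
    ok, ev = release_gate(sbom, acc, "2025-06-01")
    print("release allowed" if ok else f"blocked: {ev['blocking']}")
```

The same gate is meant to run unchanged for every update pushed to users, and the expired-acceptance case shows why the decision must be time-limited rather than permanent.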

Evidence you may need

  • SCA and SAST scan reports for each release
  • CVE/EUVD database query records at each release date
  • Risk-acceptance records (for accepted residual risk)
  • Vulnerability backlog showing all issues resolved before release
  • Penetration test results for major versions
Ensure no known exploitable vulnerabilities when placing on the market — CRA Compliance Hub