Hacker News
by buzer 395 days ago
Thanks. I tried to look into this a bit more and it sounds like quite a few places are interpreting "be made available on the market without known exploitable vulnerabilities" as meaning that there cannot be any known vulnerability at the release date. Germany's Federal Office for Information Security (BSI, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...) seems to be even looser with the definition; in 5.3.2.3 they actually say it's just "SHOULD", not "MUST". No clue what they are basing that on.

The "including the possibility to reset the product to its original state" is an interesting one. Would that prevent manufacturers from not allowing users to downgrade to the original version (via eFuses)? 5.3.3.1 in those guidelines does say "initial or newest version", but that doesn't really sound like original state.