Protect your data, get rid of vulnerabilities and prepare against threats: use the Cyber Resilience Act compliance checklist to verify whether your company, product or software is CRA-ready.
Identify any requirements you are missing so that you can take swift action and be ready on time.
Manufacturers of non-critical products can self-assess their compliance with the CRA’s requirements.
You can check the Annex III of the regulation for a list of Critical Products.
Manufacturers of non-critical products may nonetheless choose to undergo the same assessment process as critical products, in which compliance with the CRA is verified by a notified body. In that case they must choose between two main modules, which are described in the Critical products tab and whose requirements differ from those listed below.

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Cyber resilience must be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Self-assessment | |
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Self-assessment | |
4 | Deliver the product with a secure-by-default configuration and without any known exploitable vulnerabilities | Annex I, Section 1 §2 and §3a | Self-assessment | |
6 | Implement strong authentication (for example multi-factor authentication) and identity and access management to protect against unauthorised access | Annex I, Section 1 §3b | Self-assessment | |
7 | Protect the confidentiality and integrity of users' data (including personal data), for example with encryption and access control mechanisms | Annex I, Section 1 §3c and §3d | Self-assessment | |
8 | Process only data that is necessary for the intended use of the product or software (data minimisation, as under the GDPR) | Annex I, Section 1 §3e | Self-assessment | |
9 | Protect the availability of essential functions, including resilience against and mitigation of denial-of-service attacks | Annex I, Section 1 §3f | Self-assessment | |
10 | Minimise the product's own negative impact on the availability of services provided by other devices or networks; in other words, ensure that your product cannot be abused as part of a DDoS attack | Annex I, Section 1 §3g | Self-assessment | |
11 | Design the product to limit attack surfaces, including external interfaces. For example: close ports that do not need to be open, protect or disable unused USB and debug ports | Annex I, Section 1 §3h | Self-assessment | |
12 | Design the product to limit the impact of attacks and incidents. For example: authentication and authorisation controls, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Self-assessment | |
13 | Record and/or monitor relevant internal activity, including user and network activity. For example: activity and user logs | Annex I, Section 1 §3j | Self-assessment | |
14 | Ensure that vulnerabilities can be addressed through security updates, including, where applicable, automatic updates enabled by default with a clear and easy-to-use opt-out mechanism, notification of available updates to users and the option to temporarily postpone them | Annex I, Section 1 §3k | Self-assessment | |
16 | Create and maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the top-level dependencies of the product | Annex I, Section 2 §1 | Self-assessment | |
17 | Identify and document the vulnerabilities and components contained in the product (including through the SBOM) | Annex I, Section 2 §1 | Self-assessment | |
18 | Provide security updates free of charge and without delay, and inform the end user that a security update is available or has been installed on their device | Annex I, Section 2 §2, §7 and §8 | Self-assessment | |
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Self-assessment | |
20 | Design and implement a policy for publishing information about the fixed vulnerabilities (security update release notes) every time a security update is released | Annex I, Section 2 §4 and §8 | Self-assessment | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Self-assessment | |
22 | Provide a contact address for the third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Self-assessment | |
23 | Design and implement a policy for sharing information about potential vulnerabilities in your product, including with third parties, and publish the contact address | Annex I, Section 2 §6 | Self-assessment | |
24 | Ensure that procedures are in place so that products with digital elements that are part of a series of production remain in conformity | Article 10(9) of the Regulation | Self-assessment | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
27 | The product must be delivered with a name and type and any additional information enabling it to be uniquely identified | Annex II, Section 3 | self-written | |
28 | The intended purpose, essential functionalities and security properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
29 | Any known or foreseeable circumstance related to the use of the product that may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
32 | The type of technical and security support offered and the period during which it is provided must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | self-written | |
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | self-written | |
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
36 | Detailed instructions, or a link to them, on secure decommissioning of the product and erasure of user data must be provided | Annex II, Section 9 §d | self-written | |
37 | Instructions on how the default setting of automatically installed updates can be turned off must be provided | Annex II, Section 9 §e | self-written | |
38 | The CE marking must be affixed to each individual product that satisfies the applicable requirements | Annex VI, Module A, Section 4.1 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph where appropriate) allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | self-written | |
39 | The EU declaration of conformity must contain the name and address of the manufacturer or its authorised representative | Annex IV, Section 2 | self-written | |
40 | The declaration must state that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | self-written | |
41 | The declaration must state that the object of the declaration is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | self-written | |
42 | The declaration must reference the relevant harmonised standards or other technical specifications or certification against which conformity is declared | Annex IV, Section 6 | self-written | |
43 | Where applicable (for example for Class I and Class II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the identification of the certificate issued must be included | Annex IV, Section 7 | if applicable | |
44 | The declaration may contain additional information where relevant | Annex IV, Section 8 | - | |
45 | The declaration must be signed for and on behalf of the manufacturer and state the place and date of issue | Annex IV | - | |
46 | The signatory must be identified by name and function; an authorised representative may sign only within the limits of its mandate | Annex IV and Article 12(1) of the Regulation | - | |
47 | An EU declaration of conformity must be drawn up for each product and kept at the disposal of the national authorities for 10 years after the product has been placed on the market | Annex VI, Module A, Section 4.2 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | self-written | |
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | self-written | |
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written | |
51 | For hardware products, the general description must include photographs or illustrations showing external features, markings and internal layout | Annex V, Section 1 §c | self-written | |
52 | The general description must include the information described in Annex II (manufacturer's name and registered trademark, contact information both general and for the reporting of cybersecurity vulnerabilities, the product's type, batch, version or serial number, the technical and security support provided, how to securely commission and decommission the product, and how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written | |
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (where applicable) and/or a description of the system architecture | Annex V, Section 2 §a | self-written | |
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | self-written | |
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes of the product, including the validation of these processes | Annex V, Section 2 §c | self-written | |
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written | |
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and explain how they have been applied to the product; if they have not been applied, which other solutions and measures have been implemented to meet the CRA's requirements; and if they have been applied only in part, which parts have been applied | Annex V, Section 4 and Articles 18(3) and 19 of the Regulation | self-written | |
58 | The technical documentation must contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment within the technical documentation | Annex V, Section 5, Annex I, Sections 1 and 2, and Swedish update | self-written | |
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | - | |
60 | Technical documentation must be drawn up for each product and kept at the disposal of the national authorities for 10 years after the product has been placed on the market | Annex VI, Module A, Section 4.2 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
61 | The manufacturer shall notify any actively exploited vulnerability that it becomes aware of to the CSIRTs, without undue delay and in any event within 24 hours of becoming aware of it | Article 11(1) of the Regulation | - | |
62 | The manufacturer must design and implement a policy for informing the product's users, without undue delay, of vulnerabilities and incidents, including the corrective measures they can take | Article 11(4) of the Regulation | - | |
63 | The manufacturer must design and implement a policy for bringing a product that is no longer in conformity back into conformity (including through updates) or for withdrawing or recalling the product, as appropriate | Article 10(12) of the Regulation | - | |
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users if it ceases operations | Article 10(14) of the Regulation | - | |
65 | Where the manufacturer relies on an authorised representative for the obligations set out in point 4 (CE marking, EU declaration of conformity and retention of documentation), the mandate must specify that the representative may fulfil them on the manufacturer's behalf and under its responsibility | Annex VI, Module A, Section 5 | - | |
Manufacturers of critical products must go through an external conformity assessment conducted by a notified body, which verifies that the product complies with the requirements of the CRA.
You can check Annex III of the regulation for the list of critical products.
Manufacturers of critical products can choose between two assessment paths: EU-type examination (module B) followed by conformity to type based on internal production control (module C), or conformity based on full quality assurance (module H).
Module H is the more demanding path in terms of process: the manufacturer operates a quality system, that is a written record of the processes and procedures it follows to ensure that the product meets the CRA's requirements, and the notified body assesses and then surveils that quality system.
Module B does not require a quality system. Instead, the notified body examines the technical documentation and specimens of the product and, if satisfied, issues an EU-type examination certificate. The manufacturer then uses module C to declare that the products it subsequently produces conform to the certified type; module C rests on the manufacturer's own internal production control and does not involve a new examination by the notified body.
Hence, while module B focuses on the product itself (its design, technical documentation and vulnerability handling processes), module H looks at the manufacturer's processes, i.e. the quality system, as the basis for compliance with the CRA.

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Cyber resilience must be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Assessed by notified body | |
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the Regulation | Assessed by notified body | |
4 | Deliver the product with a secure-by-default configuration | Annex I, Section 1 §3a | Assessed by notified body | |
5 | Implement a factory reset feature allowing the product to be returned to its original state | Annex I, Section 1 §3a | Assessed by notified body | |
6 | Implement strong authentication (for example multi-factor authentication) and identity and access management to protect against unauthorised access | Annex I, Section 1 §3b | Assessed by notified body | |
7 | Protect the confidentiality and integrity of users' data (including personal data), for example with encryption and access control mechanisms | Annex I, Section 1 §3c and §3d | Assessed by notified body | |
8 | Process only data that is necessary for the intended use of the product or software (data minimisation, as under the GDPR) | Annex I, Section 1 §3e | Assessed by notified body | |
9 | Protect the availability of essential functions, including resilience against and mitigation of denial-of-service attacks | Annex I, Section 1 §3f | Assessed by notified body | |
10 | Minimise the product's own negative impact on the availability of services provided by other devices or networks; in other words, ensure that your product cannot be abused as part of a DDoS attack | Annex I, Section 1 §3g | Assessed by notified body | |
11 | Design the product to limit attack surfaces, including external interfaces. For example: close ports that do not need to be open, protect or disable unused USB and debug ports | Annex I, Section 1 §3h | Assessed by notified body | |
12 | Design the product to limit the impact of attacks and incidents. For example: authentication and authorisation controls, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Assessed by notified body | |
13 | Record and/or monitor relevant internal activity, including user and network activity. For example: activity and user logs | Annex I, Section 1 §3j | Assessed by notified body | |
14 | Provide automatic security updates for at least 5 years (or the expected lifetime of the product, whichever is shorter), except for products primarily intended to be integrated as components into other products or for devices whose users would not reasonably expect automatic updates | Annex I, Section 1 §3k, Article 10(5) of the Regulation and Swedish update | Assessed by notified body | |
15 | Automatically notify users of vulnerabilities and of available security updates | Annex I, Section 1 §3k | Assessed by notified body | |
16 | Create and maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the top-level dependencies of the product | Annex I, Section 2 §1 | Assessed by notified body | |
17 | Identify and document the vulnerabilities and components contained in the product (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body | |
18 | Provide security updates free of charge and without delay, and inform the end user that a security update is available or has been installed on their device | Annex I, Section 2 §2, §7 and §8 | Assessed by notified body | |
19 | Design and implement a policy for regular testing and review of the security of the product | Annex I, Section 2 §3 | Assessed by notified body | |
20 | Design and implement a policy for publishing information about the fixed vulnerabilities (security update release notes) every time a security update is released | Annex I, Section 2 §4 and §8 | Assessed by notified body | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body | |
22 | Provide a contact address for the third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body | |
23 | Design and implement a policy for sharing information about potential vulnerabilities in your product, including with third parties, and publish the contact address | Annex I, Section 2 §6 | Assessed by notified body | |
24 | Ensure that procedures are in place so that products with digital elements that are part of a series of production remain in conformity | Article 10(9) of the Regulation | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
27 | The product must be delivered with a name and type and any additional information enabling it to be uniquely identified | Annex II, Section 3 | self-written | |
28 | The intended purpose, essential functionalities and security properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
29 | Any known or foreseeable circumstance related to the use of the product that may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
32 | The type of technical and security support offered and the period during which it is provided must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
33 | Detailed instructions, or a link to them, on the measures necessary during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided | Annex II, Section 9 §a | self-written | |
34 | Detailed instructions, or a link to them, on how changes to the product can affect the security of data must be provided | Annex II, Section 9 §b | self-written | |
35 | Detailed instructions, or a link to them, on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
36 | Detailed instructions, or a link to them, on secure decommissioning of the product and erasure of user data must be provided | Annex II, Section 9 §d | self-written | |
37 | Instructions on how the default setting of automatically installed updates can be turned off must be provided | Annex II, Section 9 §e | self-written | |
38 | The CE marking must be affixed to each individual product that satisfies the applicable requirements | Annex VI, Section 4.1 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph where appropriate) allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | self-written | |
39 | The EU declaration of conformity must contain the name and address of the manufacturer or its authorised representative | Annex IV, Section 2 | self-written | |
40 | The declaration must state that it is issued under the sole responsibility of the manufacturer | Annex IV, Section 3 | self-written | |
41 | The declaration must state that the object of the declaration is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | self-written | |
42 | The declaration must reference the relevant harmonised standards or other technical specifications or certification against which conformity is declared | Annex IV, Section 6 | self-written | |
43 | Where applicable (for example for Class I and Class II products), the name and number of the notified body, a description of the conformity assessment procedure performed and the identification of the certificate issued must be included | Annex IV, Section 7 | if applicable | |
44 | The declaration may contain additional information where relevant | Annex IV, Section 8 | - | |
45 | The declaration must be signed for and on behalf of the manufacturer and state the place and date of issue | Annex IV | - | |
46 | The signatory must be identified by name and function; an authorised representative may sign only within the limits of its mandate | Annex IV and Article 12(1) of the Regulation | - | |
47 | An EU declaration of conformity must be drawn up for each product and kept at the disposal of the national authorities for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
48 | The technical documentation must contain a general description of the product | Annex V, Section 1 | assessed by notified body | |
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | assessed by notified body | |
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | assessed by notified body | |
51 | For hardware products, the general description must include photographs or illustrations showing external features, markings and internal layout | Annex V, Section 1 §c | assessed by notified body | |
52 | The general description must include the information described in Annex II (manufacturer's name and registered trademark, contact information both general and for the reporting of cybersecurity vulnerabilities, the product's type, batch, version or serial number, the technical and security support provided, how to securely commission and decommission the product, and how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | assessed by notified body | |
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (where applicable) and/or a description of the system architecture | Annex V, Section 2 §a | assessed by notified body | |
54 | The technical documentation must contain complete information on the vulnerability handling processes and disclosure policy, the software bill of materials, the contact address for the reporting of vulnerabilities and how updates are securely distributed | Annex V, Section 2 §b and Section 7 | assessed by notified body | |
55 | The technical documentation must contain complete information and specifications of the production and monitoring processes of the product, including the validation of these processes | Annex V, Section 2 §c | assessed by notified body | |
56 | The technical documentation must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | assessed by notified body | |
57 | If the product also falls under other EU regulations or harmonised standards, the technical documentation must reference them and explain how they have been applied to the product; if they have not been applied, which other solutions and measures have been implemented to meet the CRA's requirements; and if they have been applied only in part, which parts have been applied | Annex V, Section 4 and Articles 18(3) and 19 of the Regulation | assessed by notified body | |
58 | The technical documentation must contain a description and reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment within the technical documentation | Annex V, Section 5, Annex I, Sections 1 and 2, and Swedish update | assessed by notified body | |
59 | The technical documentation must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | assessed by notified body | |
60 | Technical documentation must be drawn up for each product and kept at the disposal of the national authorities for 10 years after the product has been placed on the market | Annex VI, Section 4.2 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
61 | The manufacturer shall notify any actively exploited vulnerability that it becomes aware of to the CSIRTs, without undue delay and in any event within 24 hours of becoming aware of it | Article 11(1) of the Regulation | - | |
62 | The manufacturer must design and implement a policy for informing the product's users, without undue delay, of vulnerabilities and incidents, including the corrective measures they can take | Article 11(4) of the Regulation | - | |
63 | The manufacturer must design and implement a policy for bringing a product that is no longer in conformity back into conformity (including through updates) or for withdrawing or recalling the product, as appropriate | Article 10(12) of the Regulation | - | |
64 | The manufacturer shall design and implement a policy enabling it to alert the relevant market surveillance authorities and, by any means available, the product's users if it ceases operations | Article 10(14) of the Regulation | - | |
65 | Where the manufacturer relies on an authorised representative for the obligations set out in point 4 (CE marking, EU declaration of conformity and retention of documentation), the mandate must specify that the representative may fulfil them on the manufacturer's behalf and under its responsibility | Annex VI, Module A, Section 5 | - | |

ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
66 | The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice | Annex VI, Module B, Section 3 | - | |
67 | The application shall include the name and address of the manufacturer and, if applicable, of its authorised representative | Annex VI, Module B, Section 3 | - | |
68 | The application shall include a written declaration that the same application has not been lodged with any other notified body | Annex VI, Module B, Section 3 | - | |
69 | The application shall include the technical documentation | Annex VI, Module B, Section 3 | - | |
70 | The application shall include the supporting evidence for the adequacy of the technical design solutions and of the vulnerability handling processes, including test results where applicable | Annex VI, Module B, Section 3 | - | |
71 | The application shall include specimens of the product, representative of the production envisaged, for examination and testing by the notified body | Annex VI, Module B, Section 2 | - | |
72 | The manufacturer shall inform the notified body of all modifications to the approved product and to the vulnerability handling processes that may affect the conditions of validity of the EU-type examination certificate | Annex VI, Module B, Section 7 | - | |
73 | The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions, together with the technical documentation, at the disposal of the national authorities for 10 years after the product has been placed on the market | Annex VI, Module B, Section 9 | - | |
74 | The authorised representative may lodge the application and fulfil the manufacturer's obligations, provided that this is specified in the mandate | Annex VI, Module B, Section 10 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Cyber-resilience should be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
2 | The product should have no known exploitable vulnerability | Annex I, Section 1 §2 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the regulation | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
4 | Secure by default configuration | Annex I, Section 1 §3a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
5 | Implement factory reset features | Annex I, Section 1 §3a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
6 | Implement strong authentication protocols (such as N-factor auth) to protect against unauthorised access | Annex I, Section 1 §3b | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
7 | Protect the confidentiality and integrity of users data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex 1, Section 1 §3d | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
8 | Process only data that is necessary for the intended use of the product or software (similar to GDPR requirement) | Annex I, Section 1 §3e | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
9 | Create resilience against and mitigation of denial of service attacks | Annex I, Section 1 §3f | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
10 | Minimize your own impact on the availability of services provided by other devices or networks. In other words, ensure that your systems cannot be used in a DooS attack | Annex I, Section 1 §3g | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
11 | Design products to limit attack surfaces including external interface. For example: close open ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
12 | Design products to limit impact of attacks and incidents. For example: auth protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
13 | Record and/or monitor relevant users and network activity. For example: activity/user log | Annex I, Section 1 §3j | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
14 | Automatic security updates for at least 5 years (or lifetime of the product, whichever is shorter), except for products primarily intended to be integrated into components of other products, nor to devices for which users would not ‘reasonably expect’ automatic updates | Annex I, Section 1 §3k and article 10(5) of the Regulation | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
16 | Creation of a Software Bill of Materials | Annex I, Section 2 §1 | Assessed by notified body | |
17 | Identification of vulnerabilities and documentation writing (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body | |
18 | Ability to provide free automatic security updates and alert the end-user that a security update is available/was executed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Assessed by notified body | |
19 | Design and implement a policy for regular testing and reviews of the security of the product | Annex I, Section 2 §3 | Assessed by notified body | |
20 | Design and implement a policy for the creation of security update release notes that will be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Assessed by notified body | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body | |
22 | Create a contact address for the third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body | |
23 | Design and implement a policy for the third-party sharing of information about vulnerabilities in your product, including the contact address | Annex I, Section 2 §6 | Assessed by notified body | |
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series production to remain in conformity. | Article 10(9) of the Regulation | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
27 | The product must be delivered with a name and type and any additional information enabling the uniqueness of the product | Annex II, Section 3 | self-written | |
28 | The intended purpose, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
32 | The type of technical and security support and time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
33 | Detailed instructions or a link to the detailed instructions on necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
34 | Detailed instructions or a link to the detailed instructions on how changes to the product can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
35 | Detailed instructions or a link to the detailed instructions on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
36 | Detailed instructions or a link to the detailed instructions on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
37 | How the default setting of automatically installed updates can be turned off must be explained. | Annex II, Section 9 §e | self-written | |
38 | The CE marking should be affixed to the product | Annex VI, Section 4.1 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph if appropriate) allowing its traceability. It must also include the specific product model for which it has been drawn up. | Annex IV, Section 1 and Annex IV, Section 4 and Annex VI, module C, section 3.2 | Self-written | |
39 | The EU declaration of conformity must contain the name and address of the manufacturer or his authorised representative | Annex IV, Section 2 | self-written | |
40 | The declaration must contain a statement that it is issued under the sole responsibility of the provider | Annex IV, Section 3 | self-written | |
41 | The declaration must contain a statement that it is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | self-written | |
42 | The declaration must reference any relevant harmonised standards used or related certification to which conformity is declared. | Annex IV, Section 6 | self-written | |
43 | Where applicable (such as Class I and II products), the name and number of the notified body, description of the conformity assessment procedure performed and ID of the issued certificate must be referenced. | Annex IV, Section 7 | self-written | |
44 | The declaration can contain additional information if relevant | Annex IV, Section 8 | self-written | |
45 | The declaration must be signed for and on behalf of the manufacturer, designated by its trademark, done at (location) and dated. | Annex IV | self-written | |
46 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and article 12(1) of the Regulation | self-written | |
47 | The EU declaration of conformity must be created for each product and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
48 | The technical documentation must contain a general description of the product. | Annex V, Section 1 | self-written | |
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | self-written | |
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written | |
51 | For hardware products, the general description must include photographs or illustrations detailing external features, marking and internal layout | Annex V, Section 1 §c | self-written | |
52 | The general description must include the information described in Annex II (manufacturer's name, registered trademark, contact info - general and for cybersecurity risk reporting -, type, batch, version or serial number of the product, technical and security support provided, how to safely commission and decommission the product, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written | |
53 | The technical documentation must contain a description on the design and development of the product including drawings and schemes (if applicable) and/or description of the system architecture | Annex V, Section 2 §a | self-written | |
54 | The technical description must contain complete information on vulnerability handling processes and disclosure policy, software bill of materials, contact address for the reporting of vulnerabilities and how updates are securely distributed. | Annex V, Section 2 §b and Section 7 | self-written | |
55 | The technical description must contain complete information and specifications of the production and monitoring processes of the product, including validation of these processes | Annex V, Section 2 §c | self-written | |
56 | The technical description must contain an assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written | |
57 | If the product also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and how they have been applied to the product; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | self-written | |
58 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the product and vulnerability handling processes, in reference to Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment in the technical documentation | Annex V, Section 5 and Annex I, Sections 1 and 2 and Swedish Update | self-written | |
59 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | - | |
60 | The technical description must be created for each product and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
61 | The manufacturer shall notify any actively exploited vulnerability that they become aware of to the CSIRTs | Article 11(1) of the Regulation | - | |
62 | The manufacturer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to product users, including corrective measures | Article 11(4) of the Regulation | - | |
63 | The manufacturer must design and implement a policy to force a product that is no longer in conformity to become such (including through updates) or withdraw or recall the product, if appropriate | Article 10(12) of the Regulation | - | |
65 | The manufacturer shall design and implement a policy that enables them to alert the relevant market authorities and, by any means available, the product's users in the event that they cease their operations | Article 10(14) of the Regulation | - | |
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Cyber-resilience should be taken into account when designing, developing and producing products with digital elements. | Annex I, Section 1 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
2 | The product should have no known exploitable vulnerability | Annex I, Section 1 §2 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
3 | Manufacturers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the regulation | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
4 | Secure by default configuration | Annex I, Section 1 §3a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
5 | Implement factory reset features | Annex I, Section 1 §3a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
6 | Implement strong authentication protocols (such as N-factor auth) to protect against unauthorized access | Annex I, Section 1 §3b | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
7 | Protect the confidentiality and integrity of users' data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex 1, Section 1 §3d | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
8 | Process only data that is necessary for the intended use of the product or software (similar to GDPR requirement) | Annex I, Section 1 §3e | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
9 | Create resilience against and mitigation of denial of service attacks | Annex I, Section 1 §3f | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
10 | Minimize your own impact on the availability of services provided by other devices or networks. In other words, ensure that your systems cannot be used in a DoS attack | Annex I, Section 1 §3g | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
11 | Design products to limit attack surfaces, including external interfaces. For example: close open ports that should not be open, protect USB ports | Annex I, Section 1 §3h | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
12 | Design products to limit impact of attacks and incidents. For example: auth protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
13 | Record and/or monitor relevant users and network activity. For example: activity/user log | Annex I, Section 1 §3j | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
14 | Automatic security updates for at least 5 years (or lifetime of the product, whichever is shorter), except for products primarily intended to be integrated into components of other products, or devices for which users would not ‘reasonably expect’ automatic updates | Annex I, Section 1 §3k and article 10(5) of the Regulation and Swedish update | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
16 | Creation of a Software Bill of Materials | Annex I, Section 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
17 | Identification of vulnerabilities and documentation writing (including through the SBOM) | Annex I, Section 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
18 | Ability to provide free automatic security updates and alert the end-user that a security update is available/was executed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
19 | Design and implement a policy for regular testing and reviews of the security of the product | Annex I, Section 2 §3 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
20 | Design and implement a policy for the creation of security update release notes that will be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
22 | Create a contact address for the third-party reporting of vulnerabilities discovered in your product | Annex I, Section 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
23 | Design and implement a policy for the third-party sharing of information about vulnerabilities in your product, including the contact address | Annex I, Section 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
24 | Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series production to remain in conformity. | Article 10(9) of the Regulation | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regard to the quality system. | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | The name, registered trade mark (or trade name), a contact postal address and email address must be printed on the product or, if not possible, on its packaging or accompanying document | Annex II, Section 1 | self-written | |
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
27 | The product must be delivered with a type, batch, version or serial number (or other element allowing its identification) | Annex II, Section 3 | self-written | |
28 | The intended use, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
30 | A link to the software bill of materials must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 6 | self-written | |
31 | A link to the EU declaration of conformity must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 7 | self-written | |
32 | The type of technical and security support and time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
33 | Detailed instructions or a link to the detailed instructions on necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
34 | Detailed instructions or a link to the detailed instructions on how changes to the product can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
35 | Detailed instructions or a link to the detailed instructions on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
36 | Detailed instructions or a link to the detailed instructions on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
37 | The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter's identification number | Annex VI, module H, section 5.1 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | The EU declaration of conformity must contain the name, type and any unique identifying information of the product (including a photograph if appropriate) allowing its traceability. It must also include the specific product model for which it has been drawn up. | Annex IV, Section 1 and Annex IV, Section 4 and Annex VI, module H, section 5.2 | Self-written | |
39 | The EU declaration of conformity must contain the name and address of the manufacturer or his authorised representative | Annex IV, Section 2 | self-written | |
40 | The declaration must contain a statement that it is issued under the sole responsibility of the provider | Annex IV, Section 3 | self-written | |
41 | The declaration must contain a statement that it is in conformity with the relevant Union harmonisation legislation | Annex IV, Section 5 | self-written | |
42 | The declaration must reference any relevant harmonised standards used or related certification to which conformity is declared. | Annex IV, Section 6 | self-written | |
43 | Where applicable (such as Class I and II products), the name and number of the notified body, description of the conformity assessment procedure performed and ID of the issued certificate must be referenced. | Annex IV, Section 7 | self-written | |
44 | The declaration can contain additional information if relevant | Annex IV, Section 8 | self-written | |
45 | The declaration must be signed for and on behalf of the manufacturer, designated by its trademark, done at (location) and dated. | Annex IV | self-written | |
46 | The declaration must be signed by an authorised representative, designated by name and function | Annex IV and article 12(1) of the Regulation | self-written | |
47 | The EU declaration of conformity must be created for each product and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
48 | The technical documentation must contain a general description of the product. | Annex V, Section 1 | assessed by notified body | |
49 | The general description must include the product's intended purpose | Annex V, Section 1 §a | assessed by notified body | |
50 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | assessed by notified body | |
51 | For hardware products, the general description must include photographs or illustrations detailing external features, marking and internal layout | Annex V, Section 1 §c | assessed by notified body | |
52 | The general description must include the information described in Annex II (manufacturer's name, registered trademark, contact info - general and for cybersecurity risk reporting -, type, batch, version or serial number of the product, technical and security support provided, how to safely commission and decommission the product, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | assessed by notified body | |
53 | The technical documentation must contain a description of the design and development of the product, including drawings and diagrams (if applicable), and/or a description of the system architecture. | Annex V, Section 2 §a | assessed by notified body | |
54 | The technical description must contain complete information on vulnerability handling processes and disclosure policy, software bill of materials, contact address for the reporting of vulnerabilities and how updates are securely distributed. | Annex V, Section 2 §b and Section 7 | assessed by notified body | |
55 | The technical description must contain complete information and specifications of the production and monitoring processes of the product, including validation of these processes | Annex V, Section 2 §c | assessed by notified body | |
56 | The technical description must contain an assessment of cybersecurity risks against which the product is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | assessed by notified body | |
57 | If the product also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and how they have been applied to the product; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | assessed by notified body | |
58 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the product and vulnerability handling processes, in reference to Sections 1 and 2 of Annex I. If an essential requirement does not apply to a particular product, the manufacturer must include a justification in the cybersecurity risk assessment in the technical documentation | Annex V, Section 5 and Annex I, Sections 1 and 2 and Swedish update | assessed by notified body | |
59 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | assessed by notified body | |
60 | The technical description must be created for each product and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
61 | The manufacturer shall notify any actively exploited vulnerability that they become aware of to the CSIRTs | Article 11(1) of the Regulation | - | |
62 | The manufacturer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to product users, including corrective measures | Article 11(4) of the Regulation | - | |
63 | The manufacturer must design and implement a policy to force a product that is no longer in conformity to become such (including through updates) or withdraw or recall the product, if appropriate | Article 10(12) of the Regulation | - | |
65 | The manufacturer shall design and implement a policy that enables them to alert the relevant market authorities and, by any means available, the product's users in the event that they cease their operations | Article 10(14) of the Regulation | - | |
65 | The manufacturer shall designate an authorised representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
66 | The manufacturer shall lodge an application for assessment of his quality system with the notified body of his choice, for the products concerned. | Annex VI, module H, section 3.1 | - | |
67 | The application shall include name and address of manufacturer and, if applicable, of the authorised representative | Annex VI, module H, section 3.1 | - | |
68 | The application shall include the technical documentation (see annex V) for one model of each category of products | Annex VI, module H, section 3.1 and Annex V | - | |
69 | The application shall include a declaration that the same application has not been made to another body | Annex VI, module H, section 3.1 | - | |
70 | The self-assessed compliance with Annex I, Sections 1 and 2 shall be made with accompanying quality system describing policies, procedures, instructions and tests (including records of test results) set out to meet the requirements of Annex I | Annex VI, module H, section 3.2 | - | |
71 | The application shall include the quality system related to Annex VI, module H, section 3.2 | Annex VI, module H, sections 3.3 and 4.2 | - | |
72 | The quality system shall be maintained throughout the lifetime of the product | Annex VI, module H, section 3.4 | - | |
73 | The manufacturer shall inform the notified body if the quality system changes and may be re-evaluated on the new quality system | Annex VI, module H, section 3.5 | - | |
74 | The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular the quality management system | Annex VI, module H, section 4.2 | - | |
75 | The manufacturer shall keep for at least 10 years after the product has been placed on the market: the technical documentation referred to in 3.1, the quality system documentation (3.1) and its modifications, as approved (3.5), and the decisions and reports of the notified body | Annex VI, module H, section 6 | - | |
76 | The authorised representative may lodge the application provided that they are specified in the mandate. | Annex VI, module H, section 8 | - | |
Companies developing non-critical software can self-assess their compliance with the CRA’s requirements.
You can check the Annex III of the regulation for a list of Critical Products (what the CRA names “critical products with digital elements” encompasses both hardware products and software).
Developers of non-critical software may nonetheless choose to undergo the same assessment process as critical software, wherein compliance with the CRA is assessed by a notified body.
Check the Critical software tab to know more.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates). | ¶21 of the Regulation | software released for testing does not fall under the scope of the CRA - but should be released after a risk assessment has been conducted | |
2 | Cyber-resilience should be taken into account when designing, developing and producing the software | Annex I, Section 1 §1 | self-assessed | |
3 | The software should have no known exploitable vulnerability | Annex I, Section 1 §2 | self-assessed | |
4 | Developers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the regulation | self-assessed | |
5 | Secure by default configuration | Annex I, Section 1 §3a | self-assessed | |
6 | Implement factory reset features | Annex I, Section 1 §3a | self-assessed | |
7 | Implement strong authentication protocols (such as N-factor auth) to protect against unauthorized access | Annex I, Section 1 §3b | self-assessed | |
8 | Protect the confidentiality and integrity of users data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex 1, Section 1 §3d | self-assessed | |
9 | Process only data that is necessary for the intended use of the software (similar to GDPR requirement) | Annex I, Section 1 §3e | self-assessed | |
10 | Create resilience against and mitigation of denial of service attacks | Annex I, Section 1 §3f | self-assessed | |
11 | Minimize your own impact on the availability of services provided by other devices or networks. In other words, ensure that your systems cannot be used in a DoS attack | Annex I, Section 1 §3g | self-assessed | |
12 | Design software to limit impact of attacks and incidents. For example: auth protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | self-assessed | |
13 | Record and/or monitor relevant users and network activity. For example: activity/user log | Annex I, Section 1 §3j | self-assessed | |
14 | Automatic security updates for at least 5 years (or lifetime of the software, whichever is shorter) | Annex I, Section 1 §3k and article 10(5) of the Regulation | self-assessed | |
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | self-assessed | |
16 | Creation of a Software Bill of Materials | Annex I, Section 2 §1 | self-assessed | |
17 | Identification of vulnerabilities and documentation writing (including through the SBOM) | Annex I, Section 2 §1 | self-assessed | |
18 | Ability to provide free automatic security updates and alert the end-user that a security update is available/was executed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | self-assessed | |
19 | Design and implement a policy for regular testing and reviews of the security of the software | Annex I, Section 2 §3 | self-assessed | |
20 | Design and implement a policy for the creation of security update release notes that will be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | self-assessed | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | self-assessed | |
22 | Create a contact address for the third-party reporting of vulnerabilities discovered in your software | Annex I, Section 2 §6 | self-assessed | |
23 | Design and implement a policy for the third-party sharing of information about vulnerabilities in your software, including the contact address | Annex I, Section 2 §6 | self-assessed | |
24 | The CE marking should be affixed to the software | Annex VI, Section 4.1 | if applicable | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | A contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the software developing documentation | Annex II, Section 2 | self-written | |
26 | The software must be delivered with a name, a type and any additional information enabling its identification | Annex II, Section 3 | self-written | |
27 | The intended purpose, essential functionalities and security features/properties provided by the software must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
28 | Any intended use of the software which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
31 | The type of technical and security support and time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
32 | Detailed instructions or a link to the detailed instructions on necessary measures during initial commissioning and throughout the lifetime of the software to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
33 | Detailed instructions or a link to the detailed instructions on how changes to the software can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
34 | Detailed instructions or a link to the detailed instructions on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
35 | Detailed instructions or a link to the detailed instructions on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
36 | The EU declaration of conformity must contain the name, type and any unique identifying information of the software allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | self-written | |
37 | The EU declaration of conformity must contain the name and address of the software developer or his authorised representative | Annex IV, Section 2 | self-written | |
38 | The declaration must contain a statement that it is issued under the sole responsibility of the provider | Annex IV, Section 3 | self-written | |
39 | The declaration must contain a statement that it is in conformity with the relevant Union harmonization legislation | Annex IV, Section 5 | self-written | |
40 | The declaration must reference any relevant harmonized standards used or related certification to which conformity is declared. | Annex IV, Section 6 | self-written | |
41 | Where applicable (such as Class I and II software), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the issued certificate must be referenced. | Annex IV, Section 7 | self-written | |
42 | The declaration can contain additional information if relevant | Annex IV, Section 8 | self-written | |
43 | The declaration must be signed for and on behalf of the software developer, identified by its trademark, and state the place and date of issue. | Annex IV | self-written | |
44 | The declaration must be signed by an authorized representative, designated by name and function | Annex IV and article 12(1) of the Regulation | self-written | |
45 | The EU declaration of conformity and technical description must be created for each software version (provided that a new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
46 | The technical documentation must contain a general description of the software. | Annex V, Section 1 | self-written | |
47 | The general description must include the software's intended purpose | Annex V, Section 1 §a | self-written | |
48 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written | |
49 | The general description must include the information described in Annex II (software developer's name, registered trademark, contact info (general and for cybersecurity risk reporting), type, batch, version or serial number of the software, technical and security support provided, how to safely commission and decommission the software, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written | |
50 | The technical documentation must contain a description on the design and development of the software including drawings and schemes (if applicable) and/or description of the system architecture | Annex V, Section 2 §a | self-written | |
51 | The technical description must contain complete information on vulnerability handling processes and disclosure policy, software bill of materials, contact address for the reporting of vulnerabilities and how updates are securely distributed. | Annex V, Section 2 §b and Section 7 | self-written | |
52 | The technical description must contain complete information and specifications of the development and monitoring processes of the software, including validation of these processes | Annex V, Section 2 §c | self-written | |
53 | The technical description must contain an assessment of cybersecurity risks against which the software is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written | |
54 | If the software also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and state how they have been applied to the software; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | self-written | |
55 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the software and vulnerability handling processes, in reference to Sections 1 and 2 of Annex I | Annex V, Section 5 and Annex I, Sections 1 and 2 | self-written | |
56 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | self-written | |
57 | The technical description must be created for each software version (provided that a new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
58 | The software developer must design and implement a policy for the reporting of vulnerabilities and breaches to the relevant authorities within 24 hours of their discovery | Article 11(1) of the Regulation | self-written | |
59 | The software developer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to software users, including corrective measures | Article 11(4) of the Regulation | self-written | |
60 | The software developer must design and implement a policy to bring software that is no longer in conformity back into conformity (including through updates) or to withdraw the software from the market, if appropriate | Article 10(12) of the Regulation | self-written | |
61 | The software developer shall design and implement a policy that enables him to alert the relevant market authorities and, by any means available, the software users in the event that he ceases operations | Article 10(14) of the Regulation | self-written | |
62 | The software developer shall designate an authorized representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
Software companies developing critical software need to go through an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.
You can check the Annex III of the regulation for a list of Critical Products (what the CRA names “critical products with digital elements” encompasses both hardware products and software).
These software companies will need to go through Module H, a CRA assessment path in which the notified body assesses the company's quality system: the written record of the processes and procedures the software company follows to ensure that the software meets the requirements of the CRA.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates). | ¶21 of the Regulation | software released for testing does not fall under the scope of the CRA, but should be released only after a risk assessment has been conducted | |
2 | Cyber-resilience should be taken into account when designing, developing and producing the software | Annex I, Section 1 §1 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
3 | The software should have no known exploitable vulnerability | Annex I, Section 1 §2 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
4 | Developers shall exercise due diligence when integrating components sourced from third parties | Article 10(4) of the regulation | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.3 | |
5 | Secure by default configuration | Annex I, Section 1 §3a | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
6 | Implement a possibility to reset the product to its original state | Annex I, Section 1 §3a | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
7 | Implement strong authentication protocols (such as N-factor auth) to protect against unauthorised access | Annex I, Section 1 §3b | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
8 | Protect the confidentiality and integrity of users data (including personal data) using tools such as encryption mechanisms, access control protocols, etc. | Annex I, Section 1 §3c and Annex 1, Section 1 §3d | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
9 | Process only data that is necessary for the intended use of the software (similar to GDPR requirement) | Annex I, Section 1 §3e | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
10 | Create resilience against and mitigation of denial of service attacks | Annex I, Section 1 §3f | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
11 | Minimize your own impact on the availability of services provided by other devices or networks. In other words, ensure that your systems cannot be used in a DDoS attack | Annex I, Section 1 §3g | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
12 | Design software to limit impact of attacks and incidents. For example: auth protocols, user roles with different privileges, incident response plans | Annex I, Section 1 §3i | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
13 | Record and/or monitor relevant users and network activity. For example: activity/user log | Annex I, Section 1 §3j | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
14 | Automatic security updates for at least 5 years (or lifetime of the software, whichever is shorter) | Annex I, Section 1 §3k and article 10(5) of the Regulation | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
15 | Automatic user notification of vulnerabilities and security updates | Annex I, Section 1 §3k | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
16 | Creation of a Software Bill of Materials | Annex I, Section 2 §1 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
17 | Identification of vulnerabilities and documentation writing (including through the SBOM) | Annex I, Section 2 §1 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
18 | Ability to provide free automatic security updates and alert the end-user that a security update is available/was executed on their device | Annex I, Section 2 §2, Section 2 §7 and Section 2 §8 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
19 | Design and implement a policy for regular testing and reviews of the security of the software | Annex I, Section 2 §3 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
20 | Design and implement a policy for the creation of security update release notes that will be issued every time a security update is released | Annex I, Section 2 §4 and Section 2 §8 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
21 | Put in place and enforce a policy on coordinated vulnerability disclosure | Annex I, Section 2 §5 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
22 | Create a contact address for the third-party reporting of vulnerabilities discovered in your software | Annex I, Section 2 §6 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
23 | Design and implement a policy for the third-party sharing of information about vulnerabilities in your software, including the contact address | Annex I, Section 2 §6 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
24 | The CE marking and notified body ID number (module H) should be affixed to the software | Annex VI, Section 4.1 | if applicable | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | A contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the software developing documentation | Annex II, Section 2 | self-written | |
26 | The software must be delivered with a name, a type and any additional information enabling its identification | Annex II, Section 3 | self-written | |
27 | The intended purpose, essential functionalities and security features/properties provided by the software must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
28 | Any intended use of the software which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
31 | The type of technical and security support and time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
32 | Detailed instructions or a link to the detailed instructions on necessary measures during initial commissioning and throughout the lifetime of the software to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
33 | Detailed instructions or a link to the detailed instructions on how changes to the software can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
34 | Detailed instructions or a link to the detailed instructions on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
35 | Detailed instructions or a link to the detailed instructions on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
36 | The EU declaration of conformity must contain the name, type and any unique identifying information of the software allowing its traceability | Annex IV, Section 1 and Annex IV, Section 4 | self-written | |
37 | The EU declaration of conformity must contain the name and address of the software developer or his authorised representative | Annex IV, Section 2 | self-written | |
38 | The declaration must contain a statement that it is issued under the sole responsibility of the provider | Annex IV, Section 3 | self-written | |
39 | The declaration must contain a statement that it is in conformity with the relevant Union harmonization legislation | Annex IV, Section 5 | self-written | |
40 | The declaration must reference any relevant harmonized standards used or related certification to which conformity is declared. | Annex IV, Section 6 | self-written | |
41 | Where applicable (such as Class I and II software), the name and number of the notified body, a description of the conformity assessment procedure performed and the ID of the issued certificate must be referenced. | Annex IV, Section 7 | self-written | |
42 | The declaration can contain additional information if relevant | Annex IV, Section 8 | self-written | |
43 | The declaration must be signed for and on behalf of the software developer, identified by its trademark, and state the place and date of issue. | Annex IV | self-written | |
44 | The declaration must be signed by an authorized representative, designated by name and function | Annex IV and article 12(1) of the Regulation | self-written | |
45 | The EU declaration of conformity and technical description must be created for each software version (provided that a new version introduces substantial changes) and kept for 10 years after it has been placed on the market | Annex VI, Section 4.2 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
46 | The technical documentation must contain a general description of the software. | Annex V, Section 1 | self-written, assessed by notified body | |
47 | The general description must include the software's intended purpose | Annex V, Section 1 §a | self-written, assessed by notified body | |
48 | The general description must include the versions of software affecting compliance with the essential requirements of the CRA | Annex V, Section 1 §b | self-written, assessed by notified body | |
49 | The general description must include the information described in Annex II (software developer's name, registered trademark, contact info (general and for cybersecurity risk reporting), type, batch, version or serial number of the software, technical and security support provided, how to safely commission and decommission the software, how to install security updates) | Annex V, Section 1 §d and the whole of Annex II | self-written, assessed by notified body | |
50 | The technical documentation must contain a description on the design and development of the software including drawings and schemes (if applicable) and/or description of the system architecture | Annex V, Section 2 §a | self-written, assessed by notified body | |
51 | The technical description must contain complete information on vulnerability handling processes and disclosure policy, software bill of materials, contact address for the reporting of vulnerabilities and how updates are securely distributed. | Annex V, Section 2 §b and Section 7 | self-written, assessed by notified body | |
52 | The technical description must contain complete information and specifications of the development and monitoring processes of the software, including validation of these processes | Annex V, Section 2 §c | self-written, assessed by notified body | |
53 | The technical description must contain an assessment of cybersecurity risks against which the software is designed, developed, produced, delivered and maintained | Annex V, Section 3 and Article 10 of the Regulation | self-written, assessed by notified body | |
54 | If the software also falls under the purview of other EU regulations or harmonised standards, the technical description must contain a reference to them and state how they have been applied to the software; if they have not been applied, what other solutions and measures have been implemented to meet the CRA's own standards; and if they have been partly applied, which parts of these standards or regulations have been applied | Annex V, Section 4 and Article 19 and Article 18(3) of the Regulation | self-written, assessed by notified body | |
55 | The technical description should contain a description and reports of the tests carried out to verify the conformity of the software and vulnerability handling processes, in reference to Sections 1 and 2 of Annex I | Annex V, Section 5 and Annex I, Sections 1 and 2 | self-written, assessed by notified body | |
56 | The technical description must contain a copy of the EU declaration of conformity | Annex V, Section 6 and Annex IV | self-written, assessed by notified body | |
57 | The CE marking and notified body ID number (module H) should be affixed to the software | Annex VI, Section 4.1 | if applicable, assessed by notified body | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
58 | The software developer must design and implement a policy for the reporting of vulnerabilities and breaches to the relevant authorities within 24 hours of their discovery | Article 11(1) of the Regulation | self-written | |
59 | The software developer must design and implement a policy for the reporting, without undue delay, of vulnerabilities and breaches to software users, including corrective measures | Article 11(4) of the Regulation | self-written | |
60 | The software developer must design and implement a policy to bring software that is no longer in conformity back into conformity (including through updates) or to withdraw the software from the market, if appropriate | Article 10(12) of the Regulation | self-written | |
61 | The software developer shall design and implement a policy that enables him to alert the relevant market authorities and, by any means available, the software users in the event that he ceases operations | Article 10(14) of the Regulation | self-written | |
62 | The software developer shall designate an authorized representative with a mandate enabling them to fulfil the requirements set out in point 4 | Annex VI, Module A, Section 5 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
63 | The software developer shall lodge an application for assessment of his quality system with the notified body of his choice, for the software concerned. | Annex VI, module H, section 3.1 | - | |
64 | The application shall include name and address of software developer and, if applicable, of the authorised representative | Annex VI, module H, section 3.1 | - | |
65 | The application shall include the technical documentation (see annex V) for each software version. | Annex VI, module H, section 3.1 and Annex V | - | |
66 | The application shall include a declaration that the same application has not been made to another body | Annex VI, module H, section 3.1 | - | |
67 | The self-assessed compliance with Annex I, Sections 1 and 2 shall be accompanied by a quality system describing the policies, procedures, instructions and tests (including records of test results) set out to meet the requirements of Annex I | Annex VI, module H, section 3.2 | - | |
68 | The application shall include the quality system related to Annex VI, module H, section 3.2 | Annex VI, module H, sections 3.3 and 4.2 | - | |
69 | The quality system shall be maintained through the lifetime of the software | Annex VI, module H, section 3.4 | - | |
70 | The software developer shall inform the notified body of any change to the quality system; the notified body may re-evaluate the modified quality system | Annex VI, module H, section 3.5 | - | |
71 | The software developer shall keep for at least 10 years after the software has been placed on the market: the technical documentation referred to in 3.1, the quality system documentation (3.1) and its modifications, as approved (3.5), and the decisions and reports of the notified body | Annex VI, module H, section 6 | - | |
72 | The authorized representative may lodge the application provided that this is specified in the mandate. | Annex VI, module H, section 8 | - | |
ID | Requirement | Reference | Check |
---|---|---|---|
1 | When placing a product on the EU market, distributors shall neither use their own name or trademark, nor substantially modify the CRA-compliant product. Doing either would have them considered as "manufacturers" under the CRA, with corresponding requirements. | article 15 of the Regulation | |
2 | Importers shall only place on the market products with digital elements that comply with the essential requirements set out in Section 1 of Annex I and where the processes put in place by the manufacturer are compliant with the essential requirements set out in Section 2 of Annex I (i.e. CRA compliant) | article 13(1) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
3 | Before placing a product with digital elements on the market, importers shall ensure that: | article 13(2) of the Regulation | |
4 | the appropriate conformity assessment procedures referred to in Article 24 have been carried out by the manufacturer; | article 13(2)a of the Regulation | |
5 | the manufacturer has drawn up the technical documentation; | article 13(2)b of the Regulation | |
6 | the product with digital elements bears the CE marking referred to in Article 22 and is accompanied by the information and instructions for use as set out in Annex II. | article 13(2)c of the Regulation | |
7 | Importers shall indicate their name, registered trade name or registered trademark, the postal address and the email address at which they can be contacted on the product with digital elements or, where that is not possible, on its packaging or in a document accompanying the product with digital elements. | article 13(4) of the Regulation | |
8 | Importers shall ensure that the product with digital elements is accompanied by the instructions and information set out in Annex II in a language which can be easily understood by users and market surveillance authorities. | article 13(5) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
9 | Importers must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶ 55 of the Regulation | |
10 | Where an importer has reason to believe that a product is not in conformity with the essential requirements of the CRA, the importer shall not place the product on the market until that product has been brought into conformity. | article 13(3) of the Regulation | |
11 | Furthermore, where the product with digital elements presents a significant cybersecurity risk, the importer shall inform the manufacturer and the market surveillance authorities to that effect. | article 13(3) of the Regulation | |
12 | Importers who have reason to believe that a product which they have placed on the market, is not in conformity with the CRA shall immediately take the corrective measures necessary to bring that product into conformity, or to withdraw or recall the product, if appropriate. | article 13(6) of the Regulation | |
13 | Importers shall, for ten years after the product has been placed on the market, keep a copy of the EU declaration of conformity and technical documentation at the disposal of the market surveillance authorities. | article 13(7) of the Regulation | |
14 | Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with the CRA in a language that can be easily understood by that authority. | article 13(8) of the Regulation | |
15 | When the importer of a product with digital elements becomes aware that the manufacturer of that product ceased its operations, it shall inform the relevant market surveillance authorities about this situation. | article 13(9) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
1 | When placing a product on the EU market, distributors shall neither use their own name or trademark, nor substantially modify the CRA-compliant product. Doing either would have them considered as "manufacturers" under the CRA, with corresponding requirements. | article 15 of the Regulation | |
2 | When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements of this Regulation. | article 14(1) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
3 | Before making a product with digital elements available on the market, distributors shall verify that: | article 14(2) of the Regulation | |
4 | the product with digital elements bears the CE marking; | article 14(2)a of the Regulation | |
5 | the manufacturer and the importer have complied with the obligations set out respectively in Articles 10(10), 10(11) and 13(4) (i.e. the general documentation and the EU declaration of conformity, see the manufacturers' checklists, and the contact information of the importer shall be distributed with the product). | article 14(2)b of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
6 | Distributors must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶ 55 of the Regulation | |
7 | When an distributor has reason to believe that a product is not in conformity with the essential requirements of the CRA, it shall not place the product on the market until that product has been brought into conformity. | article 14(3) of the Regulation | |
8 | Furthermore, when the product with digital elements presents a significant cybersecurity risk, the distributor shall inform the manufacturer. | article 14(3) of the Regulation | |
9 | Distributors who have reason to believe that a product which they have placed on the market, is not in conformity with the CRA shall immediately take the corrective measures necessary to bring that product into conformity, or to withdraw or recall the product, if appropriate. | article 14(4) of the Regulation | |
10 | Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with the CRA in a language that can be easily understood by that authority. | Core proposal - article 14(5) | |
11 | When the distributor becomes aware that the manufacturer ceased its operations, it shall inform the relevant market surveillance authorities about this situation. | Core proposal - article 14(6) | |
12 | When the distributor becomes aware that the manufacturer ceased its operations, it shall inform, by any means available and to the extent possible, the users of the products placed on the market. | Core proposal - article 14(6) |
ID | Requirement | Reference | Check |
---|---|---|---|
1 | Resellers (or other economic actors that are neither the manufacturer, nor the importer or distributor) shall not substantially modify a CRA-compliant product. | article 16 of the Regulation | |
2 | If they were to substantially modify a CRA-compliant product, they would be subject to Articles 10 and 11(1), (1a), (2), (2a), (2b), 2(aaaa), (4) and (7), for the part of the product that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product. | article 16 of the Regulation | |
3 | Resellers (or other economic actors that are neither the manufacturer, nor the importer or distributor) must be willing to fully cooperate with market surveillance authorities and other competent authorities. | ¶ 55 of the Regulation | |
4 | They shall be able to provide to the market surveillance authorities the name and address of any economic operator who has supplied them with a product with digital elements; | article 17(1)a of the Regulation | |
5 | They shall be able to provide to the market surveillance authorities the name and address of any economic operator to whom they have supplied a product with digital elements; | article 17(1)b of the Regulation | |
6 | They shall keep a record of the information referred to in paragraph 1 for ten years after they have been supplied with the product with digital elements. | article 17(2) of the Regulation | |