Protect your data, get rid of vulnerabilities and prepare against threats: take the Cyber Resilience Act compliance checklist to verify whether your company, product or software is CRA ready!
Identify any requirements that are still missing so you can take swift action and be ready on time.
Manufacturers of products not classified as Critical Products or Important Products Class II can self-assess their compliance with the CRA’s requirements.
You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.
Manufacturers of Important Products Class I who either conform fully to a harmonised standard, conform to common specifications or hold a European cybersecurity certificate can also self-assess their compliance with the CRA’s requirements.
⚠️ Manufacturers of Important Products Class I who have not applied, or have applied only in part, harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third-party assessment (see the “Important and Critical Products” tab).
In addition, manufacturers of non-Important Products may choose to undergo the same assessment process as Important Products, in which compliance with the CRA is assessed by a notified body. In that case, they will need to select between two main modules, which are described in the Important Products tab and whose requirements differ from those described below.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | Recital (56) | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | Self-assessment | |
8 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Self-assessment | |
9 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market with a secure by default configuration, (unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements), including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Self-assessment | |
10 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | Self-assessment | |
11 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Self-assessment | |
12 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | Self-assessment | |
13 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Self-assessment | |
14 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Self-assessment | |
15 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Self-assessment | |
16 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks (e.g: by monitoring external connections and open ports) | Annex I, Section 1 §2i | Self-assessment | |
17 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces (e.g: by closing external ports) | Annex I, Section 1 §2j | Self-assessment | |
18 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques (e.g: by isolating the compromised device from the network) | Annex I, Section 1 §2k | Self-assessment | |
19 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Self-assessment | |
20 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2m | Self-assessment | |
21 | Manufacturers of products with digital elements shall: (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Self-assessment | |
22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | Self-assessment | |
23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | Self-assessment | |
24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Self-assessment | |
25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | Self-assessment | |
26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Self-assessment | |
27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Self-assessment | |
28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Self-assessment | |
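Row 21 (Annex I, Section 2 §1) is the one requirement in this table that can be checked mechanically before a self-assessment is signed off: the SBOM must be machine-readable and must name at least the product's top-level dependencies. The script below is an added example for this checklist (it is not code from the Regulation or from any vendor) that applies that test to a CycloneDX JSON document. The field names it reads (bomFormat, metadata.component, components, dependencies/dependsOn, purl) are those of the CycloneDX JSON schema; the two sample SBOMs, the product name and the dependency versions are constructed for illustration. The second sample shows the common failure mode of a generator that emits a flat component list without a dependency graph, which leaves the "top-level dependencies" criterion unmet even though every component is listed.

```python
"""Check that a CycloneDX-style SBOM names at least the top-level dependencies
of the product it describes (CRA Annex I, Section 2 §1).

Added example for the checklist; not code from the Regulation or any vendor.
Both sample SBOMs below are constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Constructed sample 1: complete SBOM with a dependency graph rooted at the product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "application", "bom-ref": "pkg:generic/example-gateway@2.1.0",
                      "name": "example-gateway", "version": "2.1.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "pkg:pypi/cryptography@42.0.5", "name": "cryptography",
         "version": "42.0.5", "purl": "pkg:pypi/cryptography@42.0.5"},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.2.1", "name": "urllib3",
         "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-gateway@2.1.0",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/cryptography@42.0.5"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]},
    ],
})

# Constructed sample 2: same components, but the generator emitted no dependency
# graph, so nothing says which components are the product's direct dependencies.
SAMPLE_SBOM_INCOMPLETE = json.dumps({
    **json.loads(SAMPLE_SBOM),
    "dependencies": [],
})

# Loose shape check for a package URL: type/name@version is enough for
# vulnerability matching against advisory feeds.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/.+@.+")


def check_sbom(sbom_json: str) -> Dict[str, object]:
    """Return the product ref, its top-level dependency refs and a list of findings.

    An empty findings list means the SBOM identifies the product, lists its
    direct dependencies, and each of those is a declared component with a
    name, a version and a usable purl.
    """
    sbom = json.loads(sbom_json)
    findings: List[str] = []

    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    # The product itself must be identified so the graph has a root.
    root = sbom.get("metadata", {}).get("component", {})
    root_ref = root.get("bom-ref")
    if not root_ref:
        findings.append("metadata.component has no bom-ref: the product itself is not identified")

    by_ref = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    deps = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    # Top-level dependencies are the root's direct edges in the dependency graph.
    top_level = deps.get(root_ref, [])
    if root_ref and not top_level:
        findings.append("no dependencies entry for the root component: top-level dependencies are missing")

    for ref in top_level:
        comp = by_ref.get(ref)
        if comp is None:
            findings.append(f"dependency {ref} is not declared in components")
            continue
        for key in ("name", "version"):
            if not comp.get(key):
                findings.append(f"{ref} lacks {key}")
        if not PURL_RE.match(comp.get("purl", "")):
            findings.append(f"{ref} has no usable purl (needed for vulnerability matching)")

    return {"product": root_ref, "top_level": sorted(top_level), "findings": findings}


if __name__ == "__main__":
    for label, doc in (("complete", SAMPLE_SBOM), ("incomplete", SAMPLE_SBOM_INCOMPLETE)):
        result = check_sbom(doc)
        print(label, result["top_level"], result["findings"])
```

Run it against the SBOM your build pipeline actually produces (for example `cyclonedx-bom` output for a Python project) and keep the result with the technical documentation; a non-empty findings list is a reason to fix the generator configuration, not to hand-edit the SBOM.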
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
29 | At minimum, the product with digital elements shall be accompanied by: 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | self-written | |
30 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | self-written | |
31 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | self-written | |
32 | the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | self-written | |
33 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | self-written | |
34 | where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | self-written | |
35 | the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex II, §7 | self-written | |
36 | detailed instructions or an internet address referring to such detailed instructions and information on: (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8a | self-written | |
37 | how changes to the product with digital elements can affect the security of data; | Annex II, §8b | self-written | |
38 | how security-relevant updates can be installed; | Annex II, §8c | self-written | |
39 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8d | self-written | |
40 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, §8e | self-written | |
41 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8f | self-written | |
42 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
43 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
44 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
45 | A statement that the EU declaration of conformity is issued under the sole responsibility of the manufacturer; | Annex V, Section 3 | self-written | |
46 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
47 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
48 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | if applicable | |
49 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | - | |
50 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
51 | The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: 1. a general description of the product with digital elements, including: (a) its intended purpose; | Annex VIII, Section 1 §a | self-written | |
52 | versions of software affecting compliance with essential requirements; | Annex VIII, Section 1 §b | self-written | |
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VIII, Section 1 §c | self-written | |
54 | user information and instructions as set out in Annex II; | Annex VIII, Section 1 §d | self-written | |
55 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VIII, Section 2 §a | self-written | |
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VIII, Section 2 §b | self-written | |
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VIII, Section 2 §c | self-written | |
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VIII, Section 3 | self-written | |
59 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VIII, Section 4 | self-written | |
60 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 in accordance with Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VIII, Section 5 | self-written | |
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VIII, Section 6 | self-written | |
62 | a copy of the EU declaration of conformity; | Annex VIII, Section 7 | self-written | |
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VIII, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | - | |
66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | - | |
67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation | - | |
Manufacturers of Important Products Class II and Class I (if their products do not fully conform to harmonised standards or common specifications, or have not been certified under a European cybersecurity certification scheme) need to go through an external assessment process conducted by a notified body, which is responsible for verifying the compliance of the products with the requirements of the CRA.
⚠️ As of March 2024, no notified body has been announced.
You can check Annex III of the Regulation for a list of Important Products.
Manufacturers of Critical Products could be required in the future to obtain a European cybersecurity certificate instead of undergoing the CRA’s dedicated assessment modules (see below), according to Article 8(1). However, as of March 2024, the Commission has not yet adopted the delegated acts needed to determine which products are concerned and which certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products follow the same conformity assessment procedures as Important Products.
⚠️ Once delegated acts are published and more is known about these certification schemes, this web page will be updated.
You can check Annex IV of the Regulation for a list of Critical Products.
Manufacturers of Important and Critical Products can freely choose between two paths for the assessment of their products: module B (or module B + module C) and module H.
Module H is the more rigorous path: the notified body assesses a quality system, that is, a written record of the processes and procedures the manufacturer follows to ensure that the product meets the requirements of the CRA.
Module B does not mandate a quality system; instead, a specimen of the product is examined by the notified body during the assessment. Once a product type has been examined under module B, production units of that type can be declared conformant through module C, a path that does not require a new assessment by a notified body.
Hence, while module B focuses on the product itself, module H looks at the manufacturer’s processes (i.e. the quality system) as the basis for compliance with the CRA.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | Recital (56) | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | Assessed by notified body | |
8 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Assessed by notified body | |
9 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Assessed by notified body | |
10 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | Assessed by notified body | |
11 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Assessed by notified body | |
12 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | Assessed by notified body | |
13 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Assessed by notified body | |
14 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Assessed by notified body | |
15 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Assessed by notified body | |
16 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | Assessed by notified body | |
17 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | Assessed by notified body | |
18 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | Assessed by notified body | |
19 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Assessed by notified body | |
20 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner | Annex I, Section 1 §2m | Assessed by notified body | |
21 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Assessed by notified body | |
22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | Assessed by notified body | |
23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §2, Section 2 §7 and Section 2 §3 | Assessed by notified body | |
24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Assessed by notified body | |
25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §4 and Section 2 §5 | Assessed by notified body | |
26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Assessed by notified body | |
27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that ▌ vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Assessed by notified body | |
28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Assessed by notified body | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
29 | At a minimum, the product with digital elements shall be accompanied by: 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | self-written | |
30 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | self-written | |
31 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | self-written | |
32 | the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties; | Annex II, §4 | self-written | |
33 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | self-written | |
34 | where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | self-written | |
35 | the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex II, §7 | self-written | |
36 | detailed instructions or an internet address referring to such detailed instructions and information on: (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8a | self-written | |
37 | how changes to the product with digital elements can affect the security of data; | Annex II, §8b | self-written | |
38 | how security-relevant updates can be installed; | Annex II, §8c | ||
39 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8d | ||
40 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, §8e | ||
41 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8f | ||
42 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
43 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
44 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
45 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
46 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
47 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
48 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | if applicable | |
49 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | - | |
50 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
51 | a general description of the product with digital elements, including: (a) its intended purpose | Annex VII, Section 1 §a | assessed by notified body | |
52 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | assessed by notified body | |
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout | Annex VII, Section 1 §c | assessed by notified body | |
54 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | assessed by notified body | |
55 | necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | assessed by notified body | |
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | assessed by notified body | |
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | assessed by notified body | |
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | assessed by notified body | |
59 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | assessed by notified body | |
60 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | assessed by notified body | |
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | assessed by notified body | |
62 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | assessed by notified body | |
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | - | |
66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | - | |
67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
72 | The manufacturer shall lodge an application for EU-type examination with a single notified body | Annex VIII, module B, Section 3 | - | |
73 | The application shall include name and address of manufacturer and, if applicable, of the authorised representative | Annex VIII, module B, Section 3 | - | |
74 | The application shall include a declaration that the same application has not been made for another body | Annex VIII, module B, Section 3 | - | |
75 | The application shall include the technical description | Annex VIII, module B, Section 3 | - | |
76 | The application shall include the supporting evidence for adequacy, including testing, if applicable | Annex VIII, module B, Section 3 | - | |
77 | The application must include specimens of the product for further testing by the notified body | Annex VIII, module B, Section 2 | - | |
78 | The manufacturer shall inform the notified body of all modifications to the approved product and vulnerability handling processes that may affect the conditions for validity of the certificate | Annex VIII, module B, Section 7 | - | |
79 | The manufacturer shall keep a copy of the examination certificate, annexes and additions provided by the notified body for 10 years after the product has been placed on the market. | Annex VIII, module B, Section 9 | - | |
80 | The authorised representative may lodge the application provided that they are specified in the mandate. | Annex VIII, module B, Section 10 | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
7 | Cyber-resilience should be taken into account when designing, developing and producing products with digital elements | Annex I, Section 1 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
8 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
9 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
10 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
11 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
12 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means; | Annex I, Section 1 §3c and Annex I, Section 1 §2e | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
13 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
14 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
15 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
16 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
17 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
18 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
19 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
20 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner; | Annex I, Section 1 §2m | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
21 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B) | |
22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | Assessed by notified body | |
23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §2 | Assessed by notified body | |
24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Assessed by notified body | |
25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | Assessed by notified body | |
26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Assessed by notified body | |
27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Assessed by notified body | |
28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Assessed by notified body | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
37 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
38 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
39 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
40 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
41 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
42 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written | |
43 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written | |
44 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
51 | The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: 1. a general description of the product with digital elements, including: (a) its intended purpose; | Annex VIII, Section 1 §a | self-written | |
52 | versions of software affecting compliance with essential requirements; | Annex VIII, Section 1 §b | self-written | |
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VIII, Section 1 §c | self-written | |
54 | user information and instructions as set out in Annex II; | Annex VIII, Section 1 §d | self-written | |
55 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VIII, Section 2 §a | self-written | |
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VIII, Section 2 §b | self-written | |
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VIII, Section 2 §c | self-written | |
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VIII, Section 3 | self-written | |
59 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VIII, Section 4 | self-written | |
60 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VIII, Section 5 | self-written | |
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VIII, Section 6 | self-written | |
62 | a copy of the EU declaration of conformity; | Annex VIII, Section 7 | self-written | |
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VIII, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
64 | A manufacturer shall ▌ notify ▌ any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | - | |
66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | - | |
67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | Recital (56) of the Regulation | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves, and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
8 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
9 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
10 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §3c and Annex 1, Section 1 §2c | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
11 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
12 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
13 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
14 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
15 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
16 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
17 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
18 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
19 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
20 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 2 §2, Section 2 §7 and Section 1 §2m | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
21 | Manufacturers of products with digital elements shall: (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | The name, registered trade mark (or trade name), a contact postal address and email address must be printed on the product or, if not possible, on its packaging or accompanying document | Annex II, Section 1 | self-written | |
26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
27 | The product must be delivered with a type, batch, version or serial number (or other element allowing its identification) | Annex II, Section 3 | self-written | |
28 | The intended use, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
30 | A link to the software bill of materials must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 6 | self-written | |
31 | A link to the EU declaration of conformity must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 7 | self-written | |
32 | The type of technical and security support and time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
33 | Detailed instructions or a link to the detailed instructions on necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
34 | Detailed instructions or a link to the detailed instructions on how changes to the product can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
35 | Detailed instructions or a link to the detailed instructions on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
36 | Detailed instructions or a link to the detailed instructions on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | The EU declaration of conformity referred to in Article 28, shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written | |
44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written | |
45 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
51 | a general description of the product with digital elements, including: (a) its intended purpose | Annex VII, Section 1 §a | assessed by notified body | |
52 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | assessed by notified body | |
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout | Annex VII, Section 1 §c | assessed by notified body | |
54 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | assessed by notified body | |
55 | necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | assessed by notified body | |
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | assessed by notified body | |
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | assessed by notified body | |
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | assessed by notified body | |
59 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | assessed by notified body | |
60 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | assessed by notified body | |
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | assessed by notified body | |
62 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | assessed by notified body | |
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | assessed by notified body | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | - | |
66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | - | |
67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
66 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. | Annex VIII, module H, section 3.1 | - | |
67 | The quality system shall ensure compliance of the products with digital elements with the essential requirements set out in Annex I, Part I, and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Annex I, Part II. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. | Annex VIII, module H, section 3.2 | - | |
68 | The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2. It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification. In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements of this Regulation. The audit shall include an assessment visit to the manufacturer's premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1, second indent, to verify the manufacturer's ability to identify the applicable requirements of this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements. The manufacturer or its authorised representative shall be notified of the decision. The notification shall contain the conclusions of the audit and the reasoned assessment decision. | Annex VIII, module H, section 3.3 | - | |
69 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, module H, section 3.4 | - | |
70 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision. | Annex VIII, module H, section 3.5 | - | |
71 | The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular: - the quality system documentation; - the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests; - the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned. | Annex VIII, module H, section 4.2 | - | |
72 | The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report. | Annex VIII, module H, section 4.3 | - | |
73 | The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter's identification number to each individual product with digital elements that satisfies the requirements set out in Annex I, Part I, to this Regulation. | Annex VIII, module H, section 5.1 | - | |
74 | The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, module H, section 5.2 | - | |
75 | The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities: 6.1 the technical documentation referred to in point 3.1; 6.2 the documentation concerning the quality system referred to in point 3.1; 6.3 the change referred to in point 3.5, as approved; 6.4 the decisions and reports of the notified body referred to in points 3.5 and 4.3. | Annex VI, module H, section 6 | - | |
76 | The manufacturer's obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that they are specified in the mandate. | Annex VIII, module H, section 8 | - | |
Companies developing software not classified as Critical Products or Important Products Class II can self-assess their software compliance with the CRA’s requirements.
You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.
Companies developing software classified as Important Products Class I that either conform fully to a harmonised standard, conform fully to common specifications or hold a European cybersecurity certification can also self-assess their compliance with the CRA’s requirements.
⚠️ Software developers of Important Products Class I who have not applied, or have applied only in part, harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third-party assessment (see “Important and Critical software tab”).
In any case, software developers of non-Important Products may choose to undergo the same assessment process as Important and Critical Products, wherein compliance with the CRA is assessed by a notified body.
Check the Important and Critical software tab to know more.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | Recital (56) of the Regulation | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves, and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates). | ¶21 of the Regulation | Software released for testing purposes does not fall within the scope of the CRA, but should only be released after a risk assessment has been conducted | |
2 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | self-assessed | |
3 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | self-assessed | |
4 | In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential requirements or other obligations laid down in this Regulation. | Article 25 of the Regulation | self-assessed | |
5 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | self-assessed | |
6 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | self-assessed | |
7 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | self-assessed | |
8 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §3c and Annex I, Section 1 §2e | self-assessed | |
9 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | self-assessed | |
10 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | self-assessed | |
11 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | self-assessed | |
12 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | self-assessed | |
13 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | self-assessed | |
14 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | self-assessed | |
15 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | self-assessed | |
16 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2l | self-assessed | |
17 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | self-assessed | |
18 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | self-assessed | |
19 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | self-assessed | |
20 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §4 and Section 2 §8 | self-assessed | |
21 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | self-assessed | |
22 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, Section 1 | self-written | |
26 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, Section 2 | self-written | |
27 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, Section 3 | self-written | |
28 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, Section 5 | self-written | |
31 | the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use | Annex II, Section 8 §a | self-written | |
32 | how changes to the product with digital elements can affect the security of data; | Annex II, Section 8 §b | self-written | |
33 | how security-relevant updates can be installed; | Annex II, Section 8 §c | self-written | |
34 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, Section 8 §d | self-written | |
37 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, Section 9 §d | self-written | |
35 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, Section 8 §e | | |
36 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, Section 8 §f | | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written | |
44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written | |
45 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
45 | a general description of the product with digital elements, including: (a) its intended purpose; | Annex VII, Section 1 §a | self-written | |
46 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | self-written | |
47 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, Section 1 §c | self-written | |
48 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | self-written | |
49 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | self-written | |
50 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | self-written | |
51 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | self-written | |
52 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | self-written | |
53 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | self-written | |
54 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | self-written | |
55 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | self-written | |
56 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | self-written | |
57 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
58 | Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software. Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form. | Article 24(2) of the Regulation | self-written | |
59 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | self-written | |
60 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | self-written | |
61 | Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community. | Article 24(1) of the Regulation | self-written | |
62 | The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products. | Article 24(3) of the Regulation | - | |
Companies developing software products classified as Important Products Class II, or as Class I where their products do not fully conform to harmonised standards or common specifications and have not been certified under a European cybersecurity certification scheme, need to go through an external assessment process conducted by a notified body, which is responsible for verifying the compliance of the products with the requirements of the CRA.
⚠️ As of March 2024, no notified body has been announced.
You can check Annex III of the Regulation for a list of software classified as Important Products.
Companies developing software products classified as Critical Products could be required in the future to obtain a European cybersecurity certificate instead of undergoing the CRA’s dedicated assessment modules (see below), according to Article 8(1). However, as of March 2024, the Commission has not yet adopted the delegated acts required to determine which products are concerned and which certification scheme must be followed. In the absence of such delegated acts, developers of Critical Products can follow the same certification procedures as Important Products.
⚠️ Once the delegated acts are published and more is known about these certification schemes, this web page will be updated.
You can check Annex IV of the Regulation for a list of software classified as Critical Products.
These software companies will need to go through Module H, a CRA assessment path in which the notified body assesses a quality system: a written record of the processes and procedures the software company follows to ensure that the software meets the requirements of the CRA.
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | self-assessed | |
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | software release for testing does not fall under the scope of the CRA - but should be released after a risk assessment has been conducted | |
2 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
3 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
4 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.3 | |
5 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
6 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
7 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
8 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §3c and Annex I, Section 1 §2g | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
9 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
10 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
11 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §3j | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
12 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
13 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
14 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2m | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
15 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
16 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
17 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
18 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §2, Section 2 §7 and Section 2 §4 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
19 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
20 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §4 and Section 2 §6 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
21 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
22 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
23 | | Annex I, Section 2 §6 | assessed by notified body, clear written policies, procedures and instructions shall be written, with regards to quality system - see Annex VI, module H, section 3.2 | |
24 | | Annex VI, Section 4.1 | if applicable | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
25 | the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, Section 1 | self-written | |
26 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found; | Annex II, Section 2 | self-written | |
27 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, Section 3 | self-written | |
28 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, Section 5 | self-written | |
31 | the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use | Annex II, Section 8 §a | self-written | |
32 | how changes to the product with digital elements can affect the security of data; | Annex II, Section 8 §b | self-written | |
33 | how security-relevant updates can be installed; | Annex II, Section 8 §c | self-written | |
34 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, Section 8 §d | self-written | |
37 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, Section 9 §d | self-written | |
35 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, Section 8 §e | | |
36 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, Section 8 §f | | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
38 | Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written | |
44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written | |
45 | Additional information: Signed for and on behalf of:………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | self-written | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
46 | a general description of the product with digital elements, including: (a) its intended purpose; | Annex VII, Section 1 §a | self-written, assessed by notified body | |
47 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | self-written, assessed by notified body | |
48 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, Section 1 §c | self-written, assessed by notified body | |
49 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | self-written, assessed by notified body | |
50 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | self-written, assessed by notified body | |
51 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | self-written, assessed by notified body | |
52 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | self-written, assessed by notified body | |
53 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | self-written, assessed by notified body | |
54 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | self-written, assessed by notified body | |
55 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | self-written, assessed by notified body | |
56 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | self-written, assessed by notified body | |
57 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | if applicable, assessed by notified body | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
58 | Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software. Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form. | Article 24(2) of the Regulation | self-written | |
59 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | self-written | |
60 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | self-written | |
61 | Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community. | Article 24(1) of the Regulation | self-written | |
62 | The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products. | Article 24(3) of the Regulation | - | |
ID | Requirement | Reference | Comment | Check |
---|---|---|---|---|
63 | Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations laid down in points 2 and 5, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential requirements set out in Annex I, Part I, and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Annex I, Part II. | Annex VIII, module H, section 1 | - | |
64 | Design, development, production and vulnerability handling of products with digital elements: the manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4. | Annex VIII, module H, section 2 | - | |
65 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: - the name and address of the manufacturer and, if the application is lodged by the authorised representative, its name and address as well; - the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII; - the documentation concerning the quality system; and - a written declaration that the same application has not been lodged with any other notified body. | Annex VIII, module H, section 3.1 | - | |
66 | The quality system shall ensure compliance of the products with digital elements with the essential requirements set out in Annex I, Part I, and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Annex I, Part II. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of: - the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling; - the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential requirements set out in Annex I, Part I, that apply to the products with digital elements will be met; - the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential requirements set out in Annex I, Part II, that apply to the manufacturer will be met; - the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered; - the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used; - the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out; - the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned; - the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system. | Annex VIII, module H, section 3.2 | - | |
67 | The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2. It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification. In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements of this Regulation. The audit shall include an assessment visit to the manufacturer's premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1, second indent, to verify the manufacturer's ability to identify the applicable requirements of this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements. The manufacturer or its authorised representative shall be notified of the decision. The notification shall contain the conclusions of the audit and the reasoned assessment decision. | Annex VIII, module H, section 3.3 | - | |
68 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, module H, section 3.4 | - | |
69 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision. | Annex VIII, module H, section 3.5 | - | |
70 | Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted. Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued | Annex VIII, module H, section 7 | - | |
71 | Authorised representative: the manufacturer's obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that they are specified in the mandate. | Annex VIII, module H, section 8 | - | |
As a reminder, the CRA defines importers of products with digital elements as “a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;” article 3(16).
Consequently, importers who import products with digital elements under their own trademarks OR substantially modify a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or the “software developers” tab, whichever fits best.
ID | Requirement | Reference | Check |
---|---|---|---|
1 | Importers shall place on the market only products with digital elements that comply with the essential requirements set out in Annex I, Part I, and where the processes put in place by the manufacturer comply with the essential requirements set out in Annex I, Part II. | article 19(1) of the Regulation | |
2 | Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities. | article 19(4) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
3 | Before making a product with digital elements available on the market, distributors shall verify that: (a) the product with digital elements bears the CE marking; (b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor. | article 20(2) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
10 | Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect. | article 20(3) of the Regulation | |
11 | Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken. | article 20(4) of the Regulation | |
12 | Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market. | article 20(5) of the Regulation | |
13 | Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 20(6) of the Regulation | |
As a reminder, the CRA defines distributors of products with digital elements as “a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;” article 3(17).
Consequently, distributors who distribute products with digital elements under their own trademarks OR substantially modify a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or the “software developers” tab, whichever fits best.
ID | Requirement | Reference | Check |
---|---|---|---|
1 | When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation. | article 20(1) of the Regulation | |
2 | Before making a product with digital elements available on the market, distributors shall verify that: (a) the product with digital elements bears the CE marking; (b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor. | article 20(2) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
6 | Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect. | article 20(3) of the Regulation | |
7 | Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken. | article 20(4) of the Regulation | |
8 | Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market. | article 20(5) of the Regulation | |
9 | Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 20(6) of the Regulation | |
The CRA does not directly define the term “resellers”; instead, we must look at the definition of the term “economic operator”, and specifically at the second half of that definition: “‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products on the market in accordance with this Regulation”; article 3(12).
Resellers who distribute products with digital elements under their own trademarks OR substantially modify a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or the “software developers” tab, whichever fits best.
ID | Requirement | Reference | Check |
---|---|---|---|
1 | A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market, shall be considered to be a manufacturer for the purposes of this Regulation. | article 22(1) of the Regulation | |
2 | That person shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product. | article 22(2) of the Regulation | |
ID | Requirement | Reference | Check |
---|---|---|---|
3 | Economic operators shall, on request, provide the market surveillance authorities with the following information: (a) the name and address of any economic operator who has supplied them with a product with digital elements; (b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements. | article 23(1) of the Regulation | |
4 | Economic operators shall, on request, provide the market surveillance authorities with the following information: (a) the name and address of any economic operator who has supplied them with a product with digital elements; (b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements. | article 23(2) of the Regulation | |
5 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | article 15(1) of the Regulation | |
6 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | article 15(2) of the Regulation | |