Compliance Checklist

Protect your data, get rid of vulnerabilities and prepare against threats: take the Cyber Resilience Act compliance checklist to verify whether your company, product or software is CRA ready!

Identify any requirements that may still be missing, take swift action and be ready on time.

Manufacturers of non-Important Products

Manufacturers of products not classified as Critical Products or Important Products Class II can self-assess their compliance with the CRA’s requirements.

You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.

Manufacturers of Important Products Class I who either conform fully to a harmonised standard, conform to common specifications or hold a European cybersecurity certification can also self-assess their compliance with the CRA’s requirements.

⚠️ Manufacturers of Important Products Class I who have not applied, or have applied only in part, harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third-party assessment (see the “Manufacturers of Important and Critical Products” tab).

In any case, manufacturers of non-Important Products may choose to undergo the same assessment process as Important Products, in which compliance with the CRA is assessed by a notified body. In that case they must choose between two main modules, which are described in the Important and Critical Products tab and whose requirements differ from those described below.

Cybersecurity risk assessment
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the technical documentation. | Article 13(3) of the Regulation | self-assessed | |
| 2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements. | Article 13(3) of the Regulation | self-assessed | |
| 3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see the General requirements table below). | Article 13(3) of the Regulation | self-assessed | |
| 4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see the General requirements table below). | Article 13(3) of the Regulation | self-assessed | |
| 5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
| 6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | self-assessed | |
General requirements
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Section 1 §1 | self-assessment | |
| 8 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market without known exploitable vulnerabilities. | Annex I, Section 1 §2a | self-assessment | |
| 9 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be made available on the market with a secure-by-default configuration (unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements), including the possibility to reset the product to its original state. | Annex I, Section 1 §2b | self-assessment | |
| 10 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe and enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them. | Annex I, Section 1 §2c | self-assessment | |
| 11 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access. | Annex I, Section 1 §2d | self-assessment | |
| 12 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means. | Annex I, Section 1 §2e | self-assessment | |
| 13 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions. | Annex I, Section 1 §2f | self-assessment | |
| 14 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data). | Annex I, Section 1 §2g | self-assessment | |
| 15 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks. | Annex I, Section 1 §2h | self-assessment | |
| 16 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks (e.g. by monitoring external connections and open ports). | Annex I, Section 1 §2i | self-assessment | |
| 17 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces (e.g. by closing external ports). | Annex I, Section 1 §2j | self-assessment | |
| 18 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques (e.g. by isolating the compromised device from the network). | Annex I, Section 1 §2k | self-assessment | |
| 19 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall provide security-related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user. | Annex I, Section 1 §2l | self-assessment | |
| 20 | On the basis of the cybersecurity risk assessment and where applicable, products with digital elements shall provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 2 §2, Section 2 §7 and Section 1 §2m | self-assessment | |
| 21 | Manufacturers of products with digital elements shall: identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products. | Annex I, Section 2 §1 | self-assessment | |
| 22 | In relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates. | Annex I, Section 2 §4 and Section 2 §2 | self-assessment | |
| 23 | Apply effective and regular tests and reviews of the security of the product with digital elements. | Annex I, Section 2 §3 | self-assessment | |
| 24 | Once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch. | Annex I, Section 2 §4 | self-assessment | |
| 25 | Put in place and enforce a policy on coordinated vulnerability disclosure. | Annex I, Section 2 §5 | self-assessment | |
| 26 | Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements. | Annex I, Section 2 §6 | self-assessment | |
| 27 | Provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner. | Annex I, Section 2 §7 | self-assessment | |
| 28 | Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | self-assessment | |
General documentation
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 29 | At minimum, the product with digital elements shall be accompanied by: the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted. | Annex II, §1 | self-written | |
| 30 | The single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer’s policy on coordinated vulnerability disclosure can be found. | Annex II, §2 | self-written | |
| 31 | Name and type and any additional information enabling the unique identification of the product with digital elements. | Annex II, §3 | self-written | |
| 32 | The intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties. | Annex II, §4 | self-written | |
| 33 | Any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks. | Annex II, §5 | self-written | |
| 34 | Where applicable, the internet address at which the EU declaration of conformity can be accessed. | Annex II, §6 | self-written | |
| 35 | The type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates. | Annex II, §7 | self-written | |
| 36 | Detailed instructions, or an internet address referring to such detailed instructions, and information on: (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use. | Annex II, §8a | self-written | |
| 37 | How changes to the product with digital elements can affect the security of data. | Annex II, §8b | self-written | |
| 38 | How security-relevant updates can be installed. | Annex II, §8c | | |
| 39 | The secure decommissioning of the product with digital elements, including information on how user data can be securely removed. | Annex II, §8d | | |
| 40 | How the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off. | Annex II, §8e | | |
| 41 | Where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8f | | |
| 42 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 | | |
EU declaration of conformity
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 43 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: name and type and any additional information enabling the unique identification of the product with digital elements. | Annex V, Section 1 | self-written | |
| 44 | Name and address of the manufacturer or its authorised representative. | Annex V, Section 2 | self-written | |
| 45 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider. | Annex V, Section 3 | self-written | |
| 46 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate). | Annex V, Section 4 | self-written | |
| 47 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation. | Annex V, Section 5 | self-written | |
| 48 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared. | Annex V, Section 6 | if applicable | |
| 49 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued. | Annex V, Section 7 | - | |
| 50 | Additional information: “Signed for and on behalf of: …” (place and date of issue), (name, function), (signature). | Annex V, Section 8 | - | |
Technical documentation
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 51 | The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: a general description of the product with digital elements, including (a) its intended purpose. | Annex VIII, Section 1 §a | self-written | |
| 52 | Versions of software affecting compliance with essential requirements. | Annex VIII, Section 1 §b | self-written | |
| 53 | Where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout. | Annex VIII, Section 1 §c | self-written | |
| 54 | User information and instructions as set out in Annex II. | Annex VIII, Section 1 §d | self-written | |
| 55 | A description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing. | Annex VIII, Section 2 §a | self-written | |
| 56 | Necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates. | Annex VIII, Section 2 §b | self-written | |
| 57 | Necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes. | Annex VIII, Section 2 §c | self-written | |
| 58 | An assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable. | Annex VIII, Section 3 | self-written | |
| 59 | Relevant information that was taken into account to determine the support period of the product with digital elements as referred to in Article 13(8). | Annex VIII, Section 4 | self-written | |
| 60 | A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied. | Annex VIII, Section 5 | self-written | |
| 61 | Reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II. | Annex VIII, Section 6 | self-written | |
| 62 | A copy of the EU declaration of conformity. | Annex VIII, Section 7 | self-written | |
| 63 | Where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority, provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VIII, Section 8 | self-written | |
Communication with the Authorities
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
| 65 | An early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available. | Article 14(2) §a of the Regulation | - | |
| 66 | Unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be. | Article 14(2) §b of the Regulation | - | |
| 67 | Unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
| 68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
| 69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation | | |
Manufacturers of Important and Critical Products

Manufacturers of Important Products Class II, and of Important Products Class I whose products do not fully conform to harmonised standards or common specifications and have not been certified under a European cybersecurity certification scheme, need to go through an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.

⚠️ As of March 2024, no notified body has been announced.

You can check Annex III of the Regulation for a list of Important Products.

Manufacturers of Critical Products could in the future be required to obtain a European cybersecurity certificate instead of undergoing the CRA’s dedicated assessment modules (see below), as provided for in Article 8(1). However, as of March 2024 the Commission has not yet adopted the delegated acts required to determine which products are concerned and which certification scheme must be followed. In the absence of such delegated acts, manufacturers of Critical Products can follow the same conformity assessment procedures as Important Products.

⚠️ Once the delegated acts are published and more is known about these certification schemes, this web page will be updated.

You can check Annex IV of the Regulation for a list of Critical Products.

Manufacturers of Important and Critical Products can freely choose between two paths for the assessment of their products: module B (or module B followed by module C) and module H.

Module H is the more rigorous assessment path: the notified body assesses a quality system, i.e. a written record of the processes and procedures the manufacturer follows to ensure that the product meets the requirements of the CRA.

Module B does not mandate the creation of a quality system; instead, it requires that a specimen of the product be examined by a notified body during the assessment process. Once a product is certified under module B, other products of the same type can be certified through module C, a path that does not require a new assessment by a notified body.

Hence, while module B focuses on the product itself, module H looks at the manufacturer’s processes (i.e. the quality system) as the basis for compliance with the CRA.

Cybersecurity risk assessment
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the technical documentation. | Article 13(3) of the Regulation | self-assessed | |
| 2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements. | Article 13(3) of the Regulation | self-assessed | |
| 3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see the General requirements table below). | Article 13(3) of the Regulation | self-assessed | |
| 4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see the General requirements table below). | Article 13(3) of the Regulation | self-assessed | |
| 5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
| 6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | self-assessed | |
General requirements
| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Annex I, Section 1 §1 | assessed by notified body | |
| 8 | Be made available on the market without known exploitable vulnerabilities. | Annex I, Section 1 §2a | assessed by notified body | |
| 9 | Be made available on the market with a secure-by-default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state. | Annex I, Section 1 §2b | assessed by notified body | |
| 10 | Ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe and enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them. | Annex I, Section 1 §2c | assessed by notified body | |
| 11 | Ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access. | Annex I, Section 1 §2d | assessed by notified body | |
| 12 | Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means. | Annex I, Section 1 §3c and Annex I, Section 1 §2e | assessed by notified body | |
| 13 | Protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions. | Annex I, Section 1 §2f | assessed by notified body | |
| 14 | Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data). | Annex I, Section 1 §2g | assessed by notified body | |
| 15 | Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks. | Annex I, Section 1 §2h | assessed by notified body | |
| 16 | Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks. | Annex I, Section 1 §2i | assessed by notified body | |
| 17 | Be designed, developed and produced to limit attack surfaces, including external interfaces. | Annex I, Section 1 §2j | assessed by notified body | |
| 18 | Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques. | Annex I, Section 1 §2k | assessed by notified body | |
| 19 | Provide security-related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user. | Annex I, Section 1 §2l | assessed by notified body | |
| 20 | Provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2m | assessed by notified body | |
| 21 | Identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products. | Annex I, Section 2 §1 | assessed by notified body | |
| 22 | In relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates. | Annex I, Section 2 §2 | assessed by notified body | |
| 23 | Apply effective and regular tests and reviews of the security of the product with digital elements. | Annex I, Section 2 §2, Section 2 §7 and Section 2 §3 | assessed by notified body | |
| 24 | Once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch. | Annex I, Section 2 §4 | assessed by notified body | |
| 25 | Put in place and enforce a policy on coordinated vulnerability disclosure. | Annex I, Section 2 §4 and Section 2 §5 | assessed by notified body | |
| 26 | Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements. | Annex I, Section 2 §6 | assessed by notified body | |
| 27 | Provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner. | Annex I, Section 2 §7 | assessed by notified body | |
| 28 | Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | assessed by notified body | |
General documentation

ID | Requirement | Reference | Comment
---|---|---|---
29 | At minimum, the product with digital elements shall be accompanied by: 1. the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, §1 | Self-written
30 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer's policy on coordinated vulnerability disclosure can be found; | Annex II, §2 | Self-written
31 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, §3 | Self-written
32 | the intended purpose of the product with digital elements, including the security environment provided by the manufacturer, as well as the product's essential functionalities and information about the security properties; | Annex II, §4 | Self-written
33 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, §5 | Self-written
34 | where applicable, the internet address at which the EU declaration of conformity can be accessed; | Annex II, §6 | Self-written
35 | the type of technical security support offered by the manufacturer and the end-date of the support period during which users can expect vulnerabilities to be handled and to receive security updates; | Annex II, §7 | Self-written
36 | detailed instructions or an internet address referring to such detailed instructions and information on: (a) the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, §8a | Self-written
37 | how changes to the product with digital elements can affect the security of data; | Annex II, §8b | Self-written
38 | how security-relevant updates can be installed; | Annex II, §8c |
39 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, §8d |
40 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex VI, §8e |
41 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, §8f |
42 | If the manufacturer decides to make available the software bill of materials to the user, information on where the software bill of materials can be accessed. | Annex II, §9 |
EU declaration of conformity

ID | Requirement | Reference | Comment
---|---|---|---
43 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | Self-written
44 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | Self-written
45 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | Self-written
46 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | Self-written
47 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | Self-written
48 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | If applicable
49 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | -
50 | Additional information: Signed for and on behalf of: ………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | -
Technical documentation

ID | Requirement | Reference | Comment
---|---|---|---
51 | a general description of the product with digital elements, including: (a) its intended purpose; | Annex VII, Section 1 §a | Assessed by notified body
52 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | Assessed by notified body
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, Section 1 §c | Assessed by notified body
54 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | Assessed by notified body
55 | necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | Assessed by notified body
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | Assessed by notified body
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | Assessed by notified body
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | Assessed by notified body
59 | relevant information that was taken into account to determine the support period, as referred to in Article 13(8), of the product with digital elements; | Annex VII, Section 4 | Assessed by notified body
60 | a list of the harmonised standards applied in full or in part, the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | Assessed by notified body
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | Assessed by notified body
62 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | Assessed by notified body
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority, provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 |
Communication with the authorities

ID | Requirement | Reference | Comment
---|---|---|---
64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | -
65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | -
66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | -
67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | -
68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | -
69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | Article 14(6) of the Regulation |
Lodging an application for certification

ID | Requirement | Reference | Comment
---|---|---|---
72 | The manufacturer shall lodge an application for EU-type examination with a single notified body. | Annex VIII, module B, Section 3 | -
73 | The application shall include the name and address of the manufacturer and, if applicable, of the authorised representative. | Annex VIII, module B, Section 3 | -
74 | The application shall include a declaration that the same application has not been made to another body. | Annex VIII, module B, Section 3 | -
75 | The application shall include the technical description. | Annex VIII, module B, Section 3 | -
76 | The application shall include the supporting evidence for adequacy, including testing, if applicable. | Annex VIII, module B, Section 3 | -
77 | The application must include specimens of the product for further testing by the notified body. | Annex VIII, module B, Section 2 | -
78 | The manufacturer shall inform the notified body of all modifications to the approved product and vulnerability handling processes that may affect the conditions for validity of the certificate. | Annex VIII, module B, Section 7 | -
79 | The manufacturer shall keep a copy of the examination certificate, its annexes and additions provided by the notified body for 10 years after the product has been placed on the market. | Annex VIII, module B, Section 9 | -
80 | The authorised representative may lodge the application, provided that they are specified in the mandate. | Annex VIII, module B, Section 10 | -
Cybersecurity risk assessment

ID | Requirement | Reference | Comment
---|---|---|---
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the technical documentation. | Article 13(3) of the Regulation | Self-assessed
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements. | Article 13(3) of the Regulation | Self-assessed
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below). | Article 13(3) of the Regulation | Self-assessed
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below). | Article 13(3) of the Regulation | Self-assessed
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | Self-assessed
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | Self-assessed
General requirements

ID | Requirement | Reference | Comment
---|---|---|---
7 | Cyber-resilience should be taken into account when designing, developing and producing products with digital elements. | Annex I, Section 1 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
8 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
9 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
10 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
11 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
12 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §3c and Annex I, Section 1 §2e | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
13 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
14 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
15 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
16 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
17 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
18 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
19 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
20 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner; | Annex I, Section 1 §2m | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
21 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Self-assessed, based on a previously received EU-type examination certificate for the same type of product (module B)
22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | Assessed by notified body
23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §2 | Assessed by notified body
24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Assessed by notified body
25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | Assessed by notified body
26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Assessed by notified body
27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Assessed by notified body
28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Assessed by notified body
EU declaration of conformity

ID | Requirement | Reference | Comment
---|---|---|---
37 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | Self-written
38 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | Self-written
39 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | Self-written
40 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | Self-written
41 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | Self-written
42 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | Self-written
43 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | Self-written
44 | Additional information: Signed for and on behalf of: ………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | Self-written
Technical documentation

ID | Requirement | Reference | Comment
---|---|---|---
51 | The technical documentation referred to in Article 31 shall contain at least the following information, as applicable to the relevant product with digital elements: 1. a general description of the product with digital elements, including: (a) its intended purpose; | Annex VIII, Section 1 §a | Self-written
52 | versions of software affecting compliance with essential requirements; | Annex VIII, Section 1 §b | Self-written
53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VIII, Section 1 §c | Self-written
54 | user information and instructions as set out in Annex II; | Annex VIII, Section 1 §d | Self-written
55 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VIII, Section 2 §a | Self-written
56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VIII, Section 2 §b | Self-written
57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VIII, Section 2 §c | Self-written
58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VIII, Section 3 | Self-written
59 | relevant information that was taken into account to determine the support period, as referred to in Article 13(8), of the product with digital elements; | Annex VIII, Section 4 | Self-written
60 | a list of the harmonised standards applied in full or in part, the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VIII, Section 5 | Self-written
61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VIII, Section 6 | Self-written
62 | a copy of the EU declaration of conformity; | Annex VIII, Section 7 | Self-written
63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority, provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VIII, Section 8 | Self-written
General requirements

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 7 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 8 | On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall: (a) be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 9 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 10 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §3c and Annex I, Section 1 §2c | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 11 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 12 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 13 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 14 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 15 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 16 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 17 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 18 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 19 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 20 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 2 §2, Section 2 §7 and Section 1 §2m | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 21 | Manufacturers of products with digital elements shall: (1) identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 22 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 23 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 24 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 25 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 26 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 27 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
| 28 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | Assessed by notified body - must be justified by clear written policies, procedures and instructions, with regards to quality system. | |
General documentation

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 25 | The name, registered trade mark (or trade name), a contact postal address and email address must be printed on the product or, if not possible, on its packaging or accompanying document | Annex II, Section 1 | self-written | |
| 26 | Contact information specifically for the reporting and communication of cybersecurity vulnerabilities must be provided in the accompanying documentation | Annex II, Section 2 | self-written | |
| 27 | The product must be delivered with a type, batch, version or serial number (or other element allowing its identification) | Annex II, Section 3 | self-written | |
| 28 | The intended use, essential functionalities and security features/properties provided by the manufacturer must be detailed in the accompanying documentation | Annex II, Section 4 | self-written | |
| 29 | Any intended use of the product which may lead to a significant cybersecurity risk must be detailed in the accompanying documentation | Annex II, Section 5 | self-written | |
| 30 | A link to the software bill of materials must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 6 | self-written | |
| 31 | A link to the EU declaration of conformity must be provided in the accompanying documentation (if not directly provided) | Annex II, Section 7 | self-written | |
| 32 | The type of technical and security support and the time limit for support must be detailed in the accompanying documentation | Annex II, Section 8 | self-written | |
| 33 | Detailed instructions, or a link to the detailed instructions, on necessary measures during initial commissioning and throughout the lifetime of the product to ensure its secure use must be provided. | Annex II, Section 9 §a | self-written | |
| 34 | Detailed instructions, or a link to the detailed instructions, on how changes to the product can affect the security of the data must be provided | Annex II, Section 9 §b | self-written | |
| 35 | Detailed instructions, or a link to the detailed instructions, on how to install security updates must be provided | Annex II, Section 9 §c | self-written | |
| 36 | Detailed instructions, or a link to the detailed instructions, on secure decommissioning and user data erasure must be provided | Annex II, Section 9 §d | self-written | |
EU declaration of conformity

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 38 | The EU declaration of conformity referred to in Article 28 shall contain all of the following information: 1. Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written | |
| 39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written | |
| 40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the provider; | Annex V, Section 3 | self-written | |
| 41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written | |
| 42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written | |
| 43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written | |
| 44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written | |
| 45 | Additional information: Signed for and on behalf of: ………………………………… (place and date of issue): (name, function) (signature): | Annex V, Section 8 | self-written | |
Technical documentation

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 51 | a general description of the product with digital elements, including: (a) its intended purpose | Annex VII, Section 1 §a | assessed by notified body | |
| 52 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | assessed by notified body | |
| 53 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout | Annex VII, Section 1 §c | assessed by notified body | |
| 54 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | assessed by notified body | |
| 55 | necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | assessed by notified body | |
| 56 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | assessed by notified body | |
| 57 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | assessed by notified body | |
| 58 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | assessed by notified body | |
| 59 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | assessed by notified body | |
| 60 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | assessed by notified body | |
| 61 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | assessed by notified body | |
| 62 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | assessed by notified body | |
| 63 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | | |
Communication with the Authorities

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 64 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | Article 14(1) of the Regulation | - | |
| 65 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | - | |
| 66 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | - | |
| 67 | unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | Article 14(2) §c of the Regulation | - | |
| 68 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | Article 14(3) of the Regulation | - | |
| 69 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements | Article 14(6) of the Regulation | | |
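The three clocks in rows 65 to 67 (24 hours, 72 hours, and 14 days from the availability of a fix) are easiest to operate as a tracked timeline. The following Python is an added example, not part of this checklist or of any EU reporting tooling; the case structure, function names and sample dates are assumptions made here.

```python
"""Deadline tracker for the Article 14(2) notification sequence (added example;
not part of the checklist or of any CRA tooling).

After a manufacturer becomes aware of an actively exploited vulnerability the
checklist rows set three clocks: early warning within 24 hours, vulnerability
notification within 72 hours, and a final report no later than 14 days after a
corrective or mitigating measure is available. This tracker computes each due
time and reports whether a submission was on time, is still pending, or is
overdue. Names, field layout and the sample case are this example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

EARLY_WARNING = timedelta(hours=24)        # Article 14(2)(a)
VULN_NOTIFICATION = timedelta(hours=72)    # Article 14(2)(b)
FINAL_REPORT = timedelta(days=14)          # Article 14(2)(c), counted from fix availability


@dataclass
class ExploitedVulnCase:
    """One actively exploited vulnerability the manufacturer is aware of."""
    aware_at: datetime                              # moment of awareness (UTC)
    fix_available_at: Optional[datetime] = None     # when a fix or mitigation became available
    # notification name -> when it was submitted via the single reporting platform.
    # If an earlier submission already carried the 72 h content ("unless the
    # relevant information has already been provided"), record that time under
    # "vulnerability_notification" as well.
    sent: Dict[str, datetime] = field(default_factory=dict)


def deadlines(case: ExploitedVulnCase) -> Dict[str, datetime]:
    """Due time of each notification. The final-report clock only starts once a
    corrective or mitigating measure exists, so it is absent until then."""
    due = {
        "early_warning": case.aware_at + EARLY_WARNING,
        "vulnerability_notification": case.aware_at + VULN_NOTIFICATION,
    }
    if case.fix_available_at is not None:
        due["final_report"] = case.fix_available_at + FINAL_REPORT
    return due


def status(case: ExploitedVulnCase, now: datetime) -> Dict[str, str]:
    """Classify each notification as on_time, late, pending, overdue, or
    not_yet_due (final report while no fix or mitigation is available yet)."""
    result = {}
    for name, due_at in deadlines(case).items():
        sent_at = case.sent.get(name)
        if sent_at is not None:
            result[name] = "on_time" if sent_at <= due_at else "late"
        elif now > due_at:
            result[name] = "overdue"
        else:
            result[name] = "pending"
    if case.fix_available_at is None:
        result["final_report"] = "not_yet_due"
    return result


def next_due(case: ExploitedVulnCase, now: datetime) -> Optional[str]:
    """Name of the earliest unsent notification whose clock is running, or None."""
    open_items = [(due_at, name) for name, due_at in deadlines(case).items()
                  if name not in case.sent]
    return min(open_items)[1] if open_items else None


def sample_case() -> ExploitedVulnCase:
    """Constructed sample timeline (not a real incident)."""
    aware = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    return ExploitedVulnCase(
        aware_at=aware,
        fix_available_at=aware + timedelta(days=5),
        sent={
            "early_warning": aware + timedelta(hours=20),               # within 24 h
            "vulnerability_notification": aware + timedelta(hours=80),  # 8 h past 72 h
        },
    )


def sample_status() -> Tuple[Dict[str, str], Optional[str]]:
    """Status of the sample case ten days after awareness, plus the next open item."""
    case = sample_case()
    now = case.aware_at + timedelta(days=10)
    return status(case, now), next_due(case, now)


if __name__ == "__main__":
    statuses, upcoming = sample_status()
    for name, due_at in deadlines(sample_case()).items():
        print(f"{name:28s} due {due_at.isoformat()}  {statuses[name]}")
    print("next due:", upcoming)
```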
Application for certification

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 66 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. | Annex VIII, module H, section 3.1 | - | |
| 67 | The quality system shall ensure compliance of the products with digital elements with the essential requirements set out in Annex I, Part I, and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Annex I, Part II. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. | Annex VIII, module H, section 3.2 | - | |
| 68 | The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2. It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification. In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements of this Regulation. The audit shall include an assessment visit to the manufacturer's premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1, second indent, to verify the manufacturer's ability to identify the applicable requirements of this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements. The manufacturer or its authorised representative shall be notified of the decision. The notification shall contain the conclusions of the audit and the reasoned assessment decision. | Annex VIII, module H, section 3.3 | - | |
| 69 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, module H, section 3.4 | - | |
| 70 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision. | Annex VIII, module H, section 3.5 | - | |
| 71 | The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular: - the quality system documentation; - the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests; - the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned. | Annex VIII, module H, section 4.2 | - | |
| 72 | The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report. | Annex VIII, module H, section 4.3 | - | |
| 73 | The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter's identification number to each individual product with digital elements that satisfies the requirements set out in Annex I, Part I, to this Regulation. | Annex VIII, module H, section 5.1 | - | |
| 74 | The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request. | Annex VIII, module H, section 5.2 | - | |
| 75 | The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities: 6.1 the technical documentation referred to in point 3.1; 6.2 the documentation concerning the quality system referred to in point 3.1; 6.3 the change referred to in point 3.5, as approved; 6.4 the decisions and reports of the notified body referred to in points 3.5 and 4.3. | Annex VI, module H, section 6 | - | |
| 76 | The manufacturer's obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that they are specified in the mandate. | Annex VIII, module H, section 8 | - | |
Developers of non-IMPORTANT software

Companies developing software not classified as Critical Products or Important Products Class II can self-assess their software compliance with the CRA’s requirements.

You can check Annex III of the Regulation for a list of Important Products and Annex IV for a list of Critical Products.

Companies developing software classified as Important Products Class I that either conform fully to a harmonised standard, conform fully to common specifications, or hold a European cybersecurity certification can also self-assess their compliance with the CRA’s requirements.

⚠️ Software developers of Important Products Class I who have not applied, or have applied only in part, harmonised standards, common specifications or European cybersecurity certification schemes must undergo a third party assessment (see the “Important and Critical software” tab).

In any case, software developers of non-Important Products may choose to undergo the same assessment process as Important and Critical Products, wherein compliance with the CRA is assessed by a notified body.

Check the Important and Critical software tab to know more.

Cybersecurity risk assessment

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation | Article 13(3) of the Regulation | self-assessed | |
| 2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements | Article 13(3) of the Regulation | self-assessed | |
| 3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
| 4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below) | Article 13(3) of the Regulation | self-assessed | |
| 6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | (56) | self-assessed | |
| 5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed | |
General requirements

| ID | Requirement | Reference | Comment | Check |
|---|---|---|---|---|
| 1 | The software is not released for testing purposes (such as alpha versions, beta versions or release candidates). | ¶21 of the Regulation | software released for testing does not fall under the scope of the CRA, but should be released after a risk assessment has been conducted | |
| 2 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | self-assessed | |
| 3 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | self-assessed | |
| 4 | In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential requirements or other obligations laid down in this Regulation. | Article 25 of the Regulation | self-assessed | |
| 5 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | self-assessed | |
| 6 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | self-assessed | |
| 7 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | self-assessed | |
| 8 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §3c and Annex I, Section 1 §2e | self-assessed | |
| 9 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | self-assessed | |
| 10 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | self-assessed | |
| 11 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | self-assessed | |
| 12 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | self-assessed | |
| 13 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | self-assessed | |
| 14 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | self-assessed | |
| 15 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | self-assessed | |
| 16 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2l | self-assessed | |
| 17 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | self-assessed | |
| 18 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | self-assessed | |
| 19 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | self-assessed | |
| 20 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §4 and Section 2 §8 | self-assessed | |
| 21 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | self-assessed | |
| 22 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | self-assessed | |
General documentation
ID | Requirement | Reference | Comment
25 | the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, Section 1 | self-written
26 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer's policy on coordinated vulnerability disclosure can be found; | Annex II, Section 2 | self-written
27 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, Section 3 | self-written
28 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, Section 5 | self-written
31 | the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, Section 8 §a | self-written
32 | how changes to the product with digital elements can affect the security of data; | Annex II, Section 8 §b | self-written
33 | how security-relevant updates can be installed; | Annex II, Section 8 §c | self-written
34 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, Section 8 §d | self-written
35 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, Section 8 §e |
36 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, Section 8 §f |
37 | if the manufacturer decides to make the software bill of materials available to the user, information on where the software bill of materials can be accessed. | Annex II, Section 9 §d | self-written
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written
39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written
40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the manufacturer; | Annex V, Section 3 | self-written
41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written
42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written
43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written
44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written
45 | Additional information: Signed for and on behalf of: ………………………………… (place and date of issue) (name, function) (signature) | Annex V, Section 8 | self-written
Technical documentation
ID | Requirement | Reference | Comment
45 | a general description of the product with digital elements, including: (a) its intended purpose; | Annex VII, Section 1 §a | self-written
46 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | self-written
47 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, Section 1 §c | self-written
48 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | self-written
49 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | self-written
50 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | self-written
51 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | self-written
52 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | self-written
53 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | self-written
54 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | self-written
55 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | self-written
56 | a copy of the EU declaration of conformity; | Annex VII, Section 7 | self-written
57 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 |
Communication with the Authorities
ID | Requirement | Reference | Comment
58 | Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software. Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in Article 24(1), in paper or electronic form. | Article 24(2) of the Regulation | self-written
59 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | self-written
60 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | self-written
61 | Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community. | Article 24(1) of the Regulation | self-written
62 | The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products. | Article 24(3) of the Regulation | -
Developers of IMPORTANT and Critical software

Companies developing software products classified as Important Products Class II, and Important Products Class I whose products do not fully conform to harmonised standards or common specifications or have not been certified under a European cybersecurity certification scheme, need to go through an external assessment process conducted by a notified body responsible for verifying the compliance of the products with the requirements of the CRA.

⚠️ As of March 2024, no notified body has been announced.

You can check Annex III of the Regulation for a list of software classified as Important Products.

Companies developing software products classified as Critical Products could be required in the future to obtain a European cybersecurity certificate instead of undergoing the CRA's dedicated assessment modules (see below), according to Article 8(1). However, as of March 2024, the Commission has not yet adopted the delegated acts required to determine which products are concerned and which certification scheme must be followed. In the absence of such delegated acts, developers of Critical Products follow the same conformity assessment procedures as Important Products.

⚠️ Once delegated acts are published and more is known about these certification schemes, this web page will be updated.

You can check Annex IV of the Regulation for a list of software classified as Critical Products.

The checklist below covers Module H (full quality assurance), the CRA assessment path in which the notified body assesses the manufacturer's quality system: the written record of the processes and procedures the software company follows to ensure that the software meets the requirements of the CRA.

Module H

Cybersecurity risk assessment
ID | Requirement | Reference | Comment
1 | Conduct a cybersecurity risk assessment, which shall be a written document included in the Technical Documentation. | Article 13(3) of the Regulation | self-assessed
2 | The cybersecurity risk assessment should include at least an analysis of cybersecurity risks based on the intended purpose and foreseeable use of the product with digital elements. | Article 13(3) of the Regulation | self-assessed
3 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the general requirements (see table GENERAL REQUIREMENTS below). | Article 13(3) of the Regulation | self-assessed
4 | The cybersecurity risk assessment should indicate how the manufacturer/software developer applies the vulnerability handling requirements (see table GENERAL REQUIREMENTS below). | Article 13(3) of the Regulation | self-assessed
5 | The cybersecurity risk assessment should be updated when the nature of cybersecurity risks evolves and when new vulnerabilities are discovered, at least during the product support period. | Article 13(7) of the Regulation | self-assessed
6 | Where certain essential requirements are not applicable to a product with digital elements, the manufacturer should include a clear justification in the cybersecurity risk assessment. | Recital (56) | self-assessed
General requirements
ID | Requirement | Reference | Comment
1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks; | Annex I, Section 1 §1 | a software release for testing does not fall under the scope of the CRA, but should still be released only after a risk assessment has been conducted
2 | be made available on the market without known exploitable vulnerabilities; | Annex I, Section 1 §2a | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
3 | be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state; | Annex I, Section 1 §2b | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
4 | ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them; | Annex I, Section 1 §2c | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.3)
5 | ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access; | Annex I, Section 1 §2d | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
6 | protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means; | Annex I, Section 1 §2e | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
7 | protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions; | Annex I, Section 1 §2f | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
8 | process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (minimisation of data); | Annex I, Section 1 §2g | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
9 | protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks; | Annex I, Section 1 §2h | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
10 | minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks; | Annex I, Section 1 §2i | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
11 | be designed, developed and produced to limit attack surfaces, including external interfaces; | Annex I, Section 1 §2j | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
12 | be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; | Annex I, Section 1 §2k | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
13 | provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user; | Annex I, Section 1 §2l | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
14 | provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Annex I, Section 1 §2m | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
15 | identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products; | Annex I, Section 2 §1 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
16 | in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates; | Annex I, Section 2 §2 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
17 | apply effective and regular tests and reviews of the security of the product with digital elements; | Annex I, Section 2 §3 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
18 | once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch; | Annex I, Section 2 §4 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
19 | put in place and enforce a policy on coordinated vulnerability disclosure; | Annex I, Section 2 §5 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
20 | take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements; | Annex I, Section 2 §6 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
21 | provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner; | Annex I, Section 2 §7 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
22 | ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | Annex I, Section 2 §8 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
23 | | Annex I, Section 2 §6 | assessed by the notified body; the quality system must document this in written policies, procedures and instructions (Annex VIII, Module H, section 3.2)
24 | | Annex VIII, Module H, section 4.1 | if applicable
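Item 15 above (and item 17 of the self-assessment table earlier on this page) requires a software bill of materials "in a commonly used and machine-readable format covering at the very least the top-level dependencies". As an added example, not part of this checklist or of any official CRA guidance, the following Python script builds a minimal CycloneDX 1.5 JSON SBOM from a pinned requirements file and then checks mechanically that every top-level dependency is both listed as a component and declared as a direct dependency of the product. The product name "acme-gateway", its version and the pinned requirements are constructed sample input; the script uses only the Python standard library.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input for a hypothetical product "acme-gateway".
# The package names and versions are illustrative only.
SAMPLE_REQUIREMENTS = """\
# top-level runtime dependencies (constructed example)
requests==2.31.0
cryptography==42.0.5
pyjwt==2.8.0
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pinned_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs for every '==' pinned line; comments and
    blank lines are skipped. Unpinned lines are rejected on purpose: an SBOM
    entry without an exact version cannot be matched against advisories."""
    deps = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        m = PIN_RE.match(stripped)
        if not m:
            raise ValueError(f"dependency is not pinned with '==': {stripped!r}")
        deps.append((m.group(1).lower(), m.group(2)))
    return deps


def build_cyclonedx_sbom(product: str, product_version: str, deps) -> dict:
    """Build a minimal CycloneDX 1.5 JSON document: the product is the root
    component in metadata, each top-level dependency is a library component,
    and the dependencies graph records an explicit edge from the product to
    each library. Package URLs (purl) double as bom-ref identifiers."""
    product_ref = f"pkg:pypi/{product}@{product_version}"
    components = [
        {
            "type": "library",
            "bom-ref": f"pkg:pypi/{name}@{version}",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        }
        for name, version in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "bom-ref": product_ref,
                "name": product,
                "version": product_version,
                "purl": product_ref,
            },
        },
        "components": components,
        "dependencies": [
            {"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]},
            *[{"ref": c["bom-ref"], "dependsOn": []} for c in components],
        ],
    }


def missing_top_level(sbom: dict, expected) -> list[str]:
    """Release gate for the 'at least the top-level dependencies' wording:
    every expected (name, version) must appear as a component AND as a direct
    dependency of the root component. Returns the names that fail either
    test; an empty list means the SBOM covers the top-level dependencies."""
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    direct = set()
    for d in sbom.get("dependencies", []):
        if d["ref"] == root:
            direct.update(d.get("dependsOn", []))
    return [
        name
        for name, version in expected
        if f"pkg:pypi/{name}@{version}" not in refs
        or f"pkg:pypi/{name}@{version}" not in direct
    ]


if __name__ == "__main__":
    deps = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    sbom = build_cyclonedx_sbom("acme-gateway", "3.2.0", deps)
    print(json.dumps(sbom, indent=2))
    print("missing top-level dependencies:", missing_top_level(sbom, deps))
```

In practice a manufacturer would generate the SBOM with a dedicated tool (for example cyclonedx-bom or syft) that also captures transitive dependencies and licence data; the point of `missing_top_level` is that coverage of the top-level dependencies is a property you can assert in CI before a release, and keep as evidence in the technical documentation (Annex VII, Section 2 §b) rather than as a claim.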
General documentation
ID | Requirement | Reference | Comment
25 | the name, registered trade name or registered trademark of the manufacturer, and the postal address, the email address or other digital contact as well as, where available, the website at which the manufacturer can be contacted; | Annex II, Section 1 | self-written
26 | the single point of contact where information about vulnerabilities of the product with digital elements can be reported and received, and where the manufacturer's policy on coordinated vulnerability disclosure can be found; | Annex II, Section 2 | self-written
27 | name and type and any additional information enabling the unique identification of the product with digital elements; | Annex II, Section 3 | self-written
28 | any known or foreseeable circumstance, related to the use of the product with digital elements in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to significant cybersecurity risks; | Annex II, Section 5 | self-written
31 | the necessary measures during initial commissioning and throughout the lifetime of the product with digital elements to ensure its secure use; | Annex II, Section 8 §a | self-written
32 | how changes to the product with digital elements can affect the security of data; | Annex II, Section 8 §b | self-written
33 | how security-relevant updates can be installed; | Annex II, Section 8 §c | self-written
34 | the secure decommissioning of the product with digital elements, including information on how user data can be securely removed; | Annex II, Section 8 §d | self-written
35 | how the default setting enabling the automatic installation of security updates, as required by Annex I, Part I, point (c), can be turned off; | Annex II, Section 8 §e |
36 | where the product with digital elements is intended for integration into other products with digital elements, the information necessary for the integrator to comply with the essential requirements set out in Annex I and the documentation requirements set out in Annex VII. | Annex II, Section 8 §f |
37 | if the manufacturer decides to make the software bill of materials available to the user, information on where the software bill of materials can be accessed. | Annex II, Section 9 §d | self-written
EU declaration of conformity
ID | Requirement | Reference | Comment
38 | Name and type and any additional information enabling the unique identification of the product with digital elements; | Annex V, Section 1 | self-written
39 | Name and address of the manufacturer or its authorised representative; | Annex V, Section 2 | self-written
40 | A statement that the EU declaration of conformity is issued under the sole responsibility of the manufacturer; | Annex V, Section 3 | self-written
41 | Object of the declaration (identification of the product with digital elements allowing traceability, which may include a photograph, where appropriate); | Annex V, Section 4 | self-written
42 | A statement that the object of the declaration described above is in conformity with the relevant Union harmonisation legislation; | Annex V, Section 5 | self-written
43 | References to any relevant harmonised standards used or any other common specification or cybersecurity certification in relation to which conformity is declared; | Annex V, Section 6 | self-written
44 | Where applicable, the name and number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued; | Annex V, Section 7 | self-written
45 | Additional information: Signed for and on behalf of: ………………………………… (place and date of issue) (name, function) (signature) | Annex V, Section 8 | self-written
Technical documentation
ID | Requirement | Reference | Comment
46 | a general description of the product with digital elements, including: (a) its intended purpose; | Annex VII, Section 1 §a | self-written, assessed by the notified body
47 | versions of software affecting compliance with essential requirements; | Annex VII, Section 1 §b | self-written, assessed by the notified body
48 | where the product with digital elements is a hardware product, photographs or illustrations showing external features, marking and internal layout; | Annex VII, Section 1 §c | self-written, assessed by the notified body
49 | user information and instructions as set out in Annex II; | Annex VII, Section 1 §d | self-written, assessed by the notified body
50 | a description of the design, development and production of the product with digital elements and vulnerability handling processes, including: (a) necessary information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; | Annex VII, Section 2 §a | self-written, assessed by the notified body
51 | necessary information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates; | Annex VII, Section 2 §b | self-written, assessed by the notified body
52 | necessary information and specifications of the production and monitoring processes of the product with digital elements and the validation of those processes; | Annex VII, Section 2 §c | self-written, assessed by the notified body
53 | an assessment of the cybersecurity risks against which the product with digital elements is designed, developed, produced, delivered and maintained as laid down in Article 13 of this Regulation, including how the essential requirements set out in Annex I, Part I, are applicable; | Annex VII, Section 3 | self-written, assessed by the notified body
54 | relevant information that was taken into account to determine the support period as referred to in Article 13(8) of the product with digital elements; | Annex VII, Section 4 | self-written, assessed by the notified body
55 | a list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union, common specifications as set out in Article 27 of this Regulation or European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 pursuant to Article 27(8) of this Regulation, and, where those harmonised standards, common specifications or European cybersecurity certification schemes have not been applied, descriptions of the solutions adopted to meet the essential requirements set out in Annex I, Parts I and II, including a list of other relevant technical specifications applied. In the event of partly applied harmonised standards, common specifications or European cybersecurity certification schemes, the technical documentation shall specify the parts which have been applied; | Annex VII, Section 5 | self-written, assessed by the notified body
56 | reports of the tests carried out to verify the conformity of the product with digital elements and of the vulnerability handling processes with the applicable essential requirements as set out in Annex I, Parts I and II; | Annex VII, Section 6 | self-written, assessed by the notified body
57 | where applicable, the software bill of materials, further to a reasoned request from a market surveillance authority provided that it is necessary in order for this authority to be able to check compliance with the essential requirements set out in Annex I. | Annex VII, Section 8 | if applicable, assessed by the notified body
Communication with the Authorities
ID | Requirement | Reference | Comment | Check
58 | Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software. Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form. | Article 24(2) of the Regulation | self-written |
59 | an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | Article 14(2) §a of the Regulation | self-written |
60 | unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be; | Article 14(2) §b of the Regulation | self-written |
61 | Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community. | Article 24(1) of the Regulation | self-written |
62 | The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products. | Article 24(3) of the Regulation | - |
Lodging an application for certification
ID | Requirement | Reference | Comment | Check
63 | Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations laid down in points 2 and 5, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential requirements set out in Annex I, Part I, and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Annex I, Part II. | Annex VIII, module H, section 1 | - |
64 | Design, development, production and vulnerability handling of products with digital elements: The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4. | Annex VIII, module H, section 2 | - |
65 | The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned. The application shall include: - the name and address of the manufacturer and, if the application is lodged by the authorised representative, its name and address as well; - the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII; - the documentation concerning the quality system; and - a written declaration that the same application has not been lodged with any other notified body. | Annex VIII, module H, section 3.1 | - |
66 | The quality system shall ensure compliance of the products with digital elements with the essential requirements set out in Annex I, Part I, and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Annex I, Part II. All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records. It shall, in particular, contain an adequate description of: - the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling; - the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential requirements set out in Annex I, Part I, that apply to the products with digital elements will be met; - the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential requirements set out in Annex I, Part II, that apply to the manufacturer will be met; - the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered; - the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used; - the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out; - the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned; - the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system. | Annex VIII, module H, section 3.2 | - |
67 | The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2. It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification. In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements of this Regulation. The audit shall include an assessment visit to the manufacturer's premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1, second indent, to verify the manufacturer's ability to identify the applicable requirements of this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements. The manufacturer or its authorised representative shall be notified of the decision. The notification shall contain the conclusions of the audit and the reasoned assessment decision. | Annex VIII, module H, section 3.3 | - |
68 | The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient. | Annex VIII, module H, section 3.4 | - |
69 | The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system. The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision. | Annex VIII, module H, section 3.5 | - |
70 | Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted. Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued. | Annex VIII, module H, section 7 | - |
71 | Authorised representative: The manufacturer's obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that they are specified in the mandate. | Annex VIII, module H, section 8 | - |
Importers of products with digital elements

As a reminder, the CRA defines importers of products with digital elements as “a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;” article 3(16).

Consequently, importers who import products with digital elements under their own trademarks OR modify substantially a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

General requirements
ID | Requirement | Reference | Check
1 | Importers shall place on the market only products with digital elements that comply with the essential requirements set out in Annex I, Part I, and where the processes put in place by the manufacturer comply with the essential requirements set out in Annex I, Part II. | article 19(1) of the Regulation |
2 | Importers shall indicate their name, registered trade name or registered trademark, the postal address, email address or other digital contact as well as, where applicable, the website at which they can be contacted on the product with digital elements or on its packaging or in a document accompanying the product with digital elements. The contact details shall be in a language easily understood by users and market surveillance authorities. | article 19(4) of the Regulation |
Product Requirements
ID | Requirement | Reference | Check
3 | Before making a product with digital elements available on the market, distributors shall verify that: (a) the product with digital elements bears the CE marking; (b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor. | article 20(2) of the Regulation |
Reporting Requirements
ID | Requirement | Reference | Check
10 | Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect. | article 20(3) of the Regulation |
11 | Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken. | article 20(4) of the Regulation |
12 | Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market. | article 20(5) of the Regulation |
13 | Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 20(6) of the Regulation |
Distributors of products with digital elements

As a reminder, the CRA defines distributors of products with digital elements as “a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;” article 3(17).

Consequently, distributors who distribute products with digital elements under their own trademarks OR modify substantially a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

General requirements
ID | Requirement | Reference | Check
1 | When making a product with digital elements available on the market, distributors shall act with due care in relation to the requirements set out in this Regulation. | article 20(1) of the Regulation |
2 | Before making a product with digital elements available on the market, distributors shall verify that: (a) the product with digital elements bears the CE marking; (b) the manufacturer and the importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), and have provided all necessary documents to the distributor. | article 20(2) of the Regulation |
Reporting Requirements
ID | Requirement | Reference | Check
6 | Where a distributor considers or has reason to believe, on the basis of information in its possession, that a product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I, the distributor shall not make the product with digital elements available on the market until that product or the processes put in place by the manufacturer have been brought into conformity with this Regulation. Furthermore, where the product with digital elements poses a significant cybersecurity risk, the distributor shall inform, without undue delay, the manufacturer and the market surveillance authorities to that effect. | article 20(3) of the Regulation |
7 | Distributors who know or have reason to believe, on the basis of information in their possession, that a product with digital elements, which they have made available on the market, or the processes put in place by its manufacturer are not in conformity with this Regulation shall make sure that the corrective measures necessary to bring that product with digital elements or the processes put in place by its manufacturer into conformity, or to withdraw or recall the product, if appropriate, are taken. Upon becoming aware of a vulnerability in the product with digital elements, distributors shall inform the manufacturer without undue delay about that vulnerability. Furthermore, where the product with digital elements presents a significant cybersecurity risk, distributors shall immediately inform the market surveillance authorities of the Member States in which they have made the product with digital elements available on the market to that effect, giving details, in particular, of the non-compliance and of any corrective measures taken. | article 20(4) of the Regulation |
8 | Distributors shall, further to a reasoned request from a market surveillance authority, provide all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and the processes put in place by its manufacturer with this Regulation in a language that can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by a product with digital elements which they have made available on the market. | article 20(5) of the Regulation |
9 | Where the distributor of a product with digital elements becomes aware, on the basis of information in its possession, that the manufacturer of that product has ceased its operations and, as a result, is not able to comply with the obligations laid down in this Regulation, the distributor shall inform, without undue delay, the relevant market surveillance authorities about this situation, as well as, by any means available and to the extent possible, the users of the products with digital elements placed on the market. | article 20(6) of the Regulation |
Resellers/ other economic actors

The CRA does not directly define the term “resellers”; instead, we must look at the definition of the term “economic operator”, and specifically the second half of that definition: “‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products on the market in accordance with this Regulation”; article 3(12).

Resellers who distribute products with digital elements under their own trademarks OR modify substantially a product with digital elements are considered “manufacturers” and should refer to the “hardware manufacturers” tab or “software developers” tab, whichever fits best.

General requirements
ID | Requirement | Reference | Check
1 | A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements and makes it available on the market, shall be considered to be a manufacturer for the purposes of this Regulation. | article 22(1) of the Regulation |
2 | That person shall be subject to the obligations set out in Articles 13 and 14 for the part of the product with digital elements that is affected by the substantial modification or, if the substantial modification has an impact on the cybersecurity of the product with digital elements as a whole, for the entire product. | article 22(2) of the Regulation |
Reporting Requirements
ID | Requirement | Reference | Check
3 | Economic operators shall, on request, provide the market surveillance authorities with the following information: (a) the name and address of any economic operator who has supplied them with a product with digital elements; (b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements. | article 23(1) of the Regulation |
4 | Economic operators shall, on request, provide the market surveillance authorities with the following information: (a) the name and address of any economic operator who has supplied them with a product with digital elements; (b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements. | article 23(2) of the Regulation |
5 | Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA. | article 15(1) of the Regulation |
6 | Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA. | article 15(2) of the Regulation |
