Manufacturers

In an increasingly digitalized world, cyberattacks pose significant risks to manufacturers.

Manufacturers who proactively engage with the Cyber Resilience Act and adopt the required measures can navigate the complex cybersecurity landscape effectively. This helps safeguard their operations and contributes to a secure and resilient manufacturing ecosystem.

Discover our manufacturer’s guide to compliance now!

Prerequisites

Before placing a product with digital elements on the EU market, manufacturers must:

  • Analyze potential risks based on intended use, foreseeable conditions, and expected lifespan.
  • Integrate components securely: Exercise due diligence when sourcing components from third parties, including open-source software, to ensure they don’t compromise the product’s cybersecurity.
  • Have policies and procedures to address vulnerabilities reported from internal or external sources, including coordinated disclosure policies.
  • Prepare technical documentation.
  • Choose and conduct conformity assessment procedures.
  • Issue an EU declaration of conformity and affix the CE marking.
  • Include identification markings (type, batch, serial number) on the product, packaging, or accompanying documents.
  • Indicate the manufacturer’s name, contact details, and website on the product, packaging, or accompanying documents.
  • Provide support for at least 5 years, or the product’s lifespan if shorter.
  • Ensure security updates released during the support period remain available for at least 10 years or the remaining support period, whichever is longer.

Legal basis

When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.

For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.

The cybersecurity risk assessment shall be documented and updated as appropriate during the support period. It shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so, in what manner the security requirements set out in point 3 of Section 1 of Annex I are applicable to the respective product with digital elements and how these are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer will apply point 1 of Section 1 of Annex I and the vulnerability handling requirements in Section 2 of Annex I.

When placing a product with digital elements on the market, the manufacturer shall include a cybersecurity risk assessment in the technical documentation as set out in Article 23 and Annex V. For products with digital elements referred to in Articles 8 and 24(4) that are also subject to other Union acts, the cybersecurity risk assessment may be part of the risk assessment required by those respective Union acts. Where certain essential requirements are not applicable to the marketed product with digital elements, the manufacturer shall include a clear justification in that documentation.

For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in a manner that such components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity.

Manufacturers shall, upon identifying a vulnerability in a component, including in an open-source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Annex I, Section 2. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.

Manufacturers shall ensure, when placing a product with digital elements on the market, and thereafter for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

Manufacturers shall determine the support period referred to in the first subparagraph of this paragraph that reflects the time the product is expected to be in use, taking into account in particular reasonable users’ expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support period of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support period of integrated components that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established under Article 41(11) or the Commission. The above-mentioned elements to determine the support period shall be considered in a manner that ensures proportionality.

Without prejudice to the second subparagraph of this paragraph, the support period shall be at least five years. When the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time. 

Taking into account the ADCO recommendations referred to in Article 41(11a), the Commission may, by means of delegated acts, specify the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods.

Manufacturers shall include information that was taken into account to determine the support period of a product with digital elements in the technical documentation as set out in Annex V.

Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Section 2, point (5), of Annex I, to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.

Manufacturers shall ensure that each security update, referred to in Section 2, point (8), of Annex I, which has been made available to users during the support period remains available after it has been issued for a minimum duration of 10 years or for the remainder of the support period, whichever is longer.

Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, compliance with the essential requirement laid down in point 2 of section 2 of Annex I may be ensured only for the version that it has last placed on the market. The manufacturer may do so only if the users of the versions that have been previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product.

Manufacturers may maintain public software archives enhancing user access to historical versions. In those cases, users must be clearly informed in an easily accessible manner about risks associated with using unsupported software.

Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 23. 

They shall carry out the chosen conformity assessment procedures referred to in Article 24 or have them carried out. 

Where compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I and of the processes put in place by the manufacturer with the essential requirements set out in Section 2 of Annex I has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 20 and affix the CE marking in accordance with Article 22.

Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, ensure that this information is provided on their packaging or in a document accompanying the product with digital elements.

Manufacturers shall indicate the name, registered trade name or registered trade mark of the manufacturer, and the postal address, email address or other digital contact as well as, where applicable, the website at which the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. This information shall also be included in the information and instructions to the user referred to in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on cybersecurity vulnerabilities of the product with digital elements.

Manufacturers shall ensure that the single point of contact can be easy to identify by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II.

The single point of contact shall allow users to choose the means of communication, which shall not rely exclusively on automated tools.

From the placing on the market and for at least the period of time referred to in paragraph 6, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.


Documentation

The following mandatory documentation requirements must be fulfilled by manufacturers:

  • Technical Documentation: This includes relevant cybersecurity aspects like identified vulnerabilities, third-party information, and updates to the risk assessment. It must be kept for 10 years or the support period (whichever is longer) after the product is placed on the market.
  • EU Declaration of Conformity: This document proves compliance with essential requirements. Manufacturers can provide either the full version or a simplified version with a link to the full one online. Both versions must be kept available for 10 years or the support period, whichever is longer.
  • User Information and Instructions: These guides on safe installation, operation, and use must be clear, understandable, and in a language users and authorities can readily grasp. They must be kept accessible for 10 years or the support period, whichever is longer, online or physically.

Legal basis

The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities it becomes aware of and any relevant information provided by third parties, and, where applicable, update the cybersecurity risk assessment of the product.

Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least ten years or the support period, whichever is longer, after the product with digital elements has been placed on the market.

Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions set out in Annex II, in an electronic or physical form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for a secure installation, operation and use of the products with digital elements. Manufacturers shall keep the information and instructions set out in Annex II at the disposal of users and market surveillance authorities for at least ten years or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible and user-friendly and available online for at least ten years or the support period of the product with digital elements, whichever is longer.

Manufacturers shall ensure that the end of the support period as referred to in paragraph 6, including at least the month and year, is clearly and understandably specified at the time of purchase, in an easily accessible manner and where applicable on the product with digital elements, its packaging or by digital means.

Where technically feasible in light of the nature of the product with digital elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period.

Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.

Reporting

These reporting requirements aim to enhance cybersecurity measures and enable coordinated responses to vulnerabilities and incidents. Consequently, manufacturers must:

  • Inform the CSIRT within 24 hours of any actively exploited vulnerability in their products. Details of the vulnerability and any corrective actions taken should be included.
  • Notify the CSIRT within 24 hours of severe incidents impacting product security. Information on severity, impact, and suspected unlawful acts should be included. The market surveillance authority should be informed.
  • Quickly inform users about incidents and provide mitigation measures.
  • Report vulnerabilities in integrated components to the respective maintainers.

Legal basis

A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established in Article 11b.

For the purpose of the notification referred to in paragraph 1, the manufacturers shall submit:

(a) an early warning notification on an actively exploited vulnerability without undue delay and in any event within 24 hours of the manufacturer becoming aware of its existence, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the respective vulnerability as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take. The notification shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be;

(c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:

(i) a description of the vulnerability, including its severity and impact;

(ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; 

(iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established in Article 11b.

For the purpose of the notification referred to in paragraph 3, the manufacturers shall submit:

(a) an early warning notification on a severe incident having an impact on the security of the product with digital elements without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts. The notification shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, as available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take. The notification shall also indicate, where applicable, how sensitive the manufacturer deems the notified information to be;

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

(i) a detailed description of the incident, including its severity and impact; 

(ii) the type of threat or root cause that is likely to have triggered the incident;

(iii) applied and ongoing mitigation measures.

For the purpose of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe, where:

(a) it negatively affects or is capable to negatively affect the ability of a manufacturer’s product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

(b) it has led or is capable to lead to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.

Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements.

The notifications referred to in paragraphs 1 and 3 shall be submitted via the single reporting platform referred to in Article 11b using one of the electronic notification endpoints referred to in Article 11b(1). The notification shall be submitted using the electronic notification endpoint of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification endpoint of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of the products with digital elements is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of the products with digital elements of that manufacturer are located.

In relation to point (d) of the third subparagraph, a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

The manufacturer shall inform, after becoming aware, the impacted users of the product with digital elements, and where appropriate all users, about an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements and, where necessary, about risk mitigation and any corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured and easily automatically processible machine-readable format. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs may provide such information to the users when considered proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.
