In an increasingly digitalized world, cyberattacks pose significant risks to manufacturers.
Manufacturers who proactively engage with the Cyber Resilience Act and adopt the required measures can navigate the complex cybersecurity landscape effectively. This helps safeguard their operations and contributes to a secure and resilient manufacturing ecosystem.
Manufacturers must fulfil a number of prerequisites before placing their products with digital elements on the European market.
Specifically, they must:
When placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with the essential requirements set out in Section 1 of Annex I.
For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing security incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.
The risk assessment referred to in paragraph 2 shall be documented and updated as appropriate during the expected lifetime of the product. It shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the specific conditions of use of the product with digital elements, such as the operational environment, and the assets to be protected, taking into account the whole lifecycle of the product. The risk assessment shall indicate the specific security requirements as set out in point 3 of section 1 of Annex I that are applicable to the respective product with digital elements and how these are implemented as informed by the risk assessment.
When placing a product with digital elements on the market, the manufacturer shall include a cybersecurity risk assessment in the technical documentation as set out in Article 23 and Annex V. For products with digital elements referred to in Articles 8 and 24(4) that are also subject to other Union acts, the cybersecurity risk assessment may be part of the risk assessment required by those respective Union acts. Where certain essential requirements are not applicable to the marketed product with digital elements, the manufacturer shall include a clear justification in that documentation.
For the purposes of complying with the obligation laid down in paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties in a manner that such components do not compromise the security of the product with digital elements.
Manufacturers shall ensure, when placing a product with digital elements on the market and for the expected product lifetime, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
Manufacturers shall determine the expected product lifetime referred to in the first subparagraph of this paragraph taking into account the time users reasonably expect to be able to use the product with digital elements given its functionality and intended purpose and therefore can expect to receive security updates.
Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Section 2, point (5), of Annex I, to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.
Security updates, referred to in Section 2, point (8), of Annex I, which have been made available to users shall remain available for a minimum duration of 10 years.
For the purpose of complying with the obligation provided for in the first subparagraph of paragraph 6, where manufacturers have placed subsequent versions of a software product on the market, they may provide security updates only for the software product that they have last placed on the market. They may do so only if the users of the relevant previous product versions have access to the latest product version free of charge and do not incur significant additional costs to adjust the hardware and software environment in which they operate the product.
Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 23. They shall carry out the chosen conformity assessment procedures referred to in Article 24 or have them carried out. Where compliance of the product with digital elements with the essential requirements set out in Section 1 of Annex I and of the processes put in place by the manufacturer with the essential requirements set out in Section 2 of Annex I has been demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 20 and affix the CE marking in accordance with Article 22.
From the placing on the market and for the period of time referred to in paragraph 6, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, to withdraw or to recall the product, as appropriate.
The following mandatory documentation requirements must be fulfilled by manufacturers:
The manufacturer shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the product with digital elements, including vulnerabilities they become aware of and any relevant information provided by third parties, and, where applicable, update the risk assessment of the product.
Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for ten years after the product with digital elements has been placed on the market.
Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions set out in Annex II, in an electronic or physical form. Such information and instructions shall be provided in a language which can be easily understood by users and market authorities. They shall be clear, understandable, intelligible and legible. They shall allow for a secure installation, operation and use of the products with digital elements.
Manufacturers shall ensure that the end date for the expected product lifetime as referred to in paragraph 6, including at least the month and year, until which the manufacturer will at least ensure the effective handling of vulnerabilities in accordance with the essential requirements set out in Section 2 of Annex I to this Regulation is clearly and understandably specified at the time of purchase, in an easily accessible manner and where applicable on the product with digital elements, its packaging or by digital means.
Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.
These reporting requirements aim to enhance cybersecurity measures and enable coordinated responses to vulnerabilities and incidents. Consequently, manufacturers must:
The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555, in accordance with paragraph 2b of this Article.
For the purpose of the notification referred to in paragraph 1, the manufacturers shall submit:
(a) Without undue delay and in any event within 24 hours of becoming aware of the actively exploited vulnerability, an early warning which shall provide general information, as available, about the product with digital elements concerned, the nature of the exploit and of the respective vulnerability. The early warning shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available. Where applicable, the early warning shall also indicate any corrective or mitigating measures taken, corrective or mitigating measures that users can take, and include an indication of how sensitive the manufacturer deems the notified information to be.
(b) Without undue delay and in any event within 72 hours of becoming aware of the actively exploited vulnerability, a notification updating the information referred to in point (a). Where applicable, the notification shall indicate any available information about the actively exploited vulnerability, the status of remediation and any corrective or mitigating measures taken.
Manufacturers shall notify any incident having an impact on the security of the product with digital elements that they become aware of to the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555, in accordance with paragraph 2b of this Article.
For the purpose of the notification referred to in paragraph 2, the manufacturers shall submit:
(a) Without undue delay and in any event within 24 hours of becoming aware of the incident, an early warning which shall provide general information, as available, about the nature of the incident and shall indicate whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact. The early warning shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available. Where applicable, the early warning shall also indicate any corrective or mitigating measures taken, corrective or mitigating measures that users can take, and include an indication of how sensitive the manufacturer deems the notified information to be.
(b) Without undue delay and in any event within 72 hours of becoming aware of the incident, an incident notification which shall include information on the severity and impact of the incident, and, where applicable, update the information referred to in point (a). The notification shall also include, if available, information on the indicators of compromise.
The notifications referred to in paragraphs 1 and 2 shall be submitted through one of the electronic notification end-points of the single reporting platform referred to in paragraph 2c.
Where the manufacturers have their main establishment in the Union, they shall submit the notifications referred to in paragraphs 1 and 2 through the electronic notification end-point of the CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555 of the Member State in which they have their main establishment.
For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken.
Where manufacturers have no main establishment in the Union, they shall notify via the single reporting platform to the CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555 in the Member State of their choice.
For the purposes of the notifications referred to in paragraphs 1 and 2, a single reporting platform shall be established, and the day-to-day operations managed and maintained by ENISA.
The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points. The initial recipient of a notification shall, without delay, disseminate the notification via the single reporting platform to all the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 on whose territory the manufacturer has indicated that the product with digital elements has been made available and to ENISA. In exceptional circumstances and in particular upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under paragraph 1a (a), the dissemination of the notification may be delayed based on justified cybersecurity related grounds for a period of time that is strictly necessary, including in cases where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. The CSIRTs network, established pursuant to Article 15 of Directive (EU) 2022/2555, shall adopt guidelines on the terms and conditions for applying the aforementioned cybersecurity related grounds.
After receiving a notification regarding an actively exploited vulnerability in a product with digital elements or regarding an incident having an impact on the security of a product with digital elements, the CSIRTs shall provide market surveillance authorities of their respective Member States with the notified information necessary for the market surveillance authorities to fulfil their obligations under this Regulation.
ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to paragraphs 1(a), 1(b), 2a(a) and 2a(b) if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.
The manufacturer shall inform, after becoming aware, the users of the product with digital elements about an actively exploited vulnerability or incident, where appropriate in a structured and easily automatically processible machine-readable format. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRT may provide such information to the users when considered proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.
The Commission may, by means of implementing acts, specify further the type of information, format and procedure of the notifications submitted pursuant to paragraphs 1 to 2ab of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 51(2).
ENISA, on the basis of the notifications received pursuant to paragraphs 1 and 2, shall prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established under Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months after the obligations laid down in paragraphs 1 and 2 start applying.
Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component. Where manufacturers have developed a software modification to address the vulnerability in that component, they shall share the relevant code with the person or entity maintaining the component, where appropriate in a machine-readable format.