Manufacturers

In an increasingly digitalized world, cyberattacks pose significant risks to manufacturers.

Manufacturers who proactively engage with the Cyber Resilience Act and adopt the required measures can navigate the complex cybersecurity landscape effectively. This helps safeguard their operations and contributes to a secure and resilient manufacturing ecosystem.

Discover our manufacturer’s guide to compliance now!

Prerequisites

Before placing a product with digital elements on the EU market, manufacturers must:

  • Analyze potential risks based on intended use, foreseeable conditions, and expected lifespan.
  • Integrate components securely: Exercise due diligence when sourcing components from third parties, including open-source software, to ensure they don’t compromise the product’s cybersecurity.
  • Have policies and procedures to address vulnerabilities reported from internal or external sources, including coordinated disclosure policies.
  • Prepare technical documentation.
  • Choose and conduct conformity assessment procedures.
  • Issue an EU declaration of conformity and affix the CE marking.
  • Include identification markings (type, batch, serial number) on the product, packaging, or accompanying documents.
  • Indicate the manufacturer’s name, contact details, and website on the product, packaging, or accompanying documents.
  • Provide support for at least 5 years, or the product’s lifespan if shorter.
  • Ensure security updates released during the support period remain available for at least 10 years or the remaining support period, whichever is longer.

Legal basis

2. Without prejudice to Directives 2014/24/EU and 2014/25/EU, where products with digital elements that fall within the scope of this Regulation are procured, Member States shall ensure that compliance with the essential requirements set out in Annex I to this Regulation, including the manufacturers’ ability to handle vulnerabilities effectively, are taken into consideration in the procurement process.

4. Manufacturers of products with digital elements referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in [Article 53] of Regulation… [the AI Regulation].

1. When placing a product with digital elements on the market, manufacturers shall ensure that that product has been designed, developed and produced in accordance with the essential requirements set out in Annex I, Part I.

2. For the purpose of complying with the obligation laid down in paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising the impacts of such incidents, including in relation to the health and safety of users.

3. The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Annex I, Part I, point (3), are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Annex I, Part I, point (1), and the vulnerability handling requirements set out in Annex I, Part II.

4. When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements referred to in Article 12 and Article 32(6), which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.

5. For the purpose of complying with paragraph 1, manufacturers shall exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements, including when integrating components of free and open-source software that have not been made available on the market in the course of a commercial activity.

6. Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Annex I, Part II. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.

7. The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which it becomes aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.

8. Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential requirements set out in Annex I, Part II. Manufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. When determining the support period, manufacturers may also take into account the support periods of products with digital elements offering a similar functionality placed on the market by other manufacturers, the availability of the operating environment, the support periods of integrated components that provide core functions and are sourced from third parties as well as relevant guidance provided by the dedicated administrative cooperation group (ADCO) established pursuant to Article 52(15) and the Commission. The matters to be taken into account in order to determine the length of the support period shall be considered in a manner that ensures proportionality. Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time. Taking into account ADCO recommendations as referred to in Article 52(16), the Commission may adopt delegated acts in accordance with Article 61 to supplement this Regulation by specifying the minimum support period for specific product categories where the market surveillance data suggests inadequate support periods. Manufacturers shall include the information that was taken into account to determine the support period of a product with digital elements in the technical documentation as set out in Annex VII. Manufacturers shall have appropriate policies and procedures, including coordinated vulnerability disclosure policies, referred to in Annex I, Part II, point (5), to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources.

9. Manufacturers shall ensure that each security update, as referred to in Annex I, Part II, point (8), which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years after the product with digital elements has been placed on the market or for the remainder of the support period, whichever is longer.

10. Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, that manufacturer may ensure compliance with the essential requirement laid down in Annex I, Part II, point (2), only for the version that manufacturer last placed on the market, provided that the users of the versions previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product.

11. Manufacturers may maintain public software archives enhancing user access to historical versions. In those cases, users shall be clearly informed in an easily
accessible manner about risks associated with using unsupported software.

12. Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation referred to in Article 31.

They shall carry out the chosen conformity assessment procedures referred to in Article 32 or have them carried out. Where compliance of the product with digital elements with the essential requirements set out in Annex I, Part I, and of the processes put in place by the manufacturer with the essential requirements set out in Annex I, Part II, has been
demonstrated by that conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity in accordance with Article 28 and affix the CE
marking in accordance with Article 30.

13. Manufacturers shall keep the technical documentation and the EU declaration of
conformity ▌ at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer,.

14. Manufacturers shall ensure that procedures are in place for products with digital elements that are part of a series of production to remain in conformity with this
Regulation. Manufacturers shall adequately take into account changes in the
development and production process or in the design or characteristics of the product with digital elements and changes in the harmonised standards, European cybersecurity certification schemes or common specifications referred to in Article 27 by reference to which the conformity of the product with digital elements is declared or by application of which its conformity is verified.

15. Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where
that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.

16. Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user referred to in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

17. For the purposes of this Regulation, manufacturers shall designate a single point
of contact to enable users to communicate directly and rapidly with them,
including in order to facilitate reporting on vulnerabilities of the product with digital elements. Manufacturers shall ensure that the single point of contact is easily identifiable by
the users. They shall also include the single point of contact in the information
and instructions to the user set out in Annex II.
The single point of contact shall allow users to choose their preferred means of
communication and shall not limit such means to automated tools.

18. Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language
which can be easily understood by users and market surveillance authorities. They
shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers
shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

19. Manufacturers shall ensure that the end date of the support period referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elements, its packaging or by
digital means. Where technically feasible in light of the nature of the product with digital
elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period.

20. Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be
accessed.

21. From the placing on the market and for the support period ▌, manufacturers who
know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential requirements set out in Annex I shall immediately take the corrective measures
necessary to bring that product with digital elements or the manufacturer’s processes
into conformity, to withdraw or to recall the product, as appropriate.

22. Manufacturers shall, upon a reasoned request from a market surveillance authority,
provide that authority, in a language which can be easily understood by that
authority, with all the information and documentation, in paper or electronic form,
necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital
elements which they have placed on the market.

23. A manufacturer that ceases its operations and, as a result, is not able to comply with the obligations laid down in this Regulation shall inform, before the cessation of operations takes effect, the relevant market surveillance authorities as well as, by any means available and to the extent possible, the users of the relevant products with digital elements placed on the market, of the impending cessation of operations.

24. The Commission may, by means of implementing acts taking into account European or international standards and best practices, specify the format and elements of the software bill of materials referred to in Annex I, Part II, point (1).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).

25. In order to assess the dependence of Member States and of the Union as a whole on software components and in particular on components qualifying as free and
open-source software, ADCO may decide to conduct a Union wide dependency assessment for specific categories of products with digital elements. For that purpose, market surveillance authorities may request manufacturers of such
categories of products with digital elements to provide the relevant software bills of
materials as referred to in Annex I, Part II, point (1). On the basis of such
information, the market surveillance authorities may provide ADCO with
anonymised and aggregated information about software dependencies. ADCO
shall submit a report on the results of the dependency assessment to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.

European flag

Documentation

The following mandatory documentation requirements must be fulfilled by manufacturers:

    • Technical Documentation: This includes relevant cybersecurity aspects like identified vulnerabilities, third-party information, and updates to the risk assessment. It must be kept for 10 years or the support period (whichever is longer) after the product hits the market.
    • EU Declaration of Conformity: This document proves compliance with essential requirements. Manufacturers can provide either the full version or a simplified version with a link to the full one online. Both versions must be kept available for 10 years or the support period.
    • User Information and Instructions: These guides on safe installation, operation, and use must be clear, understandable, and in a language users and authorities can readily grasp. They must be kept accessible for 10 years or the support period, online or physically.

Legal basis

When placing a product with digital elements on the market, the manufacturer shall include the cybersecurity risk assessment referred to in paragraph 3 of this Article in the technical documentation required pursuant to Article 31 and Annex VII. For products with digital elements referred to in Article 12 and Article 32(6), which are also subject to other Union legal acts, the cybersecurity risk assessment may be part of the risk assessment required by those Union legal acts. Where certain essential requirements are not applicable to the product with digital elements, the manufacturer shall include a clear justification to that effect in that technical documentation.

The manufacturers shall systematically document, in a manner that is proportionate to the nature and the cybersecurity risks, relevant cybersecurity aspects concerning the products with digital elements, including vulnerabilities of which it becomes aware and any relevant information provided by third parties, and shall, where applicable, update the cybersecurity risk assessment of the products.

Manufacturers shall keep the technical documentation and the EU declaration of conformity ▌ at the disposal of the market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer,.

Manufacturers shall ensure that their products with digital elements bear a type, batch or serial number or other element allowing their identification, or, where that is not possible, that that information is provided on their packaging or in a document accompanying the product with digital elements.

Manufacturers shall indicate the name, registered trade name or registered trademark of the manufacturer, and the postal address, email address or other digital contact details, as well as, where applicable, the website where the manufacturer can be contacted, on the product with digital elements, on its packaging or in a document accompanying the product with digital elements. That information shall also be included in the information and instructions to the user referred to in Annex II. The contact details shall be in a language which can be easily understood by users and market surveillance authorities.

Manufacturers shall ensure that products with digital elements are accompanied by the information and instructions to the user set out in Annex II, in paper or electronic form. Such information and instructions shall be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements. Manufacturers shall keep the information and instructions to the user set out in Annex II at the disposal of users and market surveillance authorities for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. Where such information and instructions are provided online, manufacturers shall ensure that they are accessible, user-friendly and available online for at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.

Manufacturers shall either provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product with digital elements. Where a simplified EU declaration of conformity is provided, it shall contain the exact internet address at which the full EU declaration of conformity can be accessed.

Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that
authority, with all the information and documentation, in paper or electronic form,
necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital
elements which they have placed on the market.

Reporting

These reporting requirements aim to enhance cybersecurity measures and enable coordinated responses to vulnerabilities and incidents. Consequently, manufacturers must:

  • Inform CSIRT within 24 hours vulnerabilities in their products. Details of the vulnerability and any corrective actions taken should be included.
  • Notify CSIRT within 24 hours of incidents impacting product security. Information on severity, impact, and suspected unlawful acts should be included. The market surveillance authority should be informed.
  • Quickly inform users about incidents and provide mitigation measures.
  • Report vulnerabilities in integrated components to the respective maintainers.

Legal basis

A manufacturer shall ▌ notify ▌ any actively exploited vulnerability contained in the
product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.

For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:

(a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which
shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability
concerned as well as any corrective or mitigating measures taken, and
corrective or mitigating measures that users can take, and which shall also
indicate, where applicable, how sensitive the manufacturer deems the
notified information to be;

(c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:

(i) a description of the vulnerability, including its severity and impact;

(ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability;

(iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

A manufacturer shall ▌ notify ▌ any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.

For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:

(a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any
event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

(b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial
assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer deems
the notified information to be;

(c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

(i) a detailed description of the incident, including its severity and impact;

(ii) the type of threat or root cause that is likely to have triggered the incident;

(iii) applied and ongoing mitigation measures.

The notifications referred to in paragraphs 1 and 3 of this Article shall be
submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT
designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

For the purposes of this Regulation, a manufacturer shall be considered to have its
main establishment in the Union, in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken.
If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined
pursuant to the following order and based on the information available to the manufacturer:

(a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;

(b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

(c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;

(d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located.

In relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

▌ After becoming aware of an actively exploited vulnerability or a severe incident, the manufacturer shall inform the impacted users of the product with digital
elements, and where appropriate all users, about the actively exploited vulnerability
or a severe incident having an impact on the security of the product with digital elements and, where necessary, about risk mitigation and any corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident,
where appropriate in a structured and easily automatically processible, machinereadable format. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as
coordinators may provide such information to the users when considered
proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

Manufacturers as well as other natural or legal persons may notify any
vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary
basis to a CSIRT designated as coordinator or ENISA.

Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as
near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.

Cyber Security News and Events

Check out the latest events on cyber security and the Cyber Resilience Act.