BIJLAGE I
Bijlage I bestaat uit twee delen: Deel I; beveiligingseigenschappen die het product moet hebben; Deel II; processen voor kwetsbaarhedenbehandeling die de fabrikant moet uitvoeren. De nalevingsmatrix is op deze bijlage gebaseerd.
Part I Cybersecurity requirements relating to the properties of products with digital elements
Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.
On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:
be made available on the market without known exploitable vulnerabilities;
be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;
ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them;
ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;
protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means;
protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;
process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation);
protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks;
minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks;
be designed, developed and produced to limit attack surfaces, including external interfaces;
be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user;
provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner.
Part II Vulnerability handling requirements
Manufacturers of products with digital elements shall:
identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products;
in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates;
apply effective and regular tests and reviews of the security of the product with digital elements;
once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch;
put in place and enforce a policy on coordinated vulnerability disclosure;
take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;
provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner;
ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.
BIJLAGE II
Het product met digitale elementen gaat ten minste vergezeld van:
de naam, de geregistreerde handelsnaam of het geregistreerde merk van de fabrikant, en het postadres, het e-mailadres of een ander digitaal communicatiemiddel alsook, indien beschikbaar, de website waarop contact met de fabrikant kan worden opgenomen;
het centraal contactpunt waar informatie over kwetsbaarheden van het product met digitale elementen kan worden gemeld en ontvangen, en waar het beleid van de fabrikant inzake gecoördineerde openbaarmaking van kwetsbaarheden kan worden gevonden;
naam en type en eventuele aanvullende informatie die de unieke identificatie van het product met digitale elementen mogelijk maakt;
het beoogde doel van het product met digitale elementen, met inbegrip van de door de fabrikant geboden beveiligingsomgeving, alsook de essentiële functies en informatie over de beveiligingseigenschappen van het product;
elke bekende of voorzienbare omstandigheid die verband houdt met het gebruik van het product met digitale elementen overeenkomstig het beoogde doel ervan of in een situatie van redelijkerwijs voorzienbaar verkeerd gebruik, die tot significante cyberbeveiligingsrisico’s kan leiden;
indien van toepassing, het internetadres waarop de EU-conformiteitsverklaring kan worden geraadpleegd;
het soort technische beveiligingsondersteuning dat door de fabrikant wordt aangeboden en de einddatum van de ondersteuningsperiode tijdens welke gebruikers kunnen verwachten dat kwetsbaarheden worden aangepakt en zij beveiligingsupdates ontvangen;
gedetailleerde instructies of een internetadres met betrekking tot dergelijke gedetailleerde instructies en informatie over:
de nodige maatregelen tijdens de eerste inbedrijfstelling en gedurende de hele levensduur van het product met digitale elementen om een veilig gebruik ervan te waarborgen;
hoe veranderingen in het product met digitale elementen van invloed kunnen zijn op de beveiliging van gegevens;
hoe veiligheidsrelevante updates kunnen worden geïnstalleerd;
de veilige buitenbedrijfstelling van het product met digitale elementen, met inbegrip van informatie over de wijze waarop gebruikersgegevens veilig kunnen worden verwijderd;
hoe de standaardinstelling die de automatische installatie van beveiligingsupdates mogelijk maakt, zoals voorgeschreven in deel I, punt 2, c), van bijlage I, kan worden uitgeschakeld;
indien het product met digitale elementen bestemd is om te worden geïntegreerd in andere producten met digitale elementen, de informatie die de integrator nodig heeft om te voldoen aan de essentiële cyberbeveiligingsvereisten van bijlage I en de documentatievereisten van bijlage VII.
indien de fabrikant besluit de softwarestuklijst ter beschikking te stellen van de gebruiker, informatie over waar de softwarestuklijst kan worden geraadpleegd.
BIJLAGE III
Als uw product hier wordt genoemd, is het 'belangrijk' (klasse I of II) en geldt er een strengere conformiteitsroute dan voor een standaardproduct.
Klasse I
software en hardware voor identiteitsbeheersystemen en voor het beheer van geprivilegieerde toegang, met inbegrip van lezers voor authenticatie en toegangscontrole, waaronder biometrische lezers
op zichzelf staande en ingebedde browsers
wachtwoordbeheer
software die kwaadaardige software opzoekt, verwijdert of in quarantaine plaatst
producten met digitale elementen met de functie van virtueel particulier netwerk (VPN)
netwerkbeheersystemen
Security information and event management-systemen (SIEM) (beveiligingsinformatie en evenementenbeheer)
bootmanagement
publiekesleutelinfrastructuur en software voor de afgifte van digitale certificaten
fysieke en virtuele netwerkinterfaces
besturingssystemen
routers, modems bestemd voor verbinding met het internet, en netwerkswitches
microprocessoren met beveiligingsgerelateerde functies
microcontrollers met beveiligingsgerelateerde functies
toepassingsspecifieke geïntegreerde schakelingen (ASIC) en veld-programmeerbare gatearrays (FPGA) met beveiligingsgerelateerde functies
virtuele assistenten voor slimme huizen voor algemene doeleinden
producten voor slimme huizen met beveiligingsfuncties, met inbegrip van slimme deursloten, beveiligingscamera’s, babymonitoringsystemen en alarmsystemen
met het internet verbonden speelgoed dat onder Richtlijn 2009/48/EG van het Europees Parlement en de Raad (1) valt en sociale interactieve functies (bv. spreken of filmen) of locatietraceringsfuncties heeft
persoonlijke wearables die op een menselijk lichaam moeten worden gedragen of geplaatst en bedoeld zijn voor gezondheidsmonitoring (zoals tracking) en die niet onder Verordening (EU) 2017/745 of (EU) 2017/746 vallen, of persoonlijke wearables die bestemd zijn voor gebruik door en voor kinderen
Klasse II
hypervisors en containerruntimesystemen die de gevirtualiseerde uitvoering van besturingssystemen en soortgelijke omgevingen ondersteunen
firewalls, inbraakdetectiesystemen en inbraakpreventiesystemen
manipulatiebestendige microprocessoren
manipulatiebestendige microcontrollers
BIJLAGE IV
Producten die hier worden genoemd, zijn ‘kritiek’ en moeten mogelijk over een Europees cyberbeveiligingscertificaat beschikken.
BIJLAGE V
De in artikel 28 bedoelde EU-conformiteitsverklaring omvat alle volgende informatie:
naam en type van het product met digitale elementen en eventuele aanvullende informatie die de unieke identificatie ervan mogelijk maakt
naam en adres van de fabrikant of de gemachtigde vertegenwoordiger van de fabrikant
een vermelding dat de EU-conformiteitsverklaring wordt verstrekt onder de uitsluitende verantwoordelijkheid van de aanbieder
voorwerp van de verklaring (identificatie van het product met digitale elementen aan de hand waarvan het product kan worden getraceerd; indien passend kan een foto worden bijgevoegd)
een verklaring dat het hierboven beschreven voorwerp van de verklaring in overeenstemming is met de desbetreffende harmonisatiewetgeving van de Unie
verwijzingen naar alle gebruikte relevante geharmoniseerde normen of andere gemeenschappelijke specificaties of cyberbeveiligingscertificering met betrekking waartoe de conformiteitsverklaring is aangegeven
indien van toepassing, de naam en het nummer van de aangemelde instantie, een beschrijving van de uitgevoerde conformiteitsbeoordelingsprocedure en de identificatie van het afgegeven certificaat;
aanvullende informatie:
Ondertekend voor en namens:
(plaats en datum van afgifte):
(naam, functie) (handtekening):
BIJLAGE VI
De in artikel 13, lid 20, bedoelde vereenvoudigde EU-conformiteitsverklaring wordt als volgt geformuleerd:
Hierbij verklaart … [naam van de fabrikant] dat het product met digitale elementen type … [aanduiding van het type product met digitale elementen] in overeenstemming is met Verordening (EU) 2024/2847 (1).
De volledige tekst van de EU-conformiteitsverklaring kan worden geraadpleegd op het volgende internetadres:
BIJLAGE VII
Bijlage VII is de checklist voor de technische documentatie die u moet samenstellen en 10 jaar moet bewaren.
De in artikel 31 bedoelde technische documentatie bevat ten minste de volgende informatie, voor zover van toepassing op het desbetreffende product met digitale elementen:
een algemene beschrijving van het product met digitale elementen, met inbegrip van:
het beoogde doel ervan;
versies van software die van invloed zijn op de naleving van de essentiële cyberbeveiligingsvereisten;
wanneer het product met digitale elementen een hardwareproduct is, foto’s of illustraties waarop de externe kenmerken, markering en interne lay-out te zien zijn;
gebruikersinformatie en -instructies zoals beschreven in bijlage II;
een beschrijving van het ontwerp, de ontwikkeling en de productie van het product met digitale elementen en de procedures inzake de respons op kwetsbaarheden, met inbegrip van:
noodzakelijke informatie over het ontwerp en de ontwikkeling van het product met digitale elementen, met inbegrip van, indien van toepassing, tekeningen en schema’s en een beschrijving van de systeemarchitectuur waarin wordt uitgelegd hoe softwarecomponenten voortbouwen op elkaar of elkaar aanvullen en zijn geïntegreerd in de algemene verwerking;
noodzakelijke informatie en specificaties van de door de fabrikant ingestelde processen inzake de respons op kwetsbaarheden, met inbegrip van de softwarestuklijst, het gecoördineerde beleid inzake openbaarmaking van kwetsbaarheden, bewijs van het verstrekken van een contactadres voor de melding van de kwetsbaarheden en een beschrijving van de gekozen technische oplossingen voor de veilige verspreiding van updates;
noodzakelijke informatie en specificaties van de productie- en monitoringprocessen van het product met digitale elementen en de validering van die processen;
een beoordeling van de cyberbeveiligingsrisico’s waartegen het product met digitale elementen wordt ontworpen, ontwikkeld, geproduceerd, geleverd en onderhouden op grond van artikel 13, met inbegrip van de wijze waarop de essentiële cyberbeveiligingsvereisten van deel I van bijlage I van toepassing zijn;
relevante informatie die in aanmerking is genomen om op grond van artikel 13, lid 8, de ondersteuningsperiode van het product met digitale elementen te bepalen;
een lijst van de geheel of gedeeltelijk toegepaste geharmoniseerde normen waarvan de referenties in het Publicatieblad van de Europese Unie zijn bekendgemaakt, gemeenschappelijke specificaties als bedoeld in artikel 27 van deze verordening of Europese cyberbeveiligingscertificeringsregelingen die zijn vastgesteld op grond van Verordening (EU) 2019/881 op grond van artikel 27, lid 8, van deze verordening en, indien die geharmoniseerde normen, gemeenschappelijke specificaties of Europese cyberbeveiligingscertificeringsregelingen niet zijn toegepast, een beschrijving van de gekozen oplossingen om aan de essentiële cyberbeveiligingsvereisten van de delen I en II van bijlage I te voldoen, met inbegrip van een lijst van andere relevante technische specificaties die zijn toegepast. In het geval van gedeeltelijk toegepaste geharmoniseerde normen, gemeenschappelijke specificaties of Europese cyberbeveiligingscertificeringsregelingen, wordt in de technische documentatie gespecificeerd welke delen zijn toegepast;
verslagen van de tests die zijn uitgevoerd om de conformiteit van het product met digitale elementen en van de procedures inzake de respons op kwetsbaarheden met de toepasselijke essentiële cyberbeveiligingsvereisten van de delen I en II van bijlage I te verifiëren;
een exemplaar van de EU-conformiteitsverklaring;
indien van toepassing, de softwarestuklijst, ingevolge een met redenen omkleed verzoek van een markttoezichtautoriteit, op voorwaarde dat dat noodzakelijk is om die autoriteit in staat te stellen de naleving van de essentiële cyberbeveiligingsvereisten van bijlage I te controleren.
BIJLAGE VIII
Part I Conformity assessment procedure based on internal control (based on module A)
Internal control is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2, 3 and 4 of this Part, and ensures and declares on its sole responsibility that the products with digital elements satisfy all the essential cybersecurity requirements set out in Part I of Annex I and the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
The manufacturer shall draw up the technical documentation described in Annex VII.
Design, development, production and vulnerability handling of products with digital elements
The manufacturer shall take all measures necessary so that the design, development, production and vulnerability handling processes and their monitoring ensure compliance of the manufactured or developed products with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Parts I and II of Annex I.
Conformity marking and declaration of conformity
The manufacturer shall affix the CE marking to each individual product with digital elements that satisfies the applicable requirements set out in this Regulation.
The manufacturer shall draw up a written EU declaration of conformity for each product with digital elements in accordance with Article 28 and keep it together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The EU declaration of conformity shall identify the product with digital elements for which it has been drawn up. A copy of the EU declaration of conformity shall be made available to the relevant authorities upon request.
Gemachtigden
The manufacturer’s obligations set out in point 4 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
Part II EU-type examination (based on module B)
EU-type examination is the part of a conformity assessment procedure in which a notified body examines the technical design and development of a product with digital elements and the vulnerability handling processes put in place by the manufacturer, and attests that a product with digital elements meets the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
EU-type examination shall be carried out by assessing the adequacy of the technical design and development of the product with digital elements through the examination of the technical documentation and supporting evidence referred to in point 3, and the examination of specimens of one or more critical parts of the product (combination of production type and design type).
The manufacturer shall lodge an application for EU-type examination with a single notified body of its choice.
The application shall include:
3.1.
the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;
3.2.
a written declaration that the same application has not been lodged with any other notified body;
3.3.
the technical documentation, which shall make it possible to assess the conformity of the product with digital elements with the applicable essential cybersecurity requirements as set out in Part I of Annex I and the manufacturer’s vulnerability handling processes set out in Part II of Annex I and shall include an adequate analysis and assessment of the risks. The technical documentation shall specify the applicable requirements and cover, as far as relevant for the assessment, the design, manufacture and operation of the product with digital elements. The technical documentation shall contain, wherever applicable, at least the elements set out in Annex VII;
3.4.
the supporting evidence for the adequacy of the technical design and development solutions and vulnerability handling processes. This supporting evidence shall mention any documents that have been used, in particular where the relevant harmonised standards or technical specifications have not been applied in full. The supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility.
The notified body shall:
4.1.
examine the technical documentation and supporting evidence to assess the adequacy of the technical design and development of the product with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and of the vulnerability handling processes put in place by the manufacturer with the essential cybersecurity requirements set out in Part II of Annex I;
4.2.
verify that specimens have been developed or manufactured in conformity with the technical documentation, and identify the elements which have been designed and developed in accordance with the applicable provisions of the relevant harmonised standards or technical specifications, as well as the elements which have been designed and developed without applying the relevant provisions of those standards;
4.3.
carry out appropriate examinations and tests, or have them carried out, to check that, where the manufacturer has chosen to apply the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I, they have been applied correctly;
4.4.
carry out appropriate examinations and tests, or have them carried out, to check that, where the solutions in the relevant harmonised standards or technical specifications for the requirements set out in Annex I have not been applied, the solutions adopted by the manufacturer meet the corresponding essential cybersecurity requirements;
4.5.
agree with the manufacturer on a location where the examinations and tests will be carried out.
The notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.
Where the type and the vulnerability handling processes meet the essential cybersecurity requirements set out in Annex I, the notified body shall issue an EU-type examination certificate to the manufacturer. The certificate shall contain the name and address of the manufacturer, the conclusions of the examination, the conditions (if any) for its validity and the necessary data for identification of the approved type and vulnerability handling processes. The certificate may have one or more annexes attached.
The certificate and its annexes shall contain all relevant information to allow the conformity of manufactured or developed products with digital elements with the examined type and vulnerability handling processes to be evaluated and to allow for in-service control.
Where the type and the vulnerability handling processes do not satisfy the applicable essential cybersecurity requirements set out in Annex I, the notified body shall refuse to issue an EU-type examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.
The notified body shall keep itself apprised of any changes in the generally acknowledged state of the art which indicate that the approved type and the vulnerability handling processes may no longer comply with the applicable essential cybersecurity requirements set out in Annex I, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.
The manufacturer shall inform the notified body that holds the technical documentation relating to the EU-type examination certificate of all modifications to the approved type and the vulnerability handling processes that may affect the conformity with the essential cybersecurity requirements set out in Annex I, or the conditions for validity of the certificate. Such modifications shall require additional approval in the form of an addition to the original EU-type examination certificate.
The notified body shall carry out periodic audits to ensure that the vulnerability handling processes as set out in Part II of Annex I are implemented adequately.
Each notified body shall inform its notifying authorities concerning the EU-type examination certificates and any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of certificates and any additions thereto refused, suspended or otherwise restricted.
Each notified body shall inform the other notified bodies concerning the EU-type examination certificates and any additions thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, concerning the certificates and additions thereto which it has issued.
The Commission, the Member States and the other notified bodies may, on request, obtain a copy of the EU-type examination certificates and any additions thereto. On request, the Commission and the Member States may obtain a copy of the technical documentation and the results of the examinations carried out by the notified body. The notified body shall keep a copy of the EU-type examination certificate, its annexes and additions, as well as the technical file including the documentation submitted by the manufacturer, until the expiry of the validity of the certificate.
The manufacturer shall keep a copy of the EU-type examination certificate, its annexes and additions together with the technical documentation at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer.
The manufacturer’s authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7 and 10, provided that the relevant obligations are specified in the mandate.
Part III Conformity to type based on internal production control (based on module C)
Conformity to type based on internal production control is the part of a conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 3 of this Part, and ensures and declares that the products with digital elements concerned are in conformity with the type described in the EU-type examination certificate and satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
Production
The manufacturer shall take all measures necessary so that the production and its monitoring ensure conformity of the manufactured products with digital elements with the approved type described in the EU-type examination certificate and with the essential cybersecurity requirements as set out in Part I of Annex I and ensures that the manufacturer meets the essential cybersecurity requirements set out in Part II of Annex I.
Conformity marking and declaration of conformity
3.1.
The manufacturer shall affix the CE marking to each individual product with digital elements that is in conformity with the type described in the EU-type examination certificate and satisfies the applicable requirements set out in this Regulation.
3.2.
The manufacturer shall draw up a written declaration of conformity for a product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.
Authorised representative
The manufacturer’s obligations set out in point 3 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
Part IV Conformity based on full quality assurance (based on module H)
Conformity based on full quality assurance is the conformity assessment procedure whereby the manufacturer fulfils the obligations set out in points 2 and 5 of this Part, and ensures and declares on its sole responsibility that the products with digital elements or product categories concerned satisfy the essential cybersecurity requirements set out in Part I of Annex I and that the vulnerability handling processes put in place by the manufacturer meet the requirements set out in Part II of Annex I.
Design, development, production and vulnerability handling of products with digital elements
The manufacturer shall operate an approved quality system as specified in point 3 for the design, development and final product inspection and testing of the products with digital elements concerned and for handling vulnerabilities, maintain its effectiveness throughout the support period, and shall be subject to surveillance as specified in point 4.
Quality system
3.1.
The manufacturer shall lodge an application for assessment of its quality system with the notified body of its choice, for the products with digital elements concerned.
The application shall include:
the name and address of the manufacturer and, if the application is lodged by the authorised representative, the name and address of that authorised representative;
the technical documentation for one model of each category of products with digital elements intended to be manufactured or developed. The technical documentation shall, wherever applicable, contain at least the elements as set out in Annex VII;
the documentation concerning the quality system; and
a written declaration that the same application has not been lodged with any other notified body.
3.2.
The quality system shall ensure compliance of the products with digital elements with the essential cybersecurity requirements set out in Part I of Annex I and compliance of the vulnerability handling processes put in place by the manufacturer with the requirements set out in Part II of Annex I.
All the elements, requirements and provisions adopted by the manufacturer shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. That quality system documentation shall permit a consistent interpretation of the quality programmes, plans, manuals and records.
It shall, in particular, contain an adequate description of:
the quality objectives and the organisational structure, responsibilities and powers of the management with regard to design, development, product quality and vulnerability handling;
the technical design and development specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part I of Annex I that apply to the products with digital elements will be met;
the procedural specifications, including standards, that will be applied and, where the relevant harmonised standards or technical specifications will not be applied in full, the means that will be used to ensure that the essential cybersecurity requirements set out in Part II of Annex I that apply to the manufacturer will be met;
the design and development control, as well as design and development verification techniques, processes and systematic actions that will be used when designing and developing the products with digital elements pertaining to the product category covered;
the corresponding production, quality control and quality assurance techniques, processes and systematic actions that will be used;
the examinations and tests that will be carried out before, during and after production, and the frequency with which they will be carried out;
the quality records, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned;
the means of monitoring the achievement of the required design and product quality and the effective operation of the quality system.
3.3.
The notified body shall assess the quality system to determine whether it satisfies the requirements referred to in point 3.2.
It shall presume conformity with those requirements in respect of the elements of the quality system that comply with the corresponding specifications of the national standard that implements the relevant harmonised standard or technical specification.
In addition to experience in quality management systems, the auditing team shall have at least one member experienced as an assessor in the relevant product field and product technology concerned, and shall have knowledge of the applicable requirements set out in this Regulation. The audit shall include an assessment visit to the manufacturer’s premises, where such premises exist. The auditing team shall review the technical documentation referred to in point 3.1 (b), to verify the manufacturer’s ability to identify the applicable requirements set out in this Regulation and to carry out the necessary examinations with a view to ensuring compliance of the product with digital elements with those requirements.
The manufacturer or its authorised representative shall be notified of the decision.
The notification shall contain the conclusions of the audit and the reasoned assessment decision.
3.4.
The manufacturer shall undertake to fulfil the obligations arising out of the quality system as approved and to maintain it so that it remains adequate and efficient.
3.5.
The manufacturer shall keep the notified body that has approved the quality system informed of any intended change to the quality system.
The notified body shall evaluate any proposed changes and decide whether the modified quality system will continue to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
It shall notify the manufacturer of its decision. The notification shall contain the conclusions of the examination and the reasoned assessment decision.
Surveillance under the responsibility of the notified body
4.1.
The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising out of the approved quality system.
4.2.
The manufacturer shall, for assessment purposes, allow the notified body access to the design, development, production, inspection, testing and storage sites, and shall provide it with all necessary information, in particular:
the quality system documentation;
the quality records as provided for by the design part of the quality system, such as results of analyses, calculations and tests;
the quality records as provided for by the manufacturing part of the quality system, such as inspection reports and test data, calibration data and qualification reports on the personnel concerned.
4.3.
The notified body shall carry out periodic audits to make sure that the manufacturer maintains and applies the quality system and shall provide the manufacturer with an audit report.
Conformity marking and declaration of conformity
5.1.
The manufacturer shall affix the CE marking, and, under the responsibility of the notified body referred to in point 3.1, the latter’s identification number to each individual product with digital elements that satisfies the requirements set out in Part I of Annex I.
5.2.
The manufacturer shall draw up a written declaration of conformity for each product model and keep it at the disposal of the national authorities for 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer. The declaration of conformity shall identify the product model for which it has been drawn up.
A copy of the declaration of conformity shall be made available to the relevant authorities upon request.
The manufacturer shall, for a period ending at least 10 years after the product with digital elements has been placed on the market or for the support period, whichever is longer, keep at the disposal of the national authorities:
the technical documentation referred to in point 3.1;
the documentation concerning the quality system referred to in point 3.1;
the change referred to in point 3.5, as approved;
the decisions and reports of the notified body referred to in points 3.5 and 4.3.
Each notified body shall inform its notifying authorities of quality system approvals issued or withdrawn, and shall, periodically or upon request, make available to its notifying authorities the list of quality system approvals refused, suspended or otherwise restricted.
Each notified body shall inform the other notified bodies of quality system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued.
Authorised representative
The manufacturer’s obligations set out in points 3.1, 3.5, 5 and 6 may be fulfilled by its authorised representative, on its behalf and under its responsibility, provided that the relevant obligations are specified in the mandate.
A statement has been made with regard to this act and can be found in OJ C, 2024/6786, 20.11.2024, ELI: http://data.europa.eu/eli/C/2024/6786/oj.
ELI: http://data.europa.eu/eli/reg/2024/2847/oj
ISSN 1977-0677 (electronic edition)